
Threat Protection

Level 2

Release November 2022


Proofpoint, Inc.
925 West Maude Ave
Sunnyvale, CA 94085
www.proofpoint.com
Threat Protection
Level 2

Student Guide
Proofpoint, Inc.
Copyright © Proofpoint, Inc., 925 West Maude, Sunnyvale, CA 94085 USA. All rights
reserved.
Information in this manual is subject to change without notice. No part of this publication
may be reproduced or distributed in any form or by any means, electronic or mechanical,
for any purpose, without the express written permission of Proofpoint, Inc.
Produced by Proofpoint Technical Training. This curriculum is a product created and
delivered by many individuals working at Proofpoint and we acknowledge them here.

About Proofpoint
Proofpoint, Inc. is a leading cybersecurity company that protects organizations’ greatest
assets and biggest risks: their people. With an integrated suite of cloud-based solutions,
Proofpoint helps companies around the world stop targeted threats, safeguard their data,
and make their users more resilient against cyber attacks. Leading organizations of all
sizes, including more than half of the Fortune 1000, rely on Proofpoint to mitigate their
most critical security and compliance risks across email, the cloud, social media, and the
web. No one protects people, the data they create, and the digital channels they use
more effectively than Proofpoint.

Trademarks
Proofpoint is a trademark, registered trademark, or tradename of Proofpoint, Inc. in the
United States and other countries. Proofpoint Enterprise Archive is a trademark of
Proofpoint, Inc. All other trademarks contained herein are property of their respective
owners.

Threat Protection - Level 2


Courseware Version 8.18 B
November 2022
Printed in the United States of America

Contents
Lesson 0: Introduction ......................................................................................................1
Lesson 1: Threat Landscape and SMTP ......................................................................... 7
Lab 1-1: Access the PPS and Mail Clients ................................................................16
Lab 1-2: Configure and Test a New Inbound Mail Route .........................................18
Lesson 2: Email Protection Infrastructure ..................................................................... 23
Lab 2-1: Configure PPS GUI Settings .......................................................................37
Lesson 3: Message Processing .................................................................................... 45
Lab 3-1: Configure and Test Policy Routes ..............................................................65
Lab 3-2: Create a Firewall Rule .................................................................................68
Lesson 4: Quarantine ..................................................................................................... 71
Lab 4-1: View Quarantine Messages ........................................................................82
Lesson 5: Smart Search and Log Viewer ...................................................................... 85
Lab 5-1: Use Smart Search and Log Viewer ............................................................97
Lab 5-2: Analyze Filter Behavior .............................................................................100
Lesson 6: TLS Encryption ............................................................................................ 109
Lab 6-1: Configure TLS Encryption .........................................................................122
Lesson 7: User Management and End User Services ................................................ 125
Lab 7-1: User Import ................................................................................................136
Lab 7-2: Access the End User Interface ..................................................................151
Lab 7-3: Modify the End User Interface ..................................................................153
Lesson 8: Email Firewall .............................................................................................. 155
Lab 8-1: Enable Recipient Verification ....................................................................164
Lab 8-2: Implement SMTP Rate Control .................................................................170
Lesson 9: Email Authentication ................................................................................... 175
Lab 9-1: Use Email Authentication ..........................................................................206
Lesson 10: Spam Detection ......................................................................................... 211
Lab 10-1: Create a New Spam Detection Policy .....................................................224
Lab 10-2: Enable Audit ............................................................................................232
Lab 10-3: Working with Organizational Safe Lists ..................................................236
Lab 10-4: Creating Inbound and outbound SPAM Policies ...................................245
Lesson 11: Virus Protection ......................................................................................... 249
Lesson 12: Impostor Email ......................................................................................... 259
Lab 12-1: Deploy the Anti-Spoof Rule ....................................................................274
Lesson 13: Email Warning Tags .................................................................................. 277
Lab 13-1: Enable Email Warning Tags ....................................................................288
Lesson 14: Targeted Attack Protection ....................................................................... 291
Lab 14-1: Configure URL Defense .........................................................................302
Lab 14-2: Configure Attachment Defense ...............................................................315
Lab 14-3: Detect and Analyze Threats in TAP Dashboard .....................................331
Lesson 15: Proofpoint Encryption ............................................................................... 333
Lab 15-1: Configure Subject-line Encryption ..........................................................345

Lab 15-2: Configure Auto-Encrypt for PCI ..............................................................348
Lab 15-3: Configure Auto-Encrypt for Groups ........................................................354
Lab 15-4: Revoke an Encryption Key ......................................................................360
Lesson 16: Data Loss Prevention ................................................................................ 363
Lab 16-1: Report Data Loss .....................................................................................373
Lesson 17: Regulatory Compliance ............................................................................ 375
Lab 17-1: Implement a Dictionary ...........................................................................383
Lab 17-2: Implement a Custom Smart Identifier .....................................................391
Lab 17-3: Implement Proximity Match ....................................................................394
Lesson 18: Digital Assets ............................................................................................. 399
Lab 18-1: Implement Digital Asset Security ............................................................412
Appendix A: Email Forensics ........................................................................................415
Lab A-1: Track and Investigate Email .....................................................................434
Lab A-2: Email Header Analysis with Search ..........................................................438

Lesson 0: Introduction
Welcome to the Threat Protection course! This is a hands-on, instructor-led course. This student guide is
designed for both traditional and virtual classroom instruction with a live instructor. This course covers
Release 8.18 of the Proofpoint Protection Server (PPS) software and emphasizes the protection of your
organization from incoming email threats.
After completing this course, you will be able to:
• Follow the message path from a sending mail system to a receiving mail system.
• Use the PPS Management UI to perform all administrative tasks
• Explain PPS cloud-based, physical, and virtual deployment scenarios.
• Configure Policy Routes to address special use cases and/or improve performance
• Explain how PPS filtering works
• Develop and test PPS rules developed to protect your users by enforcing email messaging policies
• Configure rules to quarantine messages
• Use PPS logs and log viewing tools to evaluate rule performance, efficiency, and effectiveness.
• Implement TLS to establish secure communication channels with other MTAs
• Seamlessly import users from external LDAP sources
• Use Organizations, Sub-Orgs, and Groups to manage users
• Customize Administrator roles
• Customize the appearance of PPS end user applications according to your organization’s standards
• Configure the behavior of the Web Application
• Configure Recipient Verification, SMTP Rate Control, and Bounce Management
• Explain the purpose and function of SPF, DKIM, and DMARC
• Configure DMARC
• Describe the features and function of Spam Detection
• Configure Spam Detection, including Organizational Safe/Block lists and Custom Spam Rules
• Create Inbound and Outbound Spam Policies
• Describe impostor email threats and how to mitigate them
• Explain how the Virus Protection Module works
• Explain and configure URL Defense and Attachment Defense operations
• Explain and configure Proofpoint Encryption
• Configure PPS to respond automatically when unauthorized data disclosures occur
• Configure PPS to detect regulated data in email
• Configure PPS to recognize your organization’s digital assets and Quarantine / Report detected
breaches

©2022 Proofpoint. All rights reserved. Proofpoint, Inc. - Confidential and Proprietary 1
Email Protection Level 1 — Student Guide

Course Content
In addition to this introduction, the course consists of the following lessons:
• Lesson 1 - Threat Landscape and SMTP
Discuss how email threats fit into the overall threat landscape and review how email flows from
senders to recipients. Review SMTP commands and configure an inbound mail route.
• Lesson 2 - Email Protection Infrastructure
Describe PPS deployment scenarios, such as the on-premises standard cluster and PoD. Become
familiar with the PPS management interface and software components.
• Lesson 3 - Message Processing
Describe how PPS filters email messages to protect email users and organizations. Describe the
purpose and components of policy routes and email firewall rules. Configure and implement policy
routes and email firewall rules.
• Lesson 4 - Quarantine
Describe the purpose of the quarantine and how to configure quarantine settings. Search for
quarantined messages. Discuss how the quarantine impacts message filtering. Configure rules that
quarantine messages.
• Lesson 5 - Smart Search and Log Viewer
Describe the settings for log viewer, reporting, alerts and Smart Search. View entries recorded in the
filter and MTA logs using log viewer and Smart Search.
• Lesson 6 - TLS Encryption
Configure TLS encryption. Describe the purpose and function of certificates. Import a signed
certificate.
• Lesson 7 - User Management and End User Services
Describe how PPS manages users and organizes sub-orgs and groups. Import and manage users.
Describe the function of the End User Digest. Create custom branding of the end user interface. Make
modifications to the end user web application.
• Lesson 8 - Email Firewall
Describe the unique components and features of the email firewall module. Configure and implement
these features in the module: recipient verification, SMTP rate control, and bounce management.
• Lesson 9 - Email Authentication
Describe the purpose and function of these email authentication methods: SPF, DKIM, and DMARC.
Configure DMARC policies and rules.
• Lesson 10 - Spam Detection
Describe how Proofpoint Dynamic Reputation and spam detection work. Configure spam detection
features and spam policies. Configure safelists, blocklists, and custom spam rules.
• Lesson 11 - Virus Protection
Explain how the virus protection module works. Describe the virus protection module’s general
settings, virus definitions, policies, and rules.
• Lesson 12 - Impostor Email
Identify the various types of impostor email threats and describe how to mitigate them. Configure the
anti-spoof rule.


• Lesson 13 - Email Warning Tags
Use Email Warning Tags to warn or inform users that an incoming message may be dangerous.
• Lesson 14 - Targeted Attack Protection
Explain how TAP protects users from malicious attachments and URLs. Configure settings in URL
defense and in attachment defense, and then test the results. Describe how to access and use the
TAP Threat Dashboard.
• Lesson 15 - Proofpoint Encryption
Explain how Proofpoint Encryption works. Describe the features of Secure Reader. Configure
Proofpoint Encryption to protect sensitive information in email messages.
• Lesson 16 - Data Loss Prevention
Describe how DLP works. Configure a rule to report messages with unauthorized data, and then use
the DLP dashboard to view messages that trigger the rule.
• Lesson 17 - Regulatory Compliance
Explain what regulatory compliance is. Configure a rule that uses a dictionary to detect regulated
information in outbound email. Implement a custom smart identifier and proximity match to prevent
regulated data leaving your organization.
• Lesson 18 - Digital Assets
Identify the components of the Digital Assets module and describe how it secures your organization’s
confidential documents. Configure digital asset security to prevent messages leaving your
organization with confidential documents attached.
• Appendix A - Email Forensics
Analyze email headers and other information in emails received through the mail server. Review the
chronological and network analysis of the received header. Analyze the headers for DKIM, TLS, and
other non-standard email headers.

Lesson 1: Threat Landscape and SMTP
Introduction
This lesson explains the protocols and technology of email transmission and reception. It provides
information useful for troubleshooting email connectivity issues.

Threat Protection Level 2 — Student Guide

8 Copyright © 2022 Proofpoint, Inc.


Threat Landscape and SMTP

Student Notes
• Snapchat
  • Snapchat leaks employee pay data after CEO email scam
• Microsoft
  • Steal users' Office 365 login credentials
  • https://www.techradar.com/news/office-365-phishing-scam-uses-google-ad-domains-to-evade-security


Student Notes
This diagram gives a high-level overview of how an email gets from the sender to the recipient. The terms
and concepts discussed here will be referenced throughout the course.
1. Sender uses a Mail User Agent (MUA) to send email. Let's call the sender Rachel. She works at
shoes.com and needs to send a message to her friend, Ross, at socks.com. To begin, she opens her
email client, such as Outlook. This email client is referred to as a Mail User Agent, or MUA. She
composes her message, ensures that it is addressed to Ross, and clicks Send, and the message goes
to the MTA.
2. Message handed off to a Mail Transfer Agent (MTA). The MTA is located inside the company's
firewall. The MTA must figure out how to get the message to User at usersdomain.com.
3. Sender’s MTA locates Receiver’s MTA using the DNS MX record. If the owner of the socks.com
domain has published their MX record in DNS, the message will be sent across the Internet and will
arrive at User's MTA.
4. Sender’s MTA connects to Receiver’s MTA on TCP port 25. User's MTA figures out which internal
email server handles email for User. This is usually accomplished using an internal directory server.
5. Receiver’s MTA delivers the message to the MUA. The MTA sends the message to User’s MUA.
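Step 3 above is the part of the path that most often fails in practice, so here is an added example (not code from the Proofpoint guide) of how a sending MTA turns a recipient domain into an ordered list of hosts to try. The DNS answers are a constructed in-memory table (the socks.com records, the `.example` domains and the 192.0.2.x addresses are invented) so that it runs offline; a real MTA would query DNS. It covers the general rules rather than only the diagram's case: MX preference ordering, the implicit MX fallback when a domain publishes no MX record (RFC 5321 section 5.1), and the Null MX convention (RFC 7505).

```python
# Constructed DNS table: MX records are (preference, host); lower preference is tried first.
# A real MTA would resolve these with DNS queries instead of a dictionary.
DNS = {
    "socks.com":      {"MX": [(20, "mx2.socks.com"), (10, "mx1.socks.com")]},
    "mx1.socks.com":  {"A": ["192.0.2.10"]},
    "mx2.socks.com":  {"A": ["192.0.2.20"]},
    "nomx.example":   {"A": ["192.0.2.30"]},   # no MX published: implicit MX (RFC 5321 5.1)
    "nullmx.example": {"MX": [(0, ".")]},      # Null MX (RFC 7505): domain accepts no mail
}


def delivery_targets(domain, dns=DNS):
    """Return (host, ip) candidates in the order a sending MTA would try them.

    Raises LookupError when the domain does not exist at all (NXDOMAIN), which
    is what produces the "Undelivered Mail Returned to Sender" bounce.
    Returns an empty list for a Null MX domain: a permanent failure, no retries.
    """
    records = dns.get(domain)
    if records is None:
        raise LookupError(f"{domain}: no such domain")
    mx = records.get("MX")
    if mx is None:
        hosts = [domain]                      # implicit MX: use the domain's own A record
    else:
        if any(host == "." for _, host in mx):
            return []                         # Null MX: do not attempt delivery
        # Lowest preference first. Equal preferences would be tried in random order.
        hosts = [host for _, host in sorted(mx)]
    targets = []
    for host in hosts:
        for ip in dns.get(host, {}).get("A", []):
            targets.append((host, ip))
    return targets
```

Each `(host, ip)` pair is a candidate for the TCP port 25 connection in step 4; the MTA moves to the next pair only on a connection failure or a 4xx reply, never on a 5xx reply.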


Student Notes
On this page you’ll see the order in which each part of a message arrives. Because the PPS filter processes
the parts of a message in the order it receives them, it is necessary to understand the email transmission
process. For each part of the message that is received, the filter checks for any rule that applies to it. If
more than one rule fires in one section, the rule with the highest disposition precedence wins. If that
disposition stops the message, processing stops. Keep in mind that once you reach the body of the
message, you must receive the entire message, including the attachments.
Filterd processes the SMTP data associated with a message sequentially: it begins with a source IP
address connecting to the PPS, followed by the HELO command, followed by the MAIL FROM:
command, and so on. As the PPS parses these SMTP commands, the PPS rules wait to evaluate
aspects of the message. This evaluation takes place through session calls from the filterd daemon.
For example, when the envelope information arrives, filterd makes a session call to the rules that
evaluate the envelope. If there is a rule that evaluates the body of the message, that is another
session call when the body arrives, if it arrives. It is possible that the rule that evaluated the envelope
decided to discard or reject the message, in which case it is not necessary to scan the body.
There may be a rule that requires additional information in order to make a decision. This information may
be external to the PPS. Filterd performs Asynchronous Information Gathering to fetch the
information required by the rule. For example, a rule may require the sender's IP address to
be verified with a reverse DNS lookup. Filterd performs the query so that the rule can complete its
evaluation and make a decision.
Eventually the rules report back to filterd with a final decision on the message. This allows filterd to
assign a disposition to the message and process it accordingly. We will discuss dispositions later in this
course.


Student Notes
This is an example of the communication that takes place during an SMTP session. This can be
accomplished using any client software that supports a Telnet session. In this example we used Telnet to
connect to an email server. The responses from that email server are shown in red.
To begin, we telnet to the FQDN of the email server. This is the FQDN found during the DNS MX query.
Because telnet connects to port 23 by default, and we want to simulate an SMTP session, which uses port
25, the telnet command must include “25” at the end.
The email server responds with an SMTP return code of 220 followed by some information that further
identifies itself. There are many SMTP return codes and you should reference RFC 2821, 1123, 1893 and
2034 for a complete description, but basically the first digit of the response code denotes whether it is
good, incomplete or simply bad:
2 - Success Reported
4 - Temporary Failure
5 - Permanent Failure
The first command we need to issue to the mail server is the HELO command. This is a basic greeting that
starts the communication between the telnet client and the SMTP server. We include the FQDN of the
sending device that is initiating this session. Important: this FQDN can be spoofed. Later in this course we
will discuss how the PPS can determine if this name is spoofed or not.
Next the mail server responds with another SMTP return code, this time 250. The server trusts us so far
and is ready to continue communication. If the server wanted to reject our session it would respond with
an SMTP return code that began with a 5.
Next, we send a MAIL FROM: command. This identifies the email address of the sender. Again, this can
be spoofed and will be discussed later in the course.
Next, the email server has no problem receiving messages from the value in the MAIL FROM: field and it
responds with another SMTP return code (250) and a note that the sender is OK. If the mail server had a
filter or rule that prevented it from receiving emails from the value in the MAIL FROM: field, then a reject
code would be returned.


Next, we send the RCPT TO: command. This identifies the email address of our intended recipient. The
mail server recognizes this address as a valid recipient and returns SMTP code 250 and a note that the
recipient is OK. If this recipient was invalid (the employee left the company, the address has a typo, no
one with that address exists at the company) then a reject code would be returned.
Next, we issued the DATA command. Everything up to the DATA command is considered the ENVELOPE
of the message. Everything after the DATA command is considered the BODY of the message. The server
responds with a 354 code that simply means to begin sending the body of the message and indicate
when you are done by entering a period on a line by itself.
What follows are the message headers. Shown are the most common message headers. There are many
more that could be displayed but are usually suppressed and not seen by the average email user.
Important: It is not required that the “From” value in the header match the MAIL FROM: value in the
envelope. This is a common spoofing method used by hackers and will be discussed later in this course.
After the message headers we leave a blank line then begin with the content of the message. We indicate
that we are done by leaving a period by itself on the last line. The server responds with a 250 code and a
note that the message was accepted for delivery.
The last command issued is the QUIT command. This lets both parties know that it is time to end the
SMTP session.
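The session walked through above, and the stage-by-stage rule evaluation described in the earlier filterd notes, are easier to see with both sides of the dialogue in code. The following is an added example and not Proofpoint code: a toy receiving MTA that parses the client's commands in arrival order, answers with the reply-code classes described above (2xx success, 4xx temporary, 5xx permanent), and runs each rule only when the stage it needs has arrived. The hostnames (mail.socks.com, mail.shoes.com), addresses, IP addresses, the reverse-DNS table, the recipient directory and the rules themselves are all constructed for the example.

```python
import re

# Disposition precedence: when several rules fire in one stage the highest wins;
# reject and discard stop the message, so later stages are never scanned.
PRECEDENCE = {"continue": 0, "quarantine": 1, "discard": 2, "reject": 3}
STOPS = {"reject", "discard"}

# Constructed stand-ins for data a rule must gather from outside the session
# (what the notes call asynchronous information gathering).
REVERSE_DNS = {"203.0.113.5": "mail.shoes.com"}      # client IP -> PTR name
VALID_RECIPIENTS = {"ross@socks.com"}                # recipient directory


def addr(value):
    """Bare address from 'Name <user@host>' or 'user@host', lower-cased."""
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).strip().lower()


# (rule name, stage that triggers it, predicate over the session, disposition)
RULES = [
    ("helo_not_rdns", "helo",
     lambda s: REVERSE_DNS.get(s["ip"]) != s["helo"], "quarantine"),
    ("blocked_sender", "mail",
     lambda s: s["mail"].endswith("@spam.invalid"), "reject"),
    ("recipient_unknown", "rcpt",
     lambda s: s["rcpt"][-1] not in VALID_RECIPIENTS, "reject"),
    ("header_from_mismatch", "headers",          # header From need not match MAIL FROM
     lambda s: addr(s["headers"].get("from", "")) != s["mail"], "quarantine"),
    ("subject_reject", "headers",
     lambda s: "reject" in s["headers"].get("subject", "").lower(), "reject"),
    ("body_blocked_url", "body",
     lambda s: any("http://bad.invalid" in line for line in s["body"]), "discard"),
]


def evaluate(s, stage):
    """Session call for one stage: run its rules, return the stage's strongest disposition."""
    stage_disp = "continue"
    for name, rule_stage, pred, disp in RULES:
        if rule_stage == stage and pred(s):
            s["fired"].append(name)
            if PRECEDENCE[disp] > PRECEDENCE[stage_disp]:
                stage_disp = disp
    if PRECEDENCE[stage_disp] > PRECEDENCE[s["disposition"]]:
        s["disposition"] = stage_disp
    return stage_disp


def run_session(client_ip, client_lines):
    """Feed the client's lines in order; return (server replies, final session state)."""
    s = {"ip": client_ip, "helo": "", "mail": "", "rcpt": [], "headers": {},
         "body": [], "disposition": "continue", "fired": []}
    if evaluate(s, "connect") in STOPS:
        return ["554 5.7.1 Connection refused"], s
    replies = ["220 mail.socks.com ESMTP ready"]
    in_data = in_headers = False
    for line in client_lines:
        if in_data:                                  # everything after DATA is the BODY
            if in_headers and line == "":
                in_headers = False
                evaluate(s, "headers")               # headers complete: evaluate them now
            elif in_headers:
                key, _, value = line.partition(":")
                s["headers"][key.strip().lower()] = value.strip()
            elif line == ".":
                in_data = False
                evaluate(s, "body")                  # whole body (and attachments) received
                replies.append("250 2.0.0 Accepted for delivery"
                               if s["disposition"] not in STOPS
                               else "550 5.7.1 Message rejected")
            else:
                s["body"].append(line)
            continue
        verb, _, arg = line.partition(" ")           # everything before DATA is the ENVELOPE
        verb = verb.upper()
        if verb == "HELO":
            s["helo"] = arg.strip().lower()
            evaluate(s, "helo")                      # a quarantine here does not change the reply
            replies.append(f"250 mail.socks.com Hello {s['helo']}")
        elif verb == "MAIL":
            s["mail"] = addr(arg.partition(":")[2])
            replies.append("250 2.1.0 Sender OK" if evaluate(s, "mail") not in STOPS
                           else "550 5.1.0 Sender rejected")
        elif verb == "RCPT":
            s["rcpt"].append(addr(arg.partition(":")[2]))
            replies.append("250 2.1.5 Recipient OK" if evaluate(s, "rcpt") not in STOPS
                           else "550 5.1.1 User unknown")
        elif verb == "DATA":
            if s["disposition"] in STOPS:            # envelope already decided: skip the body
                replies.append("554 5.5.1 Transaction rejected at envelope stage")
            else:
                in_data = in_headers = True
                replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("500 5.5.1 Command unrecognized")
    return replies, s
```

Two behaviours are worth noticing when you drive it with the transcript from the page. A rule that fires at the envelope stage with a reject disposition ends the evaluation before DATA, so the body is never collected; a rule that fires on the headers still has to wait for the terminating “.” before the 550 can be sent, because the whole message must be received once DATA has been accepted. A quarantine disposition is silent at the SMTP level: the sender sees the same 250 replies as for a clean message.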


Lab 1-1: Access the PPS and Mail Clients

Objectives
• Access host server (server4.training.proofpoint.com) via RDP with assigned account
• Access vs-xx link for assigned server and view admin, mail2, and mail.ex usernames and passwords
• Login to your PPS server
• Open two additional tabs
• Access the webmail client as your mail 2 user
• Access the webmail client as your mail.ex user

Instructions
1. Instructor assigns your server (vs-xx) and username.
2. Open an RDP session to server4, which is the classroom lab portal.
a. Open a Remote Desktop Connection (RDP); then click Show Options
b. Authenticate to the lab portal server with the following:
• Computer: server4.training.proofpoint.com or 208.86.203.181
• User name: training0\username
c. Click Connect; then enter the password Proof!train9
d. Click Yes to accept the connection
e. From the RDP session, open Firefox
f. A page with the list of classroom servers appears.
g. Click the vs-xx link for your assigned server to see your server details page.
h. Take note of your podadmin, mail2, and mail.ex usernames and passwords
3. Log into your PPS server.
a. Open a new browser tab; then click Bookmarks > vs-xx
b. Log in using these credentials.
• Login: podadmin
• Password: Proof!train9
4. Access the webmail client for the mail2 user.
a. Open a new browser tab; then click Bookmarks > mail2
b. Log in as your mail2_user / train
5. Access the webmail client for the mail.ex user.
a. Open another new browser tab; then click Bookmarks > mail.ex
b. Log in as your mail.ex_user / train
6. Stay logged into the admin GUI and the webmail clients for the next lab. Throughout this course, you
will be generally sending email messages from your mail2_user@training.proofpoint.com to your
mail.ex_user@ex.proofpoint.com.


Lab 1-2: Configure and Test a New Inbound Mail Route

Scenario
You are assigned the task of configuring a new PPS installation to support the ex.proofpoint.com
subdomain. The Proofpoint Protection Server (PPS) has no inbound mail route. You must configure the
inbound mail route, and then confirm mail routing by sending test messages to your mail.ex_user.

Objectives
1. Send a test message from your mail2_user to your mail.ex_user (with no Inbound Mail route, this
message will fail to send)
2. Add an Inbound Mail route
• for domain ex.proofpoint.com
• destination is 10.25.0.92
3. Send three more test messages from your mail2_user client for the following rules

Recipient                          Text in Subject
mail.ex_user@ex.proofpoint.com     continue
mail.ex_user@ex.proofpoint.com     reject
mail.ex_user@ex.proofpoint.com     reply

4. View the message headers to determine the flow of the messages


The PPS email firewall is pre-configured with the following rules:

Rule       Condition                      Action
continue   subject contains “continue”    quarantine, continue to process the message
reject     subject contains “reject”      quarantine, reject the message with a reply
reply      subject contains “reply”       quarantine, reply to sender with a message, continue to
                                          process the message


Instructions
1. Test the behavior of the PPS with no Inbound Mail route.
a. Go to the browser tab for your mail2 user’s webmail client
b. Click Compose
c. In the To field, enter mail.ex_user@ex.proofpoint.com
d. In the Subject field, enter No mail route
e. In the body, enter Hi it’s me
f. Click Send
Your mail2 user will receive an “Undelivered Mail Returned to Sender” message. This message is
sent by the Mail Delivery System.
2. Configure the Inbound Mail route so this server will process messages for the ex.proofpoint.com
domain.
a. Go to the browser tab for your Proofpoint Protection Server
b. From the System tab in the management GUI, navigate to System > Inbound Mail
c. Click Add; then enter the following:
• Mail for Host / Domain: ex.proofpoint.com
• Destination / Error Message: 10.25.0.92
• Leave other default settings as they are
d. Click Save Changes
3. Wait for the change to be saved and synced—until the server node in the status pane shows green.
(The server node icon will show yellow while the configuration change is syncing.)
4. Send the “continue” message from the mail2 user to the mail.ex user.
a. In the To field, enter mail.ex_user@ex.proofpoint.com
b. In the Subject field, enter continue
c. In the body, enter hello it’s me
d. Click Send
5. Check for the “continue” message in the mail.ex user’s inbox.
a. Go to the browser tab for your mail.ex user’s webmail client
b. Click Refresh in the upper right corner
The “continue” message should be in the mail.ex user’s inbox.
6. Send the “reject” message from the mail2 user to the mail.ex user.
a. In the Subject field, enter reject
b. In the body, enter hello it’s me
c. Click Send
Your mail2 user will receive an “Undelivered Mail Returned to Sender” message. This message is
sent by the mailer-daemon@training.proofpoint.com.
7. Send the “reply” message from the mail2 user to the mail.ex user.
a. In the Subject field, enter reply
b. In the body, enter hello it’s me
c. Click Send
Your mail2 user will receive a reply from proofpoint-pps@training.proofpoint.com. The subject of the
message says “This is a reply message”.


8. Check for the “reply” message in the mail.ex user’s inbox.
a. Go back to the browser tab for your mail.ex user’s webmail client
b. Click the Refresh button
The “reply” message should be in the mail.ex user’s inbox.
9. View the message headers to determine the flow of the messages from the mail2 mail client to the
mail.ex mail client.
a. Go back to the browser tab for your mail.ex user’s webmail client
b. Select one of the messages received by the mail.ex user
c. Select the menu icon (aka the “hamburger”)
d. Select View source
The header entries show the flow of the message.
See sample below.
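Reading the Received headers by hand, as step 9 asks, is the basis of the chronological and network analysis revisited in Appendix A. The following added example (not code from the Proofpoint guide) does the same reading programmatically: it parses a constructed raw message, reconstructs the hop chain in chronological order, and checks that each hop's receiving host is the next hop's sending host and that time never runs backwards. The message, its hostnames (webmail, mail2 and pps under training.proofpoint.com, mail.ex.proofpoint.com), IP addresses, queue ids and timestamps are all invented for the example; only the lab's user addresses are taken from the page.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: a message from the mail2 user that passed through the PPS on
# its way to the mail.ex server. MTAs prepend their Received header, so the
# bottom-most header is the first hop and the top-most is the last.
RAW_MESSAGE = """\
Received: from pps.training.proofpoint.com (pps.training.proofpoint.com [10.25.0.20])
    by mail.ex.proofpoint.com with ESMTP id 7A1B2C3D
    for <mail.ex_user@ex.proofpoint.com>; Tue, 01 Nov 2022 10:15:08 -0700
Received: from mail2.training.proofpoint.com (mail2.training.proofpoint.com [10.25.0.10])
    by pps.training.proofpoint.com with ESMTP id 4E5F6A7B
    for <mail.ex_user@ex.proofpoint.com>; Tue, 01 Nov 2022 10:15:05 -0700
Received: from webmail.training.proofpoint.com (localhost [127.0.0.1])
    by mail2.training.proofpoint.com with ESMTP id 1C2D3E4F
    for <mail.ex_user@ex.proofpoint.com>; Tue, 01 Nov 2022 10:15:02 -0700
From: mail2_user@training.proofpoint.com
To: mail.ex_user@ex.proofpoint.com
Subject: continue

hello it's me
"""

# "from <host> ... by <host>"; re.S lets the match span folded header lines.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def parse_received(value):
    """Split one Received header into its from/by hosts and its timestamp."""
    m = HOP_RE.search(value)
    if not m:
        raise ValueError(f"unparseable Received header: {value!r}")
    stamp = value.rsplit(";", 1)[1].strip()          # the date follows the last ';'
    return {"from": m["from"], "by": m["by"], "time": parsedate_to_datetime(stamp)}


def message_hops(raw):
    """Return the hops oldest first: reverse the header order because MTAs prepend."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def chain_is_consistent(hops):
    """True when every hop hands off to the host named in the next hop and time moves forward.

    A break in the chain is the classic sign of a Received header that was inserted
    by the sender rather than stamped by a relay, and is worth a closer look.
    """
    for earlier, later in zip(hops, hops[1:]):
        if earlier["by"] != later["from"] or later["time"] < earlier["time"]:
            return False
    return True


def transit_seconds(hops):
    """Total time between the first and the last relay stamp."""
    return int((hops[-1]["time"] - hops[0]["time"]).total_seconds())
```

When you apply this to the source of a real message from the lab, expect the trusted part of the chain to start at the first relay you control; anything below that was written by hosts outside your administration and can only be taken at face value.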



Lesson 2: Email Protection Infrastructure
Introduction
The Proofpoint Protection Server (PPS) is a powerful software application that integrates spam detection,
virus protection, message encryption, regulatory compliance, and digital asset protection technologies
into an extensible message management platform.
This lesson explores the available PPS deployment options, its management interface, software
components, and configuration best practices.


Student Notes
On-Premises
• Services such as filtering, storage, and archiving are maintained inside the organization
• Advantages
  • Control of data
Cloud Service
• Advantages
  • Lower maintenance, lower initial costs, elastic
Hybrid
• Attempts to maximize the benefits of both with minimum risks
• Types
  • hybrid-user, hybrid-function, hybrid-location


Student Notes
A cluster is a collection of Proofpoint servers. One server is designated as the Config Master, and the
remaining servers are designated as Filtering Agents. The agents filter and relay the messages, and the
master provides centralized configuration and administration through the web-based management
interface. The master can be enabled for filtering, in fact this is the default setting. For large deployments
Proofpoint recommends turning off filtering on the master so that it can be dedicated to administrative
tasks. Deploying two or more agents provides redundancy and eliminates a single point of failure. The
standard cluster is scalable and can grow to 25 or more agents to handle increased workload.
The master pushes a consistent configuration to the agents while simultaneously consolidating the logs
and quarantine repositories from the agents. Messages that pass filtering are relayed to the email servers
directly from the filtering agents. They are not routed through the master.
Every five minutes the master connects to a Proofpoint Update Server to check for new spam definitions,
module updates, system upgrades, software patches, virus signatures, etc.
Agents can be added to your cluster that are dedicated to certain tasks. These are referred to as Optional
Nodes. These nodes can help improve PPS performance in high-volume messaging environments. There
are three optional nodes:
• Quarantine. The Quarantine Node maintains the Quarantine and the Incident Queue databases. The
advantage to designating a Quarantine Node is scalability. By moving the Quarantine off the master
Proofpoint Protection Server, you are balancing the load in the cluster.
• Smart Search. By default, the Smart Search database is maintained on the Config Master.
Administrators have the option of adding an agent to a cluster and designating it as the Smart Search
Node. Each agent in a cluster that is filtering email forwards its logs of sendmail events and filtering
events to the Smart Search Node for aggregation, indexing, and analysis.
• Log Node. The Log Node is similar to the Smart Search Node. By default, the log database is
maintained on the Config Master. Administrators have the option of adding an agent to a cluster and
designating it as the Log Node. Each agent in a cluster that is filtering email forwards its logs of
sendmail events and filtering events to the Log Node for aggregation and reporting.

Student Notes
Proofpoint on Demand (PoD) is the hosted cloud-based PPS service. It is the same cluster architecture,
but the servers are not on-premises. Proofpoint manages the hardware in one of many data centers.
Customers still configure their cluster by logging into the configuration master as if the cluster were
on-premises. The entry point for your company's email is the cloud-based cluster, and once filtering is
complete, messages are relayed to your on-prem email server or another hosted email service such as
O365, Gmail, etc.

Student Notes
The default management screen displays the PPS modules as tabs across the top. The left-hand menus
are submenus of each tab.
In the example of the management interface above, the admin user is logged in. Admin is the default
account for on-premises PPS deployments. This account is a “super-user” account and has unrestricted
access to all modules and configurations. It controls the administrative privileges for all other
administrator accounts.
Only the admin account can access the command line interface (or CLI). No other account, even if
designated a “super-user” account, can access the CLI.
Best practices dictate that the admin account should be carefully controlled: it should not be the main
account used by administrators to log into the PPS, and its password should be changed on a regular
basis.

Student Notes
The System Tab and its submenus include items that are not specific to the Email Protection Module or
the Information Protection Module. Most of your administrative functions for the PPS will be done under
this tab. PoD customers will not see the “Appliance” submenu.
These submenus will be explored throughout the remainder of this course.

Student Notes
The Email Protection tab and its submenus are where you will configure the Email Protection module.
There may be different menu items listed here based on the add-ons that have been purchased. For
example, if you have not purchased the license for Targeted Attack Protection, that submenu will not be
displayed. These submenus will be explored throughout the remainder of this course.

Student Notes
The Information Protection tab and its submenus are where you will configure the Information Protection
module. There may be different menu items listed here based on the add-ons that have been purchased.
These submenus will be explored throughout the remainder of this course.

Lab 2-1: Configure PPS GUI Settings

Scenario
Customizing the PPS GUI is useful for organizations that have multiple clusters. It makes it easier to
tell inbound clusters from outbound clusters.
You are also tasked to increase the timeout interval for this classroom setting. For your production
system, we recommend you keep the default timeout setting.

Objectives
• Change the Admin Server Session Timeout setting to 300 minutes (For classroom use only)
• Configure the Custom Header with a Header Gradient color of your choice
• Configure the Custom Header with a Header Text that uses the name of your PPS server
• Log out of the Admin GUI and log back in to verify the changes

Instructions
1. Change the Admin Server Session Timeout setting on your PPS server.
a. From the System tab, select System > Settings > Admin Server; then wait a minute or so for the
page to open
b. Change the Admin Server Session Timeout to 300 minutes
c. Click Save Changes; then wait a minute or so for the save and sync process to complete
2. Configure the Admin Server Custom Header.
a. From the Admin Server page, scroll down to Custom
b. For the Header Gradient, select a color of your choice
c. For the Header Text, enter the name of your server: vs-xx Server
d. Set Show on Login to On
e. Click Save Changes; then wait for the save and sync process to complete
3. At the top of the GUI page, select Logout.
The login dialog appears with the color you selected and the header text you entered.
4. Log in as podadmin / Proof!train9.
Notice the management GUI header is the color you selected and shows the name of your server.
Also notice the page that appears is the same page that was open when you logged out. Each time
you log in to your PPS server, it will open to the page you were on when you logged out—this is called
navigation menu persistence.
5. (Optional) Disable navigation menu persistence.
a. Under Navigation Menu, turn Enable Persistence Off
b. Click Save Changes; then wait for the save and sync process to complete
c. Log out, then log in again
The System > Summary page is now your default GUI page.

Student Notes
The PPS operating system is based on CentOS, which uses the Red Hat Enterprise Linux kernel. As is typical
with most security appliances, it has been hardened by removing or deactivating all services that have no
relevance to the PPS. In addition, rules have been added to iptables to block unnecessary or unused TCP
or UDP ports. It is a 64-bit system, and when installed onto hardware by Proofpoint, the software is
tuned for the size of server used.

Student Notes
Under the hood, the PPS runs on a Unix operating system. Background processes in Unix are called
daemons, and the name of each usually ends with a “d” for daemon. The software contained in the PPS product is
primarily the Filter Daemon (filterd). This is the process that performs the actual filtering based on
intelligence derived from the rules and policies defined by the administrator.
The Spam Engine is of our own design. It uses the spam definitions (retrieved by each PPS cluster every
five minutes) to generate multiple spam classifier scores for each message. These scores trigger rules
that dictate how the message is to be handled. Spam Detection is discussed later in this course.
Proofpoint Encryption is a fully integrated encryption and decryption solution based on symmetric-key
algorithms and requires no special software on the part of the recipient in order to decrypt a message.
Authenticated users can decrypt, forward, and reply to encrypted messages using a browser-based
interface.
Smart Search is a filter log searching tool. Filter logs are created by the filtering agents, then aggregated
and consolidated onto the master. The master converts them into a MySQL database for faster searching
using Smart Search.
The Conversion Engine (known as cvtd or the convert daemon) is responsible for deconstructing a
message as it arrives so that rules that are only interested in a certain part of the message (the envelope,
the headers, the body) can be provided with that information as soon as it's available rather than waiting
for the entire message to arrive.
The Message Transfer Agent logic for delivery of messages is done by Sendmail, the same Sendmail that
exists in standard Unix/Linux systems.

Student Notes
The PPS does include some third-party software. The Virus Engine is from F-Secure. The software used to
manage the MySQL database for the purposes of Smart Search is MariaDB. The software that provides all
of the web services (management web interface, end user web interface, decryption web interface) is
Apache/Tomcat.

Student Notes
The configuration master communicates with the filtering agents over specific TCP ports. If the master
and the agents are separated by any kind of firewall or router, it is important to allow communication
over these ports:
• 3306 (Database)
• 10000 (Configuration)
• 10010 (Logs)
All name servers must be able to resolve the names of the master and all of the agents. For example, with
a widely distributed cluster having filtering agents located in different parts of the world, it is very important
that the name servers in those parts of the world are able to recognize the master's name so that the
agents can find the master.
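As an added check (not Proofpoint code), the script below is meant to be run on a filtering agent: it confirms that the cluster names resolve locally and that the master answers on the three ports listed above. The function names, the agent-to-master direction of the port test and the placeholder host name are assumptions.

```python
"""Added check (not Proofpoint code): run on a filtering agent to confirm that the cluster
names resolve and that the Config Master answers on the master/agent ports the guide lists."""
import socket
import sys

CLUSTER_PORTS = {3306: "Database", 10000: "Configuration", 10010: "Logs"}

def resolve(name):
    """Address the local resolver returns for name, or None if the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_cluster_paths(master, agents, resolve=resolve, tcp_open=tcp_open):
    """Return a list of problems: cluster names that do not resolve from this host, and
    master ports this host cannot reach (the guide lists the ports without a direction;
    agent-to-master is what is checked here). resolve/tcp_open are injectable so the
    logic can be exercised without a network."""
    problems = [f"{name}: does not resolve from this host"
                for name in [master, *agents] if resolve(name) is None]
    for port, purpose in CLUSTER_PORTS.items():
        if not tcp_open(master, port):
            problems.append(f"{master}:{port} ({purpose}) unreachable; "
                            "check firewalls/routers between master and agents")
    return problems

if __name__ == "__main__":
    # usage: python check_cluster_paths.py <master-name> [<agent-name> ...]
    master, *agents = sys.argv[1:] or ["pps-master.example.invalid"]  # placeholder name
    for line in check_cluster_paths(master, agents) or ["all cluster paths OK"]:
        print(line)
```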

Student Notes
Proofpoint releases regular updates to the Proofpoint Protection Server software. These incremental
updates include new features, bug fixes, and critical updates. As many of these incremental updates can
be automatically deployed, a "What is New" icon is displayed in the upper right corner of the management
interface. When you click this icon, it displays more information about the latest product update.
Always refer to the knowledge base for release notes on new updates and information on patches.
Configuration changes and the Quarantine are not available during an update. Most of the menus in the
management interface are not available until the update completes. An "Update in Progress..." message
displays in the upper right corner of the management interface during a software update.

Lesson 3: Message Processing
Introduction
Policy routes provide a method for grouping connection and envelope attributes into conditions. Policy
routes are similar to rules, in that they are comprised of one or more conditions administrators use to
apply filtering modules and rules to messages in a specific route.
Policy routes are available as a condition in rules and globally restrict the filtering modules. The number of
policy routes needed varies according to the complexity of your messaging infrastructure.
This lesson reviews conditions available when building a policy route, default policy routes, and updating
the outbound policy route. It also teaches how to create a rule and explains disposition precedence.

Student Notes
Proofpoint Protection Server is deployed between the customer’s email infrastructure and the Internet by
changing the customer’s MX records to point to the PPS hostname or IP address.
Filtering is at the heart of message management and disposition in the PPS. As an email administrator,
you will spend the bulk of your time monitoring your email systems for any unauthorized or suspicious
activity and adjusting the filters to deal with any security issues that arise.
filterd is the name of the daemon that does all of the filtering based on your rules and policies, which you
will configure through the management GUI. filterd spawns multiple instances as needed.

Student Notes
As additional modules act on messages, multiple rules can trigger. If one rule says to discard the
message, but another rule says to deliver the message, what should the PPS do?
Each of the modules has a precedence order. If the rule that says to discard the message has a higher
precedence than the rule that says to deliver the message, the message will be discarded.

Student Notes
A disposition is comprised of a delivery method and delivery options.
When a message triggers more than one rule, only one disposition can be chosen as the action. The
action that PPS chooses is based on the above order of disposition precedence.

Student Notes
Policy Routes allow you to include or exclude messages from being filtered, which helps reduce load on
the PPS. This feature is useful, for example, if you do not want to use PPS resources to filter messages
from senders that you trust. Suppose you want the Spam Detection Module to filter all inbound email,
except email from trusted partners. After defining the routes, you can apply spam filtering for all inbound
email from everyone and exclude inbound email from your partners from spam filtering. For each filtering
module, you can choose to which routes to apply email filtering and which routes to ignore on a per-
module basis. When you exclude a specific route from filtering by a specific module, the inbound or
outbound email on that route will not be filtered by that module and no rules will trigger for email for that
route.
PPS comes with the following default policy routes:
• internalnet
    • Prevents blocking of mail from internal networks
    • Pre-populated with the local host's IP address
• outbound
    • Defines one or more machines allowed to send outbound mail
    • Not pre-populated
• spfsafe
    • Defines one or more safe sender domains that adhere to the SPF protocol
    • Verifies legitimacy of senders
    • Not pre-populated
• tls_fallback
    • Used with the tlsfallback Buffer Queue
    • When the transport layer security (TLS) route is enabled, PPS attempts TLS encryption
    • If that fails, Proofpoint Encryption is used instead
    • Pre-populated with a condition indicating the message was sent from the Buffer Queue

• xclient_trusted
    • Create a list of trusted senders from which your organization accepts the XCLIENT command
• allow_relay
    • Triggers when the incoming connection is allowed to relay mail to external domains
    • Use to exclude mail from being processed by the Proofpoint Dynamic Reputation service
    • Prevents throttling of mail originating internally
• tls
    • Used for transport layer security (TLS) routing
• default_inbound
    • Created automatically for the appliance when inbound filtering is configured
    • Determines which inbound mail is accepted for filtering
    • Determines the destination hosts responsible for mail delivery
• pp_spoofsafe
    • Messages sent from authorized trusted senders bypass the pp_antispoof Email Firewall rule
    • This policy route is typically used for mass mailings sent on behalf of your organization
• journal
    • Used to indicate the journal feed from Internal Mail Defense

Student Notes
Policy Routes are used to define a subset of messages within the mail flow to which filtering rules can be
applied:
• Used to filter messages based on connection and envelope information
• Composed of one or more conditions
• Used as a control mechanism to specify which modules and rules are applied to messages
• Shed processing load
    • If the policy route evaluates FALSE, no rule processing takes place
Policy Routes are useful for testing new rules while systems are live and in production.
Two classes of conditions are available when building Policy Routes:
• Connection Conditions
• Envelope Conditions
A Policy Route can apply on a global level - for example, "filter all inbound messages for virus infections" -
and on a per-rule level - for example, "for the recipients included in Policy Route X, discard all virus-
infected messages." This allows for the most granularity and control over filtering modules and rules in
filtering modules.
Examples of Policy Routes:
• policy_route_A - Sender IP Address Ends With 232.21 AND Country Code Equals ar
• policy_route_B - Sender Hostname Contains proofpoint.com AND Envelope Sender Belongs To Group legal
Once defined, Policy Routes are made available throughout the product.

Student Notes
Policy routes allow your PPS to determine the direction your messages are flowing. Unlike a network
firewall where traffic arrives on one interface and leaves on another, thereby making the traffic direction
obvious, the PPS has one interface connected to your network. In order for the PPS to recognize inbound
traffic from outbound traffic and the appropriate rules to apply, you must use policy routes to identify that
traffic.
Policy Routes are used with rules and modules for directional filtering. Your appliance has no concept of
direction until it is set up by a combination of inbound mail routes and policy routes. Inbound is mail
coming from the Internet to domains you control. Outbound is mail coming from your servers to
domains you do not control. You can set your policy routes for inbound and outbound attributes and then
create rules and restrict them to inbound and outbound policy routes.

Student Notes
Conditions are what rules and policy routes are based on. Complex conditions are created by joining
conditions on different parts of the message with “and,” or by combining conditions with “or.” Keep in mind,
though, that complex conditions don’t fire until the end of the message. Using a list of values instead of
combining conditions with “or” is usually more efficient, and a list of values can also be used with dictionaries.
Implementing inefficient rules can have a serious impact on your system, so it’s always best to test a rule
against a test email address, using Quarantine and Continue, before implementing the rule system-wide.
Two types of conditions can be used to define a policy route. One type is Connection Conditions:
• Country code
• Local Hostname
• Local IP
• Sender HELO Domain
• Sender Hostname
• Sender IP Address
• Sender Reverse IP Address
The other type is Envelope Conditions:
• Envelope Recipient
• Envelope Recipient Belongs to Sub-Org
• Envelope Recipient Belongs to Group
• Envelope Sender
• Envelope Sender Belongs to Sub-Org
• Envelope Sender Belongs to Group
• Message Header From (Address Only)
Other policy routes can also be used as conditions.

Student Notes
Rules enforce your organization’s messaging policies.
• Determine what messages are allowed and what messages are not allowed.
• Rules may be defined in different modules in PPS and enforce different policies. Examples:
    • Email Protection rules enforce policies to protect against spam and other malicious message types
    • Regulatory Compliance rules protect against accidental disclosure of Personal Healthcare or
      Personal Financial information
    • Digital Asset rules protect against disclosure of corporate assets via email
Rule Components:
• ID and Description
    • Note: no spaces or hyphens are allowed in the Rule ID
• Policy Routes
    • Determine which messages are evaluated.
    • Unless a policy route is defined, ALL rules evaluate EVERY message.
• Conditions
    • Define “interesting” information
    • Trigger policy decisions
    • Determine that an action needs to be taken
• Dispositions / Actions
    • Determine what action to take when a rule evaluates true.
    • Quarantine option
    • Delivery method: to allow, to block, to encrypt, to modify header information
    • Other options

Student Notes
There are three components to a rule: Settings, Conditions, and Dispositions.
When creating a rule, the Settings component is where you will enable the rule, give it a unique rule ID,
and provide an optional description.
Having the enable option on this screen allows an administrator to fully configure the rule and save it
without enabling it. That way, if there are policies such as change control or supervisor review, those can
be completed before the rule is enabled.
The ID (name) of the rule consists only of letters, numbers and one special character, the underscore. No
spaces or any other special characters are allowed. IDs will always be lower case, even if typed in upper
case. Once the rule is saved the ID cannot be changed, so choose the names of your rules carefully. The
only option is to clone the rule, give the clone a better name, and delete the original.

Student Notes
The next component is Conditions. This is where you will decide which messages you want this rule to
inspect, and what specifically in the message you want to inspect.
The first part is where you will define the messages that should or should not be inspected by this rule by
choosing a policy route. If no policy route is chosen, then ALL messages will be inspected against the
rule. You can restrict the rule to only inspect certain messages by enabling the "Restrict processing to
selected policy routes" checkbox. Only messages that match the criteria defined in the policy route you
choose will be inspected. Or you can specify certain messages that this rule should not inspect by
enabling the "Disable processing for selected policy routes" checkbox.
Strategies for simplifying conditions:
• Use a list of values instead of many ORs
    • The complete list of options is available in Help
• Carefully check Boolean logic and regex
    • Use simple Boolean logic
    • Test regular expressions
• Use policy routes instead of complex conditions

Student Notes
Next you will start building the conditions. There are many message attributes to choose from:
• Connection attributes
• Envelope attributes
• Message attributes
These attributes can be combined by using the AND/OR operators.
Example Conditions:
• Attachment File Size is Greater Than xx Bytes
• Detected Language Equals Portuguese
• Detected Language Does Not Equal Portuguese
• Envelope Recipient Belongs to Sub-Org Legal AND Envelope Recipient Does Not Belong to Group Marketing
• Sender IP address equals x.x.x.x OR Sender IP address is in Network x.x.x.x/x

Student Notes
Composite conditions are two or more conditions joined by OR or AND operators.
• Conditions joined with OR
    • Conditions joined by OR are evaluated only until the first condition that evaluates true. At that
      point any remaining conditions are not evaluated, and the rule is triggered.
    • If the conditions are all of the same SMTP type, the rule is evaluated on that session call.
• Conditions joined with AND
    • If a rule contains conditions joined by AND within a single session call, the rule is evaluated on
      that session call.
    • Rules containing conditions joined by AND across different session calls are not evaluated until
      the end of message processing.
A complex condition includes nested sub-conditions under a condition. For example:
• Envelope Sender Email Address equals “esteele@training.proofpoint.com”
  AND
    • Envelope Recipient Email Address equals “dhodges@training.proofpoint.com”
      OR
    • Envelope Recipient Email Address equals “mbrowning@training.proofpoint.com”

Student Notes
The final component of a rule is the Disposition. The disposition is the action taken if the condition is met.
The first option is Quarantine message. This is an option and is not a final disposition. If you select this
option, you will then have to specify to which folder you would like the copy of the message to be placed.
Remember this is just a copy. The original message will have a final disposition assigned to it that may still
deliver the message.

Student Notes
The Email Firewall module is not the only module that uses rules. Other modules such as the Email
Authentication module and the Regulatory Compliance module also use rules to handle messages. They
are all very similar and once you understand how to create the basic rules in the Email Firewall module,
the rules in the remaining modules will be intuitive.

Student Notes
Rule order matters. Rules are processed from the top of the list down. If you create a new rule to block a
message and place that rule at the bottom of the list, but there is an existing rule at the top of the list that
allows the message, then the message will be allowed and will never make it down the list to your block
rule. To change the order of your rules, click on the up/down arrows in the "Order" column.
Tips for creating efficient rules:
• Rules can be crafted to reduce load
    • Reject at the SMTP envelope level with useful information
• Use strategies to reduce the number of rules applied to each message
    • Order of arrival
    • Policy Routes
    • Quarantine negates load-shedding effects
• Use Policy Routes to your advantage when creating rules
    • Be careful not to exclude your rule from ever firing based on combined policy routes
    • When you put envelope/connection conditions within the rule, the rule must be evaluated
    • Envelope/connection conditions in a Policy Route can keep the rule from evaluating at all
    • Multiple Policy Routes applied to a rule are “OR” conditioned
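The following is an added illustration, not Proofpoint code, of the mechanics described in this lesson: the policy-route gate on a rule (restrict/disable, with several routes ORed), the rule ID rules from the Settings page, and the session call on which an OR/AND composite condition can be decided, using the guide's own policy_route_A, the Lab 3-1 production_test route and reply rule, and the nested-condition example. The attribute and operator names, the attribute-to-session-call mapping, the class names and the treatment of a mixed-type OR as deferred to end of message are assumptions.

```python
"""Added illustration (not Proofpoint code): policy-route gating of rules, rule ID
normalisation and the session call on which a composite condition can be decided."""
import re
from dataclasses import dataclass, field

# SMTP "session calls" in the order filterd sees the data; END means the rule cannot
# be decided before the whole message has arrived.
CONNECTION, ENVELOPE, BODY, END = "connection", "envelope", "body", "end of message"
PHASE_OF = {  # condition attribute -> session call that supplies it (assumed mapping)
    "sender_ip": CONNECTION, "country_code": CONNECTION, "sender_hostname": CONNECTION,
    "envelope_sender": ENVELOPE, "envelope_recipient": ENVELOPE, "subject": BODY,
}
OPERATORS = {  # operators as named in the guide's example conditions
    "equals": lambda actual, value: actual == value,
    "contains": lambda actual, value: value in actual,
    "ends_with": lambda actual, value: actual.endswith(value),
}

@dataclass
class Cond:
    attribute: str  # one condition row: attribute, operator, value
    operator: str
    value: str

    def test(self, msg):
        return OPERATORS[self.operator](msg.get(self.attribute, ""), self.value)

    def phases(self):
        return {PHASE_OF[self.attribute]}

@dataclass
class Composite:
    op: str      # "AND" or "OR"
    parts: list  # Cond or nested Composite

    def test(self, msg):
        # OR stops at the first true part and never evaluates the rest; any()/all() do the same
        check = any if self.op == "OR" else all
        return check(p.test(msg) for p in self.parts)

    def phases(self):
        return set().union(*(p.phases() for p in self.parts))

def decision_phase(cond):
    """One SMTP type everywhere -> decided on that session call; mixed types -> deferred
    to end of message (the guide states this for AND; assumed here for OR as well)."""
    phases = cond.phases()
    return next(iter(phases)) if len(phases) == 1 else END

@dataclass
class PolicyRoute:
    route_id: str
    conditions: list  # connection/envelope conditions; all must hold

    def matches(self, msg):
        return all(c.test(msg) for c in self.conditions)

@dataclass
class Rule:
    rule_id: str
    condition: object
    require_any_of: list = field(default_factory=list)     # "Restrict processing to selected policy routes"
    disable_for_any_of: list = field(default_factory=list)  # "Disable processing for selected policy routes"

    def __post_init__(self):
        # IDs are forced to lower case and may contain only letters, digits and underscore
        self.rule_id = self.rule_id.lower()
        if not re.fullmatch(r"[a-z0-9_]+", self.rule_id):
            raise ValueError(f"invalid rule ID {self.rule_id!r}")

    def applies(self, msg):
        """Policy-route gate: several routes are ORed, and a disabling route always wins."""
        if self.require_any_of and not any(r.matches(msg) for r in self.require_any_of):
            return False
        return not any(r.matches(msg) for r in self.disable_for_any_of)

    def triggers(self, msg):
        return self.applies(msg) and self.condition.test(msg)

# The guide's policy_route_A, the Lab 3-1 route and reply rule, and its nested condition
policy_route_A = PolicyRoute("policy_route_A", [Cond("sender_ip", "ends_with", "232.21"),
                                                Cond("country_code", "equals", "ar")])
production_test = PolicyRoute("production_test",
                              [Cond("envelope_sender", "equals", "mail2_user@training.proofpoint.com")])
reply_rule = Rule("reply", Cond("subject", "contains", "reply"), disable_for_any_of=[production_test])
complex_rule = Rule("Complex_Example", Composite("AND", [  # mixed-case ID is lower-cased on save
    Cond("envelope_sender", "equals", "esteele@training.proofpoint.com"),
    Composite("OR", [Cond("envelope_recipient", "equals", "dhodges@training.proofpoint.com"),
                     Cond("envelope_recipient", "equals", "mbrowning@training.proofpoint.com")])]))

# Constructed sample message carrying only the attributes the conditions inspect
MAIL2_MSG = {"sender_ip": "10.0.0.5", "country_code": "us", "sender_hostname": "mail.training.local",
             "envelope_sender": "mail2_user@training.proofpoint.com",
             "envelope_recipient": "mail.ex_user@ex.proofpoint.com", "subject": "reply please"}
OTHER_MSG = dict(MAIL2_MSG, envelope_sender="someone@example.com")

if __name__ == "__main__":
    print("reply rule fires for mail2 user:", reply_rule.triggers(MAIL2_MSG))  # False: route disables it
    print("complex rule can be decided at:", decision_phase(complex_rule.condition))  # envelope
```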

Lab 3-1: Configure and Test Policy Routes

Scenario
Your PPS has several preconfigured rules. The reply rule is configured to send a reply when the word
“reply” is in the subject field.

Objectives
• Configure a policy route to prevent the preconfigured reply rule from processing messages sent by your
mail2 user
• Test the new policy to verify it works

Instructions
1. Configure a policy route to bypass the reply rule.
a. From the System tab, navigate to System > Policy Routes
b. Click Add
c. For the Route ID, enter production_test
d. Click Add Condition; then select or enter the following.
• Condition: Envelope Sender
• Operator: Equals
• Value: mail2_user@training.proofpoint.com
e. Click Add Condition.
f. Click Save Changes.
2. Test the policy route with the reply rule.
a. Select the Email Protection tab
The Email Firewall Rules page appears
b. Scroll down to the bottom of the list of rules; then edit the reply rule
c. Under Conditions, for the Policy Routes, select the checkbox for Disable processing for
selected policy routes

d. From the Available list, select production_test; then click the >> button to add the policy route to
the Disable For Any Of list
e. Click Save Changes
3. Test the policy route.
a. Log in to the mail server as the mail2_user; then compose a message using the following:
• To: mail.ex_user@ex.proofpoint.com
• Subject contains: reply
• Message body contains: Hello again
b. Click Send
How does this compare to the last time you did this? The production_test policy route prevented the reply
rule from processing this message.
How complex would the reply rule have to be without the Policy Route option?
To get the same results you would have to use a condition with the DOES NOT EQUAL operator.

Lab 3-2: Create a Firewall Rule

Scenario
You are tasked to create a new rule to test the Proofpoint Protection Server email firewall.

Objectives
• Create a rule to change the subject for messages from training.proofpoint.com whose envelope sender
email address contains “training”
• Test the change_subject rule to verify the message is sent with the changed subject (Modify Subject and Continue)

Instructions
1. Create a rule to change the subject for messages from training.proofpoint.com.
a. From Email Firewall > Rules, click Add Rule
b. For Enable, select On
c. For the ID, enter change_subject
d. Policy routes: select Restrict processing to… and enable the default_inbound policy route
(use >> to move default_inbound to Require Any Of:)
e. Click Add Condition; then configure the following:
• Condition: Envelope Sender
• Operator: Contains
• Value: training
f. Click Add Condition
g. Under Dispositions, make sure Continue is selected
h. Check the box: Change subject based on detected language
i. In the Subject field, enter Rule Works: ${Subject}
j. Click Add Rule (at top)
2. Test the change_subject rule.
a. Go to the mail2_user mail client tab; then compose a message using the following:
• To: mail.ex_user@ex.proofpoint.com
• Subject contains: Modify Subject Test
• Message body contains: Hi again
b. Click Send
3. Check the mail.ex_user’s inbox to verify the message was delivered with the changed subject.
4. Disable the change_subject rule and save changes.

Lesson 4: Quarantine
Introduction
The Quarantine is an area where copies of messages that triggered rules can be stored for further review.
These messages are stored in a database on the Proofpoint Protection Server and are accessible through
the management interface.
Administrators can create Quarantine folders to further organize messages in the Quarantine. For
example, you can create separate folders for messages sent to the Quarantine that contain adult content,
are infected with a virus, or trigger an Email Firewall rule.

Student Notes
This shows where Quarantine fits in the mail processing flow.
Most modules in the PPS have rules that can be configured to quarantine messages for a variety of
reasons. The Quarantine is a repository where copies of messages can be stored for further review. The
messages are stored in a database on the PPS and are accessible through the management GUI.

Student Notes
Navigate to System > Quarantine > Folders to view the default Quarantine folders in your PPS.
Administrators can create additional Quarantine Folders to further organize messages in the Quarantine.
For example, you can create separate folders for messages sent to the Quarantine that contain adult
content, are infected with a virus, or trigger an Email Firewall rule.
When a PPS cluster consists of multiple filtering agents, each agent system maintains a local Quarantine
Queue. Messages are transferred from the agent's queue to the PPS master (or Quarantine node if in
use). When you view and manage the messages in the Quarantine, you are managing a consolidated
repository of all the messages from all of the systems in the cluster. If for any reason the master Proofpoint
Protection Server is temporarily off-line, the agent systems continue to populate their local Quarantine
queues until the master Proofpoint Protection Server is back on-line. At that point the messages are
transferred from the agents to the master Proofpoint Protection Server Quarantine.
By default, messages in the Quarantine are stored for two weeks. Avoid long retention periods or quarantining large messages, because every quarantined copy consumes database space on the master. Remember that Quarantine is not a final disposition: it is an optional action that can be taken when a rule is triggered, but it does not define the final action.

Student Notes
To search for quarantined messages, from the System tab navigate to Quarantine > Messages. Enter
your search criteria in the top pane of the screen. Most search fields are self-explanatory.
Administrators typically select a folder from the folder drop-down list before initiating a search query. The
all folders choice will apply the search query to all of the folders to which the administrator has access. Be
aware that selecting all folders may increase the time it takes for the search query to complete.
If the Maximum Age search criterion is set to Auto, only messages injected into the Quarantine in the last
24 hours will display.
The Fast Query feature noticeably speeds up a query when you are searching for messages that meet
specific search criteria. To temporarily disable the Fast Query feature, clear the Fast Query check box. You
will see a message warning you that the query will slow down considerably.
You can narrow down a search even further by using the advanced search criteria. Click the Advanced
Search button to see the advanced search options on the Quarantine > Messages page.
Important: Click the Reset button after a search. If you hide the Advanced Search criteria without
resetting, the advanced criteria will continue to apply to a simple search.

Student Notes
Quarantining a message can negate the benefit of load shedding. If a rule can decide a message's fate from the envelope alone (for example, the envelope sender or recipient), PPS can assign that disposition and stop processing before the message body arrives. If that rule also quarantines the message, PPS must receive the entire message in order to copy it to the quarantine folder.
As the remainder of the message is received, additional rules may trigger and different dispositions may be assigned, consuming further processing resources.

Student Notes
A disposition is comprised of a delivery method and delivery options.
When a message triggers more than one rule, only one disposition can be chosen as the action. PPS chooses the action according to the order of disposition precedence shown on the slide.

Student Notes
To quarantine a message, select the Quarantine Message check box under the Dispositions section of a
rule. Once selected, a drop down will appear and you must choose which folder you want the message to
be copied to. You can edit the properties of the folder or create a new folder from here. You can also make
these changes by navigating to System > Quarantine > Folders.
As previously noted, quarantining only stores a copy of the message; it is not a disposition. It also requires the entire message to be received. For these reasons, avoid quarantining large items or keeping quarantined messages for too long.
When building a rule, keep in mind that if a copy of a message is sent to the Quarantine, the message continues to be filtered by all of the modules and may trigger more than one rule. The delivery method with the highest priority then becomes the final disposition for the message.

Student Notes
If more than one filter module attempts to copy a message to a quarantine folder, the message is copied to the folder specified in the rule from the module with the higher precedence. For example, if both an Email Firewall rule and a Spam Detection rule are triggered by the same message, Spam Detection has the higher precedence, so the message is copied to the folder that the Spam Detection rule specifies (in this example, the folder named Quarantine). If multiple rules are triggered within the same module, the quarantine folder specified in the first rule to fire is used.

Student Notes
If a copy of a message is sent to the Quarantine, the message continues to be filtered by all of the modules and may trigger more than one rule. The delivery method with the highest priority becomes the final disposition for the message.
For example, suppose a message triggers an Email Firewall rule that places a copy in the "Spoofed" folder and also triggers a Spam Detection rule that places a copy in the "Suspected SPAM" folder. Because the Spam Detection module has higher precedence than the Email Firewall module, the single copy goes to the "Suspected SPAM" folder.
If two rules in the same module are triggered and both call for a copy to be quarantined, the rule that fired first dictates which folder the message is copied to.
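The folder and delivery-method selection described in these notes, as an added model (this is an illustration written for this guide, not Proofpoint code). The only ordering the notes state is that Spam Detection outranks Email Firewall for folder selection, that the first rule to fire wins within a module, and that the highest-priority delivery method becomes the final disposition. The full MODULE_PRECEDENCE list and the entire DELIVERY_PRIORITY order below are assumptions made so that the model runs; substitute the disposition-precedence order from the slide for your release before relying on it.

```python
"""Model of how ONE quarantine folder and ONE delivery method are chosen when
several rules fire on the same message (added illustration, not Proofpoint code)."""
from dataclasses import dataclass
from typing import Optional

# Highest precedence first. Only "Spam Detection above Email Firewall" comes from
# the guide; any further modules you add here are an ASSUMPTION to verify.
MODULE_PRECEDENCE = ["Spam Detection", "Email Firewall"]
# Highest priority first. This whole order is an ASSUMPTION for the model;
# replace it with the disposition-precedence order shown on the slide.
DELIVERY_PRIORITY = ["Discard", "Reject", "Deliver Now", "Continue"]


@dataclass
class Triggered:
    module: str
    rule_id: str
    delivery_method: str
    quarantine_folder: Optional[str] = None   # None: this rule does not quarantine


def _rank(table, value):
    """Position in a precedence table; an unknown value is a configuration error."""
    return table.index(value)


def choose_quarantine_folder(fired):
    """Folder from the highest-precedence module that asked for a copy.

    `fired` must be in firing order: min() returns the FIRST minimal element, so
    among several rules of the same module the first one to fire wins, exactly as
    the notes describe.
    """
    copies = [r for r in fired if r.quarantine_folder]
    if not copies:
        return None
    best = min(copies, key=lambda r: _rank(MODULE_PRECEDENCE, r.module))
    return best.quarantine_folder


def choose_delivery_method(fired):
    """The delivery method with the highest priority among all triggered rules."""
    return min((r.delivery_method for r in fired),
               key=lambda m: _rank(DELIVERY_PRIORITY, m))


def judge(fired):
    """Final outcome for one message given the rules that fired, in order."""
    return {
        "final_delivery": choose_delivery_method(fired),
        "quarantine_folder": choose_quarantine_folder(fired),
        # A copy can only be taken once the whole DATA phase has been received,
        # which is why quarantining defeats early (envelope-based) load shedding.
        "needs_full_body": any(r.quarantine_folder for r in fired),
    }


if __name__ == "__main__":
    spoof = Triggered("Email Firewall", "spoof_check", "Continue", "Spoofed")
    spam = Triggered("Spam Detection", "suspected_spam", "Continue", "Suspected SPAM")
    print(judge([spoof, spam]))
```

Feed `judge()` the rules in the order they fired; changing the order of two rules in the same module changes the folder, while changing the order of rules from different modules does not.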

Lab 4-1: View Quarantine Messages

Scenario
You are tasked to use quarantine information to explain how two earlier rules were applied to the latest message.

Objectives
• Locate the latest message in the Quarantine > Messages folder
• Disable the change_subject rule

Instructions
1. Check the quarantine folder for the latest message:
a. From the System tab, select Quarantine > Messages
b. At the top of the quarantine list should be a message with Rule Works: in the Subject
column. If necessary, wait one or two minutes; then refresh the list
c. Open the message at the top of the list
d. From the View Message drop-down menu, select Triggered Rules
The All Triggered Rules table shows that the continue and change_subject rules were both
triggered.
Why was this message quarantined while also being delivered?
___________________________________________________________________________
Why was the change_subject rule also triggered?
___________________________________________________________________________
2. Disable the change_subject rule; then Save Changes.

Lesson 5: Smart Search and Log Viewer
Introduction
This lesson discusses the basic techniques used for testing rules and explains some basic rule diagnostic
and troubleshooting techniques.
When a rule does not work as expected, PPS generates events that show in a log. The PPS logs may
provide the clues needed to resolve the issue with a rule.
You review the logs through the management user interface. This lesson explains how to use Smart
Search to search combined filter and MTA logs and how to use Log Viewer to search raw logs.

Student Notes
PoD Log API is a log streaming service available to customers using Proofpoint on Demand. Using this
service, customers can download message and mail log data for monitoring, reporting, and alerting
purposes. Typically these logs are forwarded to SIEM solutions such as Splunk, HP ArcSight, IBM QRadar,
LogRhythm, and others.
Three requirements to enable PoD Log API are as follows:
• Must be a Proofpoint on Demand customer
• Must be using Cloud Based Smart Search (CBSS) (No Appliance based Smart Search nodes)
• Must have Remote Syslog license

Student Notes
What is Smart Search?
Smart Search indexes the filter log (and the mail log) so that you can see, at a high level, what happened to a message: which rules triggered, what the final disposition was, and other search criteria. It is quick and easy to use, but there are limits to how much it can show; the general search options are covered below, and Log Viewer, later in this lesson, is the tool for raw entries. Two operational points: Smart Search is Java-based, and its disk I/O is not constrained, so it can be I/O hungry at times.
The length of time for which Smart Search data is retained is controlled under System > Smart Search > Settings in the PPS UI. On on-premises appliance deployments the default is 7 days and is configurable by the administrator (longer retention requires more disk space on the master host, or a dedicated Smart Search host for large clusters and long retention times). Proofpoint on Demand (hosted) environments retain 30 days.
To find messages with specific criteria, enter the information you are searching for into the search fields. Start with a broad search, then narrow it down by entering data into additional fields.
After populating the search fields, click Search. The results display in the Results pane, which shows the date, sender, recipient, and subject of each message. The Final Action column displays the final disposition for each message, for example whether a copy was sent to the Quarantine, and what the last filtering engine processing state was. Use the Results Per Page list to control how many messages display at a time in the Results pane.

Student Notes
To view details for an entry in the Results table, click the plus sign (+) icon. A table displays, providing
additional detailed information.
Click Export in the Results table to export the search results to a CSV file. The exported data includes all of the data in the Results table, the message details table, and the MTA logs. The exported data does not include information that applies to SMTP Turbocharge.

Student Notes
In the Log Viewer screenshots and the lab that follows, you will see log entries for these four phases of message routing:
1. When the sending MTA connects, PPS records the following:
• The sending MTA's IP address
• The sending MTA's hostname, obtained by a reverse DNS (PTR) lookup of that IP address
2. After connecting to the PPS, the sending MTA begins to send SMTP commands and data. PPS modules process the message data and write entries associated with each SMTP command and with the message data.
3. After processing the message through the rules in the various modules and judging what the final disposition of the message is going to be (discussed in more detail later), PPS does the following:
• Assigns a QID (queue ID) to the message
• Hands the message to the Sendmail service
• Closes the SMTP session
4. The MTA log contains the entries recorded as Sendmail delivers the message to the mail server.

Student Notes
There are two ways for administrators to view the logs on the PPS Master: Log Viewer and Smart
Search. Log Viewer is primarily used for troubleshooting. To use it, navigate to System > Logs and
Reports > Log Viewer.
There are six different types of logs you can search through. They are:
• The Filter log lists activity generated by the filtering engines
• The Email Command Processor log displays activity generated by End User Digests.
• The MTA log lists messages passed from sendmail to the mail server for delivery.
• The Regulatory Compliance log displays events generated by the Regulatory Compliance Module.
• The Digital Assets log displays events generated by the Digital Assets Module.
• The Proofpoint Encryption log displays events generated by Proofpoint Encryption.

Student Notes
You can search any of these logs for specific entries and highlight the entries of interest. Used together, these two features let you narrow the search down to specific items in the log and highlight them for ease of viewing. For example, administrators can search the log for sender addresses, recipient addresses, message IDs, or rules that have been triggered. This is useful for tracing the path of a message through the Proofpoint Protection Server's filtering engines.
Note: The Find field matches exact text only. The Highlight field accepts Perl Compatible Regular Expressions (PCRE).
• Log levels can be adjusted to provide copious amounts of information
  • Log levels default to Information
  • Debug is adequate for most email routing problems
  • Trace is used for severe issues
  • Debug and Trace generate large volumes of log data; return the level to Information once troubleshooting is complete
• The Filter log tags each connection with a session number (log key "s=")
• The Filter log tags each entry with the software module name (log key "mod=")
• Use the Filter search to isolate a specific message

Lab 5-1: Use Smart Search and Log Viewer

Scenario
You are tasked to find the details pertaining to messages you have just sent.

Objectives
• Use Smart Search and Log Viewer to find the details about the processing of messages
• Search for messages sent from your mail2 user in the last 24 hours
• Identify the values in the Final Rule and Quarantine Rule fields in the table
• Compare the details for the “Trigger the reject rule” message to the Final Rule field and Quarantine
Rule values
• Use the SID number for the most recent message to view the message processing phases within the
entries
• Search for “judge” to identify which rule is the Final Rule

Instructions
In this lab exercise you will be using Smart Search and Log Viewer to find log entries generated by the
processing of messages you sent in previous labs.
1. Use Smart Search to find messages.
a. From the System tab, navigate to Smart Search > Search.
b. In the search fields, enter the following:
• Sender: mail2_user
• Subject: <leave blank>
• From the Time drop-down menu, select Last 24 Hours
c. Click Search
Note the number of results that are listed. Also note that most of the values in the Final Action
column contain a plus (+) symbol.
d. Click a few of the plus symbols in the Final Action column to see what the Final Action was for
these messages. (Most will be Sent).
2. View the information about the most recent message, which is at the top of the list of results.
a. From the row at the top of the results list, click the plus symbol in the Date column
b. Note the table of data organized into the Field and Value columns
c. Note the Final Rule field and the Value associated with it.
d. Note the Quarantine Rule field and the Value associated with it.
3. View the information about the “Trigger the reject rule” message.
a. From that row of the list, click the plus symbol in the Date column.

b. Compare the Policy Routes applied to each of two messages.


c. Note the bar on the right border of the Fields and Values table.
d. Click the double-arrow icon in the center of the right border (the “Show MTA Log” button).
Note the information for the two messages that is stored in the MTA Log. These MTA log entries
were generated by Sendmail as the last message was processed for delivery.
The older message was rejected so there is no MTA data because it was not delivered.
4. View the log entries for the most recent message in Log Viewer.
a. From the table of data for the row at the top of the results list, copy the SID Value
b. From the System tab, navigate to Logs and Reports > Log Viewer
c. In the Find field, paste the SID Value
d. From the Order drop-down, select Ascending Date
e. In the highlight field, enter rule=; then click Search.
Note that both the change_subject and continue rules are shown in the log entries:
Do these log entries indicate which rule is the Final Rule, as was shown in Smart Search?
f. In the Highlight field, enter judge; then click Search
Since they both fired, each of the rules is included in the judging process.

Lab 5-2: Analyze Filter Behavior

Scenario
You will use Smart Search and Log Viewer to find the log entries generated by the processing of messages you sent in previous labs, and you are tasked to predict how PPS will deliver a message that triggers two rules with conflicting delivery methods.

Objectives
• Disable any rules used in previous labs
• Create two rules that use conflicting delivery methods; one rule that uses Deliver Now and one that
uses Reject
• Send a message to your mail.ex_user with reject in the message body
• Identify which Quarantine Rule and which Final Rule took precedence.
• Identify to which quarantine folder the message was sent

Instructions
1. Disable any rules used in previous labs.
a. From the Email Protection tab, navigate to Email Firewall > Rules
b. Scroll down to the bottom of the rules list; then deselect any of the following rules that might
remain selected:
• continue
• reject
• reply
• change_subject
c. Scroll to the top and select Save Changes
2. Create two rules that use conflicting delivery methods; one rule that uses Deliver Now and one that
uses Reject.
a. Add the first rule with the following parameters:
• Enable: On
• ID: deliver
• Condition: Envelope Sender Email Address equals mail2_user@training.proofpoint.com
• Quarantine message: Selected
• Quarantine Folder: Quarantine
• Delivery Method: Deliver Now
b. Add the second rule with the following parameters:
• Enable: On

• ID: reject_block
• Condition: Message body only
• Operator: Contains
• Value: reject
• Quarantine message: Selected
• Quarantine Folder: Blocked
• Delivery Method: Reject
c. Verify that both rules were saved and enabled.
d. Send a message to the mail.ex_user; make sure reject is in the message body.
e. Use Smart Search to see which Quarantine Rule and which Final Rule took precedence. Which
quarantine folder was the message sent to? Why was it sent to this folder?
__________________________________________________________________________
f. Review the log file to see the progress in rule application. Identify which final rule took
precedence.
3. Disable the deliver and reject_block rules; then Save Changes

Student Notes
To generate a report, navigate to System > Logs and Reports > Report Viewer. There are dozens of pre-defined reports to choose from. You can narrow the list by using the Category drop-down at the top of the page.
To run a report, simply click on the report name. Optionally you can modify the time period the report will
run for.
When the report appears on the screen, you can print or email the report, or you can customize the report
settings and run it again. This allows you to tailor the report to meet your needs if the default settings do
not work. If you would like to save your modifications so that you can run the report again, click Save
Report at the bottom. You will be asked to give the report a name. Your inventory of custom reports will be
listed under Logs and Reports > Report Publisher > Saved.

Student Notes
Use the Logs and Reports > Report Settings > General page to enable scheduled report generation and
distribution, determine data retention periods, how often to roll over the database, and how to present
spam reporting.
The Master Log database maintains these data tables:
• Raw data tables that contain unprocessed data.
• Tables that store data aggregated by the hour
• Tables that store data aggregated daily
• Tables that store data aggregated monthly
This database of aggregated data is used for generating reports and is retained for the following periods:
• Hourly tables: 30 days
• Daily tables: 1 year
• Monthly tables: 2 years

You can generate reports for system statistics, statistics for any of the modules, classifications, rules,
policy route and message dispositions.
Every report represents data captured for a specific period of time. Reports fall into these categories:
• Time-series plots - line graphs that typically display performance or trends over a period of time. In
these graphs, the x-axis is always depicted in increments of time - hours in a day or days in a month.
• Aggregated data plots - bar charts or pie charts that represent an aggregation of data over a period of
time. In these charts, the x-axis is depicted as anything except time - for example, types of viruses,
domain names, message dispositions, or top 10 domains that send email to your organization.
• Saved reports - if you find that you repeatedly use the same report, you can add it to your Saved
category for easy access in the future.

Student Notes
To view alerts, navigate to Logs and Reports > Alert Viewer.
The Alert List can hold thousands of entries. Use the search form to display the alerts of interest to you. You can combine more than one search criterion at a time. You can sort the results by clicking on the column headings.
To view the details for an alert, select it in the Alert List. An alert detail pane displays more information for
the alert. The filter icon in the label column narrows down the content displayed in the Alert List.

Student Notes
Each Proofpoint Protection Server maintains log files to capture system alerts. By default these alerts are
retained for one month. To change this retention period navigate to Logs and Reports > Alert Settings.

Lesson 6: TLS Encryption
Introduction
This lesson teaches the recommended configuration settings for TLS Encryption. You will implement TLS
Encryption, import a signed certificate, and send a message through a secured communication channel.

Student Notes
Explicit TLS (STARTTLS)
• The session begins in clear text on the normal SMTP port; the client issues the STARTTLS command to upgrade the connection to an encrypted one.
• When TLS is opportunistic (If Available), a failed negotiation falls back to a plain-text transmission. When TLS is required for the destination, the message is not sent in clear text.
Implicit TLS
• The client negotiates TLS as soon as the connection opens, without first asking the server whether it supports it.
• If the server is not TLS-capable or the connection times out, the transmission is abandoned.
Unencrypted transport: if no TLS connection is established between the sending and receiving MTA, the message is sent in clear text to the receiving MTA.
If a TLS connection is established between the MTAs, mail is sent over the secured transport between PPS and the receiving MTA.
All of these methods use the default SMTP profile.

Student Notes
TLS secures the message only between the sending and receiving MTAs. Between the sender and the local MTA, and between the receiving MTA and the mail recipient, the transport is not secured by this setting. MTAs use digital certificates, generated and signed under the public key infrastructure (PKI) model, to establish a secure channel via TLS; the receiving MTA is authenticated only if the sender actually verifies that certificate. The email itself is not encrypted, but the data channel between the MTAs is protected by TLS encryption.
TLS vs Proofpoint Encryption:
• TLS is easier to use from an end user perspective
• It is completely transparent to the end user
• No steps necessary to decrypt the message
• TLS is easy to turn on
• Proofpoint Encryption might not be an option
• Business partners might require TLS
When a partner requires that messages be sent over a secure data channel, you can configure a TLS
Domain that meets that partner’s requirements. To do this, from the System tab, select System >
SMTP Encryption > TLS Domains; then select Add and enter the information for the specific domain.
This will use the default SMTP profile to always send messages to this domain over TLS.
Another method is to use TLS if available. This is also known as “opportunistic TLS.”
If the receiving MTA supports TLS, a secure data channel will be established between the sending MTA
and the receiving MTA. If it does not, messages will be sent over an open channel.
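The outbound decision these notes describe (always TLS for a configured TLS Domain, opportunistic TLS otherwise, clear text when nothing is negotiated) as an added example. This is illustration code written for this guide, not Proofpoint code, and it does not open any network connection: the EHLO reply strings are constructed, the policy names "required", "if_available" and "none" are this example's own labels for the TLS Domain choices, and the SSLContext settings are the Python standard-library knobs that correspond to the "verify certificates" and "minimum protocol version" settings discussed in the next slides.

```python
"""Outbound TLS decision for one delivery attempt, plus the two SSLContext
settings that decide whether the peer is actually authenticated.
Added example for this guide; not Proofpoint code, no network access."""
import ssl

# Example-local policy labels for the TLS Domain choices:
#   "required"     - TLS Domain entry, always send over TLS
#   "if_available" - opportunistic TLS
#   "none"         - never attempt TLS
POLICIES = ("required", "if_available", "none")


def parse_ehlo(response):
    """Extract the extension keywords from a raw multi-line EHLO reply.

    Continuation lines look like "250-KEYWORD [params]"; the last line uses
    "250 ". The first line is the server greeting and carries no extension.
    """
    lines = response.replace("\r\n", "\n").strip().split("\n")
    keywords = []
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        keywords.append(line[4:].strip())
    return keywords


def offers_starttls(keywords):
    return any(k.split()[0].upper() == "STARTTLS" for k in keywords if k)


def decide_transport(ehlo_response, policy, handshake_ok=True):
    """Return "tls", "plain" or "defer" for one outbound connection.

    "defer" means: do not send in clear text; keep the message queued and retry.
    handshake_ok models whether the STARTTLS negotiation itself succeeded.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown TLS policy {policy!r}")
    if policy == "none" or not offers_starttls(parse_ehlo(ehlo_response)):
        # MTA-to-MTA relay relies on STARTTLS; with no offer, only a required
        # domain is allowed to hold the message back.
        return "defer" if policy == "required" else "plain"
    if handshake_ok:
        return "tls"
    # STARTTLS was offered but negotiation failed (cipher mismatch, bad cert, ...)
    return "defer" if policy == "required" else "plain"


def outbound_context(verify_peer=True, min_version=ssl.TLSVersion.TLSv1_2):
    """SSLContext for the sending side.

    verify_peer=False reproduces "exchange keys without verifying certificates"
    (the verify=NO you will see in the lab): traffic is encrypted, but any
    certificate is accepted, so an on-path attacker can terminate the session.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # system trust store
    ctx.minimum_version = min_version
    if not verify_peer:
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_summary(ctx):
    """The two settings an auditor asks about: floor protocol and peer verification."""
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


if __name__ == "__main__":
    ehlo = "250-mail.example.com\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
    for policy in POLICIES:
        print(policy, decide_transport(ehlo, policy), decide_transport(ehlo, policy, handshake_ok=False))
    print(context_summary(outbound_context()), context_summary(outbound_context(verify_peer=False)))
```

The "required" branch never returns "plain": that is the property a TLS Domain entry buys you, and the reason a partner that mandates TLS should be configured as a TLS Domain rather than left to opportunistic behaviour.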

Student Notes
These are the main steps used to begin implementing TLS. They will be discussed in more detail in the
following slides.

Student Notes
Enable TLS and select options for requesting client certificates.
• TLS provides a secure method for encrypting the SMTP data stream.
• As with most secure connections, digital certificates and PKI are used during the handshake to authenticate the peer and to agree on a shared secret, which becomes the symmetric session key that encrypts the data.
• PPS can be configured to exchange keys without verifying certificates (cipher strengths up to a 168-bit key are supported). Without verification the channel is encrypted but the peer is not authenticated.
• PPS can be configured to require certificates when acting as the receiving server, or to provide a certificate when acting as the sending server.
• The TLS Minimum Protocol Version setting can be set separately for inbound and for outbound mail.

Student Notes
Configure a TLS Domain entry for each domain that needs specific TLS behaviour.
• In the example on the slide, opportunistic TLS (If Available) is set for the training.proofpoint.com domain
• Once enabled, the setting applies only to traffic to this domain
• You provide fully qualified domain names for the domains that require encryption
• You can control specific behaviours per domain

Student Notes
As the PPS admin, you create the CSR. From the System tab, navigate to System > Certificates > Certificates; then click Generate Certificate Request. After you fill in the form, click Request Certificate. The State/Province field must contain the complete name, with no abbreviations. The Country must be the two-character code for your country.
After clicking Request Certificate, you will see a text field containing the entire text of the certificate request. Then do the following:
• Highlight and copy the entire text, including the blank line at the end
• Paste the text of the certificate request into a text editor; then save it as a PEM-format text file (a CSR is PEM text; PKCS12 is a binary container for a certificate together with its private key, not a format for a request)
Before saving the PEM file, make sure there is a blank line after the last line of text in the certificate request. The last line will be: -----END CERTIFICATE REQUEST-----

Student Notes
The Certificate Authority (CA) list on the SMTP Publishers page contains more than 160 CAs. These are not the only CAs that can be trusted. If you have your CSR signed by a CA that is not in this list, you will need to import that CA's trusted root certificate using the import option on this page.
For the lab that follows, the trusted root certificate from the certificate authority that is running in the
classroom lab environment has already been imported.

Student Notes
Importing the signed certificate through the GUI stores the certificate related files in the correct locations.

Student Notes
The imported certificate will show as Signed and will be given a Serial number.
The name of the CA that signed the certificate is shown under Issued By.

Student Notes
The SMTP service has to be configured to use the CA-signed certificate; otherwise it keeps using the default self-signed certificate, which remote MTAs cannot validate against a trusted CA.

Lab 6-1: Configure TLS Encryption

Scenario
Configure the training.proofpoint.com domain to establish a secure channel if available

Objectives
• Enable TLS
• Configure a TLS Domain
• Import a signed certificate (already signed by a trusted CA)
• Configure the SMTP service to use the signed certificate

Instructions
1. Configure TLS to use 128-bit cipher strength.
a. From the System tab, navigate to System > SMTP Encryption > Settings; then configure as
follows:
• Enable TLS: On
• Minimum Cipher Strength for TLS Domains: 128-bit key
• Request Client Certificate: On
• Enable Sending of the Client Certificate: On
• TLS Minimum Protocol Version: SSLv3 (for inbound and outbound). This is a lab setting only: SSLv3 is obsolete and insecure, so production systems should set the minimum to TLS 1.2 or later for both directions.
b. Click Save Changes
2. Configure a TLS domain to use opportunistic TLS.
a. From the System tab, navigate to System > SMTP Encryption > TLS Domains
b. Click Add
c. Configure the TLS domain with the following settings:
• Domain/IP/Host: training.proofpoint.com
• Encrypted: If Available
d. Click Add Entry
3. Disable any rules configured earlier.
a. From the Email Protection tab, navigate to Email Firewall > Rules
b. Uncheck any rules you may have created in earlier labs
c. Click Save Changes
4. Import the signed certificate to your PPS server.
a. From the System tab on the PPS server, navigate to System > Certificates > Certificates page;
then select Import
b. Browse to the Documents directory and double-click the vs-xx-cert.pem file; then select Import.
It will appear as signed in the certificates list.

c. Note the number in the Serial column.


Note: The certificate you import was signed using a CSR generated by your PPS. You can only import
the resulting signed certificate once. If you delete that imported certificate and try the import
again, it will not work.
5. Configure the SMTP service to use the new certificate.
a. From the System tab, navigate to System > Certificates > Services.
b. From the Certificate drop-down menu for SMTP Server, select the imported certificate
The newly imported certificate will have the serial number in parentheses.
c. Click Save Changes
It takes several minutes for the change to take effect. PPS services are being restarted after the
configuration change.
6. Test the TLS Encryption configuration.
a. Send a message to your mail.ex_user
b. Go to the recipient’s inbox and open the message you just sent
c. Click the Menu button (the “hamburger” icon); then select View source
d. Look for the Received header entry that shows version=TLSv1.2
For example, (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
Note the verify=NO: the connection was encrypted with a 256-bit AES-GCM cipher, but the peer's certificate was not verified, so the channel is encrypted without being authenticated. For partner domains that require TLS in production, verify certificates as well.
7. On the PPS system, view entries in the filter log.
a. From the System tab, navigate to Logs and Reports > Log Viewer
b. Find the sessionID from the most recent message sent by your mail2 user
c. In the Search field, paste the sessionID; then enter starttls in the Highlight field
d. From the Order drop-down menu, select Ascending Date
The search results will contain an entry with data similar to the following, which shows that the
PPS server established a TLS connection with the mail server:
[2019-03-07 15:59:47.102690 -0800] info s=2r3c02r00v mod=smtpsrv
cmd=starttls tls_version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
cipher_bits=256 verify=NO
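The log entry above is what you look for by hand in the Log Viewer. As an added example (not part of the Proofpoint guide), the following Python script does the same check over a batch of filter-log lines of that shape: it groups entries by the s=<sessionID> field and reports, per session, whether STARTTLS negotiated an acceptable protocol version and key size, or whether the session never started TLS at all. The session IDs, timestamps and addresses in SAMPLE_LOG are constructed; only the starttls line mirrors the entry format shown in step 7, and the connect and mail lines are assumed filler so that one session carries no STARTTLS entry.

```python
import re

# Constructed sample log: session ids, timestamps and addresses are made up.
# The starttls lines mirror the entry format shown in the lab; the connect/mail
# lines are assumed filler so that one session has no STARTTLS entry at all.
SAMPLE_LOG = """\
[2019-03-07 15:59:47.102690 -0800] info s=2r3c02r00v mod=smtpsrv cmd=connect ip=203.0.113.10
[2019-03-07 15:59:47.102690 -0800] info s=2r3c02r00v mod=smtpsrv cmd=starttls tls_version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 cipher_bits=256 verify=NO
[2019-03-07 16:01:03.000000 -0800] info s=2r3c02r00w mod=smtpsrv cmd=connect ip=203.0.113.11
[2019-03-07 16:01:03.500000 -0800] info s=2r3c02r00w mod=smtpsrv cmd=starttls tls_version=TLSv1.0 cipher=AES128-SHA cipher_bits=128 verify=NO
[2019-03-07 16:02:00.000000 -0800] info s=2r3c02r00x mod=smtpsrv cmd=connect ip=203.0.113.12
[2019-03-07 16:02:00.400000 -0800] info s=2r3c02r00x mod=smtpsrv cmd=mail from=<someone@example.net>
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Ordering used to compare a negotiated protocol version against a minimum.
TLS_ORDER = {"TLSv1": 0, "TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def parse_line(line):
    """Split one '[timestamp] level key=value ...' line into a dict (None if it does not match)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "level": m.group("level")}
    fields.update(KV_RE.findall(m.group("rest")))
    return fields


def sessions_by_id(log_text):
    """Group parsed entries by the s=<sessionID> field, preserving log order."""
    sessions = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and "s" in fields:
            sessions.setdefault(fields["s"], []).append(fields)
    return sessions


def assess_tls(log_text, min_version="TLSv1.2", min_bits=128):
    """Return {sessionID: 'ok' | 'weak' | 'plaintext'} based on the smtpsrv starttls entry."""
    results = {}
    for sid, entries in sessions_by_id(log_text).items():
        starttls = next(
            (e for e in entries if e.get("mod") == "smtpsrv" and e.get("cmd") == "starttls"),
            None,
        )
        if starttls is None:
            results[sid] = "plaintext"  # no STARTTLS in this session at all
            continue
        version = starttls.get("tls_version", "")
        bits = int(starttls.get("cipher_bits") or 0)
        too_old = TLS_ORDER.get(version, -1) < TLS_ORDER[min_version]
        results[sid] = "weak" if (too_old or bits < min_bits) else "ok"
    return results


if __name__ == "__main__":
    for sid, verdict in assess_tls(SAMPLE_LOG).items():
        print(f"{sid}: {verdict}")
```

Note that verify=NO in both the message header and the log records that the peer certificate was not verified: an "If Available" TLS domain entry encrypts the session opportunistically but does not authenticate the other side, so a check like this one confirms confidentiality of the hop, not the identity of the peer.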
Lesson 7: User Management and End User Services
Introduction
This lesson describes how PPS manages users. It describes the user repository and how PPS organizes
users into a logical hierarchy. This lesson teaches strategies for importing, organizing, and managing
users in the user repository.
Student Notes
You can search for users in the database based on the criteria shown in the above screen shot.
The User Repository is a data source that stores entries for all users in the Organization. It is used for
Recipient Verification, alias consolidation (for single digest messages), and user-specific configuration
which includes:
• Spam policy
• Filtering opt in/out
• Receive digest or not
• Personal safe/blocked list
• Delegated user allows additional person to manage digests
The User Repository maintains the following information:
• User email address
• Delegated user to manage each mailing list, if applicable
• List of senders whose email messages are acceptable (Safe Senders List)
• List of senders whose email messages are not acceptable (Blocked Senders List)
• Email aliases for the user
• Sub-Orgs and Groups to which users belong, as well as attributes for each user
The repository contains two types of user records for sending digests:
• Users - Users and delegates receive a digest
• Mailing List - Only the list owner receives a digest
Student Notes
From the page above, you can open the Schedule page for a profile to configure the schedule to keep the
user repository updated.
In most cases, you only need a single profile to import users and keep your repository up to date. The
most common data source types are LDAP-compatible databases. This single profile method:
• Preserves user’s group memberships
• Works well for single location / single division organizations
In some cases, multiple profiles are:
• Used for multi-division or multi-location organizations
• Needed where administration must be delegated to non-root admins
Student Notes
You can use virtually any LDAP-compatible directory source, for example:
• Windows Active Directory
  • Most common
  • Fully supports the LDAP protocol
• OpenLDAP
  • Open source LDAP server
• IBM Domino
Student Notes
Profiles are typically used for authentication as well as imports. Each combines import profiles, import
parameters, connection information, authentication parameters, authentication credentials, and user
LDAP attributes. Once you have a profile created, a schedule can be created for imports. Proofpoint can
take the load off an LDAP server by authenticating against the user repository that was imported from
LDAP.
When creating an import/auth profile, you:
• Define external directory source
• Configure the profile settings:
• Connection information for the LDAP server in the Host/IP address field
• User import parameters in the Base DN field
• Database admin user authentication parameters in the Bind DN field
• Enter authentication credentials in the Password and Port fields
• View user LDAP attributes
Student Notes
https://proofpointcommunities.force.com/community/s/article/Best-Practices-for-Proofpoint-to-Azure-Active-Directory-Integration
https://proofpointcommunities.force.com/community/s/article/Azure-SSO-Step-1-Configure-the-Azure-Proofpoint-on-Demand-App-Azure-Best-Practices
https://proofpointcommunities.force.com/community/s/article/Azure-SSO-Step-2-Configure-SAML-2-0-Profile-Azure-Best-Practices
Student Notes
The Proofpoint Protection Server supports only one identity provider (IdP) instance: you can add only one SAML 2.0 authentication profile to your Proofpoint cluster. Examples of supported IdPs include Okta, OneLogin, Oracle Federated Identity (OIF), and Microsoft Active Directory Federation Services.
Import/auth profiles can also use SAML 2.0 (Security Assertion Markup Language). SAML is a standard for exchanging authentication and authorization data between services; for example, it lets you use existing external credentials for user authentication (federated authentication).
When configuring a profile that uses SAML, you must provide:
• The Identity Provider (IdP)
• Authenticate a user and issue an assertion, for example; AD FS, PingFederate, CA SiteMinder,
Okta, etc.
• The Service Provider (SP)
• Validate the SAML assertion and grant access to the resources, for example: Proofpoint End User
Web Application, Proofpoint Secure Reader, Proofpoint Protection Server Management UI
Student Notes
Organization
• Only one per cluster
• Mail filtering attributes apply to entire organization
• Managed by root administrators
Sub-Org
• Distinct business units based on organizational structure
• Typically used for divisions or locations
• Can apply Policy Routes to specific sub-orgs for mail flow management
Group
• A grouping of users that share the same mail filtering attributes
• Can belong directly to the Organization managed by root administrators
• Can belong to one Sub-Org managed by Sub-Org administrator
User
• Can belong directly to the Organization
• Can belong to one Sub-Org
• Can belong to multiple groups
• Mail filtering attributes can be unique to the user
Lab 7-1: User Import

Scenario
Your user information is maintained in an LDAP database. You need to use this as a source to keep your
PPS users up to date.

Objectives
• Configure an LDAP Profile to import and manage users

Instructions
1. Create an Import/Auth Profile for the training.proofpoint.com domain.
a. Go to User Management > Import/Auth Profiles
The Import/Auth Profiles page opens.
b. Click Add
c. Click the Data Source drop-down list
d. Select LDAP/Microsoft Exchange/Active Directory/Lotus Domino; then enter the following:
• Profile Name: ldap_profile
• Description: To import users in training.proofpoint.com
• Host/IP Address: 10.25.0.9
2. Click Configure (green button); then enter the following:
• Bind DN: training\admin10
• Password: train
• Port: 636
• Secure Socket Layer (SSL): On
• Default Domain Name: training.proofpoint.com
3. Click Add Entry to complete the profile configuration.
4. Create an Import/Auth Profile for the ex.proofpoint.com domain.
a. Click Add
b. Click the Data Source drop-down list
c. Select LDAP/Microsoft Exchange/Active Directory/Lotus Domino; then enter the following:
• Profile Name: ex_ldap_profile
• Description: To import users in ex.proofpoint.com
• Host/IP Address: 10.25.0.91
5. Click Configure (green button); then enter the following:
• Bind DN: ex\admin10
• Password: train
• Port: 636
• Secure Socket Layer (SSL): On
• Default Domain Name: ex.proofpoint.com
6. Click Add Entry to complete the profile configuration.
Complete the Import process for the training.proofpoint.com and ex.proofpoint.com users.
7. Use ldap_profile and ex_ldap_profile to import users into the repository on your PPS.
a. Check the boxes for ldap_profile and ex_ldap_profile
b. Click Import
c. From the bottom of the popup window, click Import Now
In less than 30 seconds, the Status window indicates “Result: SUCCESS” for both imports.
d. Click Close
8. Go to User Management > Users to confirm there are 185 entries in the User Repository.
Student Notes
Pre-configured default branding (using the Proofpoint logo shown above) is provided for the following
End User Services.
• End User Digest Branding
• Encryption Branding
• Secure Share Branding
To create new branding, go to End User Services > Branding Templates; then click Add.
Student Notes
The End User Digest is an email notification of email messages that were sent to the Quarantine. The
Digest provides you with a list of the messages addressed to you that are stored in the Quarantine.
Student Notes
End User Services provides two types of digests:
• Update
• Only sent per schedule
• Contains only the messages caught since the last update digest was sent
• Summary
• Only sent from the Management UI or requested by the user
• Contains all messages in quarantine for that user
The purpose of the End User Digest is to:
• Empower end users
• Allow user self-service to save time for administrators
• Allow users to respond to false positives
• Provide end user control of their personal safe and blocked lists
Digests can be customized for functionality and appearance:
• Commands users are allowed to see and use
• Folders that users can view
• Control of folder-level actions
Student Notes
User digests can be enabled, disabled, or scheduled to your preference. The schedule on which digests are
sent is controlled by the admin and should be adapted to your company policy; the norm is to send one
once a day. Within the digest there is a lot of customizability in the commands, filters, content, and
resources.
You can configure who receives the digest, including these options:
• Users in user repository
• Send digest / send empty digest
• Organization / Sub-Org / Group / User attribute
• All recipients in quarantine
• Used when no user list is available
• Can be limited to individuals, sub-orgs, or domains
• Digest deployment options
• No blank digest
• All users
• Some users
Student Notes
Scheduling is important and depends on your policies:
• At least once a day is appropriate
• More than two per day can confuse/annoy users
Student Notes
By default, the end user email digest provides a link to the End User Web Application that does not
require authentication. Logging in directly, however, does require authentication. This setting can be
turned off if that is your preference. You can use different authentication sources to force authentication
based on group membership or user attribute.
Student Notes
The End User Web Application:
• Is accessed via “Manage My Account” link in Digest
• Operates on port 443 on the configuration master
• Can have access restricted by authentication
Users can use the Web Application to do the following:
• Manage safe/blocked senders
• Change spam policy
• Change language
• Generate new digest messages
• View quarantined messages
Student Notes
The end user web application is the web-based equivalent of the end user digest email and is highly
configurable.
The administrator can control what’s available to be adjusted by the end user. The end user web
application allows for some of the burden to be taken off the admins because it enables the end users to
manage the features of their own accounts.
Student Notes
The end user web application is the web-based equivalent of the end user digest email and is highly
configurable. Once again, the administrator can control what’s available to be adjusted by the end user.
The end user web application allows for some of the burden to be taken off the admins because it enables
the end users to manage the features of their own accounts.
Lab 7-2: Access the End User Interface

Scenario
You want to view the end user interface before implementing it in your organization.

Objectives
• Configure authentication to the Web Application
• Access the Web Application.
• Take note of the options available in the lower left corner of the Web Application

Instructions
1. Configure authentication to the Web Application.
a. From the System tab, navigate to User Management > Organization > Authentication.
b. From the Authentication Source drop-down, select ex_ldap_profile.
c. Click Save Changes.
2. Access the Web Application.
a. Open a new browser window and enter the URL to the End User Web interface:
https://vs-xx.training.proofpoint.com
b. Log in as mail.ex_user@ex.proofpoint.com with password train.
3. Explore the Web Application interface. Take note of the options available in the lower left corner.
4. Leave the Web Application page open.
Lab 7-3: Modify the End User Interface

Scenario
Your organization wants the end user interface to include certain features.

Objectives
• Enable the following as you configure the end user interface:
• Encryption Key Management
• Include the Email Firewall folder in Quarantine
• Include the Phish and Spam Definite folder contents in the user digest

Instructions
1. Enable Encryption Key Management.
a. From the System tab, navigate to End User Services > Web Application
b. Enable the radio button for Show Encryption Key Management
c. Click Save Changes
2. Enable Email Firewall module.
a. Navigate to End User Services > Filters > Modules
b. Move Email Firewall to the Include in Digest box
c. Click Save Changes
3. Enable the Quarantine folders.
a. Go to End User Services > Filters > Folders
b. Move Phish to the Include in Digest box
c. Move Spam Definite to the Include in Digest box
d. Click Save Changes
e. Go to the Web Application browser tab and press F5 to refresh.
Note the additional Encryption option on the navigation menu and the folder Email Firewall added to
the Quarantine menu.
4. Close the Web Application tab by doing the following:
a. From the upper right corner, select Logout
b. Close the browser tab
Lesson 8: Email Firewall
Introduction
Of the PPS modules, the PPS Email Firewall module contains the largest collection of rules, conditions,
and dispositions.
This lesson describes the unique components of the PPS Email Firewall. It also describes the function of,
and how to implement, Recipient Verification, SMTP Rate Control, Outbound Throttle, and Bounce Address
Tag Validation (BATV).
Student Notes
The Email Firewall Module:
• Filters messages by both connection and message attributes
• Provides access lists that determine which senders are trusted and which senders are untrusted
(blocked)
• Uses Email Firewall rules in a pre-determined order to filter connection and message attributes
• Allows administrators to change the pre-determined filtering order
• Additional information can be found in the Admin Guide section “Controlling Rule Order” or in PPS
Help
Within the Email Firewall module are settings and configuration options for the following PPS features:
• Recipient Verification
• Dictionaries
• SMTP Rate Control
• Outbound Throttle
• Bounce Management
• Email Firewall Rules
These features are built into the Email Firewall Module, and since every PPS cluster comes standard with
the Email Firewall Module installed these features do not require any additional licensing.
Student Notes
Dictionaries are located in the Email Firewall and Regulatory Compliance modules. They consist of a list of
words that are matched against messages. By default there is an offensive-word dictionary, but you can
create your own. You can also use regular expressions, count occurrences, and adjust weights for
individual words in dictionaries.
Although dictionaries run independently of your rules, they assign a score that can be used as a condition
for rules. This is especially useful in Email Firewall rules. Dictionaries that are not being used with rules
should be disabled: if a dictionary is enabled, messages are evaluated against it and assigned a score
even when no rule uses it. You cannot restrict a dictionary to a policy route.
• Matching capabilities include
• Exact Match
• Regular Expression Match
• Occurrence Counting
• Weighting
• Email Firewall rules can be created to utilize dictionary scores
• If your dictionary is enabled, all messages will be scored by the dictionary even if there are no rules
using the dictionary
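The four matching capabilities listed above combine into a single score that a rule condition compares against a threshold. As an added example (not PPS code and not one of its default dictionaries), the following Python module implements that scoring model: exact terms match whole words case-insensitively, regex terms are used as written, each hit contributes its weight, and the weight is multiplied by the occurrence count only when counting is enabled for that term. The dictionary contents, the sample message body, and the assumption that a non-counted term scores its weight exactly once are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Term:
    """One dictionary entry. Exact terms match whole words case-insensitively;
    regex terms are used as written. The weight is multiplied by the occurrence
    count only when count_occurrences is True (assumed scoring model for this example)."""
    pattern: str
    weight: int = 1
    regex: bool = False
    count_occurrences: bool = True


def _compile(term):
    if term.regex:
        return re.compile(term.pattern, re.IGNORECASE)
    return re.compile(r"\b" + re.escape(term.pattern) + r"\b", re.IGNORECASE)


def score_message(text, dictionary):
    """Return (total_score, {pattern: (occurrences, contribution)}) for one message body."""
    total = 0
    hits = {}
    for term in dictionary:
        occurrences = sum(1 for _ in _compile(term).finditer(text))
        if occurrences == 0:
            continue
        contribution = term.weight * (occurrences if term.count_occurrences else 1)
        hits[term.pattern] = (occurrences, contribution)
        total += contribution
    return total, hits


def rule_fires(text, dictionary, threshold):
    """Models an Email Firewall rule whose condition is 'dictionary score >= threshold'."""
    return score_message(text, dictionary)[0] >= threshold


# Constructed dictionary for the example (not a PPS default dictionary).
SENSITIVE = [
    Term("confidential", weight=5, count_occurrences=False),   # scores once however often it appears
    Term("account number", weight=2),                          # scores per occurrence
    Term(r"\b\d{3}-\d{2}-\d{4}\b", weight=10, regex=True),     # SSN-shaped pattern
]

# Constructed message body used to exercise all three term types.
SAMPLE_BODY = (
    "Confidential - confidential draft: please update account number 12345 "
    "and account number 67890; the applicant's SSN is 123-45-6789."
)

if __name__ == "__main__":
    score, hits = score_message(SAMPLE_BODY, SENSITIVE)
    print(score, hits)
    print(rule_fires(SAMPLE_BODY, SENSITIVE, threshold=15))
```

Because the score is computed for every enabled dictionary regardless of whether a rule reads it, the same cost model applies on the appliance: an enabled dictionary with no consuming rule is pure overhead, which is why the notes above say to disable it.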
Student Notes
Email Protection Configuration Best Practices: 17 Recipient Verification - the General > 'Message Does Not
Contain a Valid Recipient' setting and the Rules > 'verified' rule should be set to 'reject' or 'discard'.
The Recipient Verification module should be restricted to the 'default_inbound' policy route.
This prevents your email servers, such as Exchange, from being flooded with invalid recipients for
which they would have to generate Non-Delivery Reports (NDRs).
Filtering continues for valid recipients.
Advantages
• Can shed a lot of load by stripping off invalid recipients and throwing away messages with no valid
recipients
Disadvantages
• User repository must be accurate
• Database replication has to be functioning (port 3306)
• Can throw away good mail if misconfigured
What happens if the PPS cannot connect to the data source you have specified for verification? The
Verification Failure option lets you configure PPS to fail open or fail closed in this situation.
Student Notes
Configure this profile to make the Proofpoint Protection Server use the entries in the User Repository
(User Management > Users page) to verify legitimate recipient email addresses.
Student Notes
While the global settings on the General page apply to messages that have no valid recipients, you can
create rules that apply a disposition to a message on a per-recipient basis.
For example, if a message comes in that is addressed to Rachel, Randy, and Ryan, but Ryan is not a valid
recipient (he has left the company or was never employed) the rule can remove Ryan as a recipient and
continue to process the message for Rachel and Randy.
The PPS includes one default rule called “Verified”. This rule can be enabled, disabled, and edited, but it
cannot be deleted. This rule uses the Verification Profile named profile (in other words the User
Repository) to check the recipient addresses.
This default rule is set to handle messages from all policy routes and check them against the user
repository. If messages from a specific policy route need to be given a different disposition or checked
against a different profile a new rule can be created. The desired profile can be chosen under the
Conditions section of the rule.
Student Notes
By checking the logs you can see if the PPS determined the recipient to be valid or invalid. Look for the
verified keyword within the log. If the value that follows this keyword is a 1 then the PPS determined that
the recipient was valid.
If the value following this keyword is null then the PPS determined that the recipient was invalid. This is
useful when troubleshooting messages that are not delivered to the email infrastructure. If the PPS
returned a null value, but the recipient is in fact valid, this could mean that the user repository (or alternate
profile) is not in sync.
• Verified=1 means that the recipient is valid
• Verified=0 means that the recipient is invalid
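To make the pieces described in the last two notes concrete (the per-recipient 'verified' rule that drops Ryan and keeps Rachel and Randy, the General setting that applies once a message has no valid recipient left, the fail open / fail closed choice, and the verified=1/0 value you look for in the log), here is an added Python model. It is example code, not the PPS implementation: the repository contents and alias handling are constructed, and modelling fail-closed as a 451 temporary failure so that the sender retries is this example's choice, not a statement of what PPS does.

```python
from typing import Dict, Set


class RepositoryUnavailable(Exception):
    """The verification data source (User Repository or an alternate LDAP profile) cannot be reached."""


# Constructed User Repository: primary address -> aliases (the repository stores both).
REPOSITORY: Dict[str, Set[str]] = {
    "rachel@example.com": {"r.smith@example.com"},
    "randy@example.com": set(),
}


def repository_addresses(repo):
    """All addresses that count as valid recipients: primaries plus aliases, lower-cased."""
    known = set()
    for primary, aliases in repo.items():
        known.add(primary.lower())
        known.update(a.lower() for a in aliases)
    return known


def unavailable_source(_repo):
    """Stand-in lookup that behaves like a data source that is down (exercises fail open/closed)."""
    raise RepositoryUnavailable("verification profile unreachable")


def verify_recipients(recipients, repo, lookup=repository_addresses):
    """Per-recipient check, like the default 'verified' rule. Returns (kept, removed, flags), where
    flags maps each recipient to the verified=1/0 value the filter log would show for it."""
    known = lookup(repo)
    kept, removed, flags = [], [], {}
    for rcpt in recipients:
        valid = rcpt.lower() in known
        flags[rcpt] = 1 if valid else 0
        (kept if valid else removed).append(rcpt)
    return kept, removed, flags


def message_disposition(recipients, repo, fail_open=False, lookup=repository_addresses):
    """Combine the rule layer with the General page setting for messages left with no valid
    recipient. Fail-closed is modelled as a temporary failure (assumption of this example)."""
    try:
        kept, removed, flags = verify_recipients(recipients, repo, lookup)
    except RepositoryUnavailable:
        if fail_open:
            # Fail open: accept every recipient rather than lose mail while the source is down.
            return {"action": "continue", "recipients": list(recipients), "removed": [], "verified": {}}
        return {"action": "tempfail", "code": "451", "recipients": [], "removed": [], "verified": {}}
    if not kept:
        # No valid recipient at all: the General setting applies (here: reject with a 550).
        return {"action": "reject", "code": "550", "rule": "verified",
                "recipients": [], "removed": removed, "verified": flags}
    # At least one valid recipient: drop the invalid ones and keep filtering for the rest.
    return {"action": "continue", "rule": "verified" if removed else None,
            "recipients": kept, "removed": removed, "verified": flags}


if __name__ == "__main__":
    print(message_disposition(["rachel@example.com", "randy@example.com", "ryan@example.com"], REPOSITORY))
    print(message_disposition(["ryan@example.com"], REPOSITORY))
    print(message_disposition(["ryan@example.com"], REPOSITORY, fail_open=True, lookup=unavailable_source))
```

The trade-off in the Disadvantages list above falls out of the model directly: a stale repository (a real mailbox missing from the lookup set) produces verified=0 for a legitimate recipient, and with the General setting on reject the whole message is refused with a 550 if that was the only recipient.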
Lab 8-1: Enable Recipient Verification

Scenario
You need to prevent messages without legitimate recipients from being processed.

Objectives
• Enable Recipient Verification in the Email Firewall module
• Specify ex.proofpoint.com as the domain where you want to verify recipients
• Enable the verified rule and configure the rule disposition to Reject the recipient
• Test Recipient Verification by sending a message to billybobxx@ex.proofpoint.com

Instructions
1. From the Email Protection tab, navigate to Email Firewall > Recipient Verification > General.
2. Configure the general settings as follows:
a. Select the On radio button and, under Restrict processing to selected policy routes..., select
default_inbound
b. De-select the option to Disable processing for selected policy routes
c. Select the Reject the message and return the following button
d. Click Save Changes
3. From the Email Protection tab, navigate to Email Firewall > Recipient Verification > Profile
4. From the listed profiles, click on profile; then do the following:
a. Set Enable to On
b. Select Verify recipients for specific domains
c. In the text box, enter ex.proofpoint.com
d. Click Save Changes
5. From the Email Protection tab, navigate to Email Firewall > Recipient Verification > Rules
6. From the list of rules, click on verified; then do the following:
a. Set Enable to On
b. In Dispositions, select Reject the recipient and return the following
c. Click Save Changes
7. Test Recipient Verification by sending a message to an invalid recipient.
a. From your mail2_user email client, compose a message to billybobxx@ex.proofpoint.com
(where xx = the number for your PPS)
For example, if your server is vs-62, you would enter billybob62@ex.proofpoint.com.
Note: You must use the correct server (vs) number in the email address for this lab to work!
b. Enter any subject and message text of choice
c. Send the message
You should receive an “Undelivered Mail Returned to Sender” message because the user is
unknown.
8. From the System tab in the management GUI, navigate to Logs and Reports > Log Viewer
a. In the Find field, enter billybobxx.
b. Click Search
c. From the most recent log entry, copy the SID number and paste it into the Find field.
d. In the Highlight, enter 550; then click Search.
A list of log entries appears; one of the entries shows the 550 code is highlighted.
Notice, in the same log entry with the 550 code, you will see rule=verified. This means the verified
rule fired on this message.
Also notice, the number of log entries is limited. Recipient Verification rejects messages with
invalid recipients before the PPS spends much time filtering these messages.
Student Notes
SMTP Rate Control is similar to a local version of PDR. It maintains a local reputation list for known
senders and limits connection rates based solely on your SMTP traffic: spam, virus, invalid recipients and
idle connections. The throttling behavior is completely automatic. You can adjust the thresholds, but it is
recommended that they are left at their defaults, because changing the rate or time thresholds can make
SMTP Rate Control less effective. SMTP Rate Control also allows you to create safe lists so that messages
from listed hosts come through without being throttled.
Maintains local reputation data for known senders
Limit connection rate based solely on your SMTP traffic:
• Spam, Virus %
• Invalid Recipient % (Directory Harvest Attacks)
• Idle Connections
Throttling behavior is completely automated:
• Bad IPs throttled
• Cleaned IP will fall off list after maximum of 24 hours
Safe lists are easy to create (Non-Throttled Hosts List)
• Possible uses include internal servers and trusted hosts
Current status of IP addresses is available in the admin interface
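The bullet list above describes the behaviour in outline; the following Python class is an added example (not the PPS implementation) that shows how such a local reputation tracker fits together: per-source counters, a spam-percentage rule and an invalid-recipient (directory harvest) rule with minimum sample sizes, a Non-Throttled Hosts List that is exempt, a throttle that expires after 24 hours so a cleaned IP falls off the list, and a status view like the Connections page. All thresholds and sample sizes are constructed values, not PPS defaults, and the IP addresses in the usage are documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class HostStats:
    messages: int = 0
    spam: int = 0
    rcpts: int = 0
    invalid_rcpts: int = 0
    throttled_until: Optional[float] = None  # epoch seconds; None = not throttled


class RateControl:
    """Local reputation tracker. Thresholds, minimum sample sizes and the 24-hour expiry
    are constructed for this example; PPS's own defaults are not reproduced here."""

    def __init__(self, spam_pct=50.0, invalid_rcpt_pct=50.0, min_messages=10,
                 min_rcpts=10, throttle_seconds=24 * 3600, non_throttled=()):
        self.spam_pct = spam_pct
        self.invalid_rcpt_pct = invalid_rcpt_pct
        self.min_messages = min_messages
        self.min_rcpts = min_rcpts
        self.throttle_seconds = throttle_seconds
        # Non-Throttled Hosts List: single IPs or CIDR ranges that are never throttled.
        self.non_throttled = [ip_network(n, strict=False) for n in non_throttled]
        self.stats: Dict[str, HostStats] = {}

    def is_exempt(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.non_throttled)

    def is_throttled(self, ip, now):
        s = self.stats.get(ip)
        if s is None or s.throttled_until is None:
            return False
        if now >= s.throttled_until:
            # Cleaned IP falls off the list: forget its history and start fresh.
            self.stats[ip] = HostStats()
            return False
        return True

    def record(self, ip, now, spam=False, rcpts=1, invalid_rcpts=0):
        """Account for one delivery attempt; returns True if it (re)triggered a throttle."""
        self.is_throttled(ip, now)  # expire a stale entry first
        s = self.stats.setdefault(ip, HostStats())
        s.messages += 1
        s.spam += 1 if spam else 0
        s.rcpts += rcpts
        s.invalid_rcpts += invalid_rcpts
        if self.is_exempt(ip):
            return False  # tracked for the status view, but never throttled
        spam_rule = s.messages >= self.min_messages and 100.0 * s.spam / s.messages > self.spam_pct
        dha_rule = s.rcpts >= self.min_rcpts and 100.0 * s.invalid_rcpts / s.rcpts > self.invalid_rcpt_pct
        if spam_rule or dha_rule:
            s.throttled_until = now + self.throttle_seconds
            return True
        return False

    def add_non_throttled(self, ip):
        """The 'Add IP to Non-throttled Hosts' action: safe-list the host and lift any throttle."""
        self.non_throttled.append(ip_network(ip, strict=False))
        if ip in self.stats:
            self.stats[ip].throttled_until = None

    def status(self, now) -> List[dict]:
        """Rows like the Connections page: IP, spam %, invalid-recipient %, throttled flag."""
        rows = []
        for ip in list(self.stats):
            throttled = self.is_throttled(ip, now)  # may reset an expired entry
            s = self.stats[ip]
            rows.append({
                "ip": ip,
                "spam_pct": round(100.0 * s.spam / s.messages, 1) if s.messages else 0.0,
                "invalid_rcpt_pct": round(100.0 * s.invalid_rcpts / s.rcpts, 1) if s.rcpts else 0.0,
                "throttled": throttled,
            })
        return rows


if __name__ == "__main__":
    rc = RateControl()
    for _ in range(10):
        rc.record("10.25.0.60", now=0, spam=True)  # the lab's spam stream source
    print(rc.status(now=60))
    rc.add_non_throttled("10.25.0.60")             # what step 6 of Lab 8-2 does
    print(rc.status(now=60))
```

The minimum sample sizes are what keep a single bad message from throttling a host, and the expiry plus counter reset is what lets a source that has been cleaned up recover without an administrator intervening, which is the automatic behaviour the notes describe.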
Student Notes
Email Protection Configuration Best Practices: SMTP Rate Control - SMTP Rate Control is active, its
Directory Harvest Attack (DHA) rule is enabled, and Recipient Verification is also enabled.
Lab 8-2: Implement SMTP Rate Control

Scenario
You have been called upon to mitigate spam attacks

Objectives
• Enable SMTP Rate Control
• STOP and wait for instructor to start Spam stream
• View the Spam % for 10.25.0.60
• Remove the throttle on this IP address

Instructions
1. From the Email Protection tab, navigate to Email Firewall > SMTP Rate Control > Configuration.
The SMTP Rate Control Configuration screen appears.
2. Set Enable to On
3. Click Save Changes
4. STOP: Wait for your instructor to spam your server. This may take a few moments.
Note an increase in the number of quarantined mails shown on the status bar at the bottom of your
screen as the spam messages come in.
5. Navigate to Email Firewall > SMTP Rate Control > Connections
Note that the IP address 10.25.0.60 has been throttled as the percentage of spam messages from this
source exceeds the threshold set by the SMTP Rate Control rules.
This is the IP address of the training lab environment mail server. As we have effectively throttled our
own mail server in this exercise, we need to remove the throttle before we can continue. To do this, we
will safe-list the IP address by adding it to the non-throttled hosts list.
6. Click the check box on the row assigned to the address and select Add IP to Non-throttled Hosts
from the Options menu.
Student Notes
When spammers use your organization's domain to forge sender email addresses, the bounced messages
return to your organization. Bounce management solves this problem by using a key to sign your
organization's outbound messages. This signature is used to verify inbound bounce notifications. The
bounce notifications resulting from spam will not have the appropriate signature and can therefore be
blocked.
Bounce Management uses Bounce Address Tag Validation (BATV).
• Open standard
• Ensures email returned to your system was sent from your system
• Signs the envelope sender address and the return address headers on outbound messages.
• Legitimate bounces are returned to the signed sender address
• Bounces with an unsigned recipient address are identified as backscatter
• Default rule looks for null sender (<>)
Student Notes
Bounce Address Tag Validation is an open standard that ensures return mail was sent from your system. It
tags the envelope sender address and return address header of outgoing messages. A rule is created to
look for bounce-back messages carrying a tag in order to verify their legitimacy. This helps eliminate
backscatter; however, because bounces are legitimate mail, you cannot simply identify them as spam.
BATV Address Format
prvs=0192a86d6f=user@example.com
• prvs identifies a BATV-signed address
• 0 identifies which key was used (there are 10 slots)
• 192 is an expiration date stamp
• a86d6f is the hexadecimal signature
• user@example.com is the original address
filterd recognizes this syntax, even for addresses signed by other sites. Rule conditions, safe/block lists,
etc. will use the underlying address.
The Proofpoint Protection Server ships with a default Bounce Management policy that disables signing for
the default_inbound policy route.
The default Bounce Management policy contains three rules that will trigger if the following conditions are
met:
• Envelope recipient signature is valid
• Envelope recipient signature is invalid or expired
• Envelope recipient signature is missing
If you add a new Bounce Management policy, it will have these same rules. You cannot change the
conditions of these rules, but you can edit the actions. These default rules are described on the next
page.
Email Protection Configuration Best Practices – Bounce Management (BATV) - Bounce Management
(BATV) is enabled, and all rules are also enabled, especially the 'emptysender' one.
Student Notes
This slide shows an example of a BATV-tagged address. The sender's email address is prepended with a
small collection of information so that any resulting bounces can be recognized. The Proofpoint filter
also recognizes this syntax from other servers and uses just the sender's email address during rule
evaluation.
Bounce Management policies contain the following rules:
• Envelope Recipient Address Signature Is Valid - if the message envelope recipient contains a valid
signature, the message continues to process through the filtering modules. To make changes to the
disposition of this rule, click Edit. You cannot change the condition for this rule.
• Envelope Recipient Address Signature Is Invalid or Expired - if the message envelope recipient
contains an invalid or expired signature, a copy of the message is sent to the Quarantine folder
Bounce Management and the original message is discarded. To make changes to the disposition of
this rule, click Edit. You cannot change the condition for this rule.
• Envelope Recipient Address Signature Is Not Present - these rules are evaluated if the message
envelope recipient does not contain a signature. Their purpose is to distinguish messages that are
bounces from messages that are not. You can create additional rules that trigger on specific
conditions. For example, you can create a rule so that if Any Part of Message Contains "out of office",
processing continues and a copy of the message is sent to a folder in the Quarantine. The rule triggers
when the message contains "out of office" and the envelope recipient signature is not present. When
several rules are listed under the Envelope Recipient Address Signature Is Not Present condition, the
first rule to trigger prevails.
Click Add Rule to create a new rule, or Clone Rule to create a new rule that is based upon an existing rule.

Threat Protection Level 2 — Student Guide

Lesson 9: Email Authentication
Introduction
The purpose of email authentication is to verify information about the origin of an email at the Message
Transfer Agent (MTA) level.
This lesson describes the techniques used to validate or authenticate email arriving to your organization.

Email Authentication

Email Authentication Methods


Sender Policy Framework (SPF)
• Designed to detect spoofed sender addresses in emails, which threat actors often use in phishing
attacks and when sending spam.
• SPF makes it possible for the email receiver to use a DNS query to check that an email claiming to
come from a specific domain (the envelope-from domain) comes from an IP address authorized by
that domain's administrators.
DomainKeys Identified Mail (DKIM)
• Also designed to detect spoofed sender addresses in emails.
• The sending system signs each outgoing email message with a digital signature, linked to a domain
name. The receiving system verifies the signature using the signer's public key which is published in
DNS.
Domain-based Message Authentication Reporting and Conformance (DMARC)
• Also designed to detect spoofed sender addresses in emails.
• Allows sending domain admins to publish a policy in their DNS records to specify which method
(DKIM, SPF or both) is used when sending email from their domain.

Sender Policy Framework (SPF) is an email authentication method.


• Anti-spam protocol used to authenticate or verify the domain of an email sender
• Useful in deterring spammers who often disguise their true Internet address by pretending that their
email comes from a legitimate domain
• PPS performs a DNS query to check the SPF record of the sending domain to determine if the sender
is legitimate
Threat actors may attempt to disguise their spam messages, making them look like they originated from
a legitimate domain. By enabling SPF in PPS, you can eliminate this type of spam: the PPS verifies that
the message was sourced from the domain it claims to come from. The MTA that receives the message
checks that the source IP address of the message matches the IP addresses published for the sending
domain.
The rules in the SPF Rules list include the following conditions, which are predefined by the SPF protocol:
• Pass
• Fail
• Soft Fail
• Neutral
• TempError
• PermError
• None
Each of these conditions is described in the SPF Rules list. Proofpoint has predefined the rules for these
conditions. You can enable, disable, edit, or delete these rules.
DomainKeys Identified Mail (DKIM)
Allows a recipient to verify the authenticity and integrity of a message
• A cryptographic key pair – one private, one public
• The private key is used by the signing agent to sign messages being sent from an organization. The
public key is made available to recipients via DNS TXT records

• The receiving organization can then use the public key to verify the signature
• Validates that no one altered the signed portions of the message while it was on its path to the
recipient

Domain-based Message Authentication, Reporting and Conformance (DMARC)


• DMARC is a method of email authentication that builds on SPF and DKIM. DMARC goes a step further
and uses Identifier Alignment. This requires that not only must SPF or DKIM pass, but it also requires
at least one of the domains used by SPF or DKIM to align with the domain found in the FROM header.

Student Notes
SPF records - their benefits and caveats
• Can reduce attempts by spammers to spoof your domain
  • Email sent from a spammer's unauthorized host is far more likely to be caught by spam filters
• Makes your domain less attractive to spammers
• Doesn't protect the domain from spoofing
  • Only checks the envelope-from (Return-Path) domain, not the From header domain
• Doesn't protect the domain from spam
  • You still need to deploy spam filtering systems and build a domain reputation system
• Doesn't provide authorization of the email sender
  • Only authorizes the email server that sends a message on behalf of a domain
• Works only at the domain level
• A limit of 10 DNS queries exists for resolving the SPF policy
  • The a, mx, ptr and include mechanisms each count toward this limit
• SPF does not cover subdomains
RFC 7208 - Sender Policy Framework (SPF) for Authorizing Use of Domains in Email
Examples to try SPF:
# MX record
dig +short mx ex.proofpoint.com
10 mail.ex.proofpoint.com.
# NS record
host -t ns proofpoint.com
# TXT record
host -t txt proofpoint.com
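The following Python evaluator is an added illustration for this lesson; it is not Proofpoint code and not how the PPS implements SPF. It parses an SPF record, evaluates ip4/ip6/all terms against the connecting IP, returns the same result conditions that appear in the SPF Rules list (pass, fail, softfail, neutral, permerror, none), and counts the DNS-querying mechanisms against the 10-lookup limit from the caveat list above, returning permerror when that limit is exceeded. Terms that need DNS (a, mx, ptr, include, exists, redirect) are only counted, not resolved, so the example runs offline; the sample records, domains and addresses are constructed.

```python
import ipaddress

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10 per check.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
DNS_LOOKUP_LIMIT = 10

# Qualifier prefixes and the result they yield when the mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, name, argument) terms.

    Returns None when the record is not an SPF record at all, which maps to
    the SPF result 'none'.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term:        # modifier, e.g. redirect=_spf.example.net or exp=explain
            name, arg = term.split("=", 1)
        elif ":" in term:      # mechanism with an argument, e.g. ip4:198.51.100.0/24
            name, arg = term.split(":", 1)
        else:                  # bare mechanism: all, a, mx, ptr
            name, arg = term, ""
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_spf(record, sender_ip):
    """Evaluate one SPF record against the connecting IP, offline.

    ip4/ip6/all are evaluated exactly; terms that need DNS are only counted
    against the lookup limit and treated as non-matching (a simplification).
    """
    terms = parse_spf(record)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    lookups = 0
    for qualifier, name, arg in terms:
        if name in DNS_LOOKUP_TERMS:
            lookups += 1
            if lookups > DNS_LOOKUP_LIMIT:
                return "permerror"      # more than 10 DNS-querying terms
            continue
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed address/CIDR in the published record
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
        elif name == "exp":
            continue                    # explanation modifier, no effect on the result
        else:
            return "permerror"          # unknown mechanism
    return "neutral"                    # RFC 7208 section 4.7: no term matched


# Constructed sample records; the domains and addresses are placeholders.
SAMPLE_STRICT = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 mx -all"
SAMPLE_SOFT = "v=spf1 ip4:198.51.100.0/24 ~all"
SAMPLE_OVER_LIMIT = (
    "v=spf1 " + " ".join(f"include:_spf{i}.example.net" for i in range(11)) + " -all"
)
```

The result strings map onto the rule names in the PPS SPF Rules list (Soft Fail is "softfail", PermError is "permerror"); a record with eleven include: terms produces permerror even when an ip4 term would have matched later, which is the usual cause of unexpected PermError results on large SPF records.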

Student Notes
DKIM not only verifies that a message originated from the source it claims to come from, but also that the
message was not altered in transit by a man-in-the-middle attack. DKIM relies on asymmetric cryptography
using a public/private key pair.
RFC 5585 - DomainKeys Identified Mail (DKIM) Service Overview
RFC 6376 - DomainKeys Identified Mail (DKIM) Signatures
RFC 5863 - DomainKeys Identified Mail (DKIM) Development, Deployment, and Operations

Student Notes
dig +short txt corp-2019-08-07._domainkey.proofpoint.com
"v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyX32/SyepLjp0TW372fzo"
"RjIV+xSMqKM5JkEhmvrrF2HyzNTNHCwY2h2SjA7RF1psqJG8rQXdBvkySa5/6189u0uGV9NywAP7Lzj6RGjnRrT9BdETZg8wUx6JyQ+Ze1BZNUujVyKb54ZYygTIo9lw"
"ePvwKIekj1SQBhwdQ+H374QfqrACyFU3b1JYAtaWNTGCFDaQXwBlW98Yeckj3/lf0QUdN8axnjnS0kGKEgcW2pSoOm4OaRYEDRAYlFf71Ry0UylO7ePGo0tvQCNLd8Yo"
"oOQcpYn5aw9WiBxLL5XbBC6OcLLD+JU0mjaZL3BWsssrA/wbkX/YxjGVKhWqbFU7wIDAQAB"
• The DKIM signature is carried in the message in an additional header (DKIM-Signature)
• Simple canonicalization removes only empty lines at the end of the body
• Relaxed canonicalization removes empty lines at the end of the body and also trims and collapses
whitespace

Student Notes
Each string in a DNS TXT record cannot be longer than 255 characters, and DKIM records can get quite
lengthy (keys are commonly more than 2048 bits), so splitting them is sometimes unavoidable. To split a
DKIM record, cut the key string into multiple parts, as in the slide example:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyX32/SyepLjp0TW372fz
oRjIV+xSMqKM5JkEhmvrrF2HyzNTNHCwY2h2SjA7RF1psqJG8rQXdBvkySa5/618
9u0uGV9NywAP7Lzj6RGjnRrT9BdETZg8wUx6JyQ+Ze1BZNUujVyKb54ZYygTIo9l
wePvwKIekj1SQBhwdQ+H374QfqrACyFU3b1JYAtaWNTGCFDaQXwBlW98Yeckj3/l
f0QUdN8axnjnS0kGKEgcW2pSoOm4OaRYEDRAYlFf71Ry0UylO7ePGo0tvQCNLd8Y
ooOQcpYn5aw9WiBxLL5XbBC6OcLLD+JU0mjaZL3BWsssrA/wbkX/YxjGVKhWqbFU
7wIDAQAB
-----END PUBLIC KEY-----
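As an added example for the two DKIM slides above (it is not course material or Proofpoint code), the Python below implements the simple and relaxed body canonicalizations named on the previous slide, computes the bh= body hash that a DKIM-Signature header carries, checks a header's bh= against the body it arrived with, and splits a long key string into the 255-character TXT strings that the dig output shows. RSA verification of the b= tag is deliberately left out, since it needs the selector's public key; the sample message body and signature are constructed, and the domain and selector in the signature are placeholders.

```python
import base64
import hashlib
import re


def canonicalize_body(body, mode="relaxed"):
    """Body canonicalization per RFC 6376 section 3.4.

    simple : remove empty lines at the end of the body, change nothing else.
    relaxed: additionally strip trailing whitespace on every line and collapse
             runs of spaces/tabs inside a line to a single space.
    """
    if mode not in ("simple", "relaxed"):
        raise ValueError("mode must be 'simple' or 'relaxed'")
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # RFC 6376: an empty body canonicalizes to CRLF (simple) or nothing (relaxed)
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, mode="relaxed"):
    """The value the bh= tag carries for a=rsa-sha256 signatures."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header or a DKIM DNS record."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            # Folding whitespace inside values (common in b= and p=) is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature, body):
    """First verification step: recompute bh= from the body using the c= body mode.

    The signature over the headers (b=) is not checked here; that step needs
    the RSA public key from the selector's TXT record.
    """
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")          # c=header/body; body defaults to simple
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    return tags.get("bh") == body_hash(body, body_mode)


def split_txt_record(value, limit=255):
    """Split a long TXT value into the <=255-character strings DNS requires.

    Resolvers concatenate the strings again, which is why dig shows several
    quoted parts for one DKIM record.
    """
    return [value[i:i + limit] for i in range(0, len(value), limit)]


# Constructed sample message body (not a real message): extra spaces, a tab and
# trailing empty lines so that the two canonicalizations visibly differ.
SAMPLE_BODY = "Hello  team,\t \r\nPlease review   the report.\r\n\r\n\r\n"
# A DKIM-Signature built for the sample; d= and s= are placeholders and b= is not a real signature.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.invalid; s=sel1; "
    "h=from:to:subject; bh=" + body_hash(SAMPLE_BODY, "relaxed") + "; b=PLACEHOLDER"
)
```

A body hash mismatch is the usual reason a forwarded or footer-appended message fails DKIM verification: the relaxed mode survives whitespace changes, but any change to the visible text alters bh= and the signature fails regardless of how the headers were signed.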

Student Notes
SPF and DKIM drawbacks
• These mechanisms work in isolation from each other
• Each receiver makes unique decisions about how to evaluate the results
• The legitimate domain owner never gets any feedback
• The challenge for senders: mail authentication is hard, and its benefit is uncertain
• No alignment mechanism exists between the different addresses in a message

Student Notes
DMARC also gives domain owners the ability to specify how email that pretends to come from their
domain is processed by the recipient. Domain owners can publish in a DNS TXT record (the DMARC
record) a policy that dictates the action a receiving MTA should take if authentication using SPF and
DKIM fails. The options are quarantine, reject, or none.
Domain owners can also indicate in their DMARC record an email address to which the receiving
organization should send a report. This reporting mechanism lets an organization become aware that
someone out there is pretending to be them.
dig +short txt _dmarc.proofpoint.com
"v=DMARC1; p=reject; sp=reject; fo=1;
rua=mailto:dmarc_rua@emaildefense.proofpoint.com;
ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com"

Student Notes
More details on DMARC parameters
https://www.iana.org/assignments/dmarc-parameters/dmarc-parameters.xhtml
Domain-based Message Authentication, Reporting, and Conformance (DMARC) Parameters

• adkim - DKIM alignment mode
• aspf - SPF alignment mode
• fo - Failure reporting options
• np - Requested handling policy for non-existent subdomains
• p - Requested handling policy
• pct - Sampling rate
• rf - Failure reporting format(s)
• ri - Aggregate reporting interval
• rua - Reporting URI(s) for aggregate data
• ruf - Reporting URI(s) for failure data
• sp - Requested handling policy for subdomains
• v - Specification version

fo=0: Generate a DMARC failure report if all underlying authentication mechanisms (SPF and DKIM) fail
to produce an aligned “pass” result. (Default)
fo=1: Generate a DMARC failure report if any underlying authentication mechanism (SPF or DKIM)
produced something other than an aligned “pass” result. (Recommended)
fo=d: Generate a DKIM failure report if the message had a signature that failed evaluation, regardless of
its alignment.
fo=s: Generate an SPF failure report if the message failed SPF evaluation, regardless of its alignment.

Student Notes
There are two types of reports that a DMARC failure can produce: RUA (aggregate report) and RUF
(forensic report). The value of these tags is the email address to which you want the reports sent. If you do
not want one of these reports, leave the field empty. The domain of the email address used in these fields
does not need to match your domain. For example, you may be using a third party to investigate DMARC
issues for your organization; in that case you would use their email address in the RUA and/or RUF
field.
The aggregate report is very structured. It is formatted in XML, which makes it easy to extract key pieces of
information. The forensic report is less structured. It includes actual pieces of the message, such as
message headers or embedded URLs. If your DMARC record requests forensic reports, there is no
obligation for the recipient organization to provide them if they are unable or unwilling to do so. But to be
compliant with DMARC they should always send the aggregate report if requested.
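The following is an added example of extracting the key pieces of information from an aggregate (RUA) report; it is not from the course material and not Proofpoint tooling. The report is constructed, shaped like the schema in RFC 7489 Appendix C, with placeholder domains and addresses; the second record shows the case a domain owner most wants to see, a source whose raw SPF passed for an unrelated domain but which failed DMARC because nothing aligned with the From header domain.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report; organisation, domains and IP addresses are placeholders.
SAMPLE_RUA = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>sender.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>sender.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>sender.example</domain><result>pass</result></dkim>
      <spf><domain>sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip>
      <count>8</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>sender.example</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Reduce an aggregate report to the reporter, the published policy and one
    flat dict per <record> with the aligned results the receiver evaluated."""
    root = ET.fromstring(xml_text)
    summary = {
        "org": root.findtext("report_metadata/org_name"),
        "report_id": root.findtext("report_metadata/report_id"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": [],
    }
    for record in root.iter("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        summary["rows"].append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),     # aligned DKIM result, not raw
            "spf": evaluated.findtext("spf"),       # aligned SPF result, not raw
            "header_from": record.findtext("identifiers/header_from"),
            "raw_spf_domain": record.findtext("auth_results/spf/domain"),
        })
    return summary


def unaligned_sources(summary):
    """Message counts per source IP that failed DMARC (no aligned pass at all)."""
    totals = defaultdict(int)
    for row in summary["rows"]:
        if row["dkim"] != "pass" and row["spf"] != "pass":
            totals[row["source_ip"]] += row["count"]
    return dict(totals)
```

The policy_evaluated block carries the aligned results, which is what the page's DMARC rules act on; the raw auth_results block is where you find out why a source failed (here an SPF pass for bulk-sender.example that does not align with sender.example). Reports arrive from arbitrary receivers, so a production parser should use defusedxml or an equivalent hardened parser instead of the standard-library one.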

Student Notes
Example of an Aggregate Report.

Student Notes
Example of a Failure Report.

Student Notes
An Authenticated Received Chain (ARC) seal should be added when an intermediary:
• Inserts or changes the Subject header
• Appends disclaimers and footers
• Strips attachments
• Changes the content encoding
• Passes the message across a trust boundary

Student Notes
The proofpoint_arc domain set is used for DMARC Authenticated Received Chain (ARC) validation in the
Email Authentication Module. If your organization has enabled DMARC and also ARC, the proofpoint_arc
Domain Set is automatically applied. It contains a sample set of domains. Administrators must update the
list for the proofpoint_arc Domain Set before enabling ARC.
ARC is applied only if a given domain has a blocking action (for example, p=reject or p=quarantine) in its
published DMARC policy and the email is ARC signed.

Student Notes
Navigate to Email Authentication > Settings and enter the FQDN of your configuration master.

Student Notes
Navigate to Email Authentication > SPF > General. Enable the feature and select the policy routes that
define those messages you want to perform SPF checks against.
You may need to specify policy routes you don’t want to perform SPF checks against, such as a trusted
partner or organization. To do this you would select those policy routes under “Disable processing for
selected policy routes….”.

Student Notes
There are many rules you can enable for SPF. For a full description of the condition behind each one, refer
to RFC 7208. The default action is set to "Continue to process the message", so be sure to edit the action
for these rules if you want to block messages that fail SPF.
Leave the action of the Fail rule as it is, because SPF records fail frequently for legitimate mail.

Student Notes
To manage the inbound side of DKIM, navigate to Email Authentication > DKIM > General. Enable the
feature and select the policy routes you do or do not want to perform DKIM checks on.

Student Notes
Once you have created a Domain Set you can reference it in a DKIM rule. Create as many rules as
necessary with the requisite conditions and dispositions.

Student Notes
DMARC is simple to configure. Navigate to Email Authentication > DMARC > General. Enable the
feature and select the appropriate policy routes. Remember that DMARC acts on messages only if SPF or
DKIM fail. If you have not configured SPF or DKIM you will see links taking you to those configuration
menus.

Student Notes
To manage DMARC rules, navigate to Email Authentication > DMARC > Rules. There are many default
rules, as per RFC 7489, which can be enabled, disabled, or edited. You can also add more rules if needed.
Use the Email Authentication > DMARC > Rules page to edit, enable, disable, or delete existing DMARC
rules.
The default rules in the DMARC Rules list include the following conditions:
• NoRecord - the message DMARC record equals None and the message continues to process
through the filtering engines.
• NoRecordFailSPF - the message DMARC record equals None and its SPF result is Fail. The message
is rejected with a reply to the sender.
• Pass - the message DMARC result is Pass and the message continues to process through the filtering
engines.
• Quarantine - the message DMARC result is Quarantine. The original message is discarded and a
copy is placed in the Quarantine folder DMARC Quarantine.
• Reject_Verified_DMARC – the DMARC domain is verified as known by Proofpoint and the DMARC
result is Reject. A copy of the message is placed in the Quarantine folder DMARC Reject.
• Reject - the message DMARC result is Reject. The message is rejected with a reply to the sender and
a copy is placed in the Quarantine folder DMARC Reject.
• None - the message DMARC result is None. The message continues to process through the filtering
engines.
• TempError - the message DMARC result is Temporary Error. The message is rejected temporarily with
a 4XX return code, and a copy is placed in the Quarantine folder DMARC Temp Error. The sending
MTA may retry at some later point.
• PermError - the message DMARC result is Permanent Error. The message is rejected permanently
with a 5XX return code.

Student Notes
When the PPS is filtering inbound email against SPF, DKIM and DMARC, a message header called
Authentication-Results is added.
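As an added example tying the DMARC slides together (identifier alignment, the _dmarc TXT record with its p=, sp=, adkim= and aspf= tags, and the Authentication-Results header the PPS adds), the Python below is not Proofpoint code and not the Email Authentication module's logic. It parses an Authentication-Results header into the per-method results, parses a DMARC record with the RFC 7489 defaults, applies relaxed or strict alignment against the From header domain, and returns the DMARC result together with the action the domain owner requested. The organizational-domain test is simplified to the last two labels (a real implementation uses the Public Suffix List), pct= sampling is not applied, and the header values, hostnames, domains and addresses are constructed placeholders.

```python
import re


def parse_auth_results(header_value):
    """Parse an Authentication-Results header (RFC 8601) into
    (authserv-id, {method: {"result": ..., "<ptype.property>": value, ...}}).
    Only the first instance of each method is kept."""
    stanzas = [s.strip() for s in header_value.split(";")]
    authserv_id = stanzas[0].split()[0]
    results = {}
    for stanza in stanzas[1:]:
        match = re.match(r"(\w+)=(\w+)(.*)", stanza, re.DOTALL)
        if not match:
            continue
        method, result, rest = match.groups()
        # Properties look like smtp.mailfrom=... or header.d=...; comments in () are skipped.
        props = dict(re.findall(r"([\w-]+\.[\w-]+)=([^\s;()]+)", rest))
        results.setdefault(method.lower(), {"result": result.lower(), **props})
    return authserv_id, results


def org_domain(domain):
    """Organizational domain. Simplification: the last two labels; a real
    implementation consults the Public Suffix List (RFC 7489 section 3.2)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs the same organizational domain."""
    if not auth_domain:
        return False
    auth_domain = auth_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc_record(txt):
    """Parse the _dmarc TXT record; None when there is no usable record."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")       # defaults from RFC 7489 section 6.3
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    return tags


def evaluate_dmarc(dmarc_txt, from_domain, auth_results, is_subdomain=False):
    """Return (dmarc_result, requested_action).

    dmarc_result is 'none' (no record, the NoRecord condition), 'pass' (at
    least one aligned pass) or 'fail'; requested_action is the p= (or sp=)
    policy the domain owner asked receivers to apply on failure.
    """
    record = parse_dmarc_record(dmarc_txt)
    if record is None:
        return "none", "none"
    dkim = auth_results.get("dkim", {})
    spf = auth_results.get("spf", {})
    dkim_aligned_pass = dkim.get("result") == "pass" and aligned(
        dkim.get("header.d"), from_domain, record["adkim"])
    # smtp.mailfrom may be a full address or just a domain; keep the domain part.
    mailfrom_domain = spf.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    spf_aligned_pass = spf.get("result") == "pass" and aligned(
        mailfrom_domain, from_domain, record["aspf"])
    if dkim_aligned_pass or spf_aligned_pass:
        return "pass", "none"
    return "fail", record["sp"] if is_subdomain else record["p"]


# Constructed samples; the hostnames, domains and addresses are placeholders.
SAMPLE_DMARC = "v=DMARC1; p=reject; sp=quarantine; fo=1; rua=mailto:dmarc-rua@example.invalid"
SAMPLE_AR_LEGIT = (
    "pps.example.invalid; spf=pass smtp.mailfrom=bounce@mail.sender.example; "
    "dkim=pass (good signature) header.d=sender.example header.s=sel1"
)
SAMPLE_AR_SPOOF = "pps.example.invalid; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none"
```

The spoofed sample is the case the lab reproduces: SPF itself passes, because the sending host is authorized for its own envelope-from domain, yet DMARC fails because neither that domain nor any DKIM d= domain aligns with the From header domain, so the record's p=reject is what the Reject rule acts on.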


Lab 9-1: Use Email Authentication

Scenario
You need to configure Email Authentication on your Proofpoint PPS Server to block a spoofed message.

Objectives
• Test and view SPF pass/fail
• Test and view DMARC pass/fail
• View SPF and DMARC resource records on a DNS server

Instructions
1. Configure the Authentication Service Identifier.
a. From the Email Protection tab, navigate to Email Authentication > Settings
b. In the Authentication Service Identifier box, enter the fully-qualified domain name of your PPS
server
For example, vs-19.training.proofpoint.com
c. Click Save Changes
2. Send a test email from your mail2 user to your mail.ex user. Use the subject line of SPF test 1
3. Find the SPF result for your test message.
a. Go to the mail box of your mail.ex user and find your SPF test 1 message.
b. Click the menu icon and choose View Source.

c. Locate the Authentication Results. Did the message get an SPF pass? ____________________
4. Receive a spoofed message.

a. Wait for your instructor to send you a spoofed message that will not be from your mail server.
b. Check your mail.ex user’s inbox to verify the message was delivered with the subject Update 1.
c. View source for that email.
d. Find the Authentication Results. Did the message get an SPF pass?_______________________
e. Can you see the sender's IP address?___________________________________________________
5. Find the SPF rule for the received email.
a. Navigate to Email Protection > SPF > Rules and find the rule that was triggered by the spoofed
email.
What does it say to do with the email?
_____________________________________________________________________________________
6. View the SPF resource record (RR) on the DNS server.
a. Open a command prompt on your RDP server.
Click the Start button in the bottom left corner of the screen and type command and click the icon
for Command Prompt.
b. Enter the following command to get the SPF RR:
nslookup -type=txt training.proofpoint.com 10.25.0.251
where:
-type=txt is the type of RR you want, for example, txt, mx, soa
training.proofpoint.com is the domain name
10.25.0.251 is the address of the name server that you wish to query
c. Is the IP address specified in the SPF record the same as the sender's IP address for the spoofed
email Update 1? ______________________________________________________________________
7. Configure DMARC policies and rules.
a. Go to Email Authentication > DMARC > General
b. Set Enable: On
c. Click Save Changes
d. Go to Email Authentication > DMARC > Rules
e. Edit the reject rule so that the Delivery method is set to Discard.
f. Click Save Changes
8. Send a test email from your mail2 user to your mail.ex user. Use the subject line of DMARC test 1.
9. Locate the DMARC result for your test message.
a. Go to the mail box of your mail.ex user and find your DMARC test 1 message.
b. Click on the menu icon and choose View source.

c. Find the Authentication Results. Did the message get a DMARC pass?
_____________________________________________________________________________________
10. Receive the second spoofed message.
a. Wait for your instructor to send you a second spoofed message that will not be from your SPF
authorized mail server.
b. Check the mail.ex user’s inbox to see if the message was delivered with the subject Update 2. It
should not arrive.
______________________________________________________________________________________

11. Diagnose delivery failure.
a. Go to your PPS and use Smart Search to find out what happened to the email Update 2.
b. Was the message quarantined?
______________________________________________________________________________________
c. If so, which rule caused the quarantine and which quarantine folder is the message in?
d. Which rule was the final rule? ___________________________________________________________
e. Why did the message fail DMARC? ______________________________________________________
12. View the DMARC RR for training.proofpoint.com.
a. Open a command prompt on your RDP server.
b. Enter the following command to get the DMARC RR:
nslookup -type=txt _dmarc.training.proofpoint.com 10.25.0.251

Lesson 10: Spam Detection
Introduction
Proofpoint Protection Server (PPS) uses the Proofpoint Dynamic Reputation Service (PDR) to monitor
inbound email messaging traffic from individual IP addresses and IP subnet ranges to classify suspected
spam based on volume. Anti-spam settings can be applied at the Organization, Sub-Org, Group, or User
level.
Administrators use these custom settings to create a unique set of rules that enable tailored spam policies
that take user preferences into account. This lesson explores PDR and the creation of anti-spam settings
to keep incoming mail safe, secure, and as free of spam as possible.

Spam Detection

Student Notes
Dynamic Reputation leverages Proofpoint's machine-learning driven content classification system to
determine which IPs may be compromised to send spam, for example, part of a botnet. The purpose of IP
reputation is to delay or block IPs identified as being part of a botnet or under the control of spammers.
We do not intend to delay or block legitimate email that our customers are expecting.

Student Notes
Proofpoint Dynamic Reputation (PDR) is easy to use, and the IP reputation list it uses is generated by
Proofpoint. Information for PDR is gathered from the Proofpoint MLX engine and is used to maintain the IP
reputation list. An email firewall rule can be set up to check the PDR score for a message and allow or
block it based on that score. It is very effective because it blocks at the connection level, saving you
valuable resources: no message data needs to be processed, which saves CPU cycles. PDR typically
eliminates anywhere from 30 to 70 percent of inbound traffic.
Known as Reputation Service, this feature is a connection management and email reputation service that
uses Proofpoint NetMLX machine-learning technology to block incoming connections from malicious IP
addresses. PDR provides defense against spam, directory harvest attacks, denial of service attacks,
snowshoe spamming, and other email-borne threats.

Student Notes
PDR constantly inspects SMTP connections at the IP address level. When a message arrives at your PPS,
a quick call is made to Proofpoint centralized servers to get the reputation status or score of the sending
IP address. This is a very quick and lightweight query, similar to DNS. Based on the response, your PPS
will process the message according to the rules that have been defined.
The PDR service is automatically set up by way of licensing. Pre-configured rules are included and are
enabled by default. The only changes you can make are to disable the rule or change its disposition. You
cannot add new rules.

Student Notes
Policy spam rules fire on the message categories that the engine classifies. The product creates a numeric
score for each classifier it evaluates, and a score must reach 80 for that classifier's spam rule to fire. This
example shows Classifications and Malware with a score of 80, which causes the Spam rule to fire. Any
classifier must reach a minimum of 80 to trigger its spam rule.
The Spam Detection Module assigns classification scores to each message. The intelligence used to
accomplish this classification is obtained through spam definitions that are retrieved every five minutes
from the PPS Update Servers. Using the spam definitions, the PPS scans each message and assigns it
multiple classification scores. These spam scores range from 0 to 100 (0 signifying that the email is valid,
100 signifying that the email is spam). By default, there are eight categories that can receive a score.
For example, a message arrives and is scanned by the Spam Detection Engine. Based on the most
recently acquired spam definitions, the message gets the scores shown in each of the default categories
shown above. Policy spam rules fire when the engine classifies messages into categories.
Next, the PPS finds a policy that tells it what to do with this message based on the scoring.
The Suspected Spam rule should be disabled.

Student Notes
The Spam Detection Module examines every aspect of incoming email - the sender's IP address, the
message envelope, headers, structure, and the message content and formatting. It applies thousands of
tests to determine the likelihood that a message is spam.

Student Notes
Use Spam Policies, not Policy Routes, to control how spam rules are applied.
• Recommended Configurations
  • Create inbound and outbound spam policies.
  • Create additional policies for groups with different needs.
  • Turn off End User Visible for policies.
    • Prevent accidents
  • Make the default policy the most restrictive
End User Visible Options
You have the option to allow end users to choose which spam policy they want applied to them. In the
example above there are a total of five policies including the default one. In the End User Visible column
administrators can check the box of those policies they want the end user to be allowed to choose from.
The end user can make this selection by logging into their End User Web Application and navigating to
Profile. There they will see the options made available to them by the administrator. If you don’t want end
users to have this option, leave the End User Visible column unchecked. You can assign individual spam
policies to a user in the user repository.

Student Notes
Policies are where you define rules.
Malware Spam
Malware spam is considered most dangerous, and is above all other spam rules that send copies to the
Quarantine. Messages that contain known threats and messages with attachments that contain known
threats are classified as malware spam. Messages caught by this rule are quarantined in the Malware
folder.
Impostor Spam
The impostor spam classification uses scoring derived from the Stateful Composite Scoring Service
(SCSS). It is intended to identify messages from attackers who attempt to defraud your Organization by
spoofing a high-level employee. This rule requires an SCSS license. Messages caught by this rule are
quarantined in the Impostor folder.
Definite Spam
Discards messages that score 100 without sending copies to the Quarantine. This rule is initially disabled
by default since most administrators want to quarantine all spam when they first deploy the Proofpoint
Protection Server. Proofpoint recommends that you delete messages with a spam score of 100. All you
need to do is enable this rule and save your changes.
Phish Spam
Messages caught by this rule are quarantined in the Phish folder. This rule is configured conservatively by
default. To apply a more aggressive stance while possibly incurring a small number of false positives, edit
the rule by clearing the check box for Spam for the Lower Threshold condition.
Adult Spam
Similar to phish, many organizations do not want pornography or adult-natured spam to show up in user
Digests. To apply a more aggressive stance while possibly incurring a small number of false positives, edit
the rule by clearing the check box for Spam for the Lower Threshold condition.
Spam Quarantined
Messages that score 50 and above are discarded and copies are sent to the Quarantine.

Low Priority
This rule displays only if your Organization is licensed for SCSS (the Stateful Composite Scoring Service).
Messages that meet conditions that classify them as Low Priority will be included in the Low Priority Mail -
Delivered (or Low Priority Mail - Quarantined) sections of the email Digest and End User Web Application
so that users can act upon those messages. When messages are classified as Low Priority, and users
provide feedback, the SCSS trains on the characteristics of those messages to classify future messages
as Low Priority.
Bulk Email
Newsletters and advertisements are typically classified as bulk email. By default, bulk email is delivered to
users' inboxes and is also visible to users in their email Digests and Web Application. (The administrator
can control what is included in the Digests and Web Application.) This allows users to determine if they
wish to continue receiving the bulk email from the sender. For example, if a newsletter is sent to a wide
distribution of users, each individual can decide whether or not they want to continue receiving the
newsletter from the sender. Administrators have the option of sending email classified as Bulk to the
Quarantine instead - in that case users would only see the bulk email in the Digest or Web Application.
Either way, users can manage bulk email by allowing or blocking email from the sender using commands
in their Digests or Web Application.
Delay Suspected Messages
The suspected spam classifier is scored based on a number of message attributes which are found in
spam but by themselves are not enough to generate a spam score above 50. By delaying such messages
until later spam definitions are received, it is likely that you will be able to stop additional spam that would
not otherwise have been stopped. Messages suspected of being spam that score 80 or above are stored
in a Suspected Spam folder for a period of time until new spam MLX definitions are available. Messages
are re-filtered for spam after the new definitions are available.
Circle of Trust
This requires a license for the Stateful Composite Scoring Service - SCSS. This rule is meant for a small
group of users in your Organization. See About the Circle of Trust Classifier for more information.
Not Spam
This rule is unique in that its condition cannot be modified, and the rule cannot be disabled, removed, or
re-ordered in the list of rules. You can modify the Dispositions of this rule if you wish. This rule should
always be the bottom rule and it is meant to protect the administrator. If you moved this rule higher on the
list, it would possibly cause spam to enter your email infrastructure. If you deleted this rule it would cause
some set of messages not to be scored at all.

Threat Protection Level 2 — Student Guide

Student Notes
This Delivery Option applies only to the Spam Detection Module. When you select it, messages that are
classified as Bulk Email are included in the email Digest and Web Application for the users in your
Organization. This gives each user the opportunity to continue to receive bulk email from the sender, or to
stop receiving email from the sender.
Low Priority Mail - Delivered means the email is already delivered to the user's inbox and a copy is
included in the Digest and Web Application.
Low Priority Mail - Quarantined means the message is not delivered to the user's inbox, but a copy is
placed in the Quarantine.
Users decide whether or not they want to receive future messages from the sender with the Allow Sender
and Block Sender commands available in the Digest and Web Application.

Lab 10-1: Create a New Spam Detection Policy

Scenario
Administrators may need to create a new spam policy.

Objectives
• Create a new policy that is selectable by the end user.

Instructions
1. From the Email Protection tab, navigate to Spam Detection > Policies > Policies.
2. Select the default policy.
This policy contains rules related to spam and bulk email:
• The spam rule – Condition spam score > 50 – enabled by default
• The bulk rule – Condition bulk email score >= 80 – enabled by default
• The lowpriority rule – Condition low priority score >=80 – not enabled by default
• The notspam rule – Condition spam score >= 0 – enabled by default
3. Go back to Spam Detection > Policies > Policies
4. Clone the default policy to create the spampol_lp policy:
a. Click Add Policy; then configure the new policy as follows:
• Name: spampol_lp
• Description: optional
• Clone the Classification Policy Rules From: default
b. Click Save Changes
5. From the Policies page, select spampol_lp to see the rules.
6. Enable the spampol_lp lowpriority rule in the new policy and disable the spampol_lp bulk rule; then click
Save Changes
7. Go back to Spam Detection > Policies > Policies
8. For the spampol_lp policy, the End User Visible check box should be checked by default.
After completing this, your users can manage their low priority messages without your intervention
and still be compliant with organizational policies.

Student Notes
SCSS makes spam classification more accurate. By enabling this feature, you are authorizing Proofpoint
to collect metadata from your PPS and review it in Proofpoint’s threat centers using automated software.
This allows Proofpoint to better characterize what your emails look like, leading to reduced false positives.
The SCSS option is a licensed option. The license is free. Contact your Proofpoint representative or
open a case to acquire the license.
When Stateful Composite Scoring Service (SCSS) is activated:
• Spam effectiveness is improved, false positives are reduced, and the overall user experience improves
• The PPS cluster goes into an impostor “learning state”
  • No impostor scoring occurs during the learning state
  • Proofpoint monitors customer traffic during this period
    • Evaluates how traffic scored
    • Ensures no false positives
  • To move out of the learning state, these thresholds must be met
    • Minimum learning time of ~9 days
    • Volume of 2K messages
  • Totally automated process

Student Notes
Another great feature of this module is the ability to enable users to report false negatives. The easiest way
to do this is to include them in the audit group. Their mail will be quarantined and they will have the option
to select messages and report them as a false positive, false negative or other. This can also be followed
up by opening a CTS ticket. Please note that oftentimes, mailing lists and bulk mail are not
considered spam by default.
False positives occur when the PPS considers a message to be spam when in fact the message is
legitimate and should have been delivered. To help fine tune the spam definitions and reduce the
occurrence of false positives/negatives, you should report them to Proofpoint. Navigate to the message in
the system quarantine, select the message, and then select Options > Report.

Student Notes
Select the appropriate actual reason and message type options, and then fill in the Comments field as
appropriate. After completing the form, click Report at the bottom. This does not open a case with
Customer Support. You will not be notified of the findings. If it is determined that your reported case is in
fact correct and the message should not have been classified as spam, then the spam definitions will be
updated.
The Actual Reason options are
• FP (Legitimate Mail) for false positives
• FN (Spam) for false negatives
• Other
The Message Type options are
• Business/Personal Mail
• Legitimate Bulk Mail (Opt-In)
• Zero-Hour

Student Notes
If you would like to open a case for a false positive, rather than just reporting it, you can do so by using
the Proofpoint Customer Success Center. Select “Email Classification Errors (FN/FP)” as the case record
type. Then click continue.

Student Notes
Complete all necessary fields, including a description or justification. Then click Browse at the bottom to
attach a sample message. It is preferable that the sample come from the system quarantine folder rather
than the user’s email client inbox.
• A single message can be uploaded as a .msg, .txt, .eml, or .822 file.
• Multiple messages can be uploaded in .tar, .tar.gz, or .zip archive file formats.
• Provide the Reference ID generated by the PPS when reported from the Quarantine.

Student Notes
The Audit folder can be used to keep copies of emails for later analysis.
Scenario
A user complains that emails are reaching them that should have been filtered by the PPS Spam Module.
Administrative Action
1. Configure the notspam rule to keep copies of the messages in the Audit folder, so that the user can
indicate which ones should be classified as spam.
2. Enabling the Audit folder on the rule does not mean all users’ emails that trigger that rule are kept,
because that could potentially use a lot of disk space. You must also go to the user’s account in the
user repository and enable the Audit folder on their account. Only users with the Audit folder enabled
can have their messages kept in the Audit folder.

Lab 10-2: Enable Audit

Scenario
Often an end user would like to release a piece of mail that was misclassified. This is difficult with the
default configuration because, to release it, a message must be in the quarantine.

Objectives
• Enable the Audit Feature
• From Spam Detection > Policies > Rules, select the default policy
• Enable audit for the notspam rule
• Enable auditing for your mail.ex user
• Test the audit configuration by sending a message and verifying that it is quarantined

Instructions
1. From the Email Protection tab, navigate to Spam Detection > Policies > Rules
The Spam Rules screen appears.
2. From the Policy drop-down menu, select the default policy.
3. Enable audit for the notspam rule.
a. Click the notspam rule
b. From the options in the Dispositions list, check Include in Audit folder in the Quarantine
c. Click Save Changes
4. Enable auditing for your mail.ex user.
a. On the System tab, navigate to User Management > Users
b. Locate your mail.ex_user and click on the user’s ex.proofpoint.com email address
c. Click the Filtering tab
d. From the Audit Message drop-down menu, select Yes
e. Click Save Changes
5. Test the audit configuration by sending a message and verifying that it is quarantined to the Audit
folder under Quarantine > Messages
6. Disable auditing for your mail.ex user.

Student Notes
Custom spam rules are processed by the access module, like Email Firewall Rules.

Student Notes
Although safe and block lists are solely a feature of the spam module, they can still impact other rules. An
Organization block list executes a blocked rule for the spam policy while an Organization safe list
executes a safe rule. When either of these rules executes, it applies to all recipients of the message,
unless the list is specific to the end user. In that case, it applies only to the individual recipient.
It is important to keep in mind that block lists take priority over safe lists and Organization block lists take
priority over user safe lists. Any messages that are blocked from the safe list will not be in the digest.
Although we do support these types of lists, their use is not recommended. Our recommendation is to
make alterations to your spam engine instead so that you don’t have to manage these lists manually.

Lab 10-3: Working with Organizational Safe Lists

Scenario
Training.proofpoint.com has a business partner with several machines that it trusts. Mail from these
machines is being identified incorrectly as spam. They would like to add these machines to the
organizational safe list.

Objectives
• Create an organizational safe list based on IP address and verify it works
• Create an email firewall rule to discard mail from the same IP address and see if it has precedence

Instructions
1. Add an entry for 10.25.0.70 to the organizational safe list.
a. From the Email Protection tab, navigate to Spam Detection > Organizational Safe List
b. Click Add
• Filter Type: Sender IP Address
• Operator: Equals
• Value: 10.25.0.70
c. Click Add Entry
d. Click Save Changes
2. Verify the configuration of the safe list entry.
a. Send an email from the mail2_user to the mail.ex_user
b. When the message arrives in the mail.ex user’s inbox, open the message
c. Click the Menu icon; then select View source
d. Find X-Proofpoint-Spam-Reason: orgsafe in the message header
3. Configure an email firewall rule that discards mail from the same IP address.
a. From the Email Protection tab, navigate to Email Firewall > Rules
b. Click Add Rule
• Enable: On
• ID: discard_IP
c. Click Add Condition; then configure the following:
• Condition: Sender IP Address
• Operator: Equals
• Value: 10.25.0.70
d. Click Add Condition.
e. For the Delivery Method, select Discard
f. Click Add Rule
4. Test whether the safe list or the firewall rule has precedence.

a. Send another message from the mail2 user to the mail.ex user
b. Check for the message in the mail.ex user’s inbox
The message is not received.
c. Use the Log Viewer to find the log entries for this message and identify which rule won the
judgment
5. Disable the discard_IP rule; then click Save Changes

By default, only one spam policy is present. Proofpoint recommends that customers create two additional
spam policies, cloned from the default spam policy: one policy for processing inbound messages and the
other for processing outbound messages. The out-of-the-box default Organizational spam policy
cannot be deleted, but it will not be actively scanning inbound or outbound email messages. Proofpoint
recommends enabling and configuring separate inbound and outbound policies.
Two separate policies allow more granular control of inbound and outbound filtering. Often,
customers make outbound spam policies less stringent in terms of scoring in an effort to reduce the
likelihood of false positives.
There may be a corporate need to create additional spam policies. One example would be creating an
inbound_nobulk policy whose bulk rule is set to Continue, so the customer gathers statistics they can use
to decide whether they want to turn on the bulk rule.
You can turn off the ability of users to select the policy profile they are using. If you want them to be able
to choose which policy they are using, such as inbound_nobulk and inbound_default, they will also see
the default policy because it always shows up when any policy is made visible.

Student Notes
Inbound Spam Rule Recommendations
• Rule order is critical
• Rule names should reflect policy name
• Do not enable Bulk if Low Priority is enabled
• Disable the Suspect Spam rule
• If both DKIM verification and URL Defense modules are enabled, disable Inbound_suspect or
unexpected behavior may occur. URL rewriting causes problems with reinjected suspect-spam mails
and will break the content of the message when DKIM verification is on. There may be a lot of false
positives which will be delayed for x number of spam updates.
These are recommendations; your specific security posture should be considered.
Recommended Rules Priority for PPS Versions 8.14 and Newer
The table does not include the modifications to the X-Proofpoint headers or subject line.

Student Notes
For outbound rules, Proofpoint recommends adding folder injection alerts on the malicious rules (for
example, Malware, Phish, and Impostor) in case of a break out or compromised user.
Using a folder injection alert allows you to be notified quickly in the event of a quarantined message so
you do not need to manually check these folders daily/weekly.

Student Notes
Domain groups assign domains to spam policies based on the recipient (To:) field.
Change the Organization's spam policy setting to outbound.
Mail to addresses in the inbound domain group will use the inbound policies.
Mail to addresses not in the inbound domain group will use the outbound policies.

Lab 10-4: Creating Inbound and Outbound Spam Policies

Scenario
The server training.proofpoint.com was identified as a source of spam by various reputation services. The
email administrator at Proofpoint training has decided that outbound mail should be evaluated for
malware, phish, and spam. Create inbound and outbound spam policies to protect the reputation of the
mail server.

Objectives
• Create Inbound and Outbound spam policies
• Configure the default spam policy rule order
• Deselect Spam condition from Phish and Adult rules (match table 10.1 below)
• Create and adjust the Inbound spam policy
• Create and adjust the Outbound spam policy
• Disable end user visibility on all spam policies
• Create a Domain Group for the Inbound spam policy
• Apply the Outbound Spam Policy to the Organization

Table 10.1

Classification   Description                Condition
blocked          Spam Block List            Matched Organizational or Personal Block List
malware          Malware Spam               Malware spam score greater than or equal to 50
impostor         Impostor Spam              Impostor spam score greater than or equal to 80
phish            Phish Spam                 Phish spam score greater than or equal to 80
adult            Adult Spam                 Adult spam score greater than or equal to 80 AND spam score
                                            greater than or equal to 50
spam_definite    Definite Spam              Spam score greater than or equal to 100
safe             Spam Safe List             Matched Organizational or Personal Safe List
spam             Spam - Quarantined         Spam score greater than or equal to 50
low priority     Low Priority               Low Priority score greater than or equal to 80
bulk             Bulk Email                 Bulk email score greater than or equal to 80
suspect          Delay Suspected Messages   Suspected spam score greater than or equal to 80
circleoftrust    Circle of Trust            Circle of Trust score greater than 20
notspam          Not Spam                   Spam score greater than or equal to 0

Instructions
1. Configure the default spam policy rule order.
a. From the Email Protection tab, select Spam Detection > Policies > Policies
b. Click default to edit it
c. Drag the rules into the order to match the table above. If dragging isn’t working, you can use the
up and down arrows, but that will take much longer
d. Click on Save Changes
2. Deselect the Spam conditions for Phish and Adult.
a. Click on the Phish rule, deselect the Spam condition; then Save Changes
b. Click on the Adult rule, deselect the Spam condition; then Save Changes
Your default policy should match the table above.
3. Create the Inbound spam policy.
a. From the Email Protection tab, select Spam Detection > Policies > Policies
b. Click on Add Policy
c. Name your first policy inbound_spam
d. Give the policy a description
e. Clone the classification policy from your default policy
f. Click Save Changes
4. Adjust the Inbound spam policy.
a. From the Email Protection tab, navigate to Spam Detection > Policies > Rules.
b. In the drop-down Policy option select your new inbound_spam policy.
c. Make sure the following spam rules (if available) are enabled:
• inbound_spam_blocked
• inbound_spam_malware
• inbound_spam_impostor
• inbound_spam_phish
• inbound_spam_adult
• inbound_spam_spam_definite
• inbound_spam_safe
• inbound_spam_spam
• inbound_spam_lowpriority
d. Click Save Changes

5. Create the Outbound spam policy.


a. From the Email Protection tab, select Spam Detection > Policies > Policies
b. Click on Add Policy
c. Name the policy outbound_spam
d. Give the policy a description
e. Clone the classification policy from your default policy
f. Click Save Changes
6. Adjust the Outbound spam policy.
a. From the Email Protection tab, navigate to Spam Detection > Policies > Rules
b. In the drop-down policy select your new outbound_spam
c. Make sure the following spam rules are checked.
• outbound_spam_blocked
• outbound_spam_malware
• outbound_spam_impostor
• outbound_spam_phish
• outbound_spam_safe
• outbound_spam_spam_definite
• outbound_spam_adult
• outbound_spam_spam
d. Disable other rules, including the additional rules.
e. Click Save Changes
7. Disable end user visibility on all spam policies.
a. From the Email Protection tab, select Spam Detection > Policies > Policies
b. Remove the check marks from End User Visible for all of the policies
c. Click Save Changes
8. Create a Domain Group for the Inbound spam policy.
a. From the System tab, select User Management > Groups
b. Click Add
c. Name this group inbound_spam
d. In the description note that this is the Inbound Spam Policy
e. Change the policy precedence to 150
f. Check the box for Create Domain Group
g. Select Equals as the operator
h. In the Inbound/Outbound Domains select ex.proofpoint.com
i. Use the double arrows >> to move the domain over to the Selected Domains field
j. Click on the Filtering tab
k. For the spam policy select your inbound_spam policy
l. Click Add Entry
9. Apply the Outbound Spam Policy to the Organization.
a. From the System tab, select User Management > Organization > Filtering
b. For the spam policy select outbound_spam
c. Click Save Changes
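The precedence in Table 10.1 and the "rule order is critical" recommendation can be checked mechanically. What follows is an added example, not the PPS engine: it walks the table's order as a first-match list over constructed classifier scores (0 to 100) and list flags, with a switch for the Spam condition that steps 2a and 2b clear on the Phish and Adult rules, and an enabled set for rules a policy turns off. The rule names are the table's; the scores, the classify function and its parameters are assumptions made for the example.

```python
"""First-match evaluation of the spam rule order in Table 10.1 (added
example, not the PPS engine). Classifier scores, list flags and the
classify() API are constructed for this example; dispositions are not
modelled, only which rule fires."""

# Rule order exactly as in the table; notspam is last on purpose.
TABLE_ORDER = ["blocked", "malware", "impostor", "phish", "adult",
               "spam_definite", "safe", "spam", "lowpriority", "bulk",
               "suspect", "circleoftrust", "notspam"]


def _conditions(require_spam_on_phish_adult):
    """Predicates for each rule. The default policy keeps an extra
    'spam score >= 50' (Lower Threshold) condition on Phish and Adult;
    clearing that check box, the more aggressive stance in the lab, is
    require_spam_on_phish_adult=False."""
    def lower(m):
        return (not require_spam_on_phish_adult) or m.get("spam", 0) >= 50

    return {
        "blocked":       lambda m: m.get("blocklisted", False),
        "malware":       lambda m: m.get("malware", 0) >= 50,
        "impostor":      lambda m: m.get("impostor", 0) >= 80,
        "phish":         lambda m: m.get("phish", 0) >= 80 and lower(m),
        "adult":         lambda m: m.get("adult", 0) >= 80 and lower(m),
        "spam_definite": lambda m: m.get("spam", 0) >= 100,
        "safe":          lambda m: m.get("safelisted", False),
        "spam":          lambda m: m.get("spam", 0) >= 50,
        "lowpriority":   lambda m: m.get("lowpriority", 0) >= 80,
        "bulk":          lambda m: m.get("bulk", 0) >= 80,
        "suspect":       lambda m: m.get("suspect", 0) >= 80,
        "circleoftrust": lambda m: m.get("circleoftrust", 0) > 20,
        "notspam":       lambda m: m.get("spam", 0) >= 0,
    }


def classify(message, order=TABLE_ORDER, enabled=None,
             require_spam_on_phish_adult=True):
    """Walk the enabled rules in 'order' and return the first that matches.
    Returns None only when nothing matches, which can happen solely if
    notspam is disabled or removed: exactly the gap the guide warns about."""
    conds = _conditions(require_spam_on_phish_adult)
    for name in order:
        if enabled is not None and name not in enabled:
            continue
        if conds[name](message):
            return name
    return None


if __name__ == "__main__":
    # Constructed scores: a phish with a low generic spam score.
    borderline = {"phish": 90, "spam": 30}
    print(classify(borderline))                                      # notspam
    print(classify(borderline, require_spam_on_phish_adult=False))   # phish
    # Moving notspam to the top lets obvious spam through.
    notspam_first = ["notspam"] + [r for r in TABLE_ORDER if r != "notspam"]
    print(classify({"spam": 95}, order=notspam_first))               # notspam
    # Block list wins over safe list; definite spam wins over safe list.
    print(classify({"blocklisted": True, "safelisted": True}))       # blocked
    print(classify({"spam": 120, "safelisted": True}))               # spam_definite
```

Running the block shows a message with phish score 90 but spam score 30 falling through to notspam under the default conditions and firing phish once the Spam condition is cleared; with notspam moved to the top of the order a spam score of 95 still lands on notspam, which is why the guide insists that rule stays at the bottom. The block list outranking the safe list, and spam_definite outranking it too, also fall straight out of the table's order.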

Lesson 11: Virus Protection
Introduction
Antivirus protection is a key component of the Proofpoint Protection Server. The Proofpoint Protection
Server provides this functionality by integrating optional antivirus engines from several leading antivirus
vendors.

Virus Protection

Student Notes
Enable Virus Protection Module:
Proofpoint recommends that the Virus Protection module is left Enabled, which is the default setting.
Both "Ignore Scan Errors" and "Ignore Password Protected Files" options are set to "Off".
Policy Routes:
From the Virus Protection general settings page, you can apply the Virus Protection Module to
specific routes if you do not want all inbound and outbound messages to be filtered by the Virus
Protection Module.
Virus Scan Errors:
You can configure the Virus Protection Module to ignore messages that are password-protected,
encrypted, corrupted, or have nested archives. This feature is useful, for example, if the email users
have antivirus software installed locally on their systems.
Virus Protection Error:
The Virus Protection Error rule allows you to configure how the PPS behaves if the Virus Protection
Module stops operating properly.

Student Notes
The PPS is designed to operate in a fail-closed manner. In the unlikely event that the Virus Protection
Module stops operating properly, the PPS Virus Protection Module Error rule has the Retry option
selected for the Delivery Method. The Retry option temporarily rejects all messages that contain an
attachment.
To override this and change to a fail-open mode, change the Delivery Method to Continue.

Student Notes
Proofpoint recommends creating two policies named "inbound" and "outbound". The antivirus
module should never be turned off, and both "Ignore Scan Errors" and "Ignore Password Protected Files"
options should be set to "Off".
Do not use or change the "default" policy. The Virus Protection Module provides a default policy (called
default), which you can edit or clone as the basis for creating another policy. You cannot delete the default
policy; you can only modify the set of rules for it.
For example, you may need to create unique Virus Protection policies for different departments or sub-
organizations within your company. One group may request that infected messages be quarantined, and
another group may require that any message with a virus be immediately discarded. Individual Policy
Routes can be created and assigned to each virus protection policy to ensure that mail will be processed
accordingly.
Remember that policy order matters. As you begin creating more policies be sure to consider the
placement of each policy, especially the default policy. Usually it should be at the bottom of the list so that
it triggers last.

Student Notes
The Virus Protection Module classifies messages into any of these conditions:
Messages Not Infected
When the Virus Protection Module is enabled, the PPS needs to know how to process a message that
is virus free. By default, the Continue disposition is configured for the Messages Not Infected
condition. Typically, you should not change this disposition.
Messages Infected
You can create rules to determine how the Virus Protection Module handles messages that are
infected with any virus, or how messages with a specific virus are handled. By default, the Virus
Protection Module is configured to quarantine and discard any message containing any virus.
You may want to handle messages with a specific virus differently. You can create a rule identifying
the specific virus and the action to take when this virus is detected. This is done in the Messages
Contain Specific Virus section of the Messages Infected condition. By default, this option is not pre-
configured.
Messages with Scan Errors
When the condition is Messages with Scan Errors, it means the message is corrupt or is missing
information, preventing further analysis. By default, the Virus Protection Module discards the original
message, places a copy in the Quarantine and annotates the subject line. This default behavior can
be changed by editing the Messages with Scan Errors rule.
The Virus Protection Module can be configured to ignore messages with Scan Errors and allow them
to continue to filter through the other PPS modules. This setting can be found under Virus Protection
Options when navigating to Virus Protection > Settings > General.
Messages with Password Protected Attachments
When the condition is Messages with Password Protected Attachments, by default the Virus
Protection Module discards the original message, places a copy in the Quarantine and annotates the
subject line. This default behavior can be changed by editing the Messages with Password Protected
Attachments rule.

The Virus Protection Module can be configured to ignore messages with password protected
attachments and allow them to continue to filter through the other PPS modules. Users must rely on
desktop virus protection software for virus detection in protected messages. This setting can be found
under Virus Protection Options when navigating to Virus Protection>Settings>General. Messages
that are not filtered by the Proofpoint Protection Server contain "Not Virus Scanned" in the message
header.
Messages Containing Riskware or Spyware
Messages that contain riskware or spyware are discarded. Copies of these messages are sent to the
Quarantine with a new subject header.
This default behavior can be changed by editing the Messages Contain Riskware/Spyware rule.
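The conditions above, together with the Retry/Continue behaviour of the Virus Protection Module Error rule from the earlier notes, combine into one decision per message. The block below is an added example, not PPS code, that models that decision: the attachment test runs on a real MIME message built inline (constructed), the scan verdict is passed in as a label because no engine is involved, and the X-Example-AV header name and the 451 reply text are placeholders chosen for the example (the guide only says the header contains "Not Virus Scanned").

```python
"""Model of the Virus Protection dispositions and the fail-closed Retry
behaviour described in these notes (added example, not PPS code). The
scan verdict is a constructed input; the attachment check runs on a
real MIME message built below."""
from email import message_from_string
from email.message import EmailMessage

# Placeholder header name for mail that bypassed scanning; the guide only
# states that the header contains "Not Virus Scanned".
NOT_SCANNED = "X-Example-AV: Not Virus Scanned"


def has_attachment(raw):
    """True if any MIME part of the raw message is an attachment."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            return True
    return False


def av_disposition(raw, verdict, engine_ok=True, fail_mode="retry",
                   ignore_scan_errors=False, ignore_password_protected=False):
    """Return (disposition, smtp_reply, added_header) for one message.

    verdict:   clean | infected | riskware | scan_error | password_protected
    fail_mode: 'retry' (default, fail-closed) or 'continue' (fail-open),
               i.e. the Delivery Method of the Virus Protection Error rule.
    ignore_*:  the two Virus Protection Options the guide recommends leaving Off."""
    if not engine_ok:
        # Fail-closed: temporarily reject only mail that carries an attachment.
        if fail_mode == "retry" and has_attachment(raw):
            return ("retry", "451 4.7.1 Virus scanning unavailable, try again later", None)
        return ("continue", "250 OK", NOT_SCANNED)
    if verdict == "clean":
        return ("continue", "250 OK", None)
    if verdict in ("infected", "riskware"):
        # Accepted at SMTP, then discarded with a copy placed in the Quarantine.
        return ("discard+quarantine", "250 OK", None)
    if verdict == "scan_error" and ignore_scan_errors:
        return ("continue", "250 OK", NOT_SCANNED)
    if verdict == "password_protected" and ignore_password_protected:
        return ("continue", "250 OK", NOT_SCANNED)
    if verdict in ("scan_error", "password_protected"):
        return ("discard+quarantine", "250 OK", None)
    raise ValueError(f"unknown verdict {verdict!r}")


def sample_message(with_attachment):
    """Constructed MIME message; the zip payload is dummy bytes, not an archive."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "lee@techcompany.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    if with_attachment:
        msg.add_attachment(b"PK\x03\x04 constructed placeholder, not a real archive",
                           maintype="application", subtype="zip",
                           filename="invoice.zip")
    return msg.as_string()


if __name__ == "__main__":
    with_zip, plain = sample_message(True), sample_message(False)
    print(av_disposition(with_zip, "clean", engine_ok=False))   # ('retry', '451 ...', None)
    print(av_disposition(plain, "clean", engine_ok=False))      # ('continue', '250 OK', NOT_SCANNED)
    print(av_disposition(with_zip, "password_protected"))       # ('discard+quarantine', '250 OK', None)
```

The two engine-down calls are the practical point: with the default Retry setting a message without an attachment still flows, while anything carrying an attachment is deferred with a 4xx reply so the sending MTA queues and retries rather than losing the mail.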

Student Notes
The "outbound" policy is a catch-all policy: it takes everything that does not get another policy applied,
and you can deduce that this is mostly outbound traffic. It differs slightly from the inbound policy because we
consider an outbound virus a major event and suggest sending an email warning to a central address
(security, help-desk) for immediate action.

Lesson 12: Impostor Email
Introduction
Impostor Email (phishing, spear phishing, Business Email Compromise) often involves social engineering
to trick users into performing an action that results in the loss of corporate funds, confidential information,
or other items of value.
This lesson provides an overview of strategies to guard against impostor email and counter this type of
threat.

Impostor Email

Student Notes
Business Email Compromise (BEC) often starts with an email in which the attacker poses as someone the
target trusts or “actually becomes” that person by compromising his/her account. Attackers use social
engineering to trick or to threaten their victims into wiring money, sending sensitive data and more.
Because there is no malicious payload, BEC attacks are hard for legacy gateways that only rely on
reputation and malware sandboxing to detect.
• Phishing attack typically aimed at company executives
• Communication to victim is crafted to look like it is from a fellow company executive
• Messages usually contain no malicious URL or attachment payload
• Resemble valid business email
• Engage in informal conversation and establish rapport
• Call to action may come after rapport is established – examples:
  • CEO to CFO requesting execution of money transfer
  • CEO / VFP to HR requesting release of W-2 or other confidential HR information
• Impostor email attacks generate a low volume of email messages
Impostor email threats (also known as email fraud or CEO fraud) are identified as inbound messages from
the Internet where the sender is spoofed to appear like it is coming from the company’s domain.
According to the FBI, this type of scam has siphoned more than $2.3 billion from more than 17,000
victims—and those are just reported incidents.

Student Notes
It detects and blocks the most sophisticated supplier fraud attacks by dynamically analyzing messages
for numerous tactics associated with supplier invoicing fraud, such as:
• Reply-to pivots
• Use of malicious IPs
• Use of impersonated supplier domains
• Words or phrases commonly used in these supplier fraud attacks

Student Notes
Many messages will be quickly recognized by recipients as phishing and discarded. But the small few
that succeed can yield millions of dollars in fraudulent transfers.
Impostor emails succeed for three primary reasons:
• They look and feel legitimate
• They do not include a malicious link or malware attachment
• They do not arrive in high enough volumes to raise red flags in most anti-spam tools
Because these threats do not use malicious attachments or URLs, impostor emails can evade solutions
that look for only malicious content or behavior. That’s why they require a different approach. An effective
solution must dynamically analyze the attributes of all email as it arrives and detect anomalies that point to
an impostor.

Student Notes
Reply-to Spoofing: The Header From: and the Header To: are legitimate, but the Header Reply To: is the
impostor’s email address.
This type of spoofing is commonly used to spoof email from executives and partners. It accounts for 80%
of Impostor Email.
For example:
header To: Lee@techcompany.com
header From: Jessie@techcompany.com
header Reply To: Jessie@gmail.com
Remember that the headers are not seen by the average user when opening and reading email.

Student Notes
Sender Display Name Spoofed: The name of the spoofed executive is in the “From” field of the message,
but the actual address is an outside email account that belongs to the attacker.
This type of spoofing accounts for 21% of Impostor Email.
• Example 1:
    header To: Lee@techcompany.com
    header From: “Jessie Smith” Jessie@gmail.com
• Example 2:
    header To: lee@techcompany.com
    header From: “Jessie Smith <jessie@techcompany.com>” Jessie@gmail.com
In the second example the attacker took an extra step to fool Lee by including the characters
<jessie@techcompany.com> inside the quoted display name of the header From field.


Student Notes
Lookalike Domain (also known as “typosquatting”): The attacker’s “From” address is close enough in
appearance to the impersonated executive’s to fool busy recipients.
This type of spoofing accounts for <1% of Impostor Email.
For example:
    header To: Lee@techcompany.com
    header From: Jessie@teckcompany.com
The attacker owns the address Jessie@teckcompany.com. If Lee does not look closely, she will reply to
this message and the reply will go to the attacker.


Student Notes
Payday: The header From and header Reply-To are legitimate, but the attacker has supplied malicious
instructions. The attacker does not want a reply. Instead, the message sent by the attacker is usually some
type of request, such as a wire transfer order.
This type of spoofing accounts for 2% of Impostor Email.
For example:
    header To: Lee@techcompany.com
    header From: Jessie@techcompany.com
    header Reply-To: Jessie@techcompany.com
    Message Body: “Hi Lee. Please wire transfer $1,000,000 to acme.com (account number 987654321)
    immediately so that we may close on invoice #123456.”
The account number is actually owned by the attacker, not acme.com.


Student Notes
Mitigating Impostor Attacks
There are four ways your PPS can protect you from the damages caused by Impostor Email.
• Deploy DMARC (in Email Authentication)
• Deploy Impostor Classifier in Spam Detection Rules
• Implement Impostor Display Names
• Deploy the pre-defined Anti-Spoof rule


Student Notes
Impostor email threats (also called business email compromise and CEO fraud)
Enforcing DMARC is an effective way to prevent domain spoofing on inbound email.
However, we have found that only a few of you are actually enforcing DMARC at your gateway.
Some of the reasons companies are reluctant to enforce DMARC are:
• They don’t know which DMARC policies to enforce
• Trusted sources sometimes fail DMARC
• There is a high risk of blocking legitimate email


Student Notes
The Spam Detection default policy includes a rule with a classifier for impostor email. The rule requires
that a message get a score of 80 or higher. But how will your PPS recognize a message as impostor email
in order to give it a score? For this feature to work you must enable SCSS (described above) by
navigating to Spam Detection > Settings > General. When first enabled, your PPS goes into an impostor
learning state. During this time no impostor scoring occurs. Your traffic is modeled so that the PPS can
characterize typical traffic before looking for anomalies. As more traffic is modeled, your PPS gets better
at recognizing impostor email and begins scoring messages.
To move out of the learning state, the following thresholds must be met:
• Minimum learning time of 9 days to two weeks
• At least 2000 messages analyzed


Student Notes
This feature of the Spam Detection module allows administrators to create a repository of display names
and legitimate external or personal email addresses for users in their Organization who are most likely to
be targeted for an impostor attack – for example, high-ranking executives. This feature requires you to
enable SCSS (the Stateful Composite Scoring Service).
The Impostor Display Names repository provides input to the Impostor Spam classifier so that it pays more
attention to inbound messages from names on the list; many other factors beyond this list are
considered to determine the Impostor Spam score. Legitimate messages from “Johnna Dutt” will be less
likely to be classified as Impostor Spam, and inbound messages from impostors of “Johnna Dutt” will be
more likely to be classified as Impostor Spam.
For example, if the user “Johnna Dutt” is added to the list because she is an executive who is likely to be
targeted by an impostor, inbound messages that claim to be from “Johnna Dutt” will be more likely to have
a higher Impostor Spam score. Since Johnna may also send legitimate messages to the Organization from
her personal email address (for example, jdutt29@gmail.com), you should include those addresses for her
in the repository so the detection engine is less likely to erroneously give those messages a high
Impostor Spam score. If you enter a display name for "Johnna Dutt" and no external email addresses for
her, messages from "Johnna Dutt" are likely to have a higher Impostor Spam score.
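The header patterns described above (Reply-To spoofing, display-name spoofing with and without the embedded-address trick, lookalike domains) together with the display-name repository described here, as an added Python example that is not Proofpoint's code: the internal domain list, the protected-executive repository with their known personal addresses, and the sample headers are all constructed, and the real Impostor Classifier weighs many more signals than these rules.

```python
"""Header-level checks for the impostor patterns in these notes, plus an
Impostor Display Names style repository. Added example, not Proofpoint code."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed policy data (assumption): the organization's own mail domains and
# a repository mapping each protected executive's display name to the addresses
# they legitimately send from (the jdutt29@gmail.com case in the notes).
INTERNAL_DOMAINS = {"techcompany.com"}
PROTECTED_NAMES = {
    "jessie smith": {"jessie@techcompany.com"},
    "johnna dutt": {"jdutt@techcompany.com", "jdutt29@gmail.com"},
}


def split_address(header_value):
    """Return (display name, address), both lowercased; '' where absent."""
    name, addr = parseaddr(header_value or "")
    return name.strip().lower(), addr.strip().lower()


def domain_of(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; one or two edits from our domain is a typo-squat candidate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(raw_headers):
    """Return the impostor patterns the headers match (empty list = no finding)."""
    msg = message_from_string(raw_headers)
    from_name, from_addr = split_address(msg.get("From"))
    _, reply_addr = split_address(msg.get("Reply-To"))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = []

    # Reply-To spoofing: From is internal, but replies are steered to an
    # outside mailbox the recipient never sees in the mail client.
    if from_dom in INTERNAL_DOMAINS and reply_dom and reply_dom not in INTERNAL_DOMAINS:
        findings.append("reply-to-spoof")

    # Lookalike domain: almost, but not exactly, one of our own domains.
    for dom in INTERNAL_DOMAINS:
        if from_dom != dom and edit_distance(from_dom, dom) <= 2:
            findings.append("lookalike-domain")

    # Display-name spoofing: a protected executive's name on an outside
    # address that is not one of their registered personal addresses.
    if from_dom not in INTERNAL_DOMAINS:
        # The "extra step" variant hides an internal address inside the
        # quoted display name; strip it so the name still matches the list.
        bare_name = re.sub(r"<[^>]*>", "", from_name).strip()
        if bare_name != from_name:
            findings.append("embedded-address-in-display-name")
        known_addresses = PROTECTED_NAMES.get(bare_name)
        if known_addresses is not None and from_addr not in known_addresses:
            findings.append("display-name-spoof")

    # The Payday pattern (genuine From and Reply-To, fraudulent instructions in
    # the body) leaves nothing for header checks to catch; it needs content analysis.
    return findings


# Constructed header sets mirroring the examples in these notes (RFC 5322 form).
SAMPLES = {
    "reply_to": "To: Lee@techcompany.com\nFrom: Jessie@techcompany.com\n"
                "Reply-To: Jessie@gmail.com\n",
    "display_name": 'To: Lee@techcompany.com\nFrom: "Jessie Smith" <Jessie@gmail.com>\n',
    "display_name_embedded": "To: lee@techcompany.com\n"
                             'From: "Jessie Smith <jessie@techcompany.com>" <Jessie@gmail.com>\n',
    "lookalike": "To: Lee@techcompany.com\nFrom: Jessie@teckcompany.com\n",
    "payday": "To: Lee@techcompany.com\nFrom: Jessie@techcompany.com\n"
              "Reply-To: Jessie@techcompany.com\n",
    "johnna_personal": 'To: Lee@techcompany.com\nFrom: "Johnna Dutt" <jdutt29@gmail.com>\n',
}


def classify_samples():
    return {name: classify(headers) for name, headers in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in classify_samples().items():
        print(f"{name:24s} {findings or ['no header finding']}")
```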


Student Notes
• Ensure appropriate domains are filled in
    • Preferably all mail domains are included. If you have too many domains, focus on the top
      domains
• Deploy in audit mode to confirm impact
• Establish exceptions under the "pp_spoofsafe" policy route
    • This can be a HUGE challenge
    • Consider scenarios such as marketing partners sending mail on the customer’s behalf and other
      trusted partners
    • Examples
        • Sender IP address equals 150.140.130.120
        • Sender hostname equals smtp1.mymarketingfirm.com


Lab 12-1: Deploy the Anti-Spoof Rule

Scenario
You will begin mitigating Impostor email by deploying the Anti-Spoof rule. Other options you plan to use
to protect your enterprise from Impostor email include:
• DMARC
• Impostor Classifier
• Impostor Display Names
• Enabling Email Warning Tags

Objectives
• Mitigate Impostor email
• Enable the pp_antispoof rule
• Configure the pp_antispoof rule
• Find the message in the Spoofed quarantine folder
• Disable the pp_antispoof rule

Instructions
1. Enable the pp_antispoof rule.
a. From the Email Protection tab, navigate to Email Firewall > Rules
b. Click on the pp_antispoof rule; then configure the rule as follows:
• Enable: On
• Remove internalnet from Disable processing for selected policy routes
• Remove all policy route restrictions
2. Configure the pp_antispoof rule.
a. For the condition, click Advanced
b. Click Envelope Sender Email Address is in domain “example.com”; then do the following:
• Change the Value to ex.proofpoint.com
• Click Save Changes.
c. Click Message header “from” contains “example.com”; then do the following:
• Change the Value to ex.proofpoint.com
• Click Save Changes
d. Set the Delivery Method to Discard
e. Save the changes to the rule by clicking Save Changes
3. STOP: Wait for your instructor to send a spoofed message to your server with subject Direct Deposit
Verification. This may take a few minutes.


4. Find the Direct Deposit Verification message in the Spoofed quarantine folder. This may take a few
minutes.
5. Go to Email Firewall > Rules and disable the pp_antispoof rule; then click Save Changes.


Lesson 13: Email Warning Tags
Introduction
This lesson describes email warning tag precedence. It also demonstrates how to configure and enable
email warning tags.

Email Warning Tags

Student Notes
This feature allows administrators to add a tag to inbound messages to warn or inform users that an
incoming message may be dangerous. Tags are added to an incoming message based upon results from
the content scan engines. The tags provide users with a visual indication that they should check the
message carefully.


Student Notes
External Sender
• This tag informs the recipient that the message was sent from outside your Organization.
Unknown Sender
• This tag informs the recipient the message was sent from a sender with whom the recipient has not
previously corresponded, as indicated by the Stateful Composite Scoring Service (SCSS) Circle of
Trust score. (Spam Module CLX)
Impersonating Sender
• The sender may be an impostor – this tag informs the recipient that the message may have come
from an impostor, as indicated by the Stateful Composite Scoring Service (SCSS) Impostor score.
This typically applies to executives or a small sub-category of users who are frequently targeted by
impostors.
Mixed Script Domain
• This message may contain links to a fake website – this tag informs the recipient that the message
may contain a URL or link to a malicious website that is counterfeiting a legitimate website by use of
lookalike characters in the URL.
Newly Registered Domain
• The message was sent from a domain that has been recently registered and could be for the purpose
of sending spam or malware. (90 Days)
DMARC Authentication Failure
• Proofpoint's Verified DMARC feature has determined that the message was verified from a domain
that is known by Proofpoint and the DMARC result is Reject. This tag informs the recipient that even
though the message is delivered, it failed DMARC authentication and may be unsafe.


Student Notes
The Policy Routes parameter allows you to apply the Email Warning Tag feature to specific Policy Routes.
The default configuration has default_inbound in the Require Any Of Policy Route list.
If you want to restrict message tagging to specific Policy Routes, or disable message tagging for specific
Policy Routes, select the Restrict processing and Disable processing check boxes and move the available
Policy Routes to the Require or Disable fields.
Tag Options
• Insert tag and attach original message (when unable to insert tag inline) - for HTML messages in a
recognized format that the module can modify, the tag will be inserted inline, with the original
message body below it. For certain complex HTML messages, all plain text messages, and encrypted
messages, the module is unable to insert a tag inline. When this option is enabled, if a tag cannot be
inserted, the messages will have the original message body replaced with a tag. The original email
message will be attached, so the recipient must open the attachment to view the original message.
• Do not insert tag for non-English users - tags are written in English. If the Language attribute you
selected is other than English for the Organization, Sub-Org, Group, or User, you can disable tags by
selecting this option. No tags will be inserted for non-English users. If you do not select this option,
tags will be inserted in English regardless of what language the recipients use. See Services
Attributes for more information about the Language attribute.
• Enable Report Suspicious Button for all Email Warning Tags - this option is only available if your
Organization is licensed for Proofpoint Security Awareness Training (PSAT). If enabled, when an
incoming message has a tag inserted, it will also contain a Report Suspicious button in the message.
Copies of messages that are reported by recipients as suspicious will be sent to Proofpoint for
analysis.


Student Notes
Informational Tags
• External Sender - inserts the following tag:
This Message Is From an External Sender. This message came from outside your organization.
• Unknown Sender - inserts the following tag:
This Message Is From an Untrusted Sender. You have not previously corresponded with this sender.
Warning Tags
• Impersonating Sender - inserts the following tag:
Be Careful With This Message. The sender may be an impostor.
• Mixed Script Domain - inserts the following tag:
Be Careful With This Message. This message may contain links to a fake website.
• Newly Registered Domain - inserts the following tag:
Be Careful With This Message. The sender's email domain has been active for a short period of time
and could be unsafe.
• DMARC Authentication Failure - inserts the following tag:
Be Careful With This Message. The sender's identity could not be verified and someone may be
impersonating the sender.
Enable Text Insertion To Tags
• When enabled, you can add custom text to every message that has an Email Warning Tag inserted
into it. If a message does not include an Information or Warning tag, it will not include the custom text,
even if you enable it. For example, you might want to add a tag that explains to users why they are
seeing tags in their messages.


• You can enter a maximum of 250 characters into this field. You can use HTML in the field as long as
you begin the text with the <body> tag and end it with the </body> tag. For information about HTML
tags that are not allowed in this field, see the Annotating the Message Body section in Delivery
Options.
Config Settings
• Exclude messages cryptographically signed - when a tag is added to an email message, it changes
the content of the message body. As a result, messages that are cryptographically signed have their
signatures invalidated, giving the recipient the impression that the message is not from a trusted
sender. Administrators can exclude cryptographically signed messages from warning tags.

Student Notes
In many cases, a message may match the conditions for more than one Email Warning Tag. For example,
the content scanning engines may find that a message is from an External Sender and an Impersonating
Sender.
The following precedence applies:
• Only one Email Warning Tag is added to the message.
• Warning tags take precedence over Informational tags.
• When there are multiple matches, the first one on the list is applied.
• For Warning tags, this is the hierarchy:
    • Impersonating Sender
    • Mixed Script Domain
    • DMARC Authentication Failure
    • Newly Registered Domain
• For Informational tags, this is the hierarchy:
    • Unknown Sender
    • External Sender
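The precedence rules above, combined with the tag texts, the signed-message exclusion and the custom-text limits from the preceding pages, as an added Python example that is not Proofpoint code: the module's configuration options are modelled as function arguments, and treating any '<' in the custom text as HTML is a simplification.

```python
"""Single-tag selection for the Email Warning Tags module as described in these
notes. Added example, not Proofpoint code."""

WARNING_TAGS = [  # in precedence order; Warning tags beat Informational tags
    ("Impersonating Sender",
     "Be Careful With This Message. The sender may be an impostor."),
    ("Mixed Script Domain",
     "Be Careful With This Message. This message may contain links to a fake website."),
    ("DMARC Authentication Failure",
     "Be Careful With This Message. The sender's identity could not be verified "
     "and someone may be impersonating the sender."),
    ("Newly Registered Domain",
     "Be Careful With This Message. The sender's email domain has been active "
     "for a short period of time and could be unsafe."),
]
INFORMATIONAL_TAGS = [  # in precedence order
    ("Unknown Sender",
     "This Message Is From an Untrusted Sender. You have not previously corresponded with this sender."),
    ("External Sender",
     "This Message Is From an External Sender. This message came from outside your organization."),
]
CUSTOM_TEXT_MAX = 250  # limit on the "Enable Text Insertion To Tags" field


def select_tag(matches):
    """Pick the one tag for a set of matched conditions; None when nothing matched."""
    matched = set(matches)
    for name, text in WARNING_TAGS + INFORMATIONAL_TAGS:
        if name in matched:
            return name, text
    return None


def custom_text_problem(text):
    """Return None if the custom text is acceptable, otherwise the reason it is not."""
    if len(text) > CUSTOM_TEXT_MAX:
        return f"custom text exceeds {CUSTOM_TEXT_MAX} characters"
    stripped = text.strip()
    # Simplification: any '<' is treated as HTML, which must be wrapped in <body>...</body>.
    if "<" in stripped and not (stripped.startswith("<body>") and stripped.endswith("</body>")):
        return "HTML custom text must begin with <body> and end with </body>"
    return None


def tag_for_message(matches, *, signed=False, recipient_language="en",
                    exclude_signed=True, skip_non_english=False, custom_text=""):
    """Return the text to insert at the top of the message, or None for no tag.

    exclude_signed    -> Config Setting "Exclude messages cryptographically signed"
    skip_non_english  -> Tag Option "Do not insert tag for non-English users"
    custom_text       -> "Enable Text Insertion To Tags"; only added when a tag is
    """
    if exclude_signed and signed:
        return None  # inserting a tag would invalidate the signature
    if skip_non_english and not recipient_language.lower().startswith("en"):
        return None  # tags are English only
    chosen = select_tag(matches)
    if chosen is None:
        return None  # no Informational or Warning tag, so no custom text either
    _, text = chosen
    if custom_text:
        problem = custom_text_problem(custom_text)
        if problem:
            raise ValueError(problem)
        text = text + "\n" + custom_text
    return text


if __name__ == "__main__":
    # Constructed scan result: both an External Sender and an Impersonating Sender match.
    print(tag_for_message(["External Sender", "Impersonating Sender"],
                          custom_text="Tags flag mail that needs a second look."))
```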


Lab 13-1: Enable Email Warning Tags

Scenario
Email Warning Tags provide users with a visual indication that they should check the message carefully.
You will configure Email Warning Tags to alert a user with an informational message.

Objectives
• Enable and configure the Email Warning Tags Module
• Send a message to verify your configuration
• Open the message in the mail.ex user’s inbox to view the Warning Tag

Instructions
1. Enable the Email Warning Tags module.
• From the Email Protection tab, navigate to Email Warning Tag > Insert Tag
• In Insert Tag Settings
• Enable Module: On
• In Tag Options
• Plain Text Email Options: Convert plain text email to HTML and add Email Warning Tag
inline (recommended)
• HTML Email Options (When unable to insert tag inline): Off
• Click Save Changes
2. Send a test message from the mail2 user to the mail.ex user.
• In the To field, enter mail.ex_user@ex.proofpoint.com
• In the Subject field, enter External Sender Message
• In the body, enter any text
• Click Send
3. Check for the message in the mail.ex user’s inbox.
• Go to the browser tab for your mail.ex user’s webmail client
• Click Refresh
• The message should be in the mail.ex user’s inbox with an Informational Tag at the top of the
message.
4. Disable the Email Warning Tags module.
• From the Email Protection tab, navigate to Email Warning Tag > Insert Tag
• In Insert Tag Settings
• Enable Module: Off


Lesson 14: Targeted Attack Protection
Introduction
Targeted Attack Protection consists of three components: URL Defense, Attachment Defense, and the
Threat Insight Dashboard. Once enabled, URL Defense protects organizations against incoming
malicious URL links by potentially rewriting them and directing them to Proofpoint’s cloud-based service.
This lesson explains how URL Defense operates, demonstrates how to configure URL Defense, and
shows how to analyze its results.

Targeted Attack Protection


Student Notes
To calculate the final URL disposition in the URL Defense redirector service, several techniques are
used. The first is a URL reputation score calculated by Proofpoint. Besides how often we have seen the
URL in our honeypots (the reputation score), the age of the domain is also considered. Another technique
is publicly available URL block lists. The final technique is deep-content inspection, in which the content
of the destination URL is loaded into a sandbox on the URL Defense redirector service and analytics are
performed to detect any malicious content.
When URL Defense is enabled, the URL Defense site runs its processes whenever a message contains a
URL, during the following events:
• During message processing, the URL Defense site performs these steps:
    • Inbound messages are scanned for known malicious URLs
    • If any URL is malicious, the message containing the URL is quarantined
    • The message’s URLs are rewritten to point to the URL Defense site
• During a click, the URL Defense site performs these checks:
    • When clicked, the URL Defense site checks the link’s reputation again
    • If malicious, the user’s access to the malicious site is blocked
    • If unknown, the user is transparently redirected to the site
• After a click, the URL Defense site does the following:
    • Unknown URLs are checked for malicious intent using Proofpoint sandboxing technology
    • If malicious software is found, the URL is condemned
    • Threat notifications are sent out via email to any organizations whose previous clicks were
      unblocked
The URL Defense site does not block messages; only the PPS blocks messages.


Student Notes
Predictive Sandboxing before the click:
• Outside of the (5) minute time frame in which the last click took place
• Not within the (24) hour period in which the URL was previously condemned
URL Defense affects mail-tracking solutions; we advise customers to exempt those URLs from rewriting
if they are concerned about URL Defense skewing their mail-tracking statistics.
The classification source field indicates which part of our threat detection infrastructure detected the
threat. Mostly, this shouldn't be of great interest to a customer.
• Classification Source: sandbox-analysis – result from a sandbox scan, in response to a URL being
clicked or an attachment being sent for scanning
• Classification Source: user – result from a manual condemnation by a spam analyst
• Classification Source: phishtank – result from a third party, PhishTank
• Classification Source: spam/domainrep – result from an automated spam system which condemns
low-reputation domains
• Classification Source: sandbox-preemptive – result from a sandbox scan, in response to a URL being
selected for scanning by observing customer email traffic patterns


Student Notes
When URL Defense blocks a web site, users who click the link in the email see the message shown above
in their web browser. The text in the message informs the user why the web site has been blocked.
The Blocked Site message branding is customizable.


Student Notes
Your users are going to notice a few changes with TAP running. The first thing they’ll notice is that the
URLs behind their email links may be much longer. The link text will look the same, but when they mouse
over to see the URL, they’ll see something much longer than usual. A URL like this, starting with
urldefense.proofpoint.com, is a link that’s been re-written by Proofpoint. If a user clicks on this link, they’ll
first go to Proofpoint’s server to evaluate whether or not a threat exists with the site they want to visit.


Student Notes
Under the URL Defense tab, you have the option to rewrite URLs in all messages. Proofpoint
recommends that you rewrite all URLs.
(Note: as of Feb 13, 2015 the option to rewrite URLs based on score has been deprecated and has no real
effect, as all messages are rewritten in all cases. The UI will be changed in a later release of PPS.)

v2 Details
u   The original URL. The URL is unencrypted, but it is encoded. URLs can be decoded using a URL
    decoder.
d   Debug information. Includes information about the encoding used in the email, specifically the
    mime-type, the content-transfer encoding, and the character set.
c   (name change) Base64 encoded and encrypted cluster id.
r   Base64 encoded and encrypted recipient (full unhashed address). Encrypted with a per-customer
    key.
m   Base64 encoded and encrypted message GUID. Encrypted with a per-customer key.
s   Signature of the URL, recipient, and message GUID. It is mixed with the per-customer encryption
    key to prevent tampering with any part of the rewritten URL.
e   Always blank, used to validate that the URL has not been truncated.
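A decoder for the v2 parameters listed above, added here as an example and not Proofpoint's own decoder: it assumes the publicly documented v2 'u' encoding ('-' stands for '%' and '_' for '/', followed by ordinary percent-decoding), passes c/r/m/s through as opaque values because they are encrypted with the per-customer key, and uses the empty 'e' parameter as the truncation check. The sample rewritten URL and its c/r/m/s/d values are constructed placeholders.

```python
"""Decoder for URL Defense v2 rewritten links. Added example, not Proofpoint code."""
from urllib.parse import unquote, urlsplit, urlunsplit

REWRITE_HOST = "urldefense.proofpoint.com"


def decode_u(u):
    """Recover the original URL from the encoded 'u' parameter.

    Assumption (publicly documented v2 scheme): the rewriter percent-encodes the
    URL, then writes '%' as '-' and '/' as '_'; decoding reverses those steps.
    """
    return unquote(u.replace("-", "%").replace("_", "/"))


def normalize_url(url):
    """Normalized URL: the URL without query parameters or a '#' anchor."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def parse_query(query):
    """Split k=v pairs WITHOUT percent-decoding, so the base64 fields stay intact."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def decode_rewritten(rewritten):
    """Return the decoded fields of a v2 rewritten URL; raise ValueError on truncation."""
    parts = urlsplit(rewritten)
    if parts.netloc.lower() != REWRITE_HOST or not parts.path.startswith("/v2/url"):
        raise ValueError("not a URL Defense v2 rewritten URL")
    params = parse_query(parts.query)
    # 'e' is always present and empty. If it is missing, a mail client or a
    # copy/paste cut the link short, and the signature in 's' cannot be trusted.
    if params.get("e") != "":
        raise ValueError("rewritten URL is truncated ('e' marker missing)")
    original = decode_u(params.get("u", ""))
    return {
        "original": original,
        "normalized": normalize_url(original),
        "debug": params.get("d", ""),
        "cluster": params.get("c", ""),        # encrypted, per-customer key
        "recipient_enc": params.get("r", ""),  # encrypted, per-customer key
        "message_enc": params.get("m", ""),    # encrypted, per-customer key
        "signature": params.get("s", ""),      # verifiable only by Proofpoint
    }


def is_truncated(rewritten):
    try:
        decode_rewritten(rewritten)
        return False
    except ValueError:
        return True


# Constructed sample: http://www.my-site.example/report.html?id=42#top after
# rewriting, with placeholder d/c/r/m/s values (real ones are base64 ciphertext).
SAMPLE = ("https://urldefense.proofpoint.com/v2/url?"
          "u=http-3A__www.my-2Dsite.example_report.html-3Fid-3D42-23top"
          "&d=DEBUG-PLACEHOLDER&c=CLUSTER-PLACEHOLDER&r=RCPT-PLACEHOLDER"
          "&m=MSG-PLACEHOLDER&s=SIG-PLACEHOLDER&e=")
TRUNCATED = SAMPLE[:-len("&e=")]  # what a clipped link looks like

if __name__ == "__main__":
    for key, value in decode_rewritten(SAMPLE).items():
        print(f"{key:14s} {value}")
    print("truncated copy detected:", is_truncated(TRUNCATED))
```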


Student Notes
The first option is “Replace Label Text.” Let’s say that you have a sentence in email like the one displayed
here, encouraging you to try out a new security report. You just have to click on the word “here,” and the
report will be yours. If you have Replace Label Text turned on, then the label text for the link, in this case
the word “here,” will be appended with the URL that it links to, like this.
Now it’s easy to see that clicking on this link would not take you to a report on a Proofpoint site.


Lab 14-1: Configure URL Defense

Scenario
Turn on URL Defense, then set and test URL rewriting for all messages.

Objectives
• Configure URL Defense
• Enable URL Defense
• Change the Default Options to:
• Rewrite Commonly Clickable Text: On
• Rewrite in Body: Text and HTML
• Remove proofpoint.com from domain exceptions
• Send a message to your mail.ex_user to test the URL Defense configuration, include the following
URLs in the body:
• http://www.yahoo.com
• www.yahoo.com
• yahoo.com
• webmail.yahoo.com
• Open the mail.ex user’s inbox to see which URLs were rewritten
• Set Rewrite Commonly Clickable Text to Aggressive
• View the mail.ex user’s inbox to see which URLs were rewritten now

Instructions
1. Modify URL Defense settings.
a. From the Email Protection tab, navigate to Targeted Attack Protection > URL Defense >
Settings; then do the following:
• Enable: On
b. Click Save Changes
2. Configure URL Rewrite.
a. Go to URL Defense > URL Rewrite Policies; then do the following:
• Select Default
• Rewrite Commonly Clickable Text: On
• Rewrite in Body: Text and HTML
b. Under Exceptions, remove proofpoint.com from the Domain, Hostname, or IP Address List
c. Click Save Changes
3. Test the URL Defense configuration.


a. Send a message to your mail.ex_user by doing the following:


b. Select Options > Plain Text in the Compose window.
c. Enter the following URLs in the message body:
• http://www.yahoo.com
• www.yahoo.com
• yahoo.com
• webmail.yahoo.com
d. Click Send
4. Open the message in the recipient’s inbox to see which URLs were rewritten.
5. In the Default URL Rewrite Policy, set Rewrite Commonly Clickable Text to Aggressive. Save
Changes then repeat Step 3.
6. Check the recipient’s inbox to see which URLs were rewritten with the Aggressive configuration.
7. Repeat Step 3, but send the email message in regular HTML; do not choose the Plain Text option.
8. In the Default URL Rewrite Policy, set Append Domain in HTML Options to On.
Save Changes; then repeat Step 3, again sending the email message in regular HTML without choosing
the Plain Text option.
9. From the System tab, navigate to End User Services > Filters > General.
10. Toggle radio button off for Enable Score Range.
11. Click Save Changes.
12. Wait for Instructor to send two messages.
Message with subject SPAM 100 will include URLs that will be classified as Spam-Definite.
Message with subject PHISH will include a URL that will be classified as Phish
13. Navigate to User Management > Users.
14. Search for your mail.ex_user. Select the check box next to their name.
15. From the Generate drop-down list, select Generate Digest.
16. Access your mail.ex_user’s mailbox and locate the Digest.
17. Click Release on SPAM 100 and Phish messages.
18. Access new messages in your mail.ex_user’s inbox.
19. Click on links in each message and note they are blocked by the TAP Dashboard.


Student Notes
TAP Attachment Defense is enabled on the page shown above.
TAP Attachment Defense delays the delivery of email messages with attachments while it performs its
processes. The message is delayed until a verdict on the attachment’s status is provided or until a
maximum scanning time threshold is reached. This is an overview of the TAP AD solution:
• Process
    • Inbound messages are scanned for supported attachments.
    • If any attachment contained within the message is malicious, the message is quarantined.
    • Otherwise, the attachments are uploaded to the cloud malware service for judgment.
• PPS
    • Performs the action of blocking the message.
    • Performs the query lookup and also sends the actual file to be sandboxed.
    • The customer must determine how long PPS waits for a verdict.
• Data Center
    • Data Center-based malware scanning for email attachments.
    • Uses a combination of static analysis, virtual machine-based behavioral analysis, and traffic
      pattern analysis to detect malware.
    • Scans business-critical, but commonly exploited, file types.


Student Notes
The following file formats are currently scanned for malware by the Attachment Defense Module:
contact, csv, dmg, doc, docm, dot, docx, dotm, dotx, hta, htm, html, iqy, mam, mht, odp, pdf, pot, potx,
potm, ppa, ppam, pps, ppsm, ppsx, ppt, pptm, pptx, pub, rtf, slk, swf, txt, vcard, vcf, vcs, xht, xhtml, xla,
xlam​, xlm, xls, xlsm, xlsb, xlsx, xlt, xltx, xltm, xps, wmv, iso, img, vhd, odt, ods.


Student Notes
• Pre-filtering is supported only for PDF files
• The PPS can quickly ascertain if a PDF file contains active content
• If a PDF file contains only text and no active content, it cannot be used for an exploit, so it is not
submitted to the Attachment Defense service
• If active content is found, the PDF file may contain an exploit, so it must be sandboxed in the
Proofpoint Cloud


Student Notes
Attachment Defense doesn't unpack the archive itself. PPS opens the archives and hands unpacked
documents to the Attachment Defense module.


Student Notes
If the scanning time for any attachment exceeds the timeout threshold (30 minutes): if messages
submitted for scanning are delayed while the analysis is in progress, this parameter lets you specify the
threshold after which a message is no longer delayed, even if an analysis result has not yet been
returned. A "timeout" header is added to the message. Administrators need to balance security with
productivity. The timeout threshold also applies if there is a communication breakdown between your
Organization and the cloud scanning service. If the Scanning Mode for the Attachment Defense Policy is
set to Check reputation only, this rule is ignored.
Analysis of any individual document typically takes only a few minutes, but could take longer on
occasion. If you lower the scanning timeout threshold, be aware that attachments containing malware can
potentially be delivered to the user community. Proofpoint recommends a 30 minute timeout threshold.
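The Attachment Defense flow from these notes (the scanned file types, the PDF pre-filter, the reputation lookup and sandbox verdict, Check reputation only mode, and the timeout rule above), as an added Python simulation that is not Proofpoint code: the sandbox and reputation services are stubs, the attachments are constructed, and the PDF active-content markers and the timeout header name are assumptions.

```python
"""Simplified Attachment Defense decision flow. Added example, not Proofpoint code."""
import hashlib

# File types the Attachment Defense module scans (the list given in these notes).
SCANNED_TYPES = set("""contact csv dmg doc docm dot docx dotm dotx hta htm html iqy
mam mht odp pdf pot potx potm ppa ppam pps ppsm ppsx ppt pptm pptx pub rtf slk swf txt
vcard vcf vcs xht xhtml xla xlam xlm xls xlsm xlsb xlsx xlt xltx xltm xps wmv iso img
vhd odt ods""".split())
DEFAULT_TIMEOUT = 30 * 60  # Proofpoint-recommended 30 minutes, in seconds
TIMEOUT_HEADER = "X-AD-Scan-Timeout"  # assumed name for the "timeout" header
# Assumption: PDF objects that make a file "active content" rather than text only.
ACTIVE_PDF_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")


def pdf_has_active_content(data):
    return data.startswith(b"%PDF") and any(m in data for m in ACTIVE_PDF_MARKERS)


def decide(filename, data, *, sandbox, reputation, elapsed,
           timeout=DEFAULT_TIMEOUT, reputation_only=False):
    """Return (action, detail) for one attachment of a delayed message.

    sandbox(sha256)    -> 'malicious' | 'clean' | None (verdict not returned yet)
    reputation(sha256) -> 'malicious' | None (cloud query lookup)
    elapsed            -> seconds the message has already been held
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SCANNED_TYPES:
        return "deliver", f"{ext or 'no extension'}: not an Attachment Defense file type"
    sha256 = hashlib.sha256(data).hexdigest()
    # The query lookup comes first: a known-malicious hash is quarantined at once.
    if reputation(sha256) == "malicious":
        return "quarantine", "known malicious hash"
    if reputation_only:
        return "deliver", "Check reputation only mode; timeout rule ignored, not sandboxed"
    # PDF pre-filter: text-only PDFs cannot carry an exploit, so skip the sandbox.
    if ext == "pdf" and not pdf_has_active_content(data):
        return "deliver", "PDF pre-filter: text only, not submitted to sandbox"
    verdict = sandbox(sha256)
    if verdict == "malicious":
        return "quarantine", "sandbox verdict: malicious"
    if verdict == "clean":
        return "deliver", "sandbox verdict: clean"
    if elapsed >= timeout:  # the "exceeds the timeout threshold" rule
        return "deliver", f"no verdict after {timeout}s; header {TIMEOUT_HEADER} added"
    return "delay", f"awaiting verdict ({elapsed}s of {timeout}s)"


# Constructed attachments and stub services for a stand-alone run.
TEXT_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n(Hello) Tj\n%%EOF"
ACTIVE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n%%EOF"
RTF = b"{\\rtf1\\ansi line one\\par line two\\par line three}"
BAD_DOC = b"constructed bytes standing in for a known-bad .doc"


def stub_reputation(sha256):
    return "malicious" if sha256 == hashlib.sha256(BAD_DOC).hexdigest() else None


def stub_sandbox(sha256):
    return None  # every verdict is still pending in this run


def run_samples(elapsed, timeout=DEFAULT_TIMEOUT):
    svc = dict(sandbox=stub_sandbox, reputation=stub_reputation,
               elapsed=elapsed, timeout=timeout)
    return {
        "photo.png": decide("photo.png", b"\x89PNG", **svc),
        "notes.pdf": decide("notes.pdf", TEXT_PDF, **svc),
        "invoice.pdf": decide("invoice.pdf", ACTIVE_PDF, **svc),
        "test_file.rtf": decide("test_file.rtf", RTF, **svc),
        "quote.doc": decide("quote.doc", BAD_DOC, **svc),
    }


if __name__ == "__main__":
    for held in (120, 5 * 60):  # two minutes held, then the lab's 5-minute threshold
        print(f"--- elapsed {held}s, timeout 300s ---")
        for name, (action, detail) in run_samples(held, timeout=5 * 60).items():
            print(f"{name:14s} {action:10s} {detail}")
```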


Lab 14-2: Configure Attachment Defense

Scenario
You need to prevent email attachments containing threats.

Objectives
• Enable TAP Attachment Defense
• Change the Timeout Threshold value in the “If the scanning time for any attachment exceeds the
timeout threshold” rule to 5 minutes
• Use WordPad to create a unique file containing at least three (3) lines of random text and save it to
your home directory as test_file.rtf
• Send a message with test_file.rtf attached; then watch the ADQueue in the Status Pane for it to be
delivered (in about 5 minutes)
• In Log Viewer search for log entries by putting UNKNOWN in the Find field and mod=sandbox in
the Highlight field
• Select the first 10 to 20 characters of the hexadecimal hash next to sha256=, copy/paste it to the Find
field, enter tap_result= in the Highlight field, and Search with Order: Descending
• Note the changes in timestamps, session IDs, and TAP results, then disable Attachment Defense

Instructions
1. Enable TAP Attachment Defense.
a. From the Email Protection tab, navigate to Targeted Attack Protection > Attachment Defense >
Settings
b. Set the Enable option to On
c. Click Save Changes
2. Adjust the timeout threshold for the scanning time rule.
a. Go to Targeted Attack Protection > Attachment Defense > Rules
b. For the “If the scanning time for any attachment exceeds the timeout threshold” rule, click Edit Rule
c. Change the Timeout Threshold value in the rule to 5 minutes
d. Click Save Changes
3. Create an RTF file to use as an attachment.
a. Using WordPad, create a unique file containing at least three (3) lines of random text.
b. Save the file to your home directory as test_file.rtf.
4. Test the Attachment Defense configuration.
a. Send an email to your mail.ex user with the test_file.rtf file attached
5. Find log entries generated by the test message.


a. From the System tab, navigate to Logs and Reports > Log Viewer
b. In the Find field, enter UNKNOWN
c. In the Highlight field, enter sha256=
d. Click Search
This search should find an entry in the log similar to this example (shown here on one line):
[2018-05-01 01:37:02.249871 -0700] info s=2hmmchr0px m=1 x=2hmmchr0px-1 attachment=0 file=test_file.rtf mod=sandbox cmd=run sha256=996c5ca90d6c2146e439b93a60a202719110d7db8665084c9b72316657c01979 size=39109
6. Select the first 12 digits of the hexadecimal hash next to sha256=, copy/paste it to the Find field, enter
tap_result= in the Highlight field, and Search with Order: Descending.
7. Note the changes in timestamps, session IDs, and TAP results.
8. Go to Targeted Attack Protection > Attachment Defense > Settings and disable Attachment
Defense.
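Steps 5 to 7 of this lab are a manual correlation: find the sandbox submission line, take a prefix of its sha256 value, and search again for the tap_result lines that share it. The following is an added example (not Proofpoint code and not part of the lab) that does the same correlation over the key=value log format shown above, so the timestamps, session IDs and results can be compared programmatically. SAMPLE_LOG is constructed: its first line reproduces the lab's example record, while the later session ID, the tap_result values, and the assumption that tap_result lines carry the same sha256= field are placeholders for illustration, not the product's real log vocabulary.

```python
"""Parse PPS filter-log lines of the key=value form shown in the lab and correlate a
sandbox submission with the tap_result entries that follow it, matching on a prefix of
the sha256 value the way the lab's Find/Highlight search does.

Added example, not Proofpoint code. SAMPLE_LOG is constructed: the first record mirrors
the lab's example; the later session ID and the tap_result values are placeholders."""
import re
from datetime import datetime

SAMPLE_LOG = """\
[2018-05-01 01:37:02.249871 -0700] info s=2hmmchr0px m=1 x=2hmmchr0px-1 attachment=0 file=test_file.rtf mod=sandbox cmd=run sha256=996c5ca90d6c2146e439b93a60a202719110d7db8665084c9b72316657c01979 size=39109
[2018-05-01 01:37:02.301002 -0700] info s=2hmmchr0px m=1 x=2hmmchr0px-1 attachment=0 mod=sandbox sha256=996c5ca90d6c2146e439b93a60a202719110d7db8665084c9b72316657c01979 tap_result=UNKNOWN
[2018-05-01 01:41:58.117440 -0700] info s=2hmmcp5q1z m=1 x=2hmmcp5q1z-1 attachment=0 mod=sandbox sha256=996c5ca90d6c2146e439b93a60a202719110d7db8665084c9b72316657c01979 tap_result=placeholder_final
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>\w+)\s+(?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f %z"


def parse_line(line):
    """Turn one log line into a dict: ts (datetime), level, and every key=value pair."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), TS_FORMAT), "level": m.group("level")}
    rec.update(KV_RE.findall(m.group("body")))
    return rec


def parse_log(text):
    """Parse every non-empty line; lines that do not fit the format are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def sandbox_submissions(records):
    """Records where an attachment was handed to the sandbox (mod=sandbox cmd=run)."""
    return [r for r in records if r.get("mod") == "sandbox" and r.get("cmd") == "run"]


def results_for_hash(records, sha_prefix):
    """tap_result records for a hash prefix, newest first (the lab's Order: Descending)."""
    hits = [r for r in records
            if "tap_result" in r and r.get("sha256", "").startswith(sha_prefix)]
    return sorted(hits, key=lambda r: r["ts"], reverse=True)


def scan_latency_seconds(records, sha_prefix):
    """Seconds from the sandbox submission to the latest tap_result for that hash,
    or None if either side is missing."""
    subs = [r for r in sandbox_submissions(records) if r["sha256"].startswith(sha_prefix)]
    results = results_for_hash(records, sha_prefix)
    if not subs or not results:
        return None
    return (results[0]["ts"] - subs[0]["ts"]).total_seconds()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    prefix = sandbox_submissions(recs)[0]["sha256"][:12]  # the lab's "first 12 digits"
    for r in results_for_hash(recs, prefix):
        print(r["ts"], r["s"], r["tap_result"])
    print("latency (s):", scan_latency_seconds(recs, prefix))
```

Matching on a prefix rather than the full hash mirrors the lab's search, and sorting by the parsed timestamp (rather than by line order) is what makes the newest verdict come first even when the later lines were logged under a different session ID.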

Student Notes
A normalized URL is the URL without its query parameters or its anchor (the part introduced by '#').
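Added example of the normalization the note describes (not Proofpoint code): the query string and the '#' fragment are dropped and only scheme, host and path are kept. The click records are constructed to show why a dashboard groups clicks by the normalized form: several per-user variants of one link collapse onto one entry.

```python
"""Normalize URLs as the student note describes: drop the query string and the '#'
fragment (anchor), keep scheme, host and path. Added example, not Proofpoint code;
the click records are constructed."""
from collections import Counter
from urllib.parse import urlsplit, urlunsplit


def normalize_url(url: str) -> str:
    """Return the URL without query parameters or fragment."""
    parts = urlsplit(url)
    # Passing empty query and fragment makes urlunsplit omit the '?' and '#' as well.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def clicks_by_normalized_url(urls):
    """Count how many raw URLs collapse onto each normalized URL."""
    return Counter(normalize_url(u) for u in urls)


# Constructed click records: three variants of one page plus one unrelated page.
SAMPLE_CLICKS = [
    "https://example.test/login?user=a&token=111",
    "https://example.test/login?user=b&token=222#form",
    "https://example.test/login#top",
    "https://example.test/docs/index.html?lang=en",
]

if __name__ == "__main__":
    for url, n in clicks_by_normalized_url(SAMPLE_CLICKS).items():
        print(n, url)
```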

Student Notes
Allows both customer administrators and Proofpoint product managers to decide which email addresses belong on an exclusion list, so that known or common sources of noise and false alarms are kept out of dashboard reporting.
Excluded addresses are prevented from:
• Generating email alerts
• Affecting the attack index
• Appearing in a "Top Recipients" report

Lab 14-3: Detect and Analyze Threats in TAP Dashboard

Scenario
You need to interpret output on the TAP Dashboard.

Objectives
• View the TAP Dashboard trapping a spam message
• As mail.ex_user, attempt to access the rewritten link
• As mail2_user, locate malware messages directed to mail.ex_user
• As mail2_user, analyze a malware message destined for mail.ex_user

Instructions
1. As the PPS admin send the mail.ex_user a digest.
2. As the mail.ex_user, release the message from the digest.
3. As the mail.ex_user, click on the rewritten link. It is blocked.
4. As the mail2_user, log on to the dashboard. [It may take 15 minutes for the event to appear]
5. As the mail2_user, find the malware messages for the mail.ex_user and perform some analysis.
6. Examine other content available on the dashboard, such as people, activity, days to view, specific URLs blocked, and so on.


Lesson 15: Proofpoint Encryption
Introduction
Proofpoint Encryption maintains the confidentiality of an email message from source to destination by encrypting the message itself.
This lesson explains Proofpoint Encryption, including how to configure and use Proofpoint Secure Reader to read and respond to encrypted email.

Proofpoint Encryption

Student Notes
Proofpoint Encryption (PE) is a licensed service within Proofpoint Protection Server (PPS) that does the following:
• Encrypts outbound messages and sends them encrypted all the way to the recipient's mailbox
• Sends encrypted messages across an open channel
• Decrypts the message using Proofpoint's Secure Reader
Benefits of Proofpoint Encryption compared with relying on TLS alone:
• There is no way to know ahead of time whether the receiving MTA supports TLS
• The message stays encrypted until the recipient authenticates
• With TLS, there is no control over what happens between the receiving MTA and the recipient
• If a message is sent to multiple recipients, there is no guarantee that all of their domains support TLS
• It has audit features that apply after the message has been sent

Student Notes
If PPS Cloud Access is licensed and configured, the user simply clicks the link in the message, which redirects the browser to the PE Cloud Authentication user interface.

Student Notes
1. The Filter engine retrieves the response profile associated with the rule from the Profile API
2. The Filter engine calls the Crypto API to encrypt the message
3. The Crypto API generates a 256-bit key and calls the Proofpoint Key Server API over HTTPS to store the key
4. The Proofpoint Key Server authenticates the call with PPS credentials, stores the key in the cluster-specific database, and returns a status to the Crypto API
5. If the status is successful, the message is encrypted and returned to the Filter engine
6. If Decrypt Assist is enabled, a copy of the message is saved in the Encryption folder
7. The encrypted message is delivered to the recipient

Student Notes
1. The user opens SecureMessageAtt.html from the email to read the message
2. Secure Reader launches
a. If Decrypt Assist is enabled, Secure Reader retrieves the encrypted message from the Encryption folder
3. Secure Reader opens the encrypted message, and a login dialog appears in the user's web browser
4. The user enters credentials
5. Secure Reader validates the user's credentials with the Authentication Server
6. Secure Reader calls the Proofpoint Key Server to retrieve the key
7. The Proofpoint Key Server authenticates the call using PPS credentials and returns the key
8. Secure Reader decrypts the message, which then appears in the user's web browser

Student Notes
The Decrypt and Encrypt modules are licensed separately to allow for encrypted messages to continue to
be decrypted if the Encrypt license is allowed to lapse.

Student Notes
The Secure Reader Proxy is a mailbox that stores secure messages for recipients who cannot decrypt them directly. It is used when an email client modifies the HTML attachment of a message, for example OWA 2007 and some mobile devices.
Secure messages follow this path: PPS to Secure Reader Proxy to EncryptionProxy folder to URL to Secure Reader.
Because the message is fetched from the Secure Reader Proxy, the HTML attachment is not modified.
The Decrypt Assist feature automatically stores a copy of every secure message in the EncryptionProxy folder. It provides a link to the secure message that is valid for a default period of two days. Administrators can modify the duration on the page shown above.

Lab 15-1: Configure Subject-line Encryption

Scenario
• Prove that Proofpoint Encryption works

Objectives
• Your users need to send encrypted messages by putting [encrypt] in the subject field

Instructions
1. Configure your server to use Secure Reader.
a. From the Information Protection tab, navigate to Encryption > Settings > General
b. Select the Use custom radio button; then enter the fully qualified host name of your server (for
example, vs-xx.training.proofpoint.com)
c. Click Save Changes
2. Configure the subjectline_encrypt firewall rule.
a. From the Email Protection tab, navigate to Email Firewall > Rules
b. Locate the subjectline_encrypt rule; then click the Edit Rule button
c. Enable the rule
d. Deselect Disable Processing for selected policy routes
e. Click Save Changes
With this rule configured, PPS will encrypt any message that contains [encrypt] in the subject line. An
encrypted message will arrive in the recipient’s inbox as an attachment that can only be viewed by
accessing the Secure Reader.
3. Test the rule by sending a test message to your mail.ex user.
a. Put [encrypt] in the subject line along with New content
b. Put Hi It’s me in the message body (do not leave the body blank)
4. View the attachment in Secure Reader Inbox.
a. Open the mail.ex user’s inbox; then open the test message and you should see the following:

b. Click on the Click here link.


Log in to read your secure message
• Username: mail.ex_user@ex.proofpoint.com

• Password: train
5. View the attachment in Secure Reader.
a. Open the mail.ex user’s inbox; then open the test message
b. From the Attachments line, click 3 attachments
c. Click SecureMessageAtt.html; then select Download
You will see the file being downloaded by Firefox.
d. Open that downloaded file and a web page should load.
e. Click the Click to read message button
f. You may need to log in to read your secure message
• Username: mail.ex_user@ex.proofpoint.com
• Password: train
You can only view a single encrypted message using Secure Reader.

Lab 15-2: Configure Auto-Encrypt for PCI

Scenario
• You need to make sure that messages containing confidential information are auto-encrypted when
they are sent

Objectives
• Configure the pci_auto_encrypt rule
• Configure a new rule to automatically encrypt messages that contain credit card numbers

Instructions
1. Make sure Regulatory Compliance is enabled.
a. From the Information Protection tab, navigate to Regulatory Compliance > Settings
b. If the Enable Module setting is Off, select On, and then click Save Changes
2. Configure a new rule for automatically encrypting messages that contain credit card numbers:
a. Go to Regulatory Compliance > Rules
b. Click Clone Rule; then configure the following:
• Enable: On
• New Rule Name: pci_auto_encrypt
• Clone Rule From: pci
c. Click Save Changes
3. Add a condition to the pci_auto_encrypt rule.
a. Scroll down to the pci_auto_encrypt rule; then click its Edit button
b. Click Add Condition; then click the And condition radio button
c. From the Condition drop-down menu, select Triggered Rule
d. Set the Operator to Does Not Equal
e. In the Rule ID field, type sub; then select module.access.rule.subjectline_encrypt
f. Click Add Condition
g. For the Delivery Method, select Secure; then click Save Changes
4. Test the pci_auto_encrypt rule by sending a message to your mail.ex user with the following:
• Subject contains: credit card
• Message body contains: credit card number(s)
When testing your rule, use the credit card numbers included in the Credit Card Numbers file
found in the local Documents folder.
5. View the attachment in Secure Reader.
a. Open the mail.ex user’s inbox; then open the test message
The encrypted message will arrive as an attachment.

b. From the Attachments line, click 3 attachments


c. Click SecureMessageAtt.html; then select Download
The “Opening SecureMessageAtt.html” dialog appears.
d. Make sure Open with Firefox (default) is selected; then click OK
e. Click the Click to read message button
f. Enter the password: train
The test message appears in the Secure Reader web page.
6. Disable the pci_auto_encrypt rule.

Lab 15-3: Configure Auto-Encrypt for Groups

Scenario
• You need to make sure that messages sent from members of a certain group are auto-encrypted
when they are sent

Objectives
• Configure automatic encryption for all members of a group
• Name the group restrict_encrypt
• Verify that a message sent from a group member is encrypted
• Disable the autoencrypt_restrict rule when done

Instructions
1. Create the restrict_encrypt group.
a. From the System tab, navigate to User Management > Groups
b. Click Add
c. Name the group restrict_encrypt; then click Add Entry
2. Add the mail2 user to the restrict_encrypt group.
a. Go to User Management > Users
b. Find your mail2_user in the User List; then click on mail2_user@training.proofpoint.com
c. Select the Membership tab; then add the restrict_encrypt group to your user’s Member Of list
d. Click Save Changes
3. Create the restricted response profile.
a. From the Information Protection tab, navigate to Encryption > Response Profiles
b. Click Add; then configure the following:
• Name: restricted
• Reply tab > Enable Reply: Off
• Forward tab > Enable Forward: Off
c. Click Save
4. Clone the autoencrypt_restrict Email Firewall rule from the subjectline_encrypt rule.
a. From the Email Protection tab, navigate to Email Firewall > Rules
b. Click Clone Rule; then configure the following:
• Enable: On
• New Rule Name: autoencrypt_restrict
• New Rule Description: Group trigger to send encrypted messages
• Clone Rule From: subjectline_encrypt

c. Click Save Changes


5. Edit the autoencrypt_restrict rule.
a. Scroll to the bottom of the rules list; then click autoencrypt_restrict
b. Click Delete All Conditions > OK
c. Click Add Condition; then configure the following:
• Condition: Envelope Sender Belongs to Group
• Operator: Equals
• Groups: “restrict_encrypt” (use the Select Group... button)
d. Click Add Condition
e. Leave delivery method set to Secure
f. From the Response Profile drop-down, select restricted
g. Deselect Change message headers
h. Click Save Changes
6. Send a message from the mail2_user to the mail.ex_user.
7. Check the mail.ex_user’s inbox
The message should be encrypted. Any message sent by the mail2 user will be encrypted.
8. View the attachment in Secure Reader.
9. Disable the autoencrypt_restrict rule.

Student Notes
Another feature of Proofpoint Encryption is message revocation by the end user. Admins can make key management available in the end user interface, where end users can manage their own keys. End users can see whether a message has been accessed before revoking it, to confirm that the message has not been read.
This illustration shows a user sending an encrypted message:
1. After sending the message, he realizes that it was sent to the wrong person.
2. He then goes into the encryption server and deactivates the key.
3. When the recipient tries to log in to see the message, she receives a message that says the server was unable to decrypt the message.
Revoke Specific Message
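The three sets of notes above (the encryption flow through the Crypto API and Key Server, the Secure Reader decryption flow, and end-user revocation) describe one key-escrow design: the message key never travels with the message, so deactivating it at the key server is enough to make the delivered copy unreadable. The following is an added example that models that design end to end; it is not Proofpoint code. The cipher (a SHA-256 counter keystream with an HMAC tag, encrypt-then-MAC) stands in for the product's real encryption, and the PPS credential, the Authentication Server's user list, the message IDs and the message text are constructed.

```python
"""Toy model of the key-escrow flow described in the notes: the filter engine encrypts
with a fresh 256-bit key escrowed at a key server, Secure Reader fetches the key only
after the user authenticates, and the sender revokes by deactivating the key.

Added example, not Proofpoint code. The cipher is a stand-in; credentials, users,
message IDs and text are constructed."""
import hashlib
import hmac
import secrets


class DecryptionNotAuthorized(Exception):
    """The key server refused to return the key (revoked or unknown message)."""


class KeyServer:
    """Stand-in for the Proofpoint Key Server: one 256-bit key per message, every
    call authenticated with the PPS credential (a constructed value)."""

    def __init__(self, pps_credential: bytes):
        self._cred = pps_credential
        self._keys = {}  # msg_id -> {"key": bytes, "active": bool, "accessed": [user, ...]}

    def _auth(self, cred: bytes) -> None:
        if not hmac.compare_digest(cred, self._cred):
            raise PermissionError("PPS credential rejected")

    def store(self, cred: bytes, msg_id: str, key: bytes) -> bool:
        self._auth(cred)
        self._keys[msg_id] = {"key": key, "active": True, "accessed": []}
        return True  # the status the Crypto API checks before encrypting

    def fetch(self, cred: bytes, msg_id: str, recipient: str) -> bytes:
        self._auth(cred)
        rec = self._keys.get(msg_id)
        if rec is None or not rec["active"]:
            raise DecryptionNotAuthorized(msg_id)
        rec["accessed"].append(recipient)  # lets the sender see whether it was read
        return rec["key"]

    def accessed_by(self, cred: bytes, msg_id: str) -> list:
        self._auth(cred)
        return list(self._keys[msg_id]["accessed"])

    def revoke(self, cred: bytes, msg_id: str) -> str:
        self._auth(cred)
        self._keys[msg_id]["active"] = False
        return "Revoked"


class AuthServer:
    """Stand-in for the Authentication Server Secure Reader validates users against."""

    def __init__(self, users: dict):
        self._users = users  # username -> password (constructed)

    def check(self, username: str, password: str) -> bool:
        return hmac.compare_digest(self._users.get(username, "").encode(), password.encode())


def _subkeys(key: bytes):
    """Separate keystream and MAC keys derived from the escrowed message key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream built from SHA-256 (toy stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def encrypt_message(server, cred, msg_id, plaintext: bytes) -> bytes:
    """Filter-engine side: escrow a new 256-bit key first, then encrypt."""
    key = secrets.token_bytes(32)
    if not server.store(cred, msg_id, key):
        raise RuntimeError("key escrow failed; the message must not be sent in the clear")
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def secure_reader_open(auth, server, cred, msg_id, username, password, blob: bytes) -> bytes:
    """Secure Reader side: authenticate the user, fetch the key, verify, decrypt."""
    if not auth.check(username, password):
        raise PermissionError("login failed")
    key = server.fetch(cred, msg_id, username)  # raises DecryptionNotAuthorized if revoked
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
```

Two details carry the security point of the notes: the key is stored before the message is encrypted (so a failed escrow aborts rather than producing a message nobody can read), and revocation does not touch the delivered blob at all, which is why a recipient who already downloaded SecureMessageAtt.html still sees the decryption refused.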

Student Notes
This illustration shows the end user message revocation interface. The end user can revoke specific recipients or the entire message, see how other recipients were affected, and see whether the message has been accessed.

Lab 15-4: Revoke an Encryption Key

Scenario
• Your users need to be able to revoke encryption keys. Ensure users are allowed to manage
encryption keys

Objectives
• Configure authentication to the Web Application to use the ldap_profile
• Authenticate to the Web Application as the mail2 user
• Revoke an encryption key from a message recipient
• Go to the mail.ex user’s inbox and find the Credit Card message
• Try to use Secure Reader to open the message

Instructions
1. Configure authentication to the Web Application.
a. From the System tab, navigate to User Management > Organization > Authentication.
b. From the Authentication Source drop-down, select ldap_profile.
c. Click Save Changes.
2. Access the Web Application.
a. Open a new browser window and enter the URL to the End User Web interface
https://vs-xx.training.proofpoint.com.
b. Log in by entering: mail2_user@training.proofpoint.com
Password: train
3. (If necessary) Allow users to manage encryption keys.
a. From the System tab, navigate to End User Services > Web Application
b. Enable Show Encryption Key Management
c. Click Save Changes
4. Revoke a key from the encrypted message recipient.
a. Go to the Web Application browser tab; then refresh the browser by pressing F5
The list at the bottom of the left pane now includes the Encryption module.
b. Select Encryption
A list of encrypted messages sent by this user is shown in the main window.
c. Click on the entry for the credit card message
The encryption key management pane for this message appears at the bottom of the window.
The status for the encryption key is shown as Active.

d. Check the box to the left of Active


e. Click Revoke Recipient
The status now says Revoked.
5. Configure authentication to the Web Application.
a. From the System tab, navigate to User Management > Organization > Authentication.
b. From the Authentication Source drop-down, select ex_ldap_profile.
c. Click Save Changes.
6. Verify the encryption key has been revoked.
a. Open the mail.ex user’s inbox; then open the credit card message
b. From the Attachments line, click SecureMessageAtt.html
c. Click Download; then click OK
d. Click the Click to read message button
The message says Decryption Not Authorized.

Lesson 16: Data Loss Prevention
Introduction
This lesson explains how to configure and use the Data Loss Prevention (DLP) Dashboard, Folders, and Incidents to capture forensic details about possible unauthorized data disclosures. It also demonstrates how to configure PPS to respond automatically when unauthorized data disclosures occur.
Enabling the DLP Dashboard requires licenses for both the Regulatory Compliance and Digital Assets modules.

Data Loss Prevention

Student Notes
The Dashboard is where administrators view the current state of compliance (or non-compliance). The dashboard lists incidents, provides a graphical representation of them, and has filter settings that control the graphical display.
The DLP Dashboard is not visible without licenses for both:
• Regulatory Compliance
• Digital Assets
Data Loss Prevention (DLP) is a data security technology that detects potential data breach incidents by monitoring data. Data breach incidents can occur in the following places:
• In motion (network)
• In use (endpoints)
• At rest (storage)
Data Loss Prevention drivers include:
• Compliance with national, state, or industry rules and regulations
• Digital asset protection: confidential company information

Student Notes
• Date: Date of the event
• Severity: Set by the rule to High, Medium, or Low
• Rule Id: Rule that triggered the event
• Sender: Who sent the message
• Recipients: List of those who received the message
• Subject: Message subject
• View: Click the link to view incident details

Student Notes
The DLP Summary Dashboard displays trend reports as widgets:
• You can add report widgets, change their layout, or delete them
• Default widgets include:
  • Top Regulatory Violation Senders
  • Regulation Rule Trends
  • Encrypted Message Trends by Rule Type
  • Encrypted Message Trends

Student Notes
This shows what you see after clicking the View link from the Dashboard for a specific incident.

Student Notes

Option: How to Manage
• All: Select the checkbox to view all incidents
• Folder: Click the text box drop arrow to view incident folders. Click the Folder drop arrow to select folder options.
• Delete: Click to remove the selected incident. If none is selected, Delete asks to Delete All.
• Move: Move the incident to a different folder
• Release: Release to the recipient, remove from the incident folder, and put in the Deleted incident folder
• Redirect: Deliver a copy of the message to someone other than the original recipient
• Resubmit: Resubmit queued incidents to PPS for another filtering pass
• Options: Scan for viruses, download to a CSV file
• Status: Add or update the incident status with an optional comment

Student Notes
DLP has many system-defined folders. In the Folders page, the Messages column shows the current number of incidents in each folder.
Administrators can:
• Add more folders
• Delete added folders, but not system folders

Student Notes
More often than not, outbound violations are unintentional. Smart Send gives end users the opportunity to take corrective action on their own when they trigger a Smart Send rule. It is often used to take back a message that was sent by accident. The end user is given three options: send it anyway, discard it, or send it encrypted. Because Smart Send is configurable, administrators keep full control over rules, groups, users, and the message auditing process. This benefits the company as a whole and frees up resources.

Lab 16-1: Report Data Loss

Scenario
• You need to report messages containing credit card numbers and prevent them from leaving your enterprise

Objectives
• Configure data loss reporting of messages containing credit card numbers
• Create new rule: report_cc_messages, cloned from pci
• Test your rule
• View your test messages
• Disable the report_cc_messages rule when done

Instructions
1. From the Information Protection tab, navigate to Regulatory Compliance > Rules
2. Make sure the pci_auto_encrypt rule is disabled.
3. Click Clone Rule; then configure the following:
• Enable: On
• New Rule Name: report_cc_messages
• Clone Rule From: pci
4. Click Save Changes
5. Configure the report_cc_messages rule to report messages that contain credit card numbers by
doing the following:
a. Make sure Copy to the Incident queue is selected and the Folder is set to PCI
b. For the Delivery Method, select Discard
c. Deselect Change message headers and select Reply to sender based on detected language
(include appropriate Subject and Message text)
d. Click Save Changes
6. Test the report_cc_messages rule by sending 3 or 4 messages containing credit card numbers to
your mail.ex user.
7. Go to DLP Summary > Dashboard; then open the Compliance Incident Manager to see the test
messages containing credit card numbers (it may take a few minutes).
The Rule ID column will show report_cc_messages as the rule that was triggered and that sent the
messages to the incident queue.
8. Check the mail.ex_user's inbox to make sure the messages were not received.
9. Disable the report_cc_messages rule.

Lesson 17: Regulatory Compliance
Introduction
Organizations must comply with a wide variety of regulations that vary from country to country, state to state, and among industries. In 2018, company compliance efforts may be dictated by the European Union's General Data Privacy Regulation (GDPR), which makes companies responsible to data owners, the individuals who provide the data. Any failure to comply results in heavy fines.
Unauthorized data disclosures of any nature can result in negative publicity, damaged reputations, hefty fines, and even imprisonment if company executives are found negligent for failing to implement adequate protective controls.
This lesson focuses on how to use PPS to mitigate the risk of accidental or intentional unauthorized information disclosure via email. It explains how to configure rules that detect regulated data in email messages and respond automatically when it is detected.

Regulatory Compliance

Student Notes
The Regulatory Compliance module is available in the PPS to help your enterprise comply with legal
regulations. These are laws that require you to prevent activities that can be done using email, ranging
from corrupt practices to exposing private financial or health information. Non-compliance with these
regulations can subject your enterprise to penalties.

Student Notes
Following are examples of legal regulations this module is designed to help you comply with:
• FCPA – Foreign Corrupt Practices Act
• GLBA – Gramm-Leach-Bliley Act, US Financial Services Modernization Act
  GLBA requires financial institutions (companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.
• GDPR – General Data Privacy Regulation (European Union, and companies that store information about European citizens)
• HIPAA – US health insurance regulations
  HIPAA stands for Health Insurance Portability and Accountability Act and covers health insurers and providers (doctors, nurses, and similar). It is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. It is not a healthcare regulation, per se.
• PCI – Credit card industry data security standards
  The Payment Card Industry standards (PCI Security) are credit card industry-specific standards, not a regulation or law, although any business that processes credit or debit card payments must meet them.
• State privacy laws, such as:
  • Massachusetts 201 CMR 17
  • Nevada NRS 603A
• Industry-specific regulations, such as:
  • FDA regulations for pharmaceutical companies

Student Notes
• Define technical requirements
  • What data elements need to be detected and then blocked?
    • Social Security Numbers
    • Credit Card Numbers
    • Medical Record Numbers
    • Custom/business-specific data
• Document and get organizational sign-off
• Implement the technical solution
  • Test: Set up rules to quarantine/continue
  • Analyze: The organization reviews the test results
  • Adjust: Tweak the technical solution based on the data
  • Repeat: Until false positives/negatives have largely been addressed

Student Notes
Many Regulatory Compliance rules use complex conditions, which means proximity match can be a very powerful tool when combining Smart Identifiers and dictionaries. Rule dispositions are similar to those of the Email Firewall and other modules, but these dispositions also include severity levels for reporting.
Proofpoint recommends that new rules are implemented using the "Quarantine and Continue" method so you can confirm that the rule performs as intended.
• General rule conditions
  • Dictionary Score
  • Triggered Rule
• Unique rule conditions
  • Attachment metadata
    • Extracts from MS Office and PDF only
  • Proximity match
    • 1 Smart ID + 1 Dictionary
  • Smart identifier
    • Score
    • Match term
    • Match data

Student Notes
In the Regulatory Compliance module, you can add custom and static dictionaries. Static dictionaries, for example drug codes, can be difficult to manage because their contents change constantly. The module includes protected health information (HIPAA) and personal information (GLBA or PCI) dictionaries, and dynamic updates ensure that these dictionaries contain the most current data. Additional dictionaries specific to your organization can be created, and helper dictionaries increase accuracy. For example, certain printers may have serial numbers that trigger a Social Security number smart identifier. Because such a printer name is highly likely to produce a false positive, you can create a rule that does not fire if a term from the helper dictionary containing the printer is within a set proximity of the smart identifier trigger. Using the quarantine to audit messages lets you see what triggered where and highlights the matches. The Regulatory Compliance module includes several default dictionaries whose content is static.
Many of these are helper dictionaries, such as:
• SSN Terms
• Credit Card Terms
• ABA Terms

Lab 17-1: Implement a Dictionary

Scenario
• You need to ensure credit report information is not being released in outbound email

Objectives
• Enable and configure a Regulatory Compliance dictionary
• Create and configure a rule named credit_report
• Send a test message containing a credit report term; then check that the rule was triggered

Instructions
1. Enable the CreditReport-Term dictionary.
a. From the Information Protection tab, navigate to Regulatory Compliance > Dictionaries
b. Click CreditReport-Term; then make a note of a credit report term in the dictionary.
This word will be used in the body of the test message.
c. Enable the dictionary
d. Click Save Changes
2. Add a new Dictionary rule for credit report terms.
a. Navigate to Regulatory Compliance > Rules
b. Click Add Rule; then configure the rule as follows:
• Enable: On
• ID: credit_report
• Condition: Dictionary Score
• Dictionary: CreditReport-Term
• Operator: Greater Than
• Score: 0
c. Click Add Condition
d. Configure the rule dispositions as follows:
• Select Copy to the Incident queue
• Folder: Regulation
• Delivery Method: Discard
• Discard Option: Reply to sender based on detected language (include appropriate Subject
and Message text)
e. Click Add Rule
3. Send a message to test the rule.

a. Use a credit report term from the dictionary in the message body
b. Verify that the rule was triggered by checking the Incidents dashboard and by going to DLP
Incidents > Folders > Regulation
This might take a few minutes.

Student Notes
Additional dictionaries can be created, such as custom dictionaries that contain business-specific terms. Weighting dictionary terms can be a helpful option but is not always necessary; a credit report dictionary, for example, works without it.
Custom dictionaries can be uploaded via CSV files.


Student Notes
To view the list of words in a custom dictionary, click the dictionary. The screen shot above shows a
new custom dictionary that is ready for entries.
To add a single term, click Add. To add terms from a CSV file, click Import.


Student Notes
When adding words to a custom dictionary, keep the following in mind:
• The Case Insensitive Match condition is appropriate in most cases
• Use Case Sensitive Match or Regex Match only if needed
• Enter the word or regular expression
• Enter a numeric Weight value to influence the score based on the number of instances of the word.
• Weight is a required value. The value must be between 1 and 10. When assigning weight to
terms, be careful that your dictionary rules don’t generate false positives and impact legitimate
traffic.
• Click Add Entry to save your entry, or Add and New to enter another term.


Student Notes
Smart identifiers find information beyond the basic pattern matching performed by dictionaries. A
simple regular expression only matches a pattern; a smart identifier adds a checksum or other
validation formula, so it detects a specific kind of information and is more accurate. For example, the
credit card smart identifier uses the Luhn algorithm to identify potentially valid card numbers, and the
Social Security Number smart identifier uses the Social Security Administration high group list. You
can also write your own in Perl using the three files that make up a smart identifier: the prescript, the
config, and the manifest that populates the variables.
Smart Identifiers can be used to find items such as the following:
• Credit Card numbers can be found using the Luhn Algorithm
• Social Security Numbers
• ABA Routing numbers
• CUSIP number
Custom Smart Identifiers can be created but these require engaging with Professional Services.


Lab 17-2: Implement a Custom Smart Identifier

Scenario
• You need to add a custom smart identifier to prevent personal information from leaving your
enterprise

Objectives
• Enable and configure Custom Smart Identifiers
• Create and configure a rule named ip_address
• Send a test message containing IP addresses; then check to verify that the rule was triggered

Instructions
1. Import a smart identifier.
a. From the Information Protection tab, navigate to Regulatory Compliance > Smart Identifiers
The Smart Identifiers selector page is displayed:
b. Click Import Identifier to open the Import Smart Identifier dialog
c. Browse to the home directory and select the ipaddress2.zip file
d. Click Import Identifier
Note the Technical category has been added to the Identifiers list. If you don’t see it, press F5.
2. Create a rule to use the newly imported IP addresses.
a. Go to Regulatory Compliance > Rules; then click Add Rule
b. Configure the new rule as follows:
• Enable: On
• Rule ID: ip_address
• Condition: Smart Identifier Score
• Operator: Greater than
• Score: 0
• Smart Identifier: scroll to the bottom of the Smart Identifier categories, to the Technical
category, and select IP Address
c. Click Add Condition
d. Configure Dispositions as follows:
• Select Copy to the Incident Queue
• Folder: Regulation
• Delivery Method: Discard
• Discard Option: Reply to sender based on detected language (include appropriate Subject
and Message text)


e. Click Add Rule


3. Test the ip_address Smart Identifier rule by sending a message.
a. Enter any valid IP Address into the body of the message
b. Verify that the rule was triggered by checking the Incidents dashboard and by going to DLP
Incidents > Folders > Regulation
This might take a few minutes.
4. Test the ip_address Smart Identifier rule again by sending a message with an invalid IP address
For example, 208.86.203.256.
Was the ip_address Smart Identifier rule triggered?
_____________________________________________
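The student notes above describe a smart identifier as a pattern match followed by a validation step, and Lab 17-2 tests that idea with a syntactically plausible but invalid address. The following is an added example written for this guide, not Proofpoint code (Proofpoint's own smart identifiers are Perl-based, with a prescript, config and manifest). It uses Python to show the principle for two identifiers: a Luhn check for card numbers and an octet-range check for IPv4 addresses. The patterns, the identifier names and the message body are constructed for the example; the card numbers are standard test values.

```python
"""Regex pre-filter plus validation, in the style of a smart identifier.

Added example for this guide, not Proofpoint code. Proofpoint's own smart
identifiers are Perl-based (prescript, config, manifest); this Python version
only demonstrates the principle: a loose regular expression finds candidates,
then a checksum or range test discards the ones that cannot be real.
"""
import re

# Candidate patterns (constructed for this example, deliberately loose).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")      # 13-19 digits, optional separators
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")   # dotted quad, octets unchecked


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check over the digits of `number`; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ipv4_valid(addr: str) -> bool:
    """Every octet must be 0-255; 208.86.203.256 matches the regex but fails here."""
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


# identifier name -> (candidate pattern, validator)
IDENTIFIERS = {
    "credit_card": (CARD_RE, luhn_valid),
    "ip_address": (IPV4_RE, ipv4_valid),
}


def scan(text: str) -> dict:
    """Return {identifier: {"matched": [...], "rejected": [...]}} for the text."""
    result = {}
    for name, (pattern, validate) in IDENTIFIERS.items():
        hits = {"matched": [], "rejected": []}
        for m in pattern.finditer(text):
            bucket = "matched" if validate(m.group()) else "rejected"
            hits[bucket].append(m.group())
        result[name] = hits
    return result


def score(text: str, identifier: str) -> int:
    """Number of validated hits; a rule condition 'Score greater than 0' fires on >= 1."""
    return len(scan(text)[identifier]["matched"])


# Constructed test message body (the card numbers are standard test values).
SAMPLE_BODY = (
    "Test card 4111 1111 1111 1111 should validate; 4111 1111 1111 1112 fails Luhn.\n"
    "Order 1234567890123 is a 13-digit tracking number, not a card.\n"
    "Valid host 208.86.203.25; invalid 208.86.203.256 has an octet over 255.\n"
)

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_BODY).items():
        print(name, "matched:", hits["matched"], "rejected:", hits["rejected"])
```

The "rejected" list is what separates a smart identifier from a dictionary regex: every entry in it would have been a false positive (and, with a Discard disposition, a blocked legitimate message) under pattern matching alone.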


Lab 17-3: Implement Proximity Match

Scenario
• You need to enable and configure a rule that helps maintain compliance with GLBA regulations

Objectives
• Implement and test proximity match
• Enable the glba_trading rule and configure it to reply to sender
• Enable the Trading-Term dictionary
• Select and copy a 9-digit CUSIP number
• Send a test message containing the CUSIP number; then check to verify that the rule was triggered

Instructions
1. Configure the glba_trading rule.
a. From the Information Protection tab, go to Regulatory Compliance > Rules
b. Click glba_trading; then Enable the rule
Note that this rule uses a smart identifier to look for “cusip” terms that are within 20 characters of
words in the Trading-Term dictionary.
c. Check Reply to sender based on detected language; then configure
• Subject: Not Allowed
• Message: The information you shared is out of policy
d. Select Save Changes
2. Enable the Trading-Term dictionary.
a. Go to Regulatory Compliance > Dictionaries
b. Click on Trading-Term
c. Click On
d. Make a note of one of the words in the Word column
e. Click Save Changes
3. Select a cusip.
a. Use Notepad to open the CUSIP.txt file from the Documents folder
b. Copy one of the 9-digit CUSIP numbers
4. Test the glba_trading rule by doing the following:
a. Compose a message to your mail.ex_user
b. Put any text in the subject field
c. In the message body, paste the CUSIP number; then add text to the message that uses a
glba_trading word
Make sure the word is within 20 characters of the CUSIP number.


d. Send the message


e. Wait for the reply with the subject “Not Allowed”
f. Find the message in DLP Incidents > Folders > GLBA
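The glba_trading rule in this lab combines a CUSIP smart identifier with the Trading-Term dictionary inside a 20-character window. The following is an added example written for this guide, not Proofpoint code, showing how such a proximity match is evaluated: candidate CUSIPs are validated with the public CUSIP check-digit rule, dictionary terms are located as whole words, and a hit is recorded only when the gap between the two is at most 20 characters. The term list is a constructed stand-in, not Proofpoint's Trading-Term dictionary; the message body is constructed as well (037833100 and 594918104 carry correct check digits, 037833101 does not).

```python
"""Proximity match: a validated CUSIP near a dictionary term.

Added example for this guide, not Proofpoint code. The glba_trading rule
above pairs a CUSIP smart identifier with the Trading-Term dictionary inside
a 20-character window; this reproduces that logic with a constructed term
list (not Proofpoint's dictionary) and the public CUSIP check-digit rule.
"""
import re

CUSIP_RE = re.compile(r"\b[0-9A-Z]{8}[0-9]\b")   # 8 base characters + check digit
WINDOW = 20                                       # characters, as in the rule description

# Constructed stand-in for the Trading-Term dictionary.
TRADING_TERMS = ["buy", "sell", "shares", "trade", "position"]


def cusip_char_value(ch: str) -> int:
    """CUSIP alphabet: 0-9 -> 0-9, A-Z -> 10-35, then * @ # -> 36-38."""
    if ch.isdigit():
        return int(ch)
    if ch.isalpha():
        return ord(ch.upper()) - ord("A") + 10
    return {"*": 36, "@": 37, "#": 38}[ch]


def cusip_valid(cusip: str) -> bool:
    """Modulus-10 'double add double' check digit over the first 8 characters."""
    if len(cusip) != 9 or not cusip[8].isdigit():
        return False
    total = 0
    for i, ch in enumerate(cusip[:8]):
        try:
            v = cusip_char_value(ch)
        except KeyError:
            return False
        if i % 2 == 1:             # 2nd, 4th, 6th, 8th characters are doubled
            v *= 2
        total += v // 10 + v % 10  # add the digits of the (possibly doubled) value
    return (10 - total % 10) % 10 == int(cusip[8])


def term_spans(text: str) -> list:
    """(term, start, end) for every whole-word dictionary hit, case-insensitive."""
    lowered = text.lower()
    spans = []
    for term in TRADING_TERMS:
        for m in re.finditer(r"\b" + re.escape(term) + r"\b", lowered):
            spans.append((term, m.start(), m.end()))
    return spans


def proximity_matches(text: str, window: int = WINDOW) -> list:
    """(cusip, term, gap) for each valid CUSIP within `window` characters of a term."""
    spans = term_spans(text)
    hits = []
    for m in CUSIP_RE.finditer(text):
        if not cusip_valid(m.group()):
            continue                                     # shaped like a CUSIP, wrong check digit
        for term, ts, te in spans:
            gap = max(ts - m.end(), m.start() - te, 0)   # characters between the two spans
            if gap <= window:
                hits.append((m.group(), term, gap))
    return hits


def rule_triggers(text: str) -> bool:
    """Equivalent of the rule firing: at least one proximity match."""
    return bool(proximity_matches(text))


# Constructed message body.
MESSAGE = (
    "Please buy 500 of 037833100 before the open.\n"
    "Unrelated reference number 037833101 appears here with no trading language nearby at all.\n"
    "Ticker note: 594918104 is discussed in the attached slide deck, and we may trade it."
)

if __name__ == "__main__":
    print(proximity_matches(MESSAGE))
```

Only the first line produces a hit: the second line's identifier fails its check digit, and the third line's term is well outside the window, which is exactly why the lab insists that the dictionary word be placed within 20 characters of the CUSIP.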


Student Notes
Business partners are domains with which email is exchanged securely, so messages to them may not
need to be blocked. Business partner domains can be used as exemptions or requirements for a rule.
Messages to business partners are usually encrypted; by default they are added to the tls policy route,
which provides gateway-to-gateway encryption. You can also use Proofpoint Encryption, or route
messages to an SMTP queue to be encrypted elsewhere.


Student Notes
When it comes to using Regulatory Compliance for inbound mail, consider the following:
• Most Information Protection use cases do not require DLP scanning of inbound messages
• You can disable the Regulatory Compliance module for the default_inbound policy route in Settings >
Regulatory Compliance Options
• Improves performance and avoids inadvertent triggering of rules
• Necessary for outbound-only implementations
Secure Reader replies containing sensitive content could trigger Regulatory Compliance rules
that would encrypt messages to internal users
• You can disable the Regulatory Compliance module for the tls policy route
• Proofpoint Encryption is not intended for configurations where TLS is forced for Business Partner
domains
• This traffic does not require scanning for sensitive message content


Lesson 18: Digital Assets
Introduction
This lesson describes how to configure PPS to monitor email for messages containing sensitive corporate
data and automatically respond when sensitive, confidential, or regulated information is detected in an
email message.

Digital Assets

Student Notes
Digital Assets is a key module in PPS that keeps internal corporate assets and valuable information from
being disclosed to unauthorized individuals. Digital Assets uses pattern matching to:
• Analyze and classify your confidential documents
• Monitor for confidential information in the outbound message stream
• Pro-actively stop security breaches


Student Notes

Document Repository: A collection of documents that your organization wants to protect from accidental or
deliberate distribution by email or HTTP traffic
Document Processor: Controls details of how users use email to populate the Document Repository
WebDAV Data Connector: Uses the WebDAV protocol to access external file servers to create and store
signatures for documents found in specific directories on these servers
Match Threshold: Defines the point at which the content of an email message is defined as suspect and
would therefore trigger a rule
Categories: Allow administrators to organize the documents in the repository into groups and apply
settings to the entire group of documents
Negative Case Category: A category of documents that contain text that should not be used to match to
trigger a rule


Student Notes
The Digital Assets module requires that the following two System Settings are enabled:
• Inspect Compressed Archives and PE Encrypted Messages, which prevents hiding confidential
information inside a compressed archive.
• Extract Text Content, which permits the scanning engine to scan message content and attachments.
The message content is passed through the content extraction engine (Verity). Using this engine, PPS
can scan text from the body (HTML, text) as well as from attachments (PDF, Microsoft Word,
Microsoft Excel, PowerPoint, etc.).
Fingerprinting processes documents in three steps:
• Document text extraction
• Text normalization (lower case, remove markup, etc.)
• Breaking the text into fingerprints


Student Notes
Add Document Category provides:
• Easier management of documents
• Application of expirations
• Application of unique partial match thresholds
Add Negative Case Category:
• Contains information that is not confidential
• Excludes that text from the signature matches that would otherwise trigger a rule


Student Notes
The Document Processor controls how users populate the Document Repository (DR). Configure it to
determine the following:
• Which POP3 server processes the email requests
• Which categories the documents fall into
• Types of documents that are allowed or not allowed to be placed in the DR
The following methods can be used for authenticating to the Document Processor:
• Auto detect: If the POP3 server supports encryption, the Document Processor uses encryption for
the login, password, and transmission. If it does not, the Document Processor uses clear text.
• LOGIN protocol: The Document Processor uses clear text for communication with the POP3 server.
• APOP protocol: The Document Processor uses encryption for communication with the POP3 server.


Student Notes
The Digital Assets WebDAV Data Connector:
• Uses the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol to access
external file servers via a URL
• Creates and stores signatures for the documents found in specific directories on these servers
• Checks time stamps on the documents on the file server to ensure that it has used the latest
documents to create the signatures
• Administrators create a source profile for each category of documents that they want the
WebDAV Data Connector to access and create signatures for
• You can determine how often you want the WebDAV Data Connector to check the source for new
or changed documents


Student Notes
Digital Assets rule configuration is very similar to Firewall Rule configuration. The difference is in the type
and limited number of conditions.
To get here:
• Navigate to Digital Assets > Rules
On the training system, you will see only one rule: the default Digital Assets rule
• Click the rule as if you are going to edit it.
This screen should appear.


Lab 18-1: Implement Digital Asset Security

Scenario
• You need to keep documents containing intellectual property from being sent in outgoing mail as
attachments. Configure Digital Asset security to keep documents secure

Objectives
• Enable the Digital Assets module
• Create a document category named source_code
• Add the source code file, gtkxtbin.c, to the new category
• Configure the Default Assets rule as in Step 4 below
• Test the rule twice: once with the entire source code file attached and once with only a portion attached

Instructions
1. Enable the Digital Assets module.
a. From the Information Protection tab, navigate to Digital Assets > Settings > General.
b. Enable the module by clicking the On radio button.
c. Click Save Changes
2. Create a new document category.
a. Navigate to Digital Assets > Categories
b. Click Add Document Category; then configure the following:
• Name: source_code
• Description: Source Code Files
c. Click Add Entry
3. Add the source code document to the new category.
a. Go to Digital Assets > Documents
b. Click Add; then configure the following:
• Browse to and select the gtkxtbin.c file in your local Documents directory
• Leave the Document Name field blank
• Enter a description for the document
• From the Category drop-down menu, select source_code
c. Click Add Entry
4. Configure the default Digital Assets rule.
a. Go to Digital Assets > Rules; then click on the default rule
The default rule should already be enabled.


b. In the Conditions section, leave Document Match equal to “any”


c. Select the Extension check box; then enter c in the text box
Do not enter .c (dot c).
d. Leave other conditions at their default values
e. For the Dispositions settings, do the following:
• Make sure Copy to the Incident queue and the Asset folder are selected
• Set the delivery method to Secure
• Select Change subject based on detected language
• Enter Confidential Information ${Subject} in the Subject field.
f. Click Save Changes
5. Test the rule by sending a message with the source code file attached.
a. Send an email with the gtkxtbin.c file attached
b. Check the Asset folder in DLP Incidents > Folders for the message
c. Check the recipient’s inbox for a message with the subject of the original message prefixed by
Confidential Information. The attachment should be secured and only viewable from Secure
Reader.
6. Test the rule again by sending a message with only a portion of the source code file attached.
a. Open the gtkxtbin.c file in Notepad
b. Delete about half of the code; then save the file as gtkx.c (be sure to use the All Files option when
saving the file)
c. Send an email with the gtkx.c file attached
d. Check the Asset folder in DLP Incidents > Folders for the message
e. Check the recipient’s inbox for a message with the subject of the original message prefixed by
Confidential Information. The attachment should be secured and only viewable from Secure
Reader.
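The student notes earlier in this lesson describe fingerprinting as extract, normalize and break into fingerprints, and Steps 5 and 6 of this lab test a full and a partial copy of the protected file. The following is an added example written for this guide, not Proofpoint's fingerprinting engine: it builds fingerprints from hashed five-word windows, keeps a negative case set that is subtracted from every comparison, and applies a partial match threshold. The shingle size, the threshold values, the license header and the short source file (a stand-in for gtkxtbin.c) are all assumptions constructed for the example.

```python
"""Document fingerprinting with a partial-match threshold.

Added example for this guide, not Proofpoint's fingerprinting engine. It
follows the three steps in the notes (extract text, normalize, break into
fingerprints) using hashed word shingles; the shingle size, the threshold
values and the sample source file are assumptions made for the example.
"""
import hashlib
import re

SHINGLE_WORDS = 5   # assumption: each fingerprint covers 5 consecutive words


def normalize(text: str) -> list:
    """Lower-case, drop HTML-style tags and punctuation, split into words."""
    text = re.sub(r"</?[a-zA-Z][^>]*>", " ", text)   # tags only; leaves C's '<=' alone
    return re.findall(r"[a-z0-9_]+", text.lower())


def fingerprints(text: str, k: int = SHINGLE_WORDS) -> set:
    """SHA-256 of every k-word window; a document is the set of its windows."""
    words = normalize(text)
    if not words:
        return set()
    if len(words) < k:                       # very short text: one fingerprint
        return {hashlib.sha256(" ".join(words).encode()).hexdigest()}
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}


class Repository:
    """Document Repository: protected documents, a negative case set, a threshold."""

    def __init__(self, threshold: float):
        self.threshold = threshold   # fraction of a document's fingerprints that must match
        self.docs = {}               # name -> (category, fingerprint set)
        self.negative = set()        # fingerprints of the negative case category

    def add(self, name: str, text: str, category: str) -> None:
        self.docs[name] = (category, fingerprints(text))

    def add_negative(self, text: str) -> None:
        self.negative |= fingerprints(text)

    def match(self, attachment_text: str) -> dict:
        """name -> (category, matched fraction, triggers) for every protected document."""
        seen = fingerprints(attachment_text) - self.negative
        results = {}
        for name, (category, doc_fp) in self.docs.items():
            doc_fp = doc_fp - self.negative
            fraction = len(seen & doc_fp) / len(doc_fp) if doc_fp else 0.0
            results[name] = (category, fraction, fraction >= self.threshold)
        return results


def first_half(text: str) -> str:
    """Roughly what 'delete about half of the code' in Step 6 produces."""
    lines = text.splitlines()
    return "\n".join(lines[: len(lines) // 2])


# Constructed sample: a boilerplate license header shared by every file, and a
# short source file standing in for the lab's gtkxtbin.c.
LICENSE_HEADER = "/* Copyright Example Corp. Licensed under the Example Public License. */"
SECRET_SOURCE = LICENSE_HEADER + """
static int widget_count = 0;
int widget_create(const char *name) {
    if (name == NULL) return -1;
    widget_count = widget_count + 1;
    return widget_count;
}
int widget_destroy(int id) {
    if (id <= 0 || id > widget_count) return -1;
    widget_count = widget_count - 1;
    return 0;
}
"""


def build_repository(threshold: float) -> Repository:
    repo = Repository(threshold)
    repo.add("widget.c", SECRET_SOURCE, "source_code")
    repo.add_negative(LICENSE_HEADER)   # the header alone must never trigger a rule
    return repo


if __name__ == "__main__":
    repo = build_repository(0.3)
    for label, body in (("full", SECRET_SOURCE), ("half", first_half(SECRET_SOURCE)),
                        ("header only", LICENSE_HEADER)):
        print(label, repo.match(body)["widget.c"])
```

With the threshold at 0.3 the half file still triggers, which is the behaviour Step 6 sets out to observe; raising the category's partial match threshold above the measured fraction is what stops it, and the negative case set keeps boilerplate common to every file from counting toward a match.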


Appendix A: Email Forensics
Introduction
This lesson teaches you how to analyze the contents of an email header. You will review the chronological
and network analysis of the Received headers. You will also analyze the headers for DKIM, TLS, and other
non-standard email headers.


Email Forensics

Student Notes
This shows three portions of the email header
Red – Server Relay information
Blue – Message information
Green – Proprietary header information – X-Headers (non-standard portion of header)


Student Notes
This shows some available online tools that parse a header and present it in a more readable form.
Proofpoint does not recommend that customers use the Google Apps Toolbox (Message Header), MxToolbox
(EmailHeaders), or Microsoft (Message Header Analyzer) for header analysis. These are not considered
safe, because the headers are posted to these public websites.
Proofpoint offers E-Mail Header Analyzer (open source), which keeps the content local. You can copy and
paste any header into this tool, which then organizes the header and presents more information.


Student Notes
This shows the server relay information contained in the header. The next few slides review its contents
line-by-line.


Student Notes
This shows a header with all the relay information presented in a dynamic format.
1. The message is received from null with the local IP address (127.0.0.1), that is, not machine-to-machine
delivery, by the server mail2.training.Proofpoint.com (Postfix). The message was delivered with the
ESMTPS protocol (Extended SMTP with TLS as additional security). EC4867C1B1E is the delivery report
number for recipient jhead@ex.proofpoint.com. This shows secure delivery (with TLS) but not
authenticated delivery: encryption without authentication.
2. This shows delivery to mail2.training.Proofpoint.com (10.25.0.70). The message was sent via Extended
SMTP to the server named vs-66. Here we see the authentication result, and note that the recipient never
changes (jhead@proofpoint.com). The header was created by the previous server (10.25.0.70). This
server (A) shows the authentication results (SPF, DKIM, DMARC).
3. After pps.filterd, the message is processed by Sendmail for delivery.
4. The message is processed via SMTP.
5. The message is delivered via LMTP.
The return path is difficult to see in the message header. Return-Path is the only place in the message
header where the message (envelope) sender is shown.


Student Notes
Time stamps matter because typical delivery across the Internet takes about one minute, and the time
stamps should increase from one Received header to the next.
Any significant delay beyond one minute can indicate that a header was forged or that the message was
delayed.
This slide shows the time stamps increasing when looking at lines one through five. Line 1 also shows
whether the message was originally created a long time ago and then resent at the present time with an
automation tool.
Descriptions of ESMTPA, ESMTPS, ESMTPSA, LMTP, LMTPA, LMTPS, LMTPSA:
• ESMTPA - ESMTP when the SMTP AUTH extension is also used and authentication is successfully
achieved
• ESMTPS - ESMTP when STARTTLS is also successfully negotiated to provide a strong transport
encryption layer
• ESMTPSA - ESMTP when both STARTTLS and SMTP AUTH are successfully negotiated (the
combination of ESMTPS and ESMTPA)
• LMTP - Local Mail Transfer Protocol, RFC 2033
• LMTPA - LMTP with the SMTP AUTH extension
• LMTPS - LMTP when STARTTLS is also successfully negotiated to provide a strong transport
encryption layer
• LMTPSA - LMTP when both STARTTLS and SMTP AUTH are successfully negotiated (the
combination of LMTPS and LMTPA)
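The two checks described in these notes, time stamps that must increase hop by hop and the protocol token on each Received line, can be automated. The following is an added example written for this guide, not Proofpoint code. It parses the Received headers of a constructed message (placeholder hosts, addresses and ids, not the lab message), orders the hops chronologically, flags any hop slower than the one-minute rule of thumb, and decodes the ESMTP/LMTP suffix letters into TLS and SMTP AUTH facts.

```python
"""Received-header chronology and transport check.

Added example for this guide, not Proofpoint code. It parses the Received
headers of a constructed message (placeholder hosts and addresses, not the
lab message), orders the hops chronologically, flags any hop that took more
than a minute (the rule of thumb in the notes) and decodes the 'with' token
into TLS and SMTP AUTH facts.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

SLOW_HOP_SECONDS = 60   # anything slower deserves a look, per the notes

# Constructed sample message (hostnames, addresses and queue ids are placeholders).
SAMPLE = """\
Received: from mx.example-internal.test (mx.example-internal.test [10.0.0.5])
\tby mailstore.example-internal.test (Dovecot) with LMTP id abc123
\tfor <user@example-internal.test>; Mon, 07 Nov 2022 10:00:05 -0800
Received: from relay.partner.example (relay.partner.example [203.0.113.7])
\tby mx.example-internal.test (Postfix) with ESMTPS id def456
\tfor <user@example-internal.test>; Mon, 07 Nov 2022 10:00:04 -0800
Received: from laptop.partner.example (unknown [198.51.100.23])
\tby relay.partner.example (Postfix) with ESMTPA id ghi789
\tfor <user@example-internal.test>; Mon, 07 Nov 2022 09:12:30 -0800
From: sender@partner.example
To: user@example-internal.test
Subject: constructed sample

body text
"""


def transport(token: str) -> dict:
    """Decode ESMTP/LMTP suffix letters: S = STARTTLS negotiated, A = SMTP AUTH."""
    base = next((b for b in ("ESMTP", "LMTP") if token.startswith(b)), token)
    suffix = token[len(base):]
    return {"base": base, "tls": "S" in suffix, "auth": "A" in suffix}


def parse_hops(raw: str) -> list:
    """One dict per Received header, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())            # unfold the header
        stamp = value.rsplit(";", 1)[1].strip()    # the date follows the last ';'
        token = re.search(r"\bwith\s+([A-Z]+)", value)
        hops.append({
            "from": re.match(r"from\s+(\S+)", value).group(1),
            "by": re.search(r"\bby\s+(\S+)", value).group(1),
            "proto": token.group(1) if token else "",
            "time": parsedate_to_datetime(stamp),
        })
    hops.reverse()   # headers are prepended, so the first header is the newest hop
    return hops


def analyze(raw: str) -> list:
    """Add the delay since the previous hop and the transport facts to each hop."""
    hops = parse_hops(raw)
    report = []
    for i, hop in enumerate(hops):
        delay = 0 if i == 0 else int((hop["time"] - hops[i - 1]["time"]).total_seconds())
        entry = dict(hop, delay_s=delay, slow=delay > SLOW_HOP_SECONDS,
                     backwards=delay < 0, **transport(hop["proto"]))
        report.append(entry)
    return report


if __name__ == "__main__":
    for hop in analyze(SAMPLE):
        print(f'{hop["from"]} -> {hop["by"]} via {hop["proto"]} '
              f'(tls={hop["tls"]}, auth={hop["auth"]}) +{hop["delay_s"]}s'
              + (" SLOW" if hop["slow"] else ""))
```

In the sample the first hop is authenticated submission (ESMTPA), the partner relay hands the message over under TLS but without authentication (ESMTPS), and the 47-minute gap between those two hops is the kind of delay the notes say warrants a closer look; a negative delay (a "backwards" hop) would point at a forged or mis-clocked header.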


Student Notes
Network analysis shows the countries that the message has crossed. It also reveals the country of origin
of the message (such as China), which may prove to be a trigger for further investigation.
Line 2 shows the EHLO domain, the PTR Domain, and the IP address. Proofpoint can create rules based on
any of these domains.


Student Notes
Within the header you can see the various mail protocols used to transmit the message. When the message
is first submitted, it should be authenticated (ESMTPA); otherwise the first server could be an open relay.
It is most common to see the user name of the person who composed the message on the Received header
line for the first hop.
Email protocols:
• SMTP - Simple Mail Transfer Protocol
• ESMTP - Extended SMTP
The ESMTPA, ESMTPS, ESMTPSA, LMTP, LMTPA, LMTPS, and LMTPSA variants are described in the
previous notes.


Student Notes
This slide presents more detail on Authentication-Results. Authentication-Results presents the results of
the SPF, DKIM, and DMARC checks run against this message. Here you can review the header fields used
by DKIM and DMARC as well as the information used by SPF.
The illustration shows where you can find the authentication header. It is added on the boundary
machines (border MTAs), where organizations that do not trust one another need to authenticate.
At the trust boundary, an Administrative Management Domain (ADMD) uses a reverse lookup (a PTR
record query) to check the connecting host.
The ADMD enforces anti-spam techniques such as:
• Strict enforcement of RFC standards
• DNS PTR
• FCrDNS
• Greylisting
• Blocklists
• Safelists
• Content-based solutions
• Rate limiting
• Authentication
• Sender reputation


Student Notes
This shows the DKIM-Signature header, which is quite complex. Here we discuss each of the tags in the
DKIM-Signature.
v: version. Only version 1 exists today, so this field should always be set to 1.
a: algorithm used to create the signature. It should be rsa-sha256 in most cases. Some senders may use
rsa-sha1, but it is not recommended due to security risks.
c: canonicalization algorithms (header/body)
s: selector record name used with the domain
h: signed header fields that are fed to the signing algorithm to create the value in the b= tag
bh: hash of the message body
b: signature over the headers listed in the h= tag. This is also called the DKIM signature.
d: domain used with the selector record
Note that the header carries two hash values: bh (the body hash) and b (the signed hash of the headers).
Use the dig command against your own company's domain to view its DKIM key record, based on what
you see in the header. With the dig command you need the selector (s) and the domain (d). This proves
useful for troubleshooting DKIM and DMARC.
More details can be found at:
https://www.iana.org/assignments/dkim-parameters/dkim-parameters.xhtml
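The notes above list the DKIM-Signature tags and point out that the dig query needs the selector (s) and the domain (d). The following is an added example written for this guide, not Proofpoint code. It parses the tag=value list of a constructed DKIM-Signature value (placeholder domain, selector and signature strings; the bh= value is the SHA-256 of an empty body and b= is made up, so nothing verifies), applies the sanity checks from the notes (v must be 1, rsa-sha1 is not recommended) plus the requirement that From be among the signed headers, and derives the DNS name whose TXT record holds the public key.

```python
"""DKIM-Signature tag parsing, sanity checks and key-record name.

Added example for this guide, not Proofpoint code. It parses the tag=value
list of a constructed DKIM-Signature header (placeholder domain, selector
and signature values), applies the checks from the notes (v=1, rsa-sha1 not
recommended) and derives the DNS name to query with dig for the public key.
"""
import re

# Constructed header value; bh= is the SHA-256 of an empty body and b= is a
# made-up base64 string, so it verifies nothing and is only here for parsing.
SAMPLE_DKIM = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.test; s=sel2022;\n"
    "\th=from:to:subject:date:message-id;\n"
    "\tbh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\n"
    "\tb=ZmFrZS1zaWduYXR1cmUtZm9yLWV4YW1wbGUtb25seQ=="
)

REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")
KNOWN_ALGORITHMS = ("rsa-sha256", "rsa-sha1", "ed25519-sha256")


def parse_tags(header_value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; folding whitespace is insignificant."""
    compact = re.sub(r"\s+", "", header_value)
    tags = {}
    for part in compact.split(";"):
        if part:
            name, _, value = part.partition("=")   # first '=' only; base64 may end in '='
            tags[name] = value
    return tags


def key_record_name(tags: dict) -> str:
    """DNS name of the public key: <selector>._domainkey.<domain> (query its TXT record)."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_signature(tags: dict) -> list:
    """Return a list of findings; an empty list means the header looks well-formed."""
    findings = []
    for tag in REQUIRED_TAGS:
        if tag not in tags:
            findings.append(f"missing required tag {tag}=")
    if tags.get("v") != "1":
        findings.append(f"unexpected version v={tags.get('v')}")
    algo = tags.get("a")
    if algo == "rsa-sha1":
        findings.append("rsa-sha1 is not recommended")
    elif algo not in KNOWN_ALGORITHMS:
        findings.append(f"unknown algorithm a={algo}")
    signed = tags.get("h", "").lower().split(":")
    if "from" not in signed:                       # DKIM requires From to be signed
        findings.append("From header is not covered by h=")
    return findings


def analyze(header_value: str) -> dict:
    tags = parse_tags(header_value)
    return {
        "tags": tags,
        "dns_name": key_record_name(tags) if "s" in tags and "d" in tags else None,
        "findings": check_signature(tags),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_DKIM)
    print("dig TXT", result["dns_name"])
    print(result["findings"] or "no findings")
```

The printed dns_name is exactly the argument you would give dig to retrieve the key, which is the step the notes describe for troubleshooting DKIM and DMARC.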


Student Notes
This shows Authentication-Results-Original, which shows the original domain when the most recent
Authentication-Results shows the renamed domain. The graphic shows where the Authentication-Results-
Original header occurs.


Student Notes
Is the recipient using TLS encryption? If so, you need to check messages from partners to identify whether
the message flow was always delivered encrypted. Has the message ever been delivered in clear text?
Check the Received line to verify TLS encryption, for example:
(version_TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384)
TLS versions prior to 1.2 are obsolete and should no longer be used.
For a TLS confidence factor test, see:
https://www.checktls.com/TestReceiver


Student Notes
Authenticated Received Chain (ARC) headers can be seen on messages received from Microsoft SMTP
servers.
ARC defines three new mail headers:
• ARC-Authentication-Results: a header containing email authentication results such as SPF, DKIM, and
DMARC
• ARC-Seal: another DKIM-like signature that covers the ARC-Message-Signature and the
ARC-Authentication-Results header information
• ARC-Message-Signature: a DKIM-like signature that takes a snapshot of the message header
information, including the To, From, and Subject, and the body
A DMARC policy may block legitimate emails sent through a mailing list or forwarder:
the SPF check will fail because of the unapproved sender, and
the DKIM signature will be invalidated if the message is modified, such as by adding a subject tag or footer.


Student Notes
An intermediate system checked DMARC and added its own authentication information. ARC checks that
information against the intermediate server and consolidates it, so that SPF, DKIM, and DMARC can pass.
PPS allows specific intermediary servers to be added to a list so that ARC will pass.
ARC headers should be inserted when:
• Inserting or changing the Subject header
• Appending disclaimers and footers
• Stripping attachments
• Changing the content encoding
• The message crosses a trust boundary


Student Notes
Message-ID (also known as Internet message ID or client ID) is an identifier for an email message.
Consider it the fingerprint of the message. It is generated by the sending mail system. Note that this
identifier is not always unique: there might be multiple copies of the same message in more than one
folder (or mailbox), and all of them might have the same Message-ID.
In-Reply-To shows the Message-ID of the message to which this one replies. References shows the
Message-IDs of all earlier messages in the thread to which this message replies.
The system compares these IDs automatically, but an analyst can perform this analysis manually if
warranted.


Student Notes
This shows non-standard email header items that can be customized and sent along with email
messages.
The center section shows a typical Proofpoint header.
The Originator in the generic header contains the domain name and the IP address. This shows the IP
address of the real sender (for webmail, the client whose browser was used to click Send), not the server
that received the request to send the message.


Student Notes
This shows typical headers for Google and Microsoft messages.
These are considered non-standard Email header items that can be customized and sent along with email
messages.


Lab A-1: Track and Investigate Email

Scenario
You need to identify critical content in an email that has been received by your organization.

Objectives
Review the raw email message below and answer the following questions
• What are the From and Return-Path email addresses? Do they match? What are they?
• What is the name of the sending computer or server?
• Where is the sending computer geo-located? OrgName? City? Abuse contact address of the sender?
• How likely is it that this message is spam?
• What was the spam score of the email? Can you explain that?
• What is the Reply-to address? Is it different from the sender?
• Can you see a BCC field? Any comment?

Instructions
Use the information shown below to answer the questions listed after it. Alternately you can click email-
header1.txt to view the actual message.

Return-Path: <www-data@evilscheme.org>
Delivered-To: ncostalopes@se.proofpoint.com
Received: from ucs-mail2.selab.ppslab.net
by ucs-mail2.selab.ppslab.net (Dovecot) with LMTP id bThpKZiQEWK/
IgAAUarcFA
for <ncostalopes@se.proofpoint.com>; Sat, 19 Feb 2022 16:51:36 -0800
Received: from host-1.ncostalopes.ppslab.net (host-1.ncostalopes.ppslab.net
[10.25.47.130])
by ucs-mail2.selab.ppslab.net (Postfix) with ESMTP id 89D967031
for <ncostalopes@ncostalopes.se.proofpoint.com>; Sat, 19 Feb 2022
16:51:36 -0800 (PST)
Received: from pps.filterd (host-1.ncostalopes.ppslab.net [127.0.0.1])
by host-1.ncostalopes.ppslab.net (8.17.1.5/8.17.1.5) with ESMTP id
21K0paWX002133
for <ncostalopes@ncostalopes.se.proofpoint.com>; Sun, 20 Feb 2022
00:51:36 GMT
Authentication-Results: ncostalopes.ppslab.net;
spf=none smtp.mailfrom=www-data@evilscheme.org;
dmarc=none
Received: from smtp-in.ppslab.net (smtp-in.ppslab.net [10.25.0.30])
by host-1.ncostalopes.ppslab.net (PPS) with ESMTP id 3ear78g0cj-1
for <ncostalopes@ncostalopes.se.proofpoint.com>; Sun, 20 Feb 2022
00:51:35 +0000
Received: from ip-10-253-38-75.us-west-2.compute.internal (ec2-54-214-13-
31.us-west-2.compute.amazonaws.com [54.214.13.31])
by smtp-in.ppslab.net (Postfix) with ESMTP id D009C13DA66
for <ncostalopes@ncostalopes.se.proofpoint.com>; Sat, 19 Feb 2022
16:19:37 -0800 (PST)
Received: by ec2-54-214-13-30.us-west-2.compute.amazonaws.com (Postfix, from
userid 33)
id 919D940C3B; Sat, 19 Feb 2022 23:26:02 +0000 (UTC)
Date: Sat, 19 Feb 2022 23:26:02 +0000
From: "Not A. Badguy" <not_a_badguy@navy.org>
To: ncostalopes@ncostalopes.se.proofpoint.com
Bcc: ceo@evilscheme.org
Subject: attachment threat
Message-ID: <20220219232602.GA665@evilscheme.org>
Reply-To: hacker@evilscheme.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="PNTmBPCT7hxwcZjr"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Proofpoint-GUID: nDuSI3v0aCIBKKRBf7ZTeKOJhED5JZOE
X-Proofpoint-ORIG-GUID: ulfEjLwKYG9BabWRk9YHzpy-yqO-f2qn
X-Proofpoint-Virus-Version: vendor=baseguard
engine=ICAP:2.0.205,Aquarius:18.0.816,Hydra:6.0.425,FMLib:17.11.62.513
definitions=2022-02-19_04,2022-02-18_01,2021-12-02_01
X-Proofpoint-Spam-Reason: eusafe
X-Proofpoint-Sandbox-Result: Timeout

--PNTmBPCT7hxwcZjr
1. What are the From and Return-Path email addresses? Do they match? What are they?
______________________________________________________________________________
______________________________________________________________________________
2. What is the name of the sending computer or server?
______________________________________________________________________________
______________________________________________________________________________
3. Where is the sending computer geo-located? OrgName? City? Abuse contact address of the sender?
______________________________________________________________________________
______________________________________________________________________________
4. How likely is it that this message is spam?
______________________________________________________________________________
______________________________________________________________________________


5. What was the spam score of the email? Can you explain that?
______________________________________________________________________________
______________________________________________________________________________
6. What is the Reply-to address? Is it different from the sender?
______________________________________________________________________________
______________________________________________________________________________
7. Can you see a BCC field? Any comment?
______________________________________________________________________________
______________________________________________________________________________
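The header checks behind questions 1, 6 and 7 (From versus Return-Path, the Reply-To address, and a Bcc field that should not be visible), as an added Python example that is not part of the Proofpoint course material. It reuses the headers of the lab's sample message; the Return-Path value is constructed, because this excerpt does not show it.

```python
"""Header triage for the lab's sample message (added example, not Proofpoint
code): parse raw RFC 5322 headers and flag the mismatches the lab asks for."""
from email import message_from_string
from email.utils import parseaddr

# Headers taken from the lab's sample message.  The Return-Path line is a
# constructed value, because this excerpt of the message does not show it.
SAMPLE_HEADERS = """\
Return-Path: <bounce@evilscheme.org>
From: "Not A. Badguy" <not_a_badguy@navy.org>
To: ncostalopes@ncostalopes.se.proofpoint.com
Bcc: ceo@evilscheme.org
Message-ID: <20220219232602.GA665@evilscheme.org>
Reply-To: hacker@evilscheme.org
X-Proofpoint-Spam-Reason: eusafe
X-Proofpoint-Sandbox-Result: Timeout
"""

def address_of(value):
    # Bare lowercase address from a value like '"Name" <a@b>' ('' if absent)
    return parseaddr(value or "")[1].lower()

def domain_of(value):
    return address_of(value).rpartition("@")[2]

def triage(raw_headers):
    """Extract the fields the lab asks about and list the red flags found."""
    msg = message_from_string(raw_headers)
    from_domain = domain_of(msg.get("From"))
    result = {
        "from": address_of(msg.get("From")),
        "return_path": address_of(msg.get("Return-Path")),
        "reply_to": address_of(msg.get("Reply-To")),
        "bcc_visible": msg.get("Bcc") is not None,
        "spam_reason": msg.get("X-Proofpoint-Spam-Reason"),
        "sandbox_result": msg.get("X-Proofpoint-Sandbox-Result"),
        "red_flags": [],
    }
    flags = result["red_flags"]
    # Envelope sender (Return-Path) normally shares the From domain.
    if domain_of(msg.get("Return-Path")) != from_domain:
        flags.append("Return-Path domain differs from From domain")
    # A Reply-To on another domain redirects the recipient's answer.
    if result["reply_to"] and domain_of(msg.get("Reply-To")) != from_domain:
        flags.append("Reply-To domain differs from From domain")
    # Bcc is stripped on delivery; a visible one is itself anomalous.
    if result["bcc_visible"]:
        flags.append("Bcc header visible in delivered message")
    return result
```

Running `triage(SAMPLE_HEADERS)` reports all three flags for the sample message; paste the full header block downloaded in Lab A-2 in place of the sample to triage a real message.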



Email Forensics


Lab A-2: Email Header Analysis with Search

Scenario
You need to identify critical content in an email that has been received by your organization.

Objectives
Review the raw email message below and perform the following actions:
• Log in using your company credentials.
• Click Search on the left menu bar.
• Click in the Search field to see the available search criteria in the drop-down menu. This field
suggests frequently-used search parameters.
• To search for messages sent by a particular user, select env.sender (Envelope Sender) from the list.
• Enter the email address of the sender after the colon. For example,
env.sender:ncostalopes@proofpoint.com
• Select the message and click the Message tab.
• Click Download Message or View Message Source.

Instructions
1. Log into your Cloud Admin Proofpoint portal.
a. On your local computer, open a new browser tab and go to https://admin.proofpoint.com.
b. Log in using your company credentials.
c. Click Search on the left menu bar.
d. Click in the Search field to see the available search criteria in the drop-down menu. This field
suggests frequently-used search parameters.
e. To search for messages sent by a particular user, select env.sender (Envelope Sender) from the list.
f. Enter the email address of the sender after the colon. For example,
env.sender:ncostalopes@proofpoint.com
g. Select the message and click the Message tab.
h. Click Download Message or View Message Source.
2. Analyze the message and describe what you have found.
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
