Sophos Email Appliance Policy Message Workflow

Each email that the appliance receives from external mail relays (1) is processed to determine how it will be handled. Messages are processed in the following order:

(2) Perimeter Protection: Denial of Service and Directory Harvest Attack protection, and rate control occurs at the Mail Transfer Agent (MTA) layer. You can configure this in Filtering options.

Recipient verification is also performed at the MTA level. This is done either by synchronizing a list of valid recipients from a Directory Server, or verifying recipient addresses at the relevant downstream mail server. A message sent to an invalid recipient will be rejected during the SMTP connection, so that the message is never accepted or stored on the Sophos Email Appliance.

(3) Sender Genotype: Sender Genotype filtering uses data from SophosLabs to block email from known bad senders. When enabled, this improves overall performance by reducing the number of spam messages processed. Sophos Sender Genotype filtering is responsible for blocking and rejecting anywhere from 70-85% of unwanted email before it even reaches the Sophos Spam Engine.

(4) Threat Protection: The Threat Protection feature tests both content and reputation of a message. If a virus, encrypted attachment, unscannable attachment, or SophosLabs suspected attachments is found, the message will be discarded or quarantined by default. Threat protection also does DMARC, SPF and DKIM checks to validate the authenticity of a message, Sandstorm analysis and Time-of-Click scanning.

(5) Data Control: Next, messages are checked against your Data Control policies to prevent data leakage.

(6) Additional Policy: A message is next checked against content policy. The content policy identifies and takes appropriate action on messages based on administrator-configured rules around corporate governance or compliance. Additional Policy can be configured to check messages for:
  • Mail sent or received from specific users or groups.
  • Offensive language.
  • Specific keywords.
  • Specific attachments or file types.
  • Specific hostnames or IP addresses.
Additional Policy rules can also be used to:
  • Add banners to messages.
  • Enforce appropriate use policies.
(7) Allow/Block Lists: Allow/Block lists can significantly improve the performance of the appliance. Messages from Allowed Hosts/Senders will bypass anti-spam filtering, while messages from Blocked Hosts/Senders are blocked without being scanned for spam.
Note Allow List entries override conflicting Block List entries.

Messages are processed in the following order:

  1. Allowed hosts/senders (Global)
  2. Blocked hosts/senders (Global)
  3. Allowed senders (per-user)
  4. Blocked senders (per-user)

This ensures that Global settings always take precedence over end-user settings.

(8) Anti-Spam Policy: Finally, a cumulative spam score is assigned to each scanned message based on results of anti-spam tests. This score determines the relative likelihood that a message is spam and classifies messages in one of three ways: not spam, medium probability of being spam, or high probability of being spam.

Within each Policy section, individual rules are processed in the order in which they are listed. Depending on how each policy rule is configured, a message may be placed in the quarantine (9), delivered to the appropriate recipient(s), or it may be discarded.