Add SMTP Scanning Policy

This feature requires a subscription in Sophos XG Firewall. It can be configured but cannot be enforced without a valid Email Protection subscription.

The SMTP Scanning Policy page allows you to configure scanning policy to detect incoming and outgoing Spam in Email traffic and take appropriate action.

  1. Go to Device Configuration > Protect > Email > Policies and click on Switch to Legacy Mode.
  2. Click Add Policy and select SMTP Spam Scan.
  3. Specify Name for SMTP Scanning Policy.
  4. Enter Email Address/Domain Group details.
    Sender

    Specify Email Address(es) of the Sender(s). You can select from the variants:

    • Contains:Specify keywords to be matched with Sender Email Addresses. Policy applies to Address(es) containing those keywords. For example, if keyword "mail" is specified, Policy will apply to Sender Email Addresses john@hotmail.com, sophosmail@sophos.com, etc.

    • Equals:Specify the exact Email Address(es) of the Sender(s).

    You can also add RBLs, list of Email Addresses or keywords using Create New link.

    Recipient

    Specify Email Address(es) of the Recipient(s). You can select from the variants:

    • Contains:Specify keywords to be matched with Recipient Email Addresses. Policy applies to Address(es) containing those keywords. For example, if keyword "mail" is specified, Policy will apply to Recipient Email Addresses john@hotmail.com, sophosmail@sophos.com, etc.
    • Equals: Specify the exact Email Address(es) of the Recipient(s).

    You can also add RBLs, list of Email Addresses or keywords using Create New link.

  5. Select the Filter Criteria.
    Inbound Email is

    All the Emails that are received by the users in their inbox are referred as Inbound.

    On configuring Inbound Spam, all the Emails received by the users are scanned for spam and viruses by the Device.

    Specified action will be taken if the Device has identified the Inbound Email to be one of the following:

    • Spam
    • Probable Spam
    • Virus Outbreak
    • Probable Virus Outbreak
    Outbound Email is

    Emails that are sent by the user in the network to a remote user on another Email system, are referred as Outbound.

    On configuring Outbound Spam, all the Emails sent by the local users are scanned before being delivered to other users on the Internet for spam and viruses by the Device.

    Specified action will be taken if the Device has identified the Outbound Email to be one of the following:

    • Spam
    • Probable Spam
    • Virus Outbreak
    • Probable Virus Outbreak
    Source IP/Network Address

    Specify IP/Network Address, action will be taken when the Email sender IP Address matches the specified IP/Network Address.

    Destination IP/Network Address

    Specify IP/Network Address, action will be taken when the Email recipient IP Address matches the specified IP/Network Address.

    Sender Remote Blacklist

    Select Remote Blacklist (RBL), action will be taken when the sender is listed in the specified RBL Group.

    Message Size

    Specify Message Size, action will be taken when the Email size matches the specified size.

    Message Header

    Specified action will be taken if the message header equals or contains the specified text.

    • Contains:Specify keywords to be matched with Message Header. Policy applies to Header(s) containing those keywords.

    • Equals: Specify the exact Header(s) to be scanned.

    You can scan message header for Spam in:

    • Subject: Specified action will be taken if the header contains the matching subject.
    • From: Specified action will be taken if the header contains the matching text in the From address.
    • To:Specified action will be taken if the header contains the matching text in the To address.
    • Other: Specified action will be taken if the matching text is found in the headers.
    Data Control List

    Specified action will be taken if message contains data matching with the configured Data Protection Policy. You can create Data Protection Policies from Device Configuration > Protect > Email > Data Protection Policies.

    None

    Select to create a Policy between specific sender and recipient without any conditions. You can set actions for SMTP mails only on the basis of sender and recipient.

  6. Select the action.
    Action:
    Select action to be taken for the SMTP traffic. Available Options:
    • Reject:Email is rejected and rejection notification is sent to the Email sender.
    • Accept(Not available for Outbound Spam): Email is accepted and delivered to the intended recipient. Administrator can bind an SPX Template to this action so that the Email is delivered to the intended recipient after being SPX-encypted.
    • Change Recipient:Email is accepted but is not delivered to the intended recipient for whom the message was originally sent. Email is sent to the recipient specified in the spam policy.
    • Prefix Subject(Not available for Outbound Spam): Email is accepted and delivered to the intended recipient but after tagging the subject line. Administrator can bind an SPX Template to this action so that the Email is delivered to the intended recipient after being SPX-encypted.
    • Drop:Email is rejected but rejection notification is not sent to the Email sender.
    Tagging content is specified in To field.
    • You can customize subject tagging in such a way that the recipient knows that the Email is a spam Email.
    • For Example

      Contents to be prefixed to the original subject: ‘Spam notification from the Device –' Original subject: ‘This is a test’.

      Recipient will receive Email with subject line as: ‘Spam notification from the Device - This is a test’.

    SPX Template (Legacy): If action is selected as Accept or Prefix Subject, select the SPX Template to be applied on the Email. You can create SPX Templates from Protection > Email Protection > SPX Encryption.
    Quarantine:If enabled, does not deliver Email but copies the Email to the quarantine file list. You can view the Email details like sender and recipient of the Email in the quarantined file list.
    Select action to be taken for the POP-IMAP traffic.
    Available Options:
    • Accept:Email is accepted and delivered to the intended recipient.
    • Prefix Subject:Email is accepted and delivered to the intended recipient but after tagging the subject line.Tagging content is specified in spam policy.You can customize subject tagging in such a way that the recipient knows that the Email is a spam Email. For Example Contents to be prefixed to the original subject: ‘Spam notification from the Device – ‘Original subject: ‘This is a test’ Recipient will receive Email with subject line as: ‘Spam notification from the Device - This is a test’.
    Figure: Add Content Scanning Policy
  7. Click Save.