Threat Prevention Rules

Trustifi’s “Threat Prevention Rules” are a set of instructions on how to handle different types of emails and threats that are scanned by Inbound Shield.

To view and edit these rules, first click on the “Inbound Management” section on the left-side navigation panel. Then, click on the “Inbound Shield” page. Then, click on the “Threat Prevention Rules” tab at the top.

Setting up rules

Threat prevention rules allow you to configure the correct response for each of the following categories of emails:

    • Malicious: Emails that have been sent for malicious purposes and/or contain malicious content that may harm the recipient, such as phishing, spear-phishing, ransomware, spoofing, viruses, or zero-day attacks.
    • Suspicious: Emails that are suspected of being incorrectly configured/registered, or whose information/content has not been properly verified (bad certificates, DNS issues, etc.). This kind of email may be dangerous, but is not necessarily malicious.
    • Spam: Emails where the sender and/or email content has been identified as spam.
    • Graymail: Marketing emails or newsletters that may be useful for some, but could also be considered spam for others.
    • External/unfamiliar: Emails that originate outside of your organization or trusted network.

For each type of email, you can decide the primary action by clicking on the first menu under “Action”. You can decide if each type of email should be released or quarantined.

You can also choose additional responses for each type of email by clicking on the menu under “Secondary Actions”. You can choose any of the following:

    • Notify Recipient: A notification will be sent to the recipient of the email, explaining the detected threat(s) and which actions were taken on the email.
      Note: by default, recipients cannot review or release their own quarantined emails.
    • Notify Reviewer: A notification will be sent to all reviewers, showing a detailed report of the detected threats and allowing the reviewer to review the email and take actions on it.
    • Allow Recipient Control: When this is selected, the recipient notification will also allow the recipient to take actions on their quarantined emails (such as releasing them).
    • Add Warning Label: Will add a warning label (banner) to the top of the email. Warning labels can be customized for design and content.
    • Add Subject Text: Will prepend the email subject with text of your choice.
    • Keep Record: The email record will be added to the “Quarantined Emails” page.
      Note: For emails set to be quarantined, this option cannot be de-selected.

Modifying warning labels

If you chose to add a warning label to any email, you can click on “Modify Label” to customize it.

This will open a pop-up with different customization options for the warning label:

    • Customize the color and hue of the banner
    • Edit or add your own text
    • Edit the text font size and attributes
    • Edit the warning label as HTML
    • “Allow Reporting”: This will add reporting buttons to allow users to report an email as safe or malicious. Note: this option is only available if you are also connected to Trustifi’s outbound email relay.

You can click on the “Preview” button to see what the warning label will look like. Once you are done, click on “Apply” to save the changes.

Skip warning label for email/domain

If you selected adding warning labels to certain emails, you may choose to exclude adding this label to emails from specific domains or senders.

To do this, click on the “Configure” button in the section “Skip warning label for email/domain”.

This will open a pop-up where you can add the domains/emails to be excluded.

Apply “Scanned by Inbound Shield” footer

By default, all emails that have been scanned by Inbound Shield will display an indicative footer. If you wish to disable this footer for all users, simply click on the toggle next to this setting.

Monitor Mode

Trustifi offers a “Monitor Mode” setting that configures all Threat Prevention rules to release emails and to keep a record of each email in the “Quarantined emails” list.

This setting is recommended for new clients in the process of a Proof of Concept, or if you want to see how Trustifi can analyze and categorize emails without blocking any email traffic.

Note: choosing “Monitor Mode” means Trustifi will only keep a record of received threats; it will not block them.

To enable this, simply click on the “Monitor Mode” button (in yellow) above the threat prevention rules.

Retention period

Admins and reviewers can choose how long Trustifi should retain records for each type of email category – malicious, suspicious, spam, graymail, and external. The default retention period for each category of email is 365 days, with the exception of external emails, for which retention is set by default to 14 days.

To modify the retention period for a category of emails, simply click on the number of days to the right of the category.

A pop-up window will open where you can set the new retention period and confirm your selection.

 
