Quarantine

From Edge Threat Management Wiki - Arista

Quarantine Overview

Spam Blocker, Spam Blocker Lite, and Phish Blocker sometimes determine an email is spam or phish and the email should be dropped. However, just dropping an email can be dangerous as perhaps it is a "false positive" and is actually an important email. In this case, dropping the email would be very bad.

The quarantine action in these applications exists so that important emails don't get lost. The quarantine action will silently send email to the user's quarantine. All the suspected spam/phish email sits in the quarantine and the user is free to review quarantined email to verify nothing important was quarantined.

If something legitimate was quarantined (called a false positive) the user can Release the email to their inbox.

Quarantine Web Application

Each day, users/emails with new email in their quarantine will be sent a Quarantine Digest email with a link to their quarantine. Alternatively, users can request a Quarantine Digest email by accessing "https://NGFW_IP:HTTPS_PORT/quarantine/".

After clicking on the "Click here to access your spam quarantine" link, the user can view the Quarantine web application, which allows them to manage their quarantine and their safe list.

Quarantine Web App

Quarantined Messages

The Quarantine Messages tab shows the list of messages currently in the quarantine. To release messages to the inbox, check the message(s) and click on Release to Inbox. To release a message and automatically add the sender to your safe list, click on Release to Inbox & Add Senders to Safe List. To delete messages, select the message(s) and click on Delete. Note that it is not necessary to delete messages; they will automatically be purged from the quarantine after the configured time elapses.

Safe List

This tab configures your safe (trusted) email addresses. Email from the listed addresses will not be scanned to determine if it is spam or phish. If a user's email is falsely determined to be spam, their email address can be added to this list to ensure it does not happen again.

Forward or Receive Quarantines

Often mailing lists or aliases will receive Quarantine Digests. This is annoying, as all users on the list will receive the Quarantine Digest email. To avoid this, you can forward the quarantined mail to another user's quarantine, such as the email list administrator's. Email will still be quarantined and released as normal, but the administrator can do it via their own quarantine.

Forward Quarantined Messages To configures where quarantined messages will be placed.

Received Quarantined Messages From shows any other addresses you are receiving quarantined messages from.

Quarantine Settings

The quarantine behavior can be configured via the administration UI in Config > Email > Quarantine.

  • Maximum Holding Time (days) configures how long email will be held in a quarantine before it is automatically deleted.
  • Send Daily Quarantine Digest Emails configures if daily emails will be sent to users with new mail in their quarantine.
  • Quarantine Digest Sending Time configures when the daily digests will be sent, if enabled.

User Quarantines

This shows a list of currently existing user quarantines. User quarantines are created dynamically when an email is quarantined for an email address. There is no need to delete quarantines; this will happen automatically when there are no messages.

To release or purge (delete) a user's entire quarantine select the appropriate row(s) and click on the Purge Selected or Release Selected button at the top.

To view a user's quarantine, click on the Show Detail icon on the appropriate row. This will display a window showing all the existing messages in that user's quarantine. Messages can be purged (deleted) or released by selecting the message(s) and clicking on the Purge Selected or Release Selected button at the top.

Quarantinable Addresses

This is a list of emails that will have quarantines automatically created on their behalf.

Sometimes you want to ensure that quarantine is not an option for some scanned mail. For example, you can enter "*@mydomain.com" and only "@mydomain.com" email addresses will have quarantines created dynamically. If an email is scanned for another address and the action is quarantine, but it is not a quarantinable address, it will be marked instead.

IMPORTANT: this should almost always be a list with one entry of "*". This means all emails will have quarantines created for them if spam/phish is caught for them. This is the default and suggested value. Most of the time this setting is used to compensate for some other misconfiguration, such as scanning email that should not be scanned (like outbound email). Changing this setting is not suggested.

Quarantine Forwards

As discussed above, it is often desirable to have distribution lists or aliases forward their quarantined email to an administrator's email quarantine so the entire list does not receive quarantine digest emails. You can view/add/delete forwards in this table.

Example: you may wish to forward quarantined mail for the distribution list "everyone@mycompany.com" to "itadmin@mycompany.com" so that only "itadmin" will get messages about spam to the distribution list. "itadmin" can then manage spam to "everyone@mycompany.com" in their own quarantine.
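The Quarantinable Addresses and Quarantine Forwards settings together decide where a message with the quarantine action ends up. The following is an added illustration, not the product's code: a small Python model of that decision that an administrator can use to check which recipients would be marked rather than quarantined after a change. The sample addresses are constructed, and case-insensitive wildcard matching and single-hop forwards are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample settings mirroring the two tables described above.
QUARANTINABLE = ["*@mydomain.com"]  # the suggested default is ["*"]
FORWARDS = {"everyone@mydomain.com": "itadmin@mydomain.com"}


def is_quarantinable(recipient, patterns):
    """True if the recipient matches any Quarantinable Addresses entry.

    Assumption: "*" is a wildcard and matching ignores case.
    """
    addr = recipient.strip().lower()
    return any(fnmatchcase(addr, p.strip().lower()) for p in patterns)


def route(recipient, patterns=QUARANTINABLE, forwards=FORWARDS):
    """Return (action, quarantine_owner) for a message whose scan action is quarantine.

    - Not a quarantinable address: the message is marked instead (owner is None).
    - Quarantinable: the message goes to the recipient's quarantine, or to the
      forward target's quarantine when a forward exists (single hop, assumed).
    """
    addr = recipient.strip().lower()
    if not is_quarantinable(addr, patterns):
        return ("mark", None)
    lowered = {k.strip().lower(): v.strip().lower() for k, v in forwards.items()}
    return ("quarantine", lowered.get(addr, addr))


def audit(recipients, patterns=QUARANTINABLE, forwards=FORWARDS):
    """List addresses whose spam/phish would be marked rather than quarantined."""
    return sorted(r for r in recipients if route(r, patterns, forwards)[0] == "mark")


if __name__ == "__main__":
    # Constructed recipients: a normal user, a distribution list, an outside address.
    sample = ["alice@mydomain.com", "everyone@mydomain.com", "bob@partner.example"]
    for r in sample:
        print(r, "->", route(r))
    print("marked instead of quarantined:", audit(sample))
```
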