Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2757
Views
0
Helpful
3
Replies

Policy Quarantine - not spam quarantine

Go to solution
The-Messenger
Level 1
Level 1

‎07-26-2015 07:33 AM

I would like to send emails with compressed file attachments to a quarantine, not spam quarantine, then notify the recipient that an email has been quarantined.

 

Can I create a text resource, include a link to a quarantine - one that is NOT the spam quarantine?

Is there any way for a user to access a quarantine, other than the spam quarantine, and release a message?

 

thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mathew Huynh
Cisco Employee
Cisco Employee

‎07-26-2015 07:44 PM

Hello The-Messenger,

 

I'll address your second query first;

On the ESA device, the only end user-accessible quarantine is the spam quarantine. We can force emails to go into the spam quarantine under the conditions of compressed file with attachment to give the end user access to these emails quarantined if needed.

This is done by adding the action "Send to Alternate Mail Host" and selecting the spam quarantine with 'the.euq.queue'

 

As per your initial query to send a notification to the recipient when an email gets quarantined (assuming it will go to the policy quarantine which is only administrator accessible). The notification cannot provide a link to a direct quarantine, as Policy quarantine is only administrator accessible. The text resource will notify the End user of the email going to the Policy quarantine with the custom message sent, but no URL or access.

 

Please create the text resource (GUI > Mail Policies > Text Resources) once done, create or edit your content filter action. Add a Notify action and tick Envelope Recipient.


Select the notification template.

Submit and commit this.

 

I hope this helps.


Matthew

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Mathew Huynh
Cisco Employee
Cisco Employee

‎07-26-2015 07:44 PM

Hello The-Messenger,

 

I'll address your second query first;

On the ESA device, the only end user-accessible quarantine is the spam quarantine. We can force emails to go into the spam quarantine under the conditions of compressed file with attachment to give the end user access to these emails quarantined if needed.

This is done by adding the action "Send to Alternate Mail Host" and selecting the spam quarantine with 'the.euq.queue'

 

As per your initial query to send a notification to the recipient when an email gets quarantined (assuming it will go to the policy quarantine which is only administrator accessible). The notification cannot provide a link to a direct quarantine, as Policy quarantine is only administrator accessible. The text resource will notify the End user of the email going to the Policy quarantine with the custom message sent, but no URL or access.

 

Please create the text resource (GUI > Mail Policies > Text Resources) once done, create or edit your content filter action. Add a Notify action and tick Envelope Recipient.


Select the notification template.

Submit and commit this.

 

I hope this helps.


Matthew

0 Helpful

Go to solution
The-Messenger
Level 1
Level 1
In response to Mathew Huynh

‎07-27-2015 05:37 AM

Thanks for the help – much helpful.

 

I currently setup my rule to go to the spam quarantine by inserting a header with "X-Ironport-Quarantine", "Quarantine".  This works fine, the same rule also notifies the recipient and has a link to the login for our spam quarantine.  My problem using the spam quarantine is that it’s confusing to users, they will think they have the same functionality with emails containing zip files as they do spam – for example they’ll think they can release and white-list an email with a zip file. Also, I want to more emphasis on the risk with emails and zip file attachments, separating them from general spam would help that. 

 

What I have works,  I was hoping that I had missed something and that it would be possible to link to a quarantine, other than spam, to separate these files. 

0 Helpful

Go to solution
Mathew Huynh
Cisco Employee
Cisco Employee
In response to The-Messenger

‎07-27-2015 02:45 PM

Hello The-Messenger,

 

As the spam quarantine action does not happen immediately, the email would still go through the other scanners and content filter, perhaps running an additional filter or action to check if the X-Ironport-Quarantine header exists with Quarantine as the value is true AND email contains a compressed attachment. Have a Notify action to the recipient with the potential hazardous nature of the email to allow them understand the nature of the email prior to release.

 

However we cannot seperate them as the other quarantines are administrator restricted.

 

Regards,

Matthew

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents