Over the last few months, we’ve released several new features, including:
- Faster conversion of mailboxes to aliases
- Easier transfer of domains between admins
- Inline image loading in message preview
- Splunk integration without needing to use the remote syslog functionality
- Basic sensitive data protection
- Sub-addressing
Faster conversion of mailboxes to aliases
Previously, converting a mailbox to a mailbox alias (e.g. when an employee has left a customer and their mail should now be redirected to someone else’s mailbox) involved two steps: removing the mailbox, and adding the alias. This is now possible as a single action (the outcome is exactly the same as doing each step separately).
Simply use the new “convert mailbox to alias” action in the mailbox list:

And then enter the mailbox name that the alias should be attached to in the dialog that appears:

Easier assignment of domains to admins
It’s important to ensure that domains are appropriately assigned to admins so that you can more easily administer them (e.g. applying settings to the entire admin, such as admin-level rules). In the past, unless you were a super-admin, to transfer a domain, you had to know the exact name of the admin you wanted to transfer it to. This is now much simpler, with a new “Transfer internally” action:

When transferring internally, you’ll see a list of all of your admins, so that you can easily complete the transfer.

If you need to transfer a domain to an admin outside of your account, then the old functionality is still available under the new “Transfer externally” name.
Inline images in email preview
When viewing a queued, quarantined, or archived message in the app preview, we’ll now display any inline images that were included inside of the message. Note that if the image was added as an attachment, rather than inline, it will still show as an attachment, and if the image is loaded remotely rather than included inside of the message, it will not be displayed.

In some cases, it’s much simpler to identify whether a message is or is not wanted if you can view these images. In the past, you would need to download the email or image and view it on your device, so having this visible in the preview should save considerable time in these situations.
Splunk Integration
In their own words:
“The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.” (“About Splunk”, https://www.splunk.com/en_us/about-splunk.html, retrieved June 16th, 2022)
At N-able, we’re fans of Splunk, and we know many of our partners are as well. SIEM tools like Splunk rely on users providing the tool with the right data to be able to achieve observability goals and take action when needed. Email is a huge part of most businesses, so data about the email flowing to and from your customers needs to be available in your SIEM solution. We’ve had the ability to send data to SIEM tools for a long time, via a “remote syslog” feed, but we’ve upped the game with this release, for Splunk users, with a dedicated integration. It’s so simple to get started with that we’re confident that all our partners using Splunk will be jumping on board immediately, and those that aren’t using Splunk will be thinking about checking it out.
Configuring SpamExperts to send message audit logging to Splunk is simple. Navigate to the “SIEM logging integrations” page, enter the hostname and port of your Splunk server and a token for the HTTP Event Collector, and activate the feed. You can also send a test event to Splunk to verify that everything is working correctly – we recommend that you do this and then locate the event in Splunk to ensure data is received (note that right now it’ll be sent to the default index for the token, rather than the one specified, but this will be fixed in an upcoming release). You may also optionally choose an index that Splunk should use for the data – if this is left blank, then the default index for the token (as configured in Splunk) will be used.

Unlike the remote syslog feed, there’s no need to configure a template for the data – it’s sent in a structured format to Splunk, so Splunk will automatically take care of indexing the data appropriately.
Once your message audit logs are flowing into Splunk, you have all the power that Splunk offers to build insights into the mail and mail-borne threats that your customers are receiving and sending.
Splunk will automatically surface interesting fields and show you event volume and patterns, even when just querying the index:

It’s trivial to have Splunk produce charts – for example, showing where your traffic originates (based on the sender IP address):

If you want charts showing how much mail is blocked, broken down by classification, with more flexibility than available inside the SpamExperts app, Splunk has you covered:

More complex queries are also possible, like this chart showing the most common top-level domains across mail:

In Splunk, you can save queries, generate alerts based on queries, and build dashboards based on the SpamExperts data, such as this simple accuracy dashboard:

Remote Syslog Feed
As part of introducing integration with Splunk, we’ve renamed the navigation menu item from “Remote Syslog Feed” to “SIEM logging integrations”. The remote syslog functionality is still present, under the new “Custom logging” tab. We’ve made some minor adjustments to the layout of this page, but the underlying functionality is unchanged and your existing feeds will continue to work with no adjustments required.

Basic Sensitive Data Protection
We’ve added a new match type in the custom filtering rules functionality: sensitive data. This will currently check for credit card numbers; Canadian, Danish, Dutch, French, German, Irish, Italian, Malaysian, Mexican, Romanian, Spanish, Swedish, Turkish, and US national personal identifiers; Aotearoa (New Zealand) and UK health identifiers; and IBAN bank account numbers.
This can be used in the “simple” filtering rules mode, where you simply choose “sensitive data” and then select the type of data you wish to block:

This can also be used in the “advanced” version of the rules editor, where you have more flexibility on the type of match, e.g. matching bank accounts and credit cards but not personal or health identifiers:

Note that we will match against the most common formats of these types of data – for example, a VISA credit card might be “4012888888881881”, or “4012-8888-8888-1881”, or “4012 8888 8888 1881”. However, it will always be possible for someone determined to bypass these checks to do so, e.g. with “my credit card is 4012 then eight eights in a row then 1881”. This functionality is intended to protect against accidental exposure rather than malicious intent.
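To make the format matching and its limits concrete, here is an added example (not SpamExperts code) that detects the three card formats quoted above in constructed message bodies. The regular expression, the function names, and the use of a Luhn checksum to discard look-alike numbers are assumptions of this example; the page does not say how the product validates matches.

```python
import re

# Assumption: a candidate card number is 16 digits in groups of four, with
# the same optional separator (space or hyphen) between every group.
PAN_RE = re.compile(r"(?<!\d)\d{4}([ -]?)\d{4}\1\d{4}\1\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digits-only card numbers found in text that pass Luhn."""
    hits = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):       # drops order refs and other 16-digit IDs
            hits.append(digits)
    return hits


# Constructed sample message bodies (card number is the one quoted above).
SAMPLES = {
    "plain": "Card: 4012888888881881",
    "hyphens": "Card: 4012-8888-8888-1881",
    "spaces": "Card: 4012 8888 8888 1881",
    "bad_checksum": "Order ref 4012 8888 8888 1882",
    "spelled_out": "my credit card is 4012 then eight eights in a row then 1881",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:13} -> {find_card_numbers(body)}")
```

The first three samples are reported, the checksum failure is ignored, and the spelled-out form passes undetected, which is the accidental-exposure scope the paragraph describes.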
It’s also now possible to add rules that match against the hash of message attachments, so that you can block messages that contain specific attachments. You can use MD5, SHA-224, SHA-256, SHA-384, or SHA-512 hashes. Note that it is relatively simple to force hash collisions with older hashing functions (e.g. MD5) – in the context of blocking mail this should not be an issue, but if you have an unusual rule like “you can only email this mailbox if you include this specific attachment” then please ensure you use a secure hashing function.
To add a rule, simply use the “attachment hash” option when adding a rule, select the type of hash you have used, and enter the hash as the expression to match. Note that this match type is currently only available when using the “advanced” version of the filtering rules.
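To obtain the value to enter as the expression, you need the digest of the attachment you want to match. The following added example (not SpamExperts code) extracts each attachment from a raw message and hashes it with any of the five supported hash types. It assumes the rule compares a hex digest of the decoded attachment bytes, which the page does not state; the function names and the sample message are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hash types named in the release notes, mapped to hashlib names.
ALGORITHMS = {"MD5": "md5", "SHA-224": "sha224", "SHA-256": "sha256",
              "SHA-384": "sha384", "SHA-512": "sha512"}


def attachment_hashes(raw_message: bytes, algorithm: str = "SHA-256") -> dict:
    """Map attachment filename -> hex digest of its decoded content.

    Assumption: the digest covers the decoded attachment bytes, not the
    base64 text carried inside the message.
    """
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported hash type: {algorithm}")
    msg = message_from_bytes(raw_message, policy=policy.default)
    digests = {}
    for index, part in enumerate(msg.iter_attachments()):
        data = part.get_payload(decode=True) or b""   # undo transfer encoding
        name = part.get_filename() or f"attachment-{index}"
        digests[name] = hashlib.new(ALGORITHMS[algorithm], data).hexdigest()
    return digests


def build_sample_message() -> bytes:
    """Constructed test message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "sam@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"constructed attachment bytes\n",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for hash_type in ALGORITHMS:
        print(hash_type, attachment_hashes(raw, hash_type))
```

The default is SHA-256, in line with the advice above to avoid MD5 for rules where a forged match would matter.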

Sub-addressing, or Plus-addressing
Sub-addressing, often called “plus-addressing” after the common practice of using a “+” as the separating character, allows addition of a ‘tag’ to a mailbox. For example, the mailbox sam@example.com could be used as sam+newsletters@example.com, sam+acmeinc@example.com, and sam+2022conference@example.com, as well as the plain sam@example.com. Mail systems that understand plus addressing (such as Microsoft 365, Google, and others) will deliver the mail to the primary sam@example.com mailbox and make the tag available, e.g. for filing or sorting purposes.
SpamExperts can now log, archive, and quarantine plus addresses under the primary mailbox name, and this is also the mailbox that will appear in usage calculations. Delivery will still be done to the full address, so that the tag is available for use at the destination server.
This functionality is not yet exposed via the app. If you wish to activate it, please reach out to support.
Changelog
We’ve also fixed the following issues:
- MMA-6576, #1975. Fixed “right away” and “at specific time” Email Scout Reports not finding all results in some situations.
- MMA-6396, #1962. Fixed a case where some cookies could be set twice for a single page load.
- MMA-6282, #1982. Fixed an issue where the Email Scout Preview would wrongly require a template choice.
- #2049. Fixed an issue where the statistics charts could miss block listed or allow listed messages from the counts, after the language update in the previous update.
- MMA-6496, #179. Fixed an issue with Let’s Encrypt certificate renewal.
- MMA-6674. Fixed an issue that could cause the wrong results to be included in an Email Scout Report, using the “since last scheduled” timeframe, when the timezone of the report was significantly different from central Europe.
- #3711, #3628. Fix an error that could occur when an API call needed to query a very large number of servers.
- #3629. Fix a race condition that could occur when executing a log search.
- MMA-6625. Fix an issue loading TLS requirement options in rare situations.
- MMA-6724. Fix exporting to CSV mailbox lists where the “use recommended” option is selected.
- #3655. Fix an error with renewing TLS certificates when information was missing from the certificate.
- MMA-6701. Decrease the chances of a very long-running logging rebuild failing.
- MMA-6906, #3705. Fix an issue with report actions where editing the available actions could cause all actions to become unavailable.
- MMA-6576, #3767. Require a description field when creating API keys.
- MMA-6962, #3858. Fix software API documentation page actions.
- MMA-7018, #3835. Fix removing Protection Reports sent to mailboxes with non-ASCII characters in the mailbox name.
- MMA-7093, #3889. Fixed a rare condition where outgoing filter messages would not appear in the log search.
- MMA-7029, #3861. Fixed an issue where using non-ASCII characters in the remote syslog template would cause message events to not be sent.
- MMA-7053, #2355. Technicians would incorrectly show in some admin lists, such as assigning a template.
- #2346. In the new Private Label tooltips, fix displaying the brand name when it is inherited from a higher level.
- Delays in message audit log entries (and updates to entries, such as from later delivery attempts) should be significantly reduced. A change in a TLS library used in late August 2021 caused periodic degradation in the queue processing system, resulting in regular delays, particularly during peak traffic periods. Now that the underlying issue has been resolved, we are focusing on improving our processes so that we are able to resolve issues like this far more quickly.
- MMA-7086, #3884. Fixed an issue that could cause the “Unrecognised Domains Log” page to display an error when used.
- MMA-7153. Fixed an issue preventing creating new (deprecated) Protection Report templates.
- MMA-7121, #2440. Some strings in the app were not being translated even though translated versions were available.
- 63029aa. Fixed a bug introduced to the Software API api_set_sender_whitelist method when setting the allow list to non-default values that would cause the API call to fail.
- MMA-7230, #2482. We now send the Splunk test event to the specified index.
- MMA-7221, #4134. On-demand Email Scout Reports properly reflect the ‘use standard branding’ toggle.
- MMA-7231, #4119. Fix an issue with sending some events to Splunk.
- MMA-7244, #4140. Fixed an issue where custom filtering rules using the language match created in “simple mode” would not work properly.
- MMA-6685, #2511. Fixed an issue viewing the mailboxes page when logged in as a non-ASCII domain user.
We’ve also made the following improvements:
- Clarify the “report actions” page text so that it’s clearer that the selection applies to Email Scout Reports as well as Protection Reports.
- MMA-5912, #1753. Removed several old pages and actions relating to retrieving quarantined messages, redirecting to newer pages where relevant.
- #1342. Adjust the “select all results on all pages” wording so that it’s clearer that all items will be selected.
- MMA-6377, #2023. Updated the component used for auto-fill list choices.
- MMA-6561, #2014. Removed the old “archive recipients” page.
- #2048. Removed the brand name from the page (HTTP) title.
- MMA-6607. Added .xxe support in the “hidden executable” check.
- MMA-6422. Decreased the time required for the weekly maintenance window.
- #2082. Improve the speed of the Domains Overview page, particularly when there are a very large number of admins.
- #2163. Remove an out-of-date entry from the CSP security header.
- #3731. Work around an issue introduced in macOS where suspicious empty attachments are sometimes added to messages.
- MMA-6429. Widen the email template editor dialogs to make better use of screen sizes.
- MMA-5486. Include the actions menu both below and above search results.
- #3770. Scan .pub files for macros.
- MMA-2668. The branding page now correctly detects when Let’s Encrypt is in use. Note that if you provide a Let’s Encrypt certificate yourself, then we will attempt (and fail) to renew it. Please either let us generate the certificate, or use a different certificate provider.
- #2160. Replace the old “telnet tool” link from the Domains Overview page with a link to the SMTP tool in the Network Tools page.
- MMA-6773, #3807. Always redirect HTTP requests to the app to HTTPS.
- MMA-6434, #2299. The “Private Label” option is now more clearly identified as branding support, and the differences between Private Label options are explained in tooltips.
- MMA-6909, #3710. Delivery retries will more consistently use the same IP address, to avoid issues with downstream greylisting.
- MMA-7060. The example links in the control panel API documentation now use https rather than http.
- MMA-7176, #2460. Restored the additional information on the “Custom Logging” (formerly “Remote Syslog Feed”) page that explains how to use templates.
- MMA-7129, #2439. When editing Email Scout Report templates, it’s now simpler to add the “view()” method with different sets of actions (in the resulting Email Scout Reports) enabled.
- #2473. Improved speed of loading the login page by caching duplicate calls.
- Updated German, Spanish, French, Dutch, and Brazilian Portuguese translations.
- #2506. The “g=*” string has been removed from the suggested DKIM DNS record. This is the default value (so does not change behaviour), and the latest RFC recommends no longer using it.