32Guards

32Guards is both a filter that influences the calculation of the spam confidence level and an action that can directly reject threats, either temporarily or permanently.

32Guards evaluates each email against a number of indicators, and the result is a final assessment of the email. Examples of such indicators are suspicious file names or the frequent occurrence of new or unknown URLs within a very short time.

This action/filter ensures that metadata on email attachments and URLs is collected and uploaded to the NoSpamProxy cloud. File contents are neither collected nor accessed. With 32Guards, attacks through spam and malware can be detected and defended against faster and more reliably. Based on this metadata, 32Guards creates a threat assessment, which in turn is used as a basis for further actions in NoSpamProxy.

Only the following metadata is collected by NoSpamProxy:

Attachments

  • File name
  • File size
  • Details of the first ten files within archives, or up to a maximum of 50 files in nested archives (sorted by file type): file name, hash value, size, number, size without compression
  • SHA-256 hash value
  • TLSH hash value
  • MIME type (as detected by NoSpamProxy)
  • Information about whether malware was found in the attachment

URLs

  • The complete URL
  • URL classification (spam, phishing, malware)

Emails

  • Source IP of inbound emails
  • Authenticated domain and source (DKIM/SPF/S/MIME)
  • Salted hash of the local part of the header-from domain and MAIL FROM domain of inbound emails
  • Salted hash of the local part of the Rcpt domain and To/CC header domain of outbound emails
  • Message ID
  • Whether it is an automatically generated email
  • Status of the chain of custody within the framework of Authenticated Received Chain (ARC)
  • Status with regard to the Certified IP List of the Certified Senders Alliance (CSA)
  • TLS certificate including validity, trust status, thumbprint, domain name and issuer
  • Transaction ID
  • Information about whether the email was inbound (trusted/untrusted) or outbound
  • Version of the NoSpamProxy client
  • Version of the applied 32Guards data model

From each of the areas mentioned (attachments, URLs, emails), only the worst rating is included in the calculation. Ratings from different areas are added up.
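
The aggregation rule above, as an added example that is not NoSpamProxy code: it shows that several hits in one area count only once, while hits in different areas accumulate. The indicator names, point values, the `Hit` record and the `aggregate` function are constructed for illustration, and the example assumes that a higher rating is worse.

```python
from collections import namedtuple

# Hypothetical record for one indicator hit; not a 32Guards data structure.
Hit = namedtuple("Hit", "area indicator rating")

# The three areas named in the text.
AREAS = ("attachments", "urls", "emails")


def aggregate(hits):
    """Return (total, worst_per_area).

    Only the worst rating of each area is kept, then the areas are added up.
    Assumption: a higher rating is worse.
    """
    worst = {}
    for hit in hits:
        if hit.area not in AREAS:
            raise ValueError(f"unknown area: {hit.area}")
        current = worst.get(hit.area)
        if current is None or hit.rating > current.rating:
            worst[hit.area] = hit
    total = sum(hit.rating for hit in worst.values())
    return total, worst


# Constructed sample: three URL hits and one attachment hit on a single email.
SAMPLE_HITS = [
    Hit("urls", "new URL seen in a burst", 2),
    Hit("urls", "URL classified as phishing", 4),
    Hit("urls", "second new URL seen in a burst", 2),
    Hit("attachments", "suspicious file name", 3),
]

if __name__ == "__main__":
    total, worst = aggregate(SAMPLE_HITS)
    for area in AREAS:
        hit = worst.get(area)
        detail = f"{hit.indicator} ({hit.rating})" if hit else "no hit"
        print(f"{area}: {detail}")
    # The two lower URL ratings are dropped; only 4 (urls) + 3 (attachments) count.
    print("total:", total)
```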

Updates to NoSpamProxy 14 and higher

When updating from older versions to NoSpamProxy 14 and higher, the filter 32Guards is automatically added to a rule if the following two conditions are met before the update:

  • The action 32Guards is configured as part of a rule and
  • on the tab Filter the option Check the email with the filters specified below is selected.

See also

Reporting false negatives and false positives

Configuring filters

Configuring actions