Proofpoint

Overview

Proofpoint is an email server solution utilized by the Texas A&M Technology Services to provide email relay services on campus as well as spam and virus protection. It provides these functions via a combination of domain filtering and attachment signature recognition. Proofpoint can also provide protection against phishing attempts by comparing URLs in messages to lists of known phishing sites.

How It Works

Proofpoint provides anti-spam, anti-phishing and anti-malware protection for email throughout the email process.

1. When a message is first send to a Texas A&M email address, Proofpoint first checks the sending domain. If the sending domain is a known sender of malicious email, the message is dropped and will not be delivered to the recipient.  Additionally, the sending email address may be on a blocklist of known spam or phishing addresses and also be dropped.

2. If the message is accepted by the server, it is then automatically scanned by the Proofpoint servers for signs of viruses, phishing, malicious links, or other types of malware. If known malicious content is detected, the message is dropped and not delivered to the recipient.

3. If the Proofpoint server detects a message that may be malicious, but which is not known to be malicious, the server will hold the message for approximately fifteen minutes (this time will vary based on overall email traffic at the time). The server then checks with a central repository maintained by Proofpoint to check against recently discovered malicious messages or malware. If the query indicates that the message is known to be malicious, the message is dropped and not delivered to the recipient. If the query indicates that the message is likely not actually malicious, or if a pre-determined length of time passes without an indication that the message is malicious, the message is released. Messages that are released due to the query's time limit expiring will  have a copy retained by the server for further analysis.

4. If a message does not contain any known malware, or was held and then released, it is then checked for spam. Proofpoint checks for spam by analyzing the message headers and structure, images, email sender reputation, and other aspects of a message. If the message appears to be spam, it is held in quarantine. Proofpoint sends quarantine notifications to recipients at 9:00 AM and 3:00 PM with a list of messages addressed to them that are being held in quarantine. Recipients can then view the message if they believe it may be legitimate or add the message to an allowed sender list allowing messages from that sender to be delivered without being quarantined in the future.

5. If a message that was previously held by the server while being checked for malicious content is later determined by Proofpoint to have actually contained malicious content, TAMU Technology Services Security is notified by Proofpoint of the newly-discovered threat along with a list of recipients to which it had delivered the message. Technology Services Security will then notify the customer of the issue and instruct them on steps for resolution. This is an example of a security notification:

 

MALWARE ALERT EMAIL

Subject: Alert: FIRSTNAME, Texas A&M detected malware on your computer

FIRSTNAMELASTNAME (UIN ending in XXXX):

Texas A&M Technology Services has identified potentially harmful malware on your computer. Please contact Help Desk Central at 979.845.8300 so our techs can help you remove the malware from your computer. Failure to contact Help Desk Central will result in loss of access to TAMU WiFi and the Texas A&M network.

What we detected:

- Your NetID: NetID

- Malware: Trackware

What it does:

Trackware is a type of spyware that tracks your actions, such as what you do with your computer, the programs you run and the websites you visit, and uploads the results to companies or hackers. The most common variant of trackware that we see on campus is "securestudies." Malwarebytes or Spybot Search & Destroy may be able to remove this spyware from your computer.

About your infected device:

- Device Type: Win 7

- Network: TAMU WiFi Wireless

- Your MAC Address: 78-XX-XX-XX-XX-XX

- Your IP Address: "165.91.XXX.XXX" 

- Detection Time: 2016-04-17T14:19:29


If you have concerns about the validity of this message should you receive one, please contact Help Desk Central at helpdesk@tamu.edu.

Proofpoint Quarantine Accounts

Each Texas A&M campus member that has an active TAMU emailing address will also have a unique Proofpoint quarantine account where suspicious messages sent to their TAMU address are stored upon arrival to TAMU's email servers. Within these accounts, campus members have the ability to manage their quarantined emails, edit Allowed and Blocked Sender Lists, and adjust their End User Digest messages settings. By default, each campus member will receive an End User Digest message from the Proofpoint system (spam-quarantine@tamu.edu) when a new message arrives in their quarantine.

Accessing a Proofpoint Account

To access your Proofpoint account:

  1. In your TAMU email, locate a message that contains "End User Digest" in the subject and open it.
  2. Inside of that message, locate the "Manage My Account" URL text on the right-hand side of the email. Click/tap on the text. (If you do not see the "Manage My Account" text, click/tap on the "Request Safe/Blocked Senders List" URL text instead. This will run a command that will generate a new email in which the "Manage My Account" URL text  should appear
  3. After selecting "Manage My Account," your Proofpoint account should appear in a new tab. You verify it is your account by viewing the username displayed near the top of the page.
  4. When you are done editing the account, you can simply close your tab/browser.

Adding an Address to the "Safe Sender List"

The Proofpoint Safe Sender List contains any email addresses or domains that, upon delivery of a new message from them, will bypass Proofpoint quarantine and arrive directly to the inbox. There are two methods to add new addresses or domains to this list.

Method 1

  1. In your "Spam - Quarantined" folder in your Proofpoint account, locate an email from a sender that needs to be added to the Safe Sender List and click/tap its corresponding check box.
  2. At the top of the same page, click/tap on "Allow Sender." To release the same message to your inbox, you will need to also click "Release."

Method 2

  1. In your Proofpoint account, click/tap on "Lists" at the bottom-left corner. This should already open your Safe Sender List.
  2. At the top of the same page, click "New."
  3. In the box that appears, input the address or domain (Ex. @abc.com) to be added to the list and then click/tap on "Save."

URL Rewriting

To protect against phishing, Proofpoint uses a solution called URL Rewriting, or URL Defense. URLs in messages processed through the Proofpoint mail servers will be rewritten to include https://urldefense.proofpoint.com in front of the the URL originally included in the message. For example, if a message sent that contains the URL http://connect.servicenow.com, it would be rewritten as https://urldefense.proofpoint.com/v2/url?u=http-3A__app.connect.servicenow.com.

When you click on the link, you will be directed first to the proofpoint.com URL. If the original URL is determined to be safe, you will then be taken to the original link destination. However, if the URL is known to be malicious, such as a URL used for phishing, identity theft, malware distribution, etc., then you will be directed to a page indicating that the URL is malicious.

Thumbnail of redirect page - click for full size

For questions regarding URL Rewriting, please contact Help Desk Central at helpdesk@tamu.edu.

Was this helpful?
0 reviews
Print Article

Related Services / Offerings (1)

The "Security Support and Tools" Service Offering allows requests for encryption services, endpoint protection (EDR), vulnerability scanning, and penetration testing.