Yes, we have a shortage of viable options for message review. I am currently using a commercial appliance that is approaching end of life, and I don’t know how I will be able to replace it:
- Declude, Declude Reboot have no web interface,
- the SmarterMail quarantine is woefully inadequate,
- I have been advised that rSpamD’s web interface is not suitable for this purpose,
- Most commercial products are moving from an appliance model to a cloud model, and operate standalone from other technologies. That’s fine if you find their solution to be adequate and affordable, but I do not.
So I am hoping SmarterTools or MailsBestFriend will rise to the occasion. Having seen the limitations of several products, I have a pretty long wish list.
Basic Application Components
An effective message review tool requires these pieces:
- An index of in-scope messages, so that message metadata can be presented in list form on a web page. The index needs to contain message metadata, SMTP session data, and a link to the archived EML file when available.
- An archive of in-scope messages, so that the administrator can drill into the message and view both EML contents and formatted contents.
- A user interface that permits the administrator to search for the subset of messages which are of interest.
Metadata of Interest
This is a list which combines message metadata tracked in the two products that I use regularly.
- Internal Record# or MessageID used to identify the message
- Filtering host (particularly for multi-host configurations with load sharing)
- Reception Timestamp
- SMTP Mail From address
- SMTP Rcpt To address list
- Server HELO name
- Server Reverse DNS Name
- Server IP address
- Server GeoLocation from MaxMind or similar source
- Incoming message size
- Spam Filtering results, which may involve two to four data elements that explain the spam conclusion.
- Message From address (which may be a list in rare circumstances)
- Message To address list
- Message CC address list
- Message Subject
- Message ID
- Message intended disposition (e.g. approved for delivery)
- Message current status (e.g. approved but not yet delivered)
- Delivery timestamp
- Delivery host IP
- Delivery host HELO
- Delivery host Reverse DNS
- Delivery result (SMTP Response Code, SMTP Extended Status Code, explanatory text)
- Inbound Encryption status
- Outbound Encryption Status
The size of this list shows that all of this data cannot easily fit on a computer screen, which leads to the next design problem.
How to manage screen real estate?
Each message has more interesting metadata than can fit across a single screen, so the application and the user need to work together to maximize the available space. There are multiple ways to economize on space:
- Let the user choose which columns are displayed, and shrink text box size to make everything fit.
- Provide a one-line and two-line display option.
- For messages with multiple recipients, let the user choose whether to display a single row for each message or a single row for each recipient.
- For To, CC, Reply-To, and any other address lists, let the user decide whether to display an address count, the first address only, or a list box.
- For any email address field, allow the user to choose whether to display the full address, the domain name only, or the organizational domain only (as taken from the public suffix list used for DMARC).
- Similarly, for any host name field, allow the user to choose whether to display the full host name, the parent domain name, or the organizational domain.
Index and EML Archive Scope
Message review should support all three review tasks:
- Review quarantined messages for immediate disposition of the message.
- Review allowed messages to detect messages that should not have been allowed.
- Review blocked messages to detect messages that should not have been blocked.
Old data is not useful for these purposes, so the tool should automatically purge index data and EML files that are expired (such as more than 90 days old).
Full EML data is needed on all messages, not just the active quarantine. It is nearly impossible to identify incorrect dispositions without the ability to retrieve full message contents as needed during the review.
Integration
If SmarterMail becomes the quarantine review tool, we need an upgrade to the results feedback part of the interface. A single code is sufficient for triggering a disposition action, but the message review process needs to understand the nuances of how that score was constructed. This often includes a category and one or two subtopics:
(category=Malicious URL, value=badguys.com)
(category=Authentication, value="DMARC Fail", details: "policy reject")
Filtering on the specific type of spam results is often useful for limiting the result set to items of interest. A single numeric score does not achieve that purpose.
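As an added illustration of the index, display options and structured results described in this post (example code written for this page, not code from the original post or from SmarterMail, Declude, rSpamD or MailsBestFriend), the block below builds a small in-memory message-review index. The field names, the `SpamResult` category/value/details shape, the three-entry Public Suffix List subset and all sample records are constructed assumptions; a real tool would load the full PSL and persist the index.

```python
"""Constructed message-review index: per-message metadata, per-recipient row
expansion, address/host display reduction (full / domain / organizational
domain), filtering on structured spam results, and 90-day expiry."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed subset of the Public Suffix List; the real list has thousands of rules.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def organizational_domain(hostname: str) -> str:
    """DMARC organizational domain: longest matching public suffix plus one label."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):                 # walk from the full name toward the TLD
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)                      # no rule matched: keep the whole name


def display_address(addr: str, mode: str) -> str:
    """Render an address as 'full', 'domain' (right of @) or 'org' (organizational domain)."""
    addr = addr.strip().lower()
    if "@" not in addr or mode == "full":
        return addr
    domain = addr.rpartition("@")[2]
    return domain if mode == "domain" else organizational_domain(domain)


def display_host(host: str, mode: str) -> str:
    """Render a host name as 'full', 'parent' (drop leftmost label) or 'org'."""
    host = host.strip().lower().rstrip(".")
    if mode == "parent":
        labels = host.split(".")
        return ".".join(labels[1:]) if len(labels) > 1 else host
    return organizational_domain(host) if mode == "org" else host


@dataclass
class SpamResult:
    category: str          # e.g. "Malicious URL", "Authentication"
    value: str             # e.g. "DMARC Fail"
    details: str = ""      # e.g. "policy reject"


@dataclass
class IndexedMessage:
    """A subset of the metadata fields listed in the post, one record per received message."""
    record_id: int
    filtering_host: str
    received: datetime
    mail_from: str
    rcpt_to: List[str]
    helo: str
    reverse_dns: str
    client_ip: str
    size: int
    header_from: str
    subject: str
    message_id: str
    disposition: str       # intended disposition, e.g. "quarantine"
    status: str            # current status, e.g. "held"
    spam_results: List[SpamResult] = field(default_factory=list)
    eml_path: Optional[str] = None   # link to the archived EML file when available


def expand_recipients(msgs):
    """One (message, recipient) row per recipient, for the per-recipient display option."""
    return [(m, r) for m in msgs for r in m.rcpt_to]


def filter_by_result(msgs, category, value=None):
    """Messages carrying a spam result of the given category (and value, if given)."""
    return [m for m in msgs if any(
        r.category == category and (value is None or r.value == value)
        for r in m.spam_results)]


def purge_expired(msgs, now, max_age_days=90):
    """Split the index into (kept, purged) by reception age; purged EMLs are deleted with it."""
    cutoff = now - timedelta(days=max_age_days)
    return ([m for m in msgs if m.received >= cutoff],
            [m for m in msgs if m.received < cutoff])


NOW = datetime(2024, 6, 1, 12, 0, 0)   # constructed "current" time
SAMPLE = [                             # constructed records, not real traffic
    IndexedMessage(1, "filter1", NOW - timedelta(hours=1), "alice@example.com",
                   ["bob@example.co.uk", "carol@example.co.uk"], "mail.example.com",
                   "mail.example.com", "192.0.2.10", 4096, "alice@example.com",
                   "Quarterly report", "<1@example.com>", "deliver", "delivered"),
    IndexedMessage(2, "filter1", NOW - timedelta(hours=2), "news@example.net",
                   ["bob@example.co.uk"], "bulk.example.net", "bulk.example.net",
                   "198.51.100.7", 20480, "ceo@example.com", "Urgent wire request",
                   "<2@example.net>", "quarantine", "held",
                   [SpamResult("Authentication", "DMARC Fail", "policy reject")]),
    IndexedMessage(3, "filter2", NOW - timedelta(days=120), "old@example.org",
                   ["bob@example.co.uk"], "mx.example.org", "mx.example.org",
                   "203.0.113.5", 1024, "old@example.org", "Expired item",
                   "<3@example.org>", "deliver", "delivered"),
]

if __name__ == "__main__":
    for m in filter_by_result(SAMPLE, "Authentication", "DMARC Fail"):
        print(m.record_id, display_address(m.header_from, "org"), m.subject)
```

`filter_by_result` is what a category-aware review screen needs and a single numeric score cannot give: a reviewer can pull only the DMARC failures, or only the malicious-URL hits, and each record still links to its EML so the disposition can be checked against the full content.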