When an email message is received by the UCT mail gateways, within seconds, the message passes through a number of security checks before being delivered to your mailbox. These checks help to minimise the amount of spam coming into the organisation.

UCT deals with spam aggressively because higher education institutions are one of the most spammed sectors in the world. However, sometimes these spam controls prevent legitimate messages from getting through to your mailbox. There are a number of reasons that this happens, but to help you retrieve those messages, UCT has enlisted the services of the Mimecast online email management tool for all UCT email addresses. The Mimecast service is available for @uct.ac.za and @myUCT.ac.za email addresses (i.e. UCT staff, third parties, students and post-doctoral fellows).

You can now also manage suspicious emails directly in Outlook via the Mimecast Essentials for Outlook add-in.

 

Spam filtering process used on email servers

Phase 1: Anti-Spoofing

Spoof attempts (i.e., where legitimate UCT email addresses are impersonated by non-UCT users) are blocked. In this way, if a spammer falsifies their sending address to masquerade as an internal domain address, the email will be rejected.

Phase 2: Blocked Senders

This phase restricts messages to or from specific email addresses or domains.

Phase 3: Permitted Senders

Emails from permitted senders bypass all spam checks (reputation-based and content-based), but not anti-virus checks. If an email address or domain is in both the Permitted Senders and Blocked Senders phases, the Blocked Senders phase will be applied first and the email will be rejected.

Phase 4: Auto Allow

When an internal user sends an outbound email, the system captures the recipient's email address and adds it to a database known as Auto Allow. When the same recipient sends an inbound email to a UCT user, the recipient's email address is checked against the Auto Allow database. If a match is found, the inbound email will be allowed through without applying additional spam reputation checks and content checks – similar to a Permitted Sender – although virus checks are still applied.

Phase 5: IP Reputation Checks

A Real-time Blackhole List (RBL), which contains the IP addresses of known malware senders, is applied. The other IP reputation checks function as a global network outbreak detection system, covering both known and unknown outbreaks. This reputation service temporarily defers connections if they are suspected to have a bad reputation.

Phase 6: Greylisting

Compliance checks are applied to the sender's mail server for all connections not previously seen by the system. The system returns a busy signal, which prompts the sending server to retry the email delivery after one minute. If the sender's mail server retries the connection, the email is processed. If the email is not retried within 12 hours, the email connection is dropped and rejected.

Phase 7: Recipient Validation

Prevents inbound emails with invalid recipient addresses from being delivered.
 

Phases 8 and 9: Emails moved to the scanners

  1. Spam scanning: Multiple content-based, heuristic scanning engines are used. These engines examine the content of emails and look for key phrases and other identifiers commonly used by spammers. These include content-matching rules and DNS-based, checksum-based and statistical filtering definitions. Depending on the policy configured, if a match is found, the email is held for review.
  2. Virus scanning: Malware protection software combined with intelligence gathered from millions of commercial and freeware users is employed. This includes signature and heuristic detection technologies.

Phase 10: Definition Based policy

These are any additional policies that UCT has specifically configured in the Mimecast environment.
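
The order of these phases decides the outcome when more than one rule matches. The sketch below is an added example, not Mimecast's or UCT's code: it models phases 1 to 9 for mail arriving from outside, using the retry times given above and the five-RBL limit described later on this page. The Gateway class, its verdict strings and the choice to let permitted and Auto Allow senders skip greylisting are assumptions, and all addresses and IPs are constructed.

```python
from dataclasses import dataclass, field

INTERNAL = {"uct.ac.za", "myuct.ac.za"}  # internal domains named on the page
RETRY_AFTER, RETRY_WINDOW = 60, 12 * 3600  # greylisting: retry after 1 min, within 12 h
RBL_LIMIT = 5                              # an IP on more than five RBLs is rejected

@dataclass
class Gateway:  # hypothetical model for illustration, not a Mimecast API
    blocked: set = field(default_factory=set)       # addresses or domains
    permitted: set = field(default_factory=set)     # addresses or domains
    auto_allow: set = field(default_factory=set)    # learned from outbound mail
    rbl_hits: dict = field(default_factory=dict)    # ip -> number of RBL listings
    mailboxes: set = field(default_factory=set)     # valid recipients
    first_seen: dict = field(default_factory=dict)  # (ip, sender) -> first attempt

    def outbound(self, recipient):  # phase 4: learn who internal users write to
        self.auto_allow.add(recipient.lower())

    def inbound(self, ip, sender, rcpt, now):
        """Verdict for one connection from outside at time `now` (seconds)."""
        sender, rcpt = sender.lower(), rcpt.lower()
        who = {sender, sender.rsplit("@", 1)[-1]}   # full address and its domain
        if who & INTERNAL:                          # phase 1: anti-spoofing
            return "reject: spoofed internal address"
        if who & self.blocked:                      # phase 2: wins over permitted
            return "reject: blocked sender"
        trusted = bool(who & self.permitted) or sender in self.auto_allow  # 3, 4
        if not trusted:  # assumption: trusted senders also skip greylisting
            if self.rbl_hits.get(ip, 0) > RBL_LIMIT:            # phase 5
                return "reject: ip reputation"
            waited = now - self.first_seen.setdefault((ip, sender), now)
            if waited > RETRY_WINDOW:                           # phase 6
                return "reject: greylist retry too late"
            if waited < RETRY_AFTER:
                return "defer: greylisted"
        if rcpt not in self.mailboxes:              # phase 7: recipient validation
            return "reject: unknown recipient"
        # phases 8 and 9: trusted senders skip spam scanning, never virus scanning
        return "scan: virus only" if trusted else "scan: spam and virus"

def demo():  # constructed traffic; addresses and IPs are documentation values
    gw = Gateway(blocked={"bulk.example"}, permitted={"bulk.example"},
                 rbl_hits={"203.0.113.9": 6}, mailboxes={"staff@uct.ac.za"})
    gw.outbound("friend@other.example")
    mails = [("vc@uct.ac.za", 0), ("news@bulk.example", 0), ("friend@other.example", 0),
             ("new@first.example", 0), ("new@first.example", 90)]
    return [gw.inbound("198.51.100.7", s, "staff@uct.ac.za", t) for s, t in mails]

if __name__ == "__main__":
    print("\n".join(demo()))
```

The second sample is on both lists and is still rejected, and the last two show the same sender deferred on first contact and accepted on a retry 90 seconds later.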

 

Common reasons emails are rejected

When an external email is sent to a @uct.ac.za or @myuct.ac.za email address, it goes through the numerous filters listed above, until it is declared safe to be sent to your mailbox. If it fails any of these filters, Mimecast will do one of the following:

  • Reject it: You will not be notified of the message, and you cannot access it at all.
    or

  • Put it in quarantine: You will be notified of the message, and you can then process it.

The most common reasons for messages being blocked at UCT are listed below:

Impersonation attacks

There has been an increase in spear phishing attacks – where cybercriminals impersonate senior UCT staff, including the Vice-Chancellor, to get your attention.

These attacks are constantly evolving, and different email addresses are used. One of the main tell-tale signs that it is a scam is that even though the email appears to come from a UCT staff member, a non-UCT email address (e.g., @gmail.com) is used.

It is highly unlikely that the Vice-Chancellor or a senior UCT staff member will send you an email asking you to do them a favour, such as buy them items like gift cards or vouchers. If you get such an email, do not respond to it. Verify it by directly contacting the individual using their officially listed UCT contact details on Outlook instead of those provided in the message.

Outlook desktop client

  1. Create a new email message then click To.
  2. Enter the name in the Search field then click the arrow.
  3. All the applicable names will appear in the list below.
  4. Double-click the person you want to contact then click OK.

Outlook on the web

  1. Create a new email message then click To.
  2. Select Default Global Address List from the left column.
  3. As you start typing the name in the search field, the applicable names will appear below.
  4. Click the + sign next to the names of the individuals you would like to add as recipients.
  5. Click Save.
  6. Their name(s) will appear in the To field of your email message.

The Mimecast Impersonation Protection service also uses a range of filters to detect such emails.
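
The tell-tale sign described above (a UCT staff member's name shown next to a non-UCT address) can be checked mechanically. This added example is not Mimecast's Impersonation Protection logic; the function names, the protected names and the sample From headers are constructed for illustration.

```python
import re
import unicodedata
from email.utils import parseaddr

UCT_DOMAINS = {"uct.ac.za", "myuct.ac.za"}
# Constructed names; a real check would load the names it needs to protect.
PROTECTED_NAMES = ["Thandi Example", "Sipho Sample"]

def name_tokens(text):
    """Lower-case word set, so titles, word order and punctuation do not matter."""
    # NFKC folds compatibility forms such as full-width letters; it does not
    # map look-alike letters from other scripts onto ASCII.
    text = unicodedata.normalize("NFKC", text).casefold()
    return set(re.findall(r"[a-z]+", text))

def check_from(header):
    """Classify one From header: 'internal', 'ok', or a 'suspect: ...' reason."""
    display, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in UCT_DOMAINS:
        return "internal"
    shown = name_tokens(display)
    for name in PROTECTED_NAMES:
        if name_tokens(name) <= shown:
            return f"suspect: '{name}' shown for external domain {domain}"
    return "ok"

SAMPLES = [  # constructed From headers
    "Thandi Example <thandi.example@uct.ac.za>",
    "Prof Thandi Example <thandi.example.uct@freemail.example>",
    '"sipho.sample@uct.ac.za" <office@freemail.example>',
    "Campus Newsletter <news@vendor.example>",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{check_from(h):60} {h}")
```

The third sample shows why the display name is tokenised rather than compared as a whole: a UCT address placed in the name field still sits in front of an external sending address.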

 

Real-time Blackhole List (RBL)

These directories list email servers, IP addresses and domain names that are associated with spam or malicious attacks. If an IP address has more than five RBLs linked to it, email from it will be automatically rejected. You will also not receive any notifications for such emails.

 

Blocked sender

If UCT has blocked a specific domain (e.g., @gmail.com, @yahoo.com), no emails from that organisation will be delivered to your mailbox. The same rule applies if you previously blocked an email address. You will no longer receive emails from that sender.

You can manage blocked senders via the Mimecast portal.

 

DMARC

UCT’s Domain-based Message Authentication, Reporting and Conformance (DMARC) policy ensures that only UCT-authorised vendors can send emails to campus on behalf of UCT departments or groups. External organisations also have their own DMARC policies, which UCT has agreed to abide by.

If the external organisation says that your email must be put on hold or rejected, then UCT must abide by those rules.

 

Wording that could trigger spam filters

Mimecast applies a global policy which states that when certain words are used numerous times in an email, that email is automatically rejected. The message won’t even reach the UCT email servers because Mimecast filters will block it. Some of these words include but are not limited to:

  • Invoice
  • Payment
  • Credit card numbers

We therefore recommend that you inform contacts who would normally use such wording that their emails may be blocked due to stricter security measures. They should then contact you if they don’t get a response from you after a few days.

It is also important that you add these types of contacts to your permitted senders list, so that their emails are not blocked unnecessarily.

 

Manage permitted and blocked senders’ lists

  1. Navigate to Mimecast and click LOGIN > Access my email.
  2. Enter your UCT email address and click Next.
  3. Leave the default option as Domain, enter your UCT password, and click Log In.
  4. You may be presented with a screen that says Mimecast Personal Portal or Mimecaster Central. Select Mimecast Personal Portal.
  5. In the left column, click:
    • Blocked: Contains the list of blocked senders. You can either click Add Blocked to add a new email address, Permit to allow the sender to email you again, or Remove, which means that you will receive an email from Postmaster again and will need to indicate if the sender should be permitted, or if the email should just be released.
    • Permitted: Contains email addresses that you previously permitted. You can either Add additional email addresses, Block those listed, or click Remove. When you remove an email address, you will receive an email from Postmaster when that sender contacts you via email. You will then need to indicate if the sender should be blocked, or the email just released.
    • Auto Permitted: These are external email addresses that you sent emails to in the last 120 days. They are automatically added to your permitted senders list.

 

Choose what action to take for emails blocked by Mimecast

If the Mimecast tool suspects that a message is spam, instead of removing it from the system, you will receive an email telling you that a message has been placed in the Mimecast On Hold queue. This gives you the opportunity to either Release, Block or Permit the message.

  • Release: allows the message to be delivered to your mailbox, but does not automatically allow any other messages from the same sender to reach you.
  • Block: rejects the message and blocks this sender from sending emails to you in future.
  • Permit: delivers the message to your mailbox and allows this sender to email you in future.

You will only receive an email if there are spam messages in your Personal On Hold queue. Hopefully over time you will receive less and less spam as the system "learns" what you do and don't allow through.

 

Action emails blocked by Mimecast

Every time an email is blocked, Mimecast will send you a notification so that you can take the necessary action. It is important to note that these notifications are only sent every hour.

So, if you're expecting an email – such as a password reset email or confirmation for a new account you created – log on directly to Mimecast to check if the message is being held up:

  1. Navigate to Mimecast and click LOGIN > Access my email.
  2. Enter your UCT email address and click Next.
  3. Leave the default option as Domain, enter your UCT password, and click Log In.
  4. You may be presented with a screen that says Mimecast Personal Portal or Mimecaster Central. Select Mimecast Personal Portal.
  5. In the left column, click Blocked.
  6. Click Permit next to the email address you would like to unblock.

 

Manage suspicious emails using Mimecast Essentials for Outlook

It’s common to receive suspicious emails nowadays – even ones that look like they come from colleagues (but are actually sent from a non-UCT email address such as Gmail). When this happens, you can now immediately report suspicious emails to Mimecast at the click of a button in the Outlook desktop client, Outlook for web, and the Outlook mobile app. 

The Mimecast add-in is visible on all incoming emails in Outlook. If it doesn’t appear in messages that you receive: 

  1. Open an email in your mailbox and click Get Add-ins. If this option does not appear in the email, in your Outlook mailbox menu, ensure that the Home tab is selected and click Get Add-ins.
  2. In the pop-up box, search for Mimecast and select Mimecast Essentials for Outlook.
  3. Click Add.
  4. The various Mimecast buttons will now appear in all emails you receive. 

When clicking the Report Phishing or Report Spam buttons, the email is sent to your Outlook Junk Mail folder, and the sender is added to your Blocked Senders list. A copy of the email is also sent to the Mimecast Security Teams for investigation. Mimecast then uses this information to update their scanners so that similar phishing attempts can be detected in future. 

It is important to note that a call isn't automatically logged with the IT Helpdesk when using this option. You will still need to follow the standard method of reporting a phishing attack.

Via the Manage Senders button, you can also view your Permitted and Blocked Senders lists and view messages that are currently waiting for you to release, permit, or block. You may be required to enter your UCT email address before these lists appear in the right-hand column.

Additional resources

Mimecast now has a dedicated website containing everything you need to know about the platform. To learn more, access the knowledge base articles on managing your account as well as the community forum.