Analyze Incoming Email Traffic

Fortra Cloud Email Protection provides insight into your organization's incoming email traffic, including where email messages are coming from (IP, Domain) and the risk associated with those messages and their senders.

The Classic Dashboard page is a unique Risk Overview visualization of your organization’s inbound email traffic. Every inbound message received by the Cloud Email Protection Sensor receives a Trust Score and is plotted in terms of:

  • Message Authenticity – is the message really from who it claims to be from?
  • Domain Reputation – is this domain reputable, that is, someone with whom I have a credible business relationship?
  • Sender Legitimacy – is the sender IP address, evaluated by IP Reputation Score, legitimate?

Trust Score

A Trust Score is calculated for every inbound message delivered to an organization’s users. It answers the basic question: How much should I trust this message? The Trust Score is used to separate email into three groups: Untrusted, Suspicious, and Trusted. Messages are scored on a scale from 0 to 10, where 0 is the lowest trust and 10 is the highest.

The Trust Score takes into account the Domain Reputation score, the Authenticity score of the message, and per-message features, as well as any scoring adjustments you have made. See

TIP: The body of the message is not a factor in the Trust Score. The exception to this is if you have URI analysis enabled (see Enable Attachment and URI Analysis), in which case URIs extracted from message bodies are scored for potential maliciousness.

  • High Authenticity score from a sender with a low Domain Reputation score = suspicious.
  • High Authenticity score from a sender with a high Domain Reputation score = trusted.
  • Low Authenticity score from a sender with a high Domain Reputation score = suspicious, especially if a domain does Authentication correctly and frequently.
  • Low Authenticity score from a sender with a low Domain Reputation score = usually bulk email or zero-day domains.

Each circle in the Overview page represents a sending domain and the circles are sized based on the relative amount of traffic they sent within the selected time period. Reputable, high-volume, good messages are represented by green circles in the upper right. You should see the names of familiar senders in this quadrant. The top 200 domains are shown in each quadrant. Hover over a circle to see the number of messages from that sending domain.

Less trustworthy senders are lower and to the left.

Quadrants on the overview page.

You can filter the results, limiting them to just one of the basic attack types by clicking on any of the smaller boxes to the left of the quadrants display. Use this feature to quickly identify potential problem messages and senders.

To return to the original traffic view, click the Messages filter.

The Messages filter

Zooming In

Click on the empty space inside one of the quadrants to zoom in on that quadrant. This should make the bad senders easier to see. Hover over a circle to see the sending domain. For example:

A zoomed-in quadrant

Click on the empty space again to zoom back out.

Quick Domain Search

You can also use the search box on the main visualization page to quickly classify the authenticity of the mail you receive from a specific domain.

For example, type "gmail.com" into the search box. You may see a pattern that looks like this:

Searching for mail from the domain gmail.com.

This shows that Cloud Email Protection has analyzed 104 legitimate messages from the gmail.com domain in the past 7 days. Hovering over the smaller circle shows that 6 messages may warrant further investigation because they have a lower authenticity score.

Clear the search box to return to the original view.