Scoring Adjustments

In certain cases you might want to adjust trust scores that Fortra Cloud Email Protection (CEP) has assigned to a given message or to URLs associated with the message.

For example, you might find a message that is scored as a Brand Display Name Imposter (BDNI) attack but that you know is actually not malicious. In that case you can make manual trust scoring adjustments that take immediate effect and help ensure that all similar messages reach your organization.

In another scenario, a message might not be scored as a malicious BDNI attack but you know that the message is in fact malicious. In that case you can make an adjustment to score it as a BDNI attack.

Similarly, a message might not be scored as a malicious Individual Name Imposter (IDNI) attack but you know that the message is in fact malicious. In that case you can make an adjustment to score it as an IDNI attack.

URLs

Another feature allows you to either allow or block specific URLs embedded in emails. You can allow or block URLs based on the entire URL, the domain, or the subdomain.

In this guide we use positive to mean identified as malicious, and negative to mean identified as not malicious.

These are the types of messages involved in scoring adjustments:

BDNI False Positive: A non-malicious message scored as a malicious BDNI attack.

BDNI False Negative: A message that is a malicious BDNI attack but is scored as non-malicious.

IDNI False Negative: A message that is a malicious IDNI attack but is scored as non-malicious.

We walk through all of these scenarios in the following tutorial.

Scoring adjustment: BDNI false positive

In this walk-through you identify a message that was scored as a threat and make an adjustment to score it as a non-threat.

  1. Locate a message identified as a Brand Display Name Imposter (BDNI).

  2. Click the message to open the message details window. In this example, you can see by examining it that while this message has been scored as a BDNI attack, in fact it's a benign message that you sent to yourself.

  3. Click the plus sign under Show More to expand the screen and show the Scoring Analysis.

  4. Click the Adjust link. A window opens displaying scoring options.

  5. Select the button next to The sender is not the brand but is using the brand legitimately. You can enter a comment in the field below, for example "This is from my Gmail account". When you are finished, click Save Adjustment.

    Now that you have created the adjustment, messages from the sender and display name combination will still be scored based on all other risk factors, but they will not be scored as BDNI attacks.

    NOTE: Scoring adjustments that you make take approximately five minutes to take effect.

  6. To see all of your scoring adjustments, click the Adjustment <adjustment number> link, for example, shown here as Adjustment 38902.

  7. Select your adjustment from the list of adjustments. A new window appears where you can modify the comment and re-save the adjustment, or delete the adjustment.

    If you delete the adjustment, messages from that sender and display name combination will again be subject to evaluation and classification as BDNI attacks.

    NOTE: Deleted adjustments do not appear in the Adjustments index. The Audit Log contains a record of adjustment deletions.

Scoring adjustment: BDNI false negative

In this walk-through you identify a message that was scored as trusted and make an adjustment to score it as a threat.

  1. Locate a message identified as a potential Brand Display Name Imposter (BDNI) but determined to not be malicious and given a high score.

  2. Click the message to view the message details, and find the Scoring Analysis, where you can see the reason that the message was not scored as a BDNI attack.

  3. Click the Adjust link to open the adjustment details. If you think this message is in fact malicious, you can select one of the included reasons or select Other and include the reason by typing in a comment.

    When you are finished, click Save Adjustment.

Scoring adjustment: IDNI false negative

The steps for making an IDNI false negative scoring adjustment are the same as the steps for making BDNI scoring adjustments. In these cases you identify messages scored as non-malicious, and using the steps described above, make your scoring adjustments as needed.

The message above has been identified as suspicious but scored as authentic. You can click Adjust to change this scoring, as shown below. For details, follow the steps for BDNI scoring above.

Block or allow URLs

You can block or allow any URLs embedded in messages based on the entire URL, the domain, or the subdomain. To do this, first locate a Message Details page for a message that had a URL embedded in it. (If a message had no embedded URLs, this feature does not appear in the Message Details.)

  1. Open the Message Details page and scroll down to the label URLs.

    To adjust whether to block or allow the URL, click Adjust. In the screen that opens, you can select whether to block or allow the URL. Let's select Block.

  2. Click the URL that you want to block. There might be a list of URLs to choose from; in this case we just have one.

  3. Select one of the three blocking options.
    • Block the exact URL
    • Block any URL from the domain
    • Block any URL from subdomains

  4. As an example, let's select Block any Subdomains.

  5. Scroll down in the Adjust URL panel to see additional options, and when you've selected what you want, click the Block Subdomains button.