Skip to content

Based on the comprehensive resources provided, I have designed a detailed "Beginner to Master" video course curriculum for Email Security using the Proofpoint Protection Server (PPS). Since I am a text-based AI, I cannot generate a video file, but I have created the complete script and structure for this video below.

  • Following the course, I have provided the 5 specific examples for identifying phishing and spam as requested.

Mastering Proofpoint Protection Server (PPS)

  • Course Objective: To configure, manage, and troubleshoot email security, moving from basic SMTP concepts to advanced threat protection and encryption.

PART 1: THE BASICS (Beginner Level)

Scene 1: Understanding Email Infrastructure & SMTP

  • The Lifecycle of an Email: Email does not go directly from client to client. It travels from a Mail User Agent (MUA like Outlook) to a Message Transfer Agent (MTA),.
  • The SMTP Process: Simple Mail Transfer Protocol uses a three-part process:
    1. Connection: The sending server telnets to port 25.
    2. Envelope: The sender issues HELO, MAIL FROM (sender), and RCPT TO (recipient).
    3. Data: The body and headers (Subject, To, From) are sent. Note that the "Envelope Sender" can differ from the "Header From" address,.
  • Relaying: "Relaying" is moving a message from one system to another. PPS will only relay mail if the recipient is in a configured "Inbound Domain" or the sending IP is in the "Allow Relay" list,.

Scene 2: PPS Architecture and Filtering Order

  • Script:
  • Module Hierarchy: PPS processes messages in a specific order to save resources. The order is:
    1. Email Firewall (Connection management)
    2. Virus Protection
    3. Zero Hour
    4. Spam Detection
    5. Digital Assets
    6. Regulatory Compliance
    7. Targeted Attack Protection (TAP),,.
  • Why order matters: If a message is blocked by the Firewall (Priority 0/First processed), it is never scanned for Spam,.

PART 2: CORE CONFIGURATION (Intermediate Level)

Scene 3: User Management and Admin Roles

  • LDAP Integration: To avoid managing local passwords, create an LDAP profile (System > User Management). Map the "SAM Account Name" and domain to allow admins to use corporate credentials.
  • Admin Roles: You can create granular roles, such as "Help Desk." You can restrict these roles to specific modules (e.g., Smart Search) and specific quarantine folders (e.g., allow viewing "Zip Attachments" but not sensitive financial blocks).

Scene 4: Spam Detection and Policies

  • Inbound Policy: Create a policy named "Inbound." You can enable rules for Malware (Score 50), Phishing (Score 80), and Definite Spam (Score 100),.
  • Bulk Email: Newsletters are "Bulk," not necessarily spam. You should enable the Bulk rule to allow users to see these in their digests,.
  • Safe vs. Block Lists:
    • Organizational Lists: Global allow/block. Limited to simple criteria like IP or Sender Address,.
    • Custom Rules: More flexible. Use these when you need exceptions (e.g., allowing "mailchimp.com" only if the sender is "marketing@company.com"). This prevents a global whitelist of a shared vendor,.
  • End User Digests: Enable digests to let users release their own quarantined spam. Configure the "Digest From" address so users recognize the sender,.

Scene 5: The Email Firewall & Recipient Verification

  • Purpose: The firewall filters based on connection and envelope attributes.
  • Recipient Verification: This prevents "Directory Harvest Attacks." PPS checks if a recipient exists before processing.
    • Audit Mode: Quarantine invalid recipients to a folder to ensure you aren't blocking valid mail due to directory sync issues.
    • Block Mode: Once verified, switch to "Reject" (Error 550 User Unknown) to save system resources.

PART 3: ADVANCED SECURITY & AUTHENTICATION (Advanced Level)

Scene 6: Authentication (SPF, DKIM, DMARC)

  • SPF (Sender Policy Framework): Verifies the IP is authorized to send for the domain. By default, PPS doesn't enforce this on inbound mail. To enforce, create a rule to "Quarantine" or "Reject" SPF Failures.
  • DKIM: Checks if the email was altered in transit using a digital signature.
  • DMARC: Relies on SPF and DKIM.
    1. Create a "DMARC Failures" folder.
    2. Start in Audit Mode (Quarantine & Continue) to monitor traffic.
    3. Move to "Reject" only after confirming legitimate traffic is passing.

Scene 7: Anti-Spoofing and Imposter Protection

  • Anti-Spoof Rule: Create a firewall rule where Envelope Sender is "Your Domain" AND Sender IP is NOT "Your Internal IP." This blocks external actors using your domain.
  • Imposter Repository: High-value targets (CEOs) need extra protection. Add their display names (e.g., "Mary Smith") to the Imposter Repository. If an external email arrives saying it's from "Mary Smith," the Stateful Composite Scoring Service (SCSS) increases the spam score,.

Scene 8: Targeted Attack Protection (TAP)

  • Attachment Defense: Scans supported files (PDF, Office) in a sandbox.
    • Config: Set to "Hold message" while waiting for cloud scan results to ensure no malware slips through.
  • URL Defense: Rewrites links in emails. If a user clicks, they are redirected to Proofpoint first.
    • Config: Select "Rewrite URLs in all messages" for maximum security.
  • TAP Dashboard: Use this to view "Impacted Users" (who clicked) and "VAP" (Very Attacked People).

Scene 9: Encryption

  • Triggering Encryption: Create a firewall rule to trigger encryption if the subject contains "[Encrypt]",.
  • TLS Fallback: Configure PPS to attempt TLS (Transport Layer Security) first. If the connection fails, fall back to Proofpoint Encryption (Secure Reader) instead of sending plain text.

PART 4: MAINTENANCE & TROUBLESHOOTING (Master Level)

  • Smart Search: The primary troubleshooting tool. Search by sender/recipient to trace a message disposition (e.g., Discarded, Quarantined). Note: It takes 5-6 minutes for data to appear.
  • Reading Logs:
    • cmd=run: The rule triggered.
    • cmd=judge: The dispositions being applied.
    • cmd=dispose: The final action taken (e.g., quarantine).
  • Syslog: For long-term retention or SIEM integration (like Splunk), configure Remote Log options to send data to a centralized host,.

Scene 11: Updates and DNS Blocklists

  • Module Updates: PPS checks for spam/virus definition updates every 5 minutes. You can manually force updates in the System > License & Updates module.
  • DNS Blocklists (DNSBL): Subscribe to lists (RBLs) to block IPs known for spam. Crucial: Always add your internal networks to the "Internal Net" policy route first to prevent blocking your own outgoing mail.

---

5 Examples: How to Identify Phishing & Spam Emails

Based on the provided resources, here are five specific scenarios and indicators to identify malicious emails:

1. The "CEO" Imposter (Display Name Spoofing)

  • Scenario: An employee receives an email from "Mary Smith" (the CEO) asking for an urgent wire transfer, but the email address is mary.smith@gmail.com or ceo@external-service.com.
  • Identification Method: Use the Imposter Display Name Repository. The resource explains that if "Mary Smith" is a protected name, an external email using that display name will have a "High Imposter Spam Score" because the SCSS (Stateful Composite Scoring Service) recognizes the display name does not match the authorized internal source.

2. The "Blank" Invoice (Malicious Attachment)

  • Scenario: A user receives an email regarding an "Invoice" with a Word document attached. When opened, the document appears blank or contains gibberish, with a prompt to "Enable Content" or "Enable Macros."
  • Identification Method: This is the Locky Malware behavior. The resource demonstrates that enabling content executes the code that encrypts the user's laptop. Identification relies on Attachment Defense, which sandboxes the file, observes this behavior, and quarantines the message before delivery,.

3. The "Look-Alike" Domain (Spoofing)

  • Scenario: An email arrives from support@proofpo1nt.com (using a number '1' instead of 'i') or vendor@acme-updates.com instead of vendor@acme.com.
  • Identification Method: This is identified via Anti-Spoofing Rules. A firewall rule configured to look for "Is in Domain" or "Lookalike" domains triggers a quarantine. Additionally, DMARC analysis would show that the sending IP is not authorized for the legitimate domain (SPF Fail) or the signature is invalid (DKIM Fail),,.

4. The "Drive-By" Credential Stealer (Malicious URL)

  • Scenario: An email contains a link saying "Click here to update your account." The text looks legitimate, but the underlying destination is a credential harvesting site.
  • Identification Method: URL Defense rewrites the link. If the link is clicked and leads to a malicious site, the TAP Dashboard will log this as a "Credential Phishing" threat. The resource notes phishing is defined as defrauding account holders of financial information,.

5. The "Sensitive Word" Trigger (Policy Violation)

  • Scenario: An outbound email contains words like "Confidential," "Secret," or specific project code names (e.g., "Cobra Project").
  • Identification Method: This is identified using Dictionary Rules in the Email Firewall. The resource shows how to verify this by checking the email headers (e.g., X-Identified-Terms), which will list the specific words that triggered the block and how many times they appeared.