What does the system do?

The email security system (Mimecast) filters emails before they arrive in your inbox. It carries out the following checks:

• Validates the sender details and checks against known blacklists
• Checks the sender against our permitted and blocked senders list
• Scans for Spam
• Checks any attachments and links for suspicious content

If it thinks something is dangerous, it won't deliver that email, and instead your email will be 'held' for review.

Why do we do this?

Spam, phishing, ransomware and other email security issues are significant threats to institutions like Sussex. These attacks are often clever and well-coordinated, making it difficult to find protection which isn't too invasive or disruptive. Mimecast has been chosen as the best solution to protect our students, staff and researchers.

Mimecast carries out a number of checks on incoming mail and will put a hold/block on any mail that fails the checks.  The most common causes for this are:

• Messages with a high Spam ‘score’ are blocked
• Message contains malware
• Attachment has been blocked/stripped due to dangerous file types or contains suspicious links. 
• Content of message contains profanity
• DMARC failure – This is due to incorrect configuration by the sending server and is often an out-of-office message. For more information please visit this DMARC FAQ.
• Anti-Spoofing policy – if you are trying to email from an external source using a sussex.ac.uk address. Mimecast will reject the message unless specifically configured. 

How do I know that one of my emails is being held or blocked?

You’ll know one of your emails is being held when:

• You receive an email from Postmaster@sussex.ac.uk with the subject 'You have new held messages'. This message will list any emails that have been held.
  
• If you have the Mimecast plugin for Outlook (installed on Sussex Windows PCs), you will see an alert message, and you can access your ‘online inbox’ at any time.

You can log in to the Mimecast Personal Portal and see your list of held messages.

How can I release held items?

You will receive up an email when any messages have been held for review and instructions on how to release it. If you think one of these held items is genuine, click on the relevant link in the digest and that message will be released to your inbox. You can also login to the Mimecast Personal Portal and release items.

You will have three options for each held message:

• You can Block them, removing the message and adding the sender to your personal block list.
• You can Release them, which will send the message to your inbox but continue to intercept messages from the same sender.
• You can click Permit, which will deliver the email to your inbox AND mark future messages from this sender as safe.

Held messages will be deleted after 14 days if you don’t release them.

Some messages can only be released by an administrator – this will be stated in the Mimecast block notification. If you require an Administrator to release an email or attachment please log a ticket via the IT Service Desk and include a copy of the relevant notification from Mimecast.

The Mimecast client for Outlook

If you use Outlook on a Sussex PC, you'll see a tab called Mimecast. This tab allows you to:

• see your held messages
• report spam
• access your personal list of blocked senders.

If you use a Sussex PC, you'll find the plugin installed in Outlook. If you don't see it please log in to your Mimecast Personal Portal using the button on the right. This will give you the same options as the Windows plugin for Outlook.

Link re-writing

If an email you receive contains a link to a website, the security system will re-write the URL.

If you hover over a link in an email, you might see a URL that begins with https://protect-eu.mimecast.com and ends with domain= followed by the original URL of your link.

For example, a link to bbc.com would become https://protect-eu.mimecast.com/s253462825?domain=bbc.com

If you see a URL like this, it isn't a phishing attack, it's just the security system trying to keep you safe. You should still look out for suspicious URLs that don't follow this format.

Clicking on the link will work as normal. If the system thinks that the web page is dangerous, you'll see a warning message when you follow the link.

 

What can I do to prevent messages being held?

Whilst the majority of blocked emails are legitimate there may be times when the filters consistently block genuine messages.  There are a few things you may want to consider:

• If you are implementing an external system that will send emails looking to come from sussex.ac.uk please log a ticket with IT Service Desk so that we can review the Anti-Spoofing element
• If you trust the sender you can add them to your permitted senders list in the Outlook plug-in or Mimecast Personal Portal
• DMARC failure – if you wish to advise the sender of the reason their messages are being blocked visit this DMARC FAQ.

Can I request an adjustment to our security policies?

As a general rule we would not consider adjusting our policies to accomodate an address as this leaves us at risk if the sender account is compromised.  However, if there is a legitimate business need could consider bypassing selected policies if this is deemed appropriate and would not pose any significant risk to do so.

Please complete the Mimecast Allow Request Form log a request with the IT Service Desk with details of the mail address you would like us to consider.