ReceiveGUARD is an intelligent mail firewall device that can preemptively respond to Advanced Persistent Threat (APT) attacks efficiently. Once the device is installed in the server room, you can immediately begin utilizing the ReceiveGUARD services it offers.
ReceiveGUARD is an appliance device, which means it may have a finite operational lifespan. While there isn’t a predefined duration for the device’s lifespan, you can replace the storage space (HDD) inside the device as necessary, ensuring its continued functionality.
ReceiveGUARD is an appliance device, and installation is straightforward. Once the device is installed in the server room and connected via a LAN line, the installation process is complete. Basic configuration typically takes around 30 minutes, after which you can commence using ReceiveGUARD’s services. The learning period for ReceiveGUARD to properly filter emails spans about two weeks, and once completed, you will only receive safe emails.
The SCM 117 model of ReceiveGUARD is capable of managing daily email volumes spanning from 800,000 to 1 million emails. Even when faced with a substantial influx of emails, it can process them in real-time without any issues. In fact, many large enterprises, such as H Corporation and L Corporation, are currently using ReceiveGUARD for real-time email delivery.
ReceiveGUARD incorporates a Virtual Area (VA) in which it analyzes emails and stores them after encrypting the data. Through this VA, the device can automatically generate filtering criteria for the next emails it receives based on the analysis of previous data. This function is what distinguishes it as an intelligent-learning mail firewall device.
We provide reports through the admin account of ReceiveGUARD. These reports include statistics on why emails were blocked, the frequency of such blocks, and other relevant information to assist you in more effective email management.
The Virtual Area (VA) within ReceiveGUARD directly examines malicious code files, and its configuration environment is entirely distinct from that of a regular PC. Consequently, opening malicious code files within the VA poses no risk of infecting the device with a virus whatsoever.
ReceiveGUARD conducts direct inspections of executable files and attachments in emails through the Virtual Area (VA) to assess their safety. This approach ensures a high level of accuracy when inspecting attached files in emails. Furthermore, it can detect viruses such as ransomware by utilizing regularly updated antivirus engines.
While ReceiveGUARD is an appliance-based solution, we offer a rental service called R-Cloud for customers who may find purchasing the appliance financially challenging. With this service, you can enjoy ReceiveGUARD’s robust security features at a more affordable price.
ReceiveGUARD employs a fundamentally distinct analysis approach in contrast to other APT devices. Instead of relying on pre-existing filtering data, it analyzes emails in real time, based on accumulated data within the device. This approach enables various unique analyses that other devices cannot perform, such as URL endpoint tracking, attachment forgery analysis, and the reliability level testing.
The initial settings require you to enter the IP address and password for security reasons, but you have the option to switch to the automatic authentication method. When your company administrator changes the login authentication method to automatic authentication in [Settings > System Settings > Undelivered Reports], all subsequent Undelivered Reports will be automatically connected without the need for manual entry.
This setting can only be set by your company’s administrator. If you wish to make changes, please request your company’s administrator to do so in [Settings > System Settings > Undelivered Reports > Undelivered Reports Sending Time].
For security reasons, you can establish a connection to ReceiveGUARD through the most recently received Undelivered Report. By clicking “Check Blocked Mail” in the most recent Undelivered Report, it will synchronize with ReceiveGUARD, and the entire email will be displayed.
This issue could arise if Undelivered Reports are disabled in your settings. If you wish to receive Undelivered Reports, you should contact your company’s administrator and request them to enable Undelivered Reports in the settings under [Settings > System Settings > Undelivered Reports].
This occurs because there are no blocked emails in your settings. Undelivered Reports are sent when there are blocked emails to report.
Both SpamGUARD and ReceiveGUARD serve as inbound email security devices. SpamGUARD is designed to block promotional emails, while ReceiveGUARD is specifically employed to block fraudulent and hacking emails. While many email systems typically rely solely on SpamGUARD, incorporating ReceiveGUARD introduces a two-step filtering process. This involves first blocking promotional emails and then blocking fraudulent and hacking emails, ultimately ensuring that you only receive safe emails.
Most malware is discovered and registered on sites like VirusTotal a few days after its detection. Known malware is accompanied by detailed information, but newly emerging malware patterns are not yet registered, making detection challenging using conventional methods. Such cases are classified as novel or new malware.
The ultimate goal of malware is to control or disrupt the operation of a user’s computer. Zero-day malware is characterized by engaging in malicious activities such as unauthorized access to memory, deletion and creation of files, and data manipulation, all without the user’s permission, in order to achieve these objectives.
Our ReceiveGUARD solution detects malware through the utilization of virtual machine technology for file execution and behavioral analysis. This technology addresses delay issues when dealing with a large volume of inbound emails and enhances efficiency by appropriately allocating resources based on the type of file inspection.
The ITU-T X.1236 standard emphasizes a multi-layered inspection approach rather than relying on specific technologies. Initially, the first-stage antivirus inspection detects malicious files, ransomware, and other attachments in emails. As undetected attachments may potentially contain novel malicious files, the second-stage behavioral analysis inspection analyzes the behavior of attachments in a Windows environment, identifying any attempts to forcibly install within specific folders or alter system settings. This multi-step inspection approach evaluates malware from multiple perspectives, enhancing detection rates and effectively utilizing the resources of virtual machine technology.
The ‘URL Endpoint Tracking’ feature examines all links within received emails to detect malicious code. With an increase in attacks hiding malware not only in the email body but also within attachments or large compressed files, it has become crucial to open and inspect all inactive links within emails to identify any suspicious behavior. This is the core functionality of the URL endpoint tracking feature.
Typically, endpoint tracking functionality is considered implemented when links up to the 30th iteration are examined. While the technology for inspecting malicious behavior in virtual environments has rapidly advanced, there are still limitations. The number of links to be inspected can exponentially increase as multiple redirections may be concealed within a single link. Therefore, checking up to the 30th link is generally deemed to provide a sufficient level of security in most situations.
A representative secondary security measure involves converting links within the email body into images.
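The following is an added example (not ReceiveGUARD code) of the endpoint-tracking walk described above: it follows every link reachable from a URL in an email, stops after 30 inspections, detects redirect loops, and reports when the budget ran out so that a secondary measure (such as rendering the links as images) can be applied. The link graph, the hostnames and the `build_fanout` helper are constructed stand-ins for what a sandbox would actually fetch.

```python
from collections import deque

# Constructed link graph: each URL maps to the URLs it leads to (an HTTP redirect
# target or the links found on the fetched page). A real deployment fetches these
# inside the virtual area; here the graph is static so the example runs offline.
LINK_GRAPH = {
    "https://short.example/a": ["https://track.example/click?id=1"],
    "https://track.example/click?id=1": ["https://files.example/invoice.pdf"],
    "https://files.example/invoice.pdf": [],          # terminal endpoint: nothing further
    "https://loop.example/1": ["https://loop.example/2"],
    "https://loop.example/2": ["https://loop.example/1"],  # redirect loop
}

MAX_INSPECTIONS = 30  # the "30th link" limit discussed in the text


def trace_endpoints(start, graph, budget=MAX_INSPECTIONS):
    """Breadth-first walk of every link reachable from `start`.

    Returns a dict with the terminal endpoints reached, how many URLs were
    inspected, how many loops were cut, and whether the inspection budget
    was exhausted before every link could be examined.
    """
    seen = {start}
    queue = deque([start])
    endpoints, inspected, loops, exhausted = set(), 0, 0, False
    while queue:
        if inspected >= budget:
            exhausted = True      # links remain that were never inspected
            break
        url = queue.popleft()
        inspected += 1
        targets = graph.get(url, [])
        if not targets:
            endpoints.add(url)    # nowhere further to go: this is an endpoint
        for target in targets:
            if target in seen:
                loops += 1        # already visited: a redirect cycle, do not requeue
            else:
                seen.add(target)
                queue.append(target)
    return {"endpoints": endpoints, "inspected": inspected,
            "loops": loops, "exhausted": exhausted}


def verdict(result):
    """Map a trace result to the handling the text describes."""
    if result["exhausted"]:
        return "apply secondary measure"   # e.g. convert body links to images
    if result["loops"] and not result["endpoints"]:
        return "block"                     # only loops, no real destination
    return "inspect endpoints"             # hand the reached files/pages to analysis


def build_fanout(root, depth, fanout):
    """Constructed helper: a page tree where every link leads to `fanout` more links,
    modelling how the number of links to inspect grows exponentially."""
    graph = {}

    def add(url, remaining):
        children = [f"{url}/{i}" for i in range(fanout)] if remaining > 0 else []
        graph[url] = children
        for child in children:
            add(child, remaining - 1)

    add(root, depth)
    return graph


if __name__ == "__main__":
    for start in ("https://short.example/a", "https://loop.example/1"):
        r = trace_endpoints(start, LINK_GRAPH)
        print(start, r, verdict(r))
    big = trace_endpoints("https://fan.example/0", build_fanout("https://fan.example/0", 5, 2))
    print("fan-out tree:", big["inspected"], "inspected, exhausted =", big["exhausted"])
```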
Recently, there has been an increase in time-gap attacks where hackers initially send benign emails and later link them to malicious code before users open the emails. The post-URL inspection feature is designed to prevent such time-gap attacks. This ensures that even if an email is received safely initially, connecting malicious code when the user opens it can be prevented.
First, an initial URL endpoint tracking inspection is conducted on the received email, and legitimate emails are delivered to the mailbox. Subsequently, every time a user opens the email and clicks on a link, post-URL inspection is performed on that specific link. If any suspicious behavior or malicious activity is detected, it plays a role in blocking the email or link, or notifying the user of potential issues.
‘URL Endpoint Tracking’ inspects the links in the email body for malicious behavior when the email first arrives. In contrast, ‘Post-URL Inspection’ continuously verifies the safety of specific links each time a user clicks on them, even after the email has entered the mailbox. It examines all links, not just when receiving the email but also after it has entered the mailbox, aiming to prevent users from being exposed to malicious code.
A ‘Look-alike Domain’ refers to a domain that has been crafted to closely resemble a legitimate one. Hackers modify the domain slightly to create an address that appears trustworthy, aiming to confuse and deceive users. In this manner, hackers send emails containing realistic content, such as requests to verify quotes, in an attempt to trick users into clicking on links or opening attachments within the email. Consequently, users may become vulnerable to attacks by malicious links or attachments embedded in the email.
The criteria for determining look-alike domains are subjective, and using a single criterion can lead to a high false positive rate or, conversely, a low detection rate. Therefore, when assessing look-alike domains, employing various criteria to differentiate the level of risk can reduce false positives and enhance the ability to detect actual threats. This multilayered approach enables more accurate detection of look-alike domains, ultimately strengthening the security of both users and organizations more effectively.
Within the company, each user utilizes a unique email address, and the email addresses used for communication are also distinct for each user. Look-alike domain attacks occur when users are deceived by addresses that resemble their familiar email addresses, leading them to open malicious emails or click on links. Therefore, it is essential to categorize the risk level for each user to implement customized security measures, constituting a crucial factor in providing more effective protection against security threats. A user-centric approach considers and offers effective methods to address the risks faced by each user for prevention.
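As an added example (not ReceiveGUARD's own logic) of the multi-criteria approach described in the two paragraphs above, the function below scores a sender domain against the domains a recipient legitimately corresponds with and returns a risk level instead of a single yes/no. The known-domain list, the homoglyph table and the point weights are constructed assumptions; legitimate subdomains of a known domain are recognised so they are not flagged.

```python
from difflib import SequenceMatcher

# Constructed: domains this recipient is known to exchange mail with.
KNOWN_DOMAINS = {"example-partner.com", "acme-supplier.co.kr"}


def _normalize(label):
    """Fold common visual substitutions so 'examp1e' compares equal to 'example'."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("01357", "olest"))


def _split(domain):
    """Naive split into name part and final label (good enough for this example)."""
    name, _, tld = domain.lower().strip(".").rpartition(".")
    return name, tld


def assess_domain(domain, known=KNOWN_DOMAINS):
    """Return (risk_level, reasons, closest_known_domain) for a sender domain.

    Several independent criteria each add points; the total is mapped to a level,
    so no single criterion alone decides between false positive and miss.
    """
    domain = domain.lower().strip(".")
    if domain in known or any(domain.endswith("." + k) for k in known):
        return "none", [], domain          # exact match or a real subdomain
    name, tld = _split(domain)
    best_score, best_reasons, best_match = 0, [], None
    for k in known:
        kname, ktld = _split(k)
        score, reasons = 0, []
        same_name = _normalize(name) == _normalize(kname)
        if same_name and name != kname:
            score += 4; reasons.append("homoglyph or digit substitution")
        if same_name and tld != ktld:
            score += 2; reasons.append(f"top-level domain swapped ({ktld} -> {tld})")
        if not same_name:
            ratio = SequenceMatcher(None, name, kname).ratio()
            if ratio >= 0.9:
                score += 2; reasons.append(f"near-identical spelling ({ratio:.2f})")
            elif ratio >= 0.8:
                score += 1; reasons.append(f"similar spelling ({ratio:.2f})")
        if domain.startswith(k + "."):
            score += 3; reasons.append("known domain used as a subdomain of another")
        if kname in name and name != kname:
            score += 2; reasons.append("known name embedded with extra text")
        if score > best_score:
            best_score, best_reasons, best_match = score, reasons, k
    if best_score >= 4:
        level = "high"
    elif best_score >= 2:
        level = "medium"
    elif best_score >= 1:
        level = "low"
    else:
        level = "none"
    return level, best_reasons, best_match


if __name__ == "__main__":
    for d in ("mail.example-partner.com", "examp1e-partner.com", "example-partner.net",
              "example-partner.com.login-verify.net", "examplepartner.com", "acme-supp1ier.co.kr"):
        print(d, "->", assess_domain(d))
```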
‘Forged Header’ is a hacking technique where the attacker forges the sender’s email address to deceive the recipient. In this type of attack, the hacker typically manipulates either the username or domain part of the original email address when sending emails. Through this, the hacker disguises themselves as someone else or as a reputable entity, aiming to trick the recipient into trusting the email. Forged header is a form of social engineering attack commonly used to impersonate businesses, financial institutions, government agencies, or other trusted organizations. In more sophisticated forms, recent variations include intelligent techniques where the attacker’s address changes when the recipient clicks the reply button.
The primary method for checking forged headers involves verifying compliance with email communication regulations during email transmission. To achieve this, sender authentication methods such as DMARC (Domain-based Message Authentication, Reporting, and Conformance) and DKIM (DomainKeys Identified Mail) are used. However, relying solely on checking regulatory compliance may still leave room for some types of attacks to bypass detection. Therefore, the ITU-T X.1236 standard makes an effort to differentiate various types of sender attacks, enabling the use of specialized email security features tailored to each type.
‘Look-alike Domain’ and ‘Account Take-over (ATO)’ attacks share the similarity of forged header, but there is a difference in the displayed sender’s email address visible to the recipient. In ‘Look-alike Domain’ attacks, the attacker creates a similar email address using a legitimate domain to deceive the recipient. On the other hand, ‘ATO’ attacks involve the attacker gaining access to the actual sender’s email account and using it to send emails. In other words, both attacks often lack malicious elements in the email, making them challenging to detect, unlike header spoofing attacks.
Generally, a ‘Sender Location Change’ implies the registration of the IP address on a blacklist. In targeted email attacks, email addresses or senders deviating from the usual pattern of exchanging emails can be considered as potential risks for users. For instance, if a user regularly exchanges emails with business partners in Country A and suddenly receives an email from the same address but originating from Country B, the email sender’s IP address from Country B may be perceived as a deviation from the usual pattern, raising concerns as a potential risk for that specific user.
The sender’s IP address, email server, and email transmission route are crucial pieces of security information that can be utilized to detect attacks such as user account hacking or email server tampering. Importantly, these criteria can categorize a sender as a potentially risky source for specific users while being considered normal for others. Therefore, to defend against targeted email attacks, personalized email security technologies should be applied, taking into account individual user characteristics and patterns.
First, a basic inspection is conducted to verify the user registration status and blacklist registration of the email sender. This helps identify malicious or untrusted sources. Subsequently, a comparison between the current email sender information and previous sender information is made, and if a pattern difference is detected, measures such as blocking the email or issuing a warning are implemented. This helps prevent email fraud attacks and safeguards against potential risks such as the unauthorized disclosure of important information or incorrect fund transfers. Additionally, features are provided to facilitate effective management of risky senders by users or security administrators, considering factors like overseas business trips or global network issues.
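The two-stage check described above, written as an added example (not ReceiveGUARD's implementation): a blacklist check first, then a per-recipient comparison of the sender's IP, country and mail server against that sender's history, with an administrator-registered exception for expected location changes such as business trips. The IP ranges (RFC 5737 test networks), the geo-IP table, the country labels A and B, and the `min_history` threshold are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data; the addresses are documentation ranges, not real hosts.
BLACKLISTED_IPS = {"203.0.113.9"}
IP_COUNTRY = {"198.51.100.": "A", "192.0.2.": "B"}   # stand-in for a geo-IP lookup
# Administrator-registered exceptions: (recipient, sender, country) pairs that are expected.
TRAVEL_EXCEPTIONS = {("bob@corp.example", "partner@example-partner.com", "B")}


def country_of(ip):
    for prefix, country in IP_COUNTRY.items():
        if ip.startswith(prefix):
            return country
    return "unknown"


@dataclass
class SenderProfile:
    """What one recipient has previously seen from one sender address."""
    ips: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    servers: set = field(default_factory=set)
    seen: int = 0


class SenderPatternChecker:
    def __init__(self, min_history=3):
        self.profiles = defaultdict(SenderProfile)   # keyed by (recipient, sender)
        self.min_history = min_history               # messages needed before comparing

    def _learn(self, profile, ip, country, server):
        profile.ips.add(ip)
        profile.countries.add(country)
        profile.servers.add(server)
        profile.seen += 1

    def evaluate(self, recipient, sender, ip, server):
        """Return (action, reasons); action is 'block', 'warn' or 'deliver'."""
        # Stage 1: basic source checks that apply to every recipient alike.
        if ip in BLACKLISTED_IPS:
            return "block", ["source IP is blacklisted"]
        profile = self.profiles[(recipient, sender)]
        country = country_of(ip)
        if profile.seen < self.min_history:
            # Not enough history for this recipient/sender pair: deliver and learn.
            self._learn(profile, ip, country, server)
            return "deliver", [f"learning baseline ({profile.seen}/{self.min_history})"]
        # Stage 2: compare against this recipient's own history with the sender.
        action, reasons = "deliver", []
        if country not in profile.countries:
            if (recipient, sender, country) in TRAVEL_EXCEPTIONS:
                reasons.append(f"new country {country} allowed by administrator exception")
            else:
                action = "block"
                reasons.append(f"sender location change: {sorted(profile.countries)} -> {country}")
        elif ip not in profile.ips:
            action = "warn"
            reasons.append("new sending IP within a known country")
        if server not in profile.servers:
            action = "block" if action == "block" else "warn"
            reasons.append(f"mail server changed: {sorted(profile.servers)} -> {server}")
        if action == "deliver":
            self._learn(profile, ip, country, server)   # only undisputed mail extends the baseline
        return action, reasons


if __name__ == "__main__":
    checker = SenderPatternChecker()
    args = ("alice@corp.example", "partner@example-partner.com", "198.51.100.7", "mx1.example-partner.com")
    for _ in range(4):
        print(checker.evaluate(*args))
    print(checker.evaluate("alice@corp.example", "partner@example-partner.com", "192.0.2.44", "mx1.example-partner.com"))
```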
No, there are no complex requirements. You can receive the service by simply modifying the DNS information of your existing mail server. If you are planning to set up a new email infrastructure, implementing ReceiveGUARD alongside SECUMAIL can significantly enhance your email security.
Spam-prevention appliance is widely used, and ReceiveGUARD is designed with the assumption that organizations (enterprises) already have such appliances in place. Hence, we strongly recommend the adoption of ReceiveGUARD for its services. Additionally, other APT appliances may operate on distinct security principles compared to ReceiveGUARD, so while using ReceiveGUARD alongside them can enhance security, ReceiveGUARD on its own offers comprehensive email security with its full range of features.
ReceiveGUARD operates before reaching the mail server. As a result, it does not impact any of the emails that are currently in use, ensuring uninterrupted email communication.
ReceiveGUARD detects look-alike domains that are difficult to distinguish with the human eye, and it provides warnings to both administrators and users. When replying to received emails, it can detect forged headers and issue warnings to the administrators and users. Moreover, it maintains records of the recipients when receiving mail from the same account, and if there is a change in the sender, it alerts both administrators and users.
ReceiveGUARD stands out from other APT devices in several ways. While other APT devices primarily focus on detecting network APT and are limited to inspecting attachment files within emails, ReceiveGUARD is specifically designed for email security. It not only inspects attachments, but also examines emails that do not contain malicious files. It adopts a machine learning approach to understand emails from organizations or enterprises that lack standardized filtering, allowing it to develop a customized filtering system for them. In addition, the file inspection method of other APT devices may often bypass inspection if a queue builds up due to frequent undelivered emails. In contrast, ReceiveGUARD efficiently performs inspections to facilitate flexible data sharing.
The Cube engine operates using AI learning. It acts as an ‘attachment and URL inspection device’ and performs initial virus detection (vaccine check) on files. If no issues are found during the vaccine check, the files then undergo behavioral analysis inspections. These inspection areas cover attachment files, URLs in the email body (download inspection), and URLs within attached documents. It directly assesses the maliciousness of URLs all the way to their endpoints. Moreover, it executes files downloaded from URLs to verify their maliciousness.
The email block could occur due to various filtering rules such as different IP addresses, sending routes, look-alike domains, or look-alike email addresses that led to the blocking. In other words, there may be a possibility of forgery or modification. To address this, you have the option to use the “Send and Allow” buttons at the top of the blocked email report. This allows you to re-learn and deliver the email to the intended recipient. However, if a malicious URL attachment is detected, it will be blocked once more and noted in the Undelivered Report.
Pressing the “Allow” button triggers the email-learning process, but does not automatically deliver the email to the recipient. If you wish to both receive the email and have it recognized as ‘legitimate’, you should use the “Send and Allow” button. Subsequently, if emails with the same information are received afterwards, they will not be blocked as they are then considered as legitimate emails.
This issue is likely due to an incorrect encoding method used by the sender. You should notify the sender and provide them with the EML file for their review and correction.
This issue could be due to incorrect encoding settings in Outlook. Please review the encoding settings and select ‘Unicode’ in the encoding menu for receiving emails in Outlook.
This issue may be caused by errors in the sender’s email configuration, such as an incorrect IP or ID. We suggest contacting the sender to verify if the email has been returned to them, and to request that they resend it with the accurate information.
If an email is not appearing in ReceiveGUARD’s Undelivered Report, it might be due to threat detection and blocking based on filtering rules. You should verify whether the email was categorized as spam by ReceiveGUARD. If necessary emails have been mistakenly blocked, you can contact the administrator to review the spam-blocking settings and request the recovery of these emails. If you continue to encounter problems with receiving emails, you can also request the sender to resend them using the “Send and Allow” button to help train the system and prevent further blocking.
If you’ve received an Undelivered Report, it indicates that a threat was detected in the received email, and ReceiveGUARD blocked it based on filtering rules. To address this, the recipient should review the blocked content from the Undelivered Report received at the set time and, if it’s confirmed that there are no issues, click the “Send” button in the block report to deliver the email. If you wish to continue receiving the same type of email in the future, you can use the “Send and Allow” button to train the system. However, it’s important to note that if subsequent emails contain malicious files, come from different sending IP addresses, or include malicious URL in attachments, they will be blocked again and will be listed in the Undelivered Reports.
Registration is necessary for this process. Please contact the administrator for assistance. You can enter the company’s country name and IP range in the [Settings > GDPR Country Management] section.
To add recipients as GDPR subjects, a separate registration process is necessary. You can manually register subjects by selecting the recipients in the [Settings > GDPR Subject Management] section. Alternatively, you have the option to perform batch registration using Excel/CSV files.
In such cases where the situation extends beyond the country or IP information provided by the EU, it is advisable to contact the administrator for further assistance.
This issue typically arises from incorrect settings on the mail server, leading to the distribution of reports to all recipients. If adjusting the mail server settings does not resolve the problem, you can navigate to [Settings > System Settings > Undelivered Report Management > Undelivered Report Recipient]. There, you can select the actual recipient for sending reports, ensuring that reports will only be sent to the selected recipients.
The RCPT Inspection in ReceiveGUARD verifies the actual email accounts used for receiving mail against the mail server. The issue you are encountering may be due to the incorrect settings on the mail server, causing it to mistakenly consider some unused accounts as active. To resolve this, you should contact the mail server administrator, and have them make the necessary adjustments.
For example, if the email account does not exist, you might encounter an error message as below:
<< RCPT TO:
>>550… No such user
This issue occurs because you have disabled the RCPT (mail account check communication) Inspection. To rectify this, you can change the RCPT inspection setting to ‘Enable’ in the system settings under [Settings > System Settings > Operation Management > Default Operation].
To adjust the delivery time settings for Admin Reports, you can navigate to [Settings > System Settings > Admin Report > Delivery Time] and select the time that suits your preference.
You can configure the warning message for each email domain of the companies. To do this, you can add or delete phrases in the [Settings > Email Phrase Settings] section.
You can request the administrator to adjust the number of IDs managed by ReceiveGUARD. If the number of IDs exceeds the contracted limit, you can have the contract terms adjusted accordingly. To do this, contact the administrator and ask for the selection of IDs to align with the contracted number of IDs.
You can modify the settings by marking the ‘Delivered’ checkbox for Filtering in [Settings > System Settings > Operation Management > Mail Delivery > Delivery of Filtered Mails].
The Email Security Reporting System provides users with a report that verifies the safety of received emails. In this process, the report is generated based on collected data regarding the email security status of the domain or server. Additionally, the system evaluates the risk level of all emails, regularly offering blocked email information to security administrators and users. If an email with suspected security issues is delivered, a warning message, along with the email subject, prompts the user to exercise caution.
Email security involves not only the system itself but also considerations for the roles of users and administrators. Due to instances where users lack an understanding of email security or fail to recognize security measures, vulnerabilities can arise. Therefore, email security reporting systems play a crucial role in enhancing security awareness and response for both users and administrators. Implementing detailed reports, summary reports, and similar features enables effective awareness and response to security threats.
In one case, a cybersecurity consulting firm effectively utilized email security reporting from a consulting perspective. The firm’s client was targeted in an attempted account takeover attack, but the email security reporting system detected this, allowing for preemptive action to prevent information leakage. Therefore, such cases serve as excellent examples highlighting the importance of email security reporting systems. Effectively leveraging email security reporting systems enables businesses and clients to address a variety of potential threats.