General Order of Evaluation

  1. Sender email address filtering:

    Message sender email addresses and domains go through approved sender and blocked sender list filtering. Sender email addresses are evaluated until the first match is found.

    See Sender Filter Order of Evaluation.

    Messages from allowed sender addresses bypass IP reputation-based filtering at the MTA connection level and content-based filtering at the message level for spam detection, and proceed directly to malware detection. Messages from blocked email addresses are blocked.

  2. IP reputation-based filtering at the MTA connection level:

    Message sender IP addresses go through IP reputation-based filtering. IP addresses are evaluated until the first match is found.

    See IP Reputation Order of Evaluation.

    Messages from allowed sender IP addresses bypass IP reputation-based filtering at the MTA connection level and proceed to spam detection. Messages from blocked sender IP addresses are blocked.

  3. Malware detection:

    All messages are scanned for malware, and other malicious content. Detected messages are marked. All messages proceed from malware detection to content-based policy filtering at the message level.

  4. Spam detection:

    Domain-level policy rules for spam are run. Detected phishing, spam, BEC and social engineering attack messages are marked. Detected graymail messages from sender IP addresses not in the graymail exception list are marked. All messages proceed from spam detection to malware detection.

  5. Content-based filtering at the message level:

    Note:

    Trend Micro Email Security takes action on email messages that pass Email Reputation and custom approved list filtering using the policy rules configured for content-based filters. For example, Trend Micro Email Security may quarantine an infected email message from an address in the approved sender list if you have configured content-based filtering to quarantine malware threats.

    For details, see Configuring Advanced Criteria.