WEBVTT 0:00:02.100000 --> 0:00:06.200000 In this video, let's talk about some of the ESA processing rules. 0:00:06.200000 --> 0:00:11.000000 As far as when emails are coming in or going out of the ESA, what specifically 0:00:11.000000 --> 0:00:15.000000 it's looking for and the order in which it's looking at those particular 0:00:15.000000 --> 0:00:19.020000 things. So to start with, I'm just going to do a brief overview of the 0:00:19.020000 --> 0:00:23.540000 ESA deployment, where it fits within your topology. 0:00:23.540000 --> 0:00:27.720000 And then we'll look at incoming email and outgoing email, ESA processing 0:00:27.720000 --> 0:00:33.920000 rules. So let's do a review of where the ESA fits within the scope of 0:00:33.920000 --> 0:00:39.740000 your topology. So once again, the ESA only acts on SMTP. 0:00:39.740000 --> 0:00:43.500000 It does not understand POP3 or IMAP messages. 0:00:43.500000 --> 0:00:50.180000 As such, the three components of email are the mail submission agent, 0:00:50.180000 --> 0:00:53.940000 which is where when you're sending outgoing email, that's the very first 0:00:53.940000 --> 0:00:58.380000 email server within your corporation that the email from your laptop is 0:00:58.380000 --> 0:01:02.020000 going to. It's going from your laptop directly to the mail submission 0:01:02.020000 --> 0:01:07.400000 agent. The mail submission agent then hands that email off to the mail 0:01:07.400000 --> 0:01:11.700000 transfer agent. That's the devices in charge of pushing that email out 0:01:11.700000 --> 0:01:15.060000 of your organization out into the internet. 0:01:15.060000 --> 0:01:20.160000 That email will then go via SMTP to the next mail transfer agent, which 0:01:20.160000 --> 0:01:25.740000 is the destination, the mail transfer agent at the destination company. 0:01:25.740000 --> 0:01:30.480000 There it will go to the mail delivery agent and it will wait there. 
0:01:30.480000 --> 0:01:34.580000 And the mail delivery agent is where the email sits in storage until the 0:01:34.580000 --> 0:01:39.660000 remote user brings up their email application and using IMAP or POP, requests 0:01:39.660000 --> 0:01:42.020000 their email and asks to download it. 0:01:42.020000 --> 0:01:47.740000 So as we can see here, because the ESA is designed to only speak SMTP, 0:01:47.740000 --> 0:01:52.900000 which is a TCP port 25 protocol, it takes the place of your mail transfer 0:01:52.900000 --> 0:01:56.200000 agent. So whatever you're using currently as a mail transfer agent, which 0:01:56.200000 --> 0:01:59.780000 is probably some sort of Windows or Linux server, you would strip that 0:01:59.780000 --> 0:02:04.860000 out and replace it with the Cisco Email Security Appliance. 0:02:04.860000 --> 0:02:10.140000 Okay, so now let's talk about as an email is coming in. 0:02:10.140000 --> 0:02:15.760000 So let's say that an email is coming in this way. 0:02:15.760000 --> 0:02:20.060000 And now our Cisco ESA, now we're going to assume that there's some sort 0:02:20.060000 --> 0:02:21.940000 of a firewall right here. 0:02:21.940000 --> 0:02:26.420000 And the firewall has just received the email on the outside interface, 0:02:26.420000 --> 0:02:30.780000 which is a very insecure interface leading to the email, leading to the 0:02:30.780000 --> 0:02:34.740000 internet. And the firewall has been configured that, hey, when you receive 0:02:34.740000 --> 0:02:40.080000 incoming SMTP on that very insecure interface, your outside interface, 0:02:40.080000 --> 0:02:44.500000 you should forward that to the Cisco ESA. 0:02:44.500000 --> 0:02:47.420000 Now that the ESA gets it, what's it going to do? 0:02:47.420000 --> 0:02:49.960000 What's the order of processing that it's going to do? 0:02:49.960000 --> 0:02:53.540000 And that's what I'd like to talk about next. 
0:02:53.540000 --> 0:03:03.000000 So this is a mnemonic that I came up with when I was studying for my 0:03:03.000000 --> 0:03:07.080000 Cisco CCNA Security exam, and I had to memorize this chain of events as 0:03:07.080000 --> 0:03:09.660000 pipeline here, I came up with this. 0:03:09.660000 --> 0:03:14.180000 Reliable messages are always considered optimal. 0:03:14.180000 --> 0:03:21.240000 And where does that come from? 0:03:21.240000 --> 0:03:23.560000 So let's go through each one of these. 0:03:23.560000 --> 0:03:29.280000 So step number one, when the ESA receives the incoming SMTP, this is for 0:03:29.280000 --> 0:03:34.740000 incoming mail, first thing is reputation filters are invoked, which means 0:03:34.740000 --> 0:03:40.500000 that it looks at the source IP address of the last mail exchange server 0:03:40.500000 --> 0:03:44.320000 that sent this email to you, to the ESA. 0:03:44.320000 --> 0:03:49.920000 The ESA says, where did this email come from? 0:03:49.920000 --> 0:03:56.300000 Is that sender a known source of bad stuff, of malware, of viruses? 0:03:56.300000 --> 0:03:58.920000 So the reputation filter gets invoked first. 0:03:58.920000 --> 0:04:05.020000 Assuming that that's passed and that the sender has no known problems, 0:04:05.020000 --> 0:04:08.740000 then we go to message filters. 0:04:08.740000 --> 0:04:11.780000 Now message filters are optional. 0:04:11.780000 --> 0:04:17.680000 A message filter would be a very complex filter that you would implement 0:04:17.680000 --> 0:04:22.720000 if you're looking for very specific things in the email header. 0:04:22.720000 --> 0:04:27.040000 If you've actually looked at an email header, there's a lot of stuff in 0:04:27.040000 --> 0:04:30.400000 there that we as normal users never even pay attention to, but that's 0:04:30.400000 --> 0:04:32.380000 seen in the background. 
0:04:32.380000 --> 0:04:36.280000 Well you can create filters looking for those various things in the email 0:04:36.280000 --> 0:04:40.720000 header, or specific things in the email body, or specific things in the 0:04:40.720000 --> 0:04:42.120000 email attachment. 0:04:42.120000 --> 0:04:46.820000 So using regular expressions and all sorts of complex coding techniques, 0:04:46.820000 --> 0:04:50.780000 you can create very specific filters saying, I'm looking for this. 0:04:50.780000 --> 0:04:54.660000 And if I see that, quarantine the email, or delete the email, or forward 0:04:54.660000 --> 0:04:56.780000 it on, but keep a copy. 0:04:56.780000 --> 0:05:00.060000 So message filters are not in there by default, but you can turn them 0:05:00.060000 --> 0:05:03.860000 on. They're very complicated to configure, and that's probably why it 0:05:03.860000 --> 0:05:07.080000 figures, hey, if someone's going to go through the effort of configuring 0:05:07.080000 --> 0:05:12.820000 a message filter, we want that to be very soon in the email pipeline that's 0:05:12.820000 --> 0:05:17.700000 looked at. Now let's assume for a moment that either you don't have any 0:05:17.700000 --> 0:05:22.560000 message filters configured, or you did, and the email passed through them, 0:05:22.560000 --> 0:05:28.760000 it met your criteria, then we do anti-spam checking. 0:05:28.760000 --> 0:05:32.660000 So here with anti-spam, we're using contextual information to determine 0:05:32.660000 --> 0:05:35.180000 the email sender's reputation. 0:05:35.180000 --> 0:05:38.500000 We take a look at the content of the email, we take a look even at the 0:05:38.500000 --> 0:05:43.520000 structure of the email to determine if it contains spam or not. 0:05:43.520000 --> 0:05:48.580000 Okay, let's say that that's okay, that it passes the anti-spam filter. 
0:05:48.580000 --> 0:05:50.900000 Then we're going to go in, we're going to take a look to see if there's 0:05:50.900000 --> 0:05:52.560000 any viruses or malware. 0:05:52.560000 --> 0:05:57.100000 We're going to have anti-virus and anti-malware utilizing Sophos or McAfee 0:05:57.100000 --> 0:06:01.140000 anti-virus to check that out to see if that's okay. 0:06:01.140000 --> 0:06:03.620000 Now let's assume that's okay. 0:06:03.620000 --> 0:06:06.120000 Then we're going to look for content filters. 0:06:06.120000 --> 0:06:10.460000 Now like message filters, content filters are something you have to turn 0:06:10.460000 --> 0:06:13.460000 on manually, you have to configure. 0:06:13.460000 --> 0:06:18.420000 An example of a content filter is when you purchase an ESA, it has several 0:06:18.420000 --> 0:06:20.340000 dictionaries inside of it. 0:06:20.340000 --> 0:06:21.800000 You say dictionary, what does that mean? 0:06:21.800000 --> 0:06:27.000000 Well, for example, let's say that as email's coming into my organization, 0:06:27.000000 --> 0:06:32.360000 I want to filter out any email that in the body of it has profanity, vulgarity, 0:06:32.360000 --> 0:06:35.500000 just language that we don't need to receive, we don't need to see that 0:06:35.500000 --> 0:06:36.960000 here in this organization. 
0:06:36.960000 --> 0:06:43.400000 Well, in the ESA there's a profanity dictionary, I could import that into 0:06:43.400000 --> 0:06:47.420000 this particular thing here, and then I could select from within that dictionary, 0:06:47.420000 --> 0:06:50.960000 I could say, hey, all terms within this dictionary, and look for all those 0:06:50.960000 --> 0:06:55.640000 terms in the content or body of the email, or maybe select terms, maybe 0:06:55.640000 --> 0:06:59.440000 I say, oh, you know, heck and gosh and darn, that's okay, but some of 0:06:59.440000 --> 0:07:03.760000 these other words here, I don't want to see that, so pull those words 0:07:03.760000 --> 0:07:09.300000 out of the profanity dictionary and scan any incoming emails for that. 0:07:09.300000 --> 0:07:13.640000 So content filters rely on these sort of broad dictionaries of where you're 0:07:13.640000 --> 0:07:20.620000 looking for certain words, certain phrases, it also can scan the attachments 0:07:20.620000 --> 0:07:23.480000 to see if there's stuff in the attachments that shouldn't be there. 0:07:23.480000 --> 0:07:28.320000 So this is kind of your last line of defense here to check the email. 0:07:28.320000 --> 0:07:33.660000 And then lastly, if that passes, either you don't have any content filters 0:07:33.660000 --> 0:07:38.980000 or it did pass the content filter, then the last thing would be an outbreak 0:07:38.980000 --> 0:07:41.460000 filter right here. 
0:07:41.460000 --> 0:07:47.460000 And this is really checking to see, okay, you know, there's a lot of viruses 0:07:47.460000 --> 0:07:52.580000 are being created every day, and maybe these organizations that are creating 0:07:52.580000 --> 0:07:57.560000 virus signatures that say, oh, if a file has this characteristic, if it 0:07:57.560000 --> 0:08:01.380000 has this byte sequence in it, if it's got this certain amount of lines, 0:08:01.380000 --> 0:08:05.040000 and that is the, you know, black worm virus, or the Trojan horse virus 0:08:05.040000 --> 0:08:08.480000 or whatever, it's a well-known virus, we can see it. 0:08:08.480000 --> 0:08:11.240000 But there's a lot of viruses that are coming out that don't have formal 0:08:11.240000 --> 0:08:16.820000 names yet, that don't have formal numbers, and yet what they do, the effect 0:08:16.820000 --> 0:08:21.260000 they have on a system is very similar to existing viruses. 0:08:21.260000 --> 0:08:24.560000 So an outbreak filter would be like, okay, let's take a look at the body 0:08:24.560000 --> 0:08:28.440000 of the email, let's take a look at any attachments, and see if we can 0:08:28.440000 --> 0:08:31.760000 see some of the same types of things. 0:08:31.760000 --> 0:08:35.600000 Do we see some of the same sort of general code in there, or the same 0:08:35.600000 --> 0:08:40.440000 general form as what we would see in a known virus or malware? 0:08:40.440000 --> 0:08:44.140000 So an outbreak filter is looking for that, remember, if it was a known 0:08:44.140000 --> 0:08:48.780000 virus, known malware, it would have been caught in the anti-virus section 0:08:48.780000 --> 0:08:51.220000 two stages in advance. 0:08:51.220000 --> 0:08:54.480000 So this is the last stage that says, okay, it didn't match anything that 0:08:54.480000 --> 0:09:00.000000 was known, but does it have characteristics of known viruses? 
0:09:00.000000 --> 0:09:04.260000 If so, it would match an outbreak filter, and we would quarantine it so 0:09:04.260000 --> 0:09:07.140000 we could look at it later on. 0:09:07.140000 --> 0:09:11.720000 If all that stuff passes, then the email can be delivered to the end recipient, 0:09:11.720000 --> 0:09:16.180000 as a clean email, as something that's safe. 0:09:16.180000 --> 0:09:19.520000 Now that's for emails that are coming in. 0:09:19.520000 --> 0:09:21.860000 What about emails that are going out? 0:09:21.860000 --> 0:09:24.020000 Well, we'll take a look at that here in just a second, but let's just 0:09:24.020000 --> 0:09:28.860000 do a quick review here of the process of emails both from an outbound 0:09:28.860000 --> 0:09:35.180000 and an inbound direction, and where the ESA would fit into all of this. 0:09:35.180000 --> 0:09:40.460000 So in this particular scenario right here, we start out with step number 0:09:40.460000 --> 0:09:46.460000 one, which is the client creates some sort of an email, and they send 0:09:46.460000 --> 0:09:49.580000 their email to their own internal email server. 0:09:49.580000 --> 0:09:57.020000 This is probably like a Windows server, maybe a Linux server, something 0:09:57.020000 --> 0:10:06.320000 like that. Now, normally that email server would then send the email out. 0:10:06.320000 --> 0:10:09.620000 So in this case, the email server has to be pre-configured that, hey, 0:10:09.620000 --> 0:10:16.100000 after I get it, I have to forward that email on to the mail transfer agent, 0:10:16.100000 --> 0:10:19.700000 which in this case, the mail transfer agent is not another server, it 0:10:19.700000 --> 0:10:26.340000 is your ESA. So the email server has to be configured to forward it on 0:10:26.340000 --> 0:10:33.820000 to the ESA. And usually the way this is configured is that the email server 0:10:33.820000 --> 0:10:38.140000 will only forward on non-local emails. 0:10:38.140000 --> 0:10:41.240000 What do I mean? 
That means that if there's another employee sitting right 0:10:41.240000 --> 0:10:46.980000 here, and Bob is trying to send an email to Sam, and they're both in the 0:10:46.980000 --> 0:10:51.500000 same company, we normally would not have that go through the ESA. 0:10:51.500000 --> 0:10:55.300000 The ESA would only be for stuff that's leaving our organization going to 0:10:55.300000 --> 0:10:57.100000 the outside world. 0:10:57.100000 --> 0:11:00.320000 So the email server has to be configured for that. 0:11:00.320000 --> 0:11:04.220000 All outgoing emails to the outside world should go to the ESA first. 0:11:04.220000 --> 0:11:10.340000 Now once the ESA gets it, then it inspects the outbound email, and it's 0:11:10.340000 --> 0:11:12.180000 got a pipeline of things that it looks at. 0:11:12.180000 --> 0:11:14.240000 Now, we haven't seen that yet, that's going to be coming up here in just 0:11:14.240000 --> 0:11:17.240000 a minute. But just like we had a pipeline of the stages we go through 0:11:17.240000 --> 0:11:21.100000 for inbound emails, we have a pipeline of stuff that's when we send outbound 0:11:21.100000 --> 0:11:25.480000 emails. Assuming that it goes through that pipeline and the email is okay, 0:11:25.480000 --> 0:11:28.580000 you know, there's not any confidential email, confidential information 0:11:28.580000 --> 0:11:32.260000 that's going out, there's no accidental viruses in this email that are 0:11:32.260000 --> 0:11:37.100000 going out, then the ESA performs step number four, which is a query as 0:11:37.100000 --> 0:11:43.300000 a DNS server. It says, hey, this email is going to Jackie at, you know, 0:11:43.300000 --> 0:11:47.720000 dogs.com. Can you give me the IP address of the Mail Exchange Server for 0:11:47.720000 --> 0:11:51.700000 dogs.com? And then the DNS server would respond back. 0:11:51.700000 --> 0:11:53.860000 Here you go, here's the IP address. 
0:11:53.860000 --> 0:12:00.060000 At that point, the Cisco ESA using SMTP would push that information out 0:12:00.060000 --> 0:12:04.120000 to the next Mail Exchange Server, which could be hundreds or even thousands 0:12:04.120000 --> 0:12:08.720000 of miles away, that is at the recipient's location. 0:12:08.720000 --> 0:12:12.380000 And at that point, the recipient would get their email. 0:12:12.380000 --> 0:12:17.740000 Now, what about incoming email? 0:12:17.740000 --> 0:12:21.760000 Where does it fit in the scope of that? 0:12:21.760000 --> 0:12:24.600000 And that's what we see right here. 0:12:24.600000 --> 0:12:34.440000 So in this particular case, the sender at xy at company x.com is going 0:12:34.440000 --> 0:12:40.100000 to do a DNS, so they're going to send an email to their mail server. 0:12:40.100000 --> 0:12:42.260000 All right, this is, let's just say, is Linux. 0:12:42.260000 --> 0:12:46.040000 This is their mail server right here. 0:12:46.040000 --> 0:12:54.700000 Their mail server will then do a DNS lookup for, let's see here. 0:12:54.700000 --> 0:12:59.800000 Oh, this person wants to send an email to company x. 0:12:59.800000 --> 0:13:02.020000 All right, so down here, this is company x. 0:13:02.020000 --> 0:13:07.220000 Down here. And maybe this is dogs.com. 0:13:07.220000 --> 0:13:08.740000 Just as an example. 0:13:08.740000 --> 0:13:11.680000 If you work for dogs.com, when you're watching this video, please don't 0:13:11.680000 --> 0:13:15.400000 sue me. Okay, so this person here, dogs.com sends an email to company 0:13:15.400000 --> 0:13:19.820000 x. We have to do a DNS resolution lookup to figure out what the IP address 0:13:19.820000 --> 0:13:24.300000 is of the mail exchange server for company x. 0:13:24.300000 --> 0:13:29.800000 Now, in this case, that mail exchange server will be the IP address of 0:13:29.800000 --> 0:13:34.560000 this ESA. Let's say it's just 1.2.3.4. 
0:13:34.560000 --> 0:13:41.000000 Okay, so this means that if you own this ESA, if this is yours, then one 0:13:41.000000 --> 0:13:43.500000 of the things you have to do is you have to make sure that all the internet 0:13:43.500000 --> 0:13:49.940000 DNS servers, when they do an MX lookup to find out what the IP address 0:13:49.940000 --> 0:13:53.260000 is of your mail exchange server, that all the DNS servers are pointing 0:13:53.260000 --> 0:13:57.600000 to this. They all have to know that, hey, they're going to be forwarding 0:13:57.600000 --> 0:13:58.780000 their emails to this. 0:13:58.780000 --> 0:14:03.280000 We don't want your ESA to be circumvented and all the DNS servers out 0:14:03.280000 --> 0:14:05.580000 there to give the IP address of this guy down here. 0:14:05.580000 --> 0:14:06.940000 We don't want that. 0:14:06.940000 --> 0:14:09.400000 Otherwise, it would go past the ESA. 0:14:09.400000 --> 0:14:17.860000 All right, so the mail exchange server comes back and says, oh, company 0:14:17.860000 --> 0:14:25.400000 x is ABCD, which is like this says right here, that is your ESA's address. 0:14:25.400000 --> 0:14:30.540000 So the email sent via SMTP passes through the firewall, which like we 0:14:30.540000 --> 0:14:37.600000 talked about in a previous video, so that as email is received on the 0:14:37.600000 --> 0:14:43.320000 outside interface, as SMTP comes in, the firewall's going to have a rule 0:14:43.320000 --> 0:14:48.020000 saying, okay, SMTP from the outside interface is allowed to go pass through 0:14:48.020000 --> 0:14:52.320000 my DMZ interface to get to the ESA. 0:14:52.320000 --> 0:14:56.560000 And notice this is what we call a single arm or a single interface deployment, 0:14:56.560000 --> 0:15:00.440000 because on the ESA, we only have one physical interface that's connected 0:15:00.440000 --> 0:15:05.360000 to anything. 
So SMTP is coming in the outside interface of the firewall 0:15:05.360000 --> 0:15:08.400000 being passed through to the DMZ interface. 0:15:08.400000 --> 0:15:12.260000 And now the ESA has a chance to inspect it, and we'll look at those inspection 0:15:12.260000 --> 0:15:14.460000 rules on the very next slide. 0:15:14.460000 --> 0:15:22.800000 Assuming the inspection is okay, then the ESA will invoke SMTP again and 0:15:22.800000 --> 0:15:28.660000 forward that email to your corporate email server. 0:15:28.660000 --> 0:15:32.180000 And once again, this is now SMTP. 0:15:32.180000 --> 0:15:36.960000 In this case, as far as the firewall is concerned, this is SMTP that's 0:15:36.960000 --> 0:15:44.100000 being received on the DMZ interface and needs to leave on an inside interface. 0:15:44.100000 --> 0:15:47.660000 That is a rule that has to be configured in the DMZ in the firewall to 0:15:47.660000 --> 0:15:53.260000 allow that. So far we've seen as far as the firewall is concerned, you're 0:15:53.260000 --> 0:15:54.980000 going to need two rules on here. 0:15:54.980000 --> 0:15:56.880000 You're actually going to need a third rule. 0:15:56.880000 --> 0:16:02.100000 You need a third rule because remember, this ESA right here is relying, 0:16:02.100000 --> 0:16:03.700000 here's the cloud. 0:16:03.700000 --> 0:16:12.060000 Somewhere attached to this cloud is Cisco Talos, which is constantly maintaining 0:16:12.060000 --> 0:16:17.560000 and updating this database of known bad mail servers, known bad viruses 0:16:17.560000 --> 0:16:22.440000 and malware, updating signatures and dictionaries, and every three to 0:16:22.440000 --> 0:16:30.560000 five minutes, they're going to be using a combination of HTTP and HTTPS 0:16:30.560000 --> 0:16:35.380000 to download that stuff to your ESA. 0:16:35.380000 --> 0:16:40.380000 So that is a third filter or a third rule that would have to be configured 0:16:40.380000 --> 0:16:41.840000 on the firewall. 
0:16:41.840000 --> 0:16:47.440000 The firewall has to be pre-configured to allow HTTP and HTTPS traffic 0:16:47.440000 --> 0:16:53.160000 to be received from the outside interface and go through the DMZ so that 0:16:53.160000 --> 0:16:58.920000 your ESA can be constantly updated with the latest and greatest information. 0:16:58.920000 --> 0:17:01.860000 And the last thing I want to talk about is just like we just saw the rules 0:17:01.860000 --> 0:17:06.920000 for processing inbound email, what about the rules for processing outbound 0:17:06.920000 --> 0:17:08.840000 email that's leaving your company? 0:17:08.840000 --> 0:17:14.180000 Well, let's take a look at that. 0:17:14.180000 --> 0:17:20.540000 So here we see a lot of the same boxes that we saw on inbound emails. 0:17:20.540000 --> 0:17:30.100000 So here we have, for example, an employee, hopefully they are a trusted 0:17:30.100000 --> 0:17:34.260000 employee, and they are trying to send an outbound email to somebody out 0:17:34.260000 --> 0:17:36.340000 there in the world somewhere. 0:17:36.340000 --> 0:17:38.120000 Now here's the thing. 0:17:38.120000 --> 0:17:43.620000 When an email was coming in to our company, it's very natural as we didn't 0:17:43.620000 --> 0:17:47.980000 trust that. We wanted it to go through all those different boxes. 0:17:47.980000 --> 0:17:49.920000 Remember that mnemonic that I talked about? 0:17:49.920000 --> 0:17:53.900000 We wanted to go through all that stuff before the email was deemed safe. 0:17:53.900000 --> 0:17:58.720000 Now, if an email is leaving our company by default, the assumption is 0:17:58.720000 --> 0:18:01.580000 that some of this stuff we don't have to do. 0:18:01.580000 --> 0:18:04.040000 And let's take a look at what that is. 
0:18:04.040000 --> 0:18:09.800000 Because the email is leaving from a known trusted source within our company, 0:18:09.800000 --> 0:18:17.940000 by default, anti-spam, content filters and outbreak filters are not activated. 
0:18:17.940000 --> 0:18:19.720000 So I'm just going to gray those out. 0:18:19.720000 --> 0:18:21.740000 Here they go. Let's just go back again. 0:18:21.740000 --> 0:18:27.060000 Anti-spam, content filters and outbreak filters are not looked at for outbound 0:18:27.060000 --> 0:18:32.180000 emails. Because it's assumed the source of the email is already trusted. 0:18:32.180000 --> 0:18:35.000000 So all we're looking at are message filters. 0:18:35.000000 --> 0:18:39.680000 Remember that is stuff that you have to configure manually, very complex, 0:18:39.680000 --> 0:18:41.660000 anti-virus filters. 0:18:41.660000 --> 0:18:45.440000 Because after all, someone could accidentally be propagating a virus that 0:18:45.440000 --> 0:18:48.360000 they don't know about as like an attachment or something. 0:18:48.360000 --> 0:18:50.980000 And then the data loss prevention engine. 0:18:50.980000 --> 0:18:53.900000 Just want to make sure that people aren't accidentally putting in, you 0:18:53.900000 --> 0:18:55.060000 know, their social security numbers. 0:18:55.060000 --> 0:19:00.320000 They're not attaching company confidential documents to their emails. 0:19:00.320000 --> 0:19:01.880000 We want to pass through that. 0:19:01.880000 --> 0:19:05.840000 So the default behavior of the outgoing ESA pipeline is just these three 0:19:05.840000 --> 0:19:07.340000 items right here. 0:19:07.340000 --> 0:19:11.120000 Now certainly with configuration, you could turn on anti-spam, content 0:19:11.120000 --> 0:19:15.820000 filters and outbreak filters, but those are not on by default for outbound 0:19:15.820000 --> 0:19:20.920000 emails. So that concludes this video. 0:19:20.920000 --> 0:19:22.300000 I hope you found it to be helpful.