# Security Alerts
The Security Alerts page consolidates four proactive security systems: IOC Monitor, Outbound Guard, Retroscan, and System Alerts. The URL supports `?tab=<name>` for direct deep-links from the dashboard.
## IOC Monitor (False-Negative Feedback Loop)
The IOC Monitor manages a feedback loop for mails that were reported as spam but passed through the filter (false negatives).
### How It Works
- End users report a mail as spam (via the quarantine portal or an email header link)
- nmg extracts URLs and sender domains from the reported mail
- Extracted indicators are stored as IOCs (Indicators of Compromise)
- All future mails containing an active IOC (same URL, same sender domain) receive a score boost
### IOC Table
| Column | Description |
|---|---|
| Type | `url_host` or `sender_domain` |
| Value | The IOC value (hostname or domain) |
| Hits | Number of mails containing this IOC |
| Active | Enable/disable the IOC |
| First Seen | Timestamp of first report |
| Last Seen | Timestamp of last detection |
| Source | Reported message that generated the IOC |
### Metrics
Aggregated statistics are shown at the top of the page:

- Total number of reported mails
- Reports in the last 30 days
- Active URL IOCs
- Active sender IOCs
### Reported Messages
The Reported Messages tab shows all spam reports with metadata (sender, subject, score at scan time, number of IOCs extracted).
## Outbound Guard
The Outbound Guard detects compromised SMTP accounts based on unusual sending spikes.
### Detection Logic
nmg monitors sending volume per sender account (SMTP auth user) in rolling time windows. If an account suddenly exceeds its normal sending rhythm by a multiple, an alert is triggered.
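As an added illustration of the windowed burst check described above (example code, not nmg's own implementation): the window length, burst factor and minimum mail count are assumed values, and the sender events are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed window length
MULTIPLE = 5                    # assumed burst factor over the account's baseline
MIN_MAILS = 20                  # assumed floor so a quiet account's first mails do not alert

def detect_bursts(events, window=WINDOW, multiple=MULTIPLE, min_mails=MIN_MAILS):
    """events: iterable of (timestamp, smtp_auth_user, recipient).
    Returns alert dicts with the Outbound Guard alert table fields (node omitted)."""
    per_sender = defaultdict(list)
    for ts, user, rcpt in sorted(events):
        per_sender[user].append((ts, rcpt))
    alerts = []
    for user, sent in per_sender.items():
        start = sent[0][0]            # windows are aligned to the account's first mail
        buckets = defaultdict(list)
        for ts, rcpt in sent:
            buckets[int((ts - start) / window)].append(rcpt)
        history = []                  # mail counts of earlier quiet windows = "normal rhythm"
        for idx in range(max(buckets) + 1):
            rcpts = buckets.get(idx, [])
            count = len(rcpts)
            baseline = sum(history) / len(history) if history else 0
            if count >= min_mails and count > multiple * max(baseline, 1):
                alerts.append({
                    "sender": user,
                    "window": (start + idx * window, start + (idx + 1) * window),
                    "mail_count": count,
                    "recipient_count": len(set(rcpts)),
                    "sample_recipients": rcpts[:3],   # first recipients of the burst
                })
            else:
                history.append(count)  # bursts do not raise the baseline
    return alerts

def constructed_events():
    """Constructed sample: alice sends 2 mails per window for an hour, then 30 mails to
    30 distinct recipients inside one window; bob sends one mail per window throughout."""
    base = datetime(2024, 5, 1, 8, 0)
    events = []
    for w in range(6):
        for i in range(2):
            events.append((base + timedelta(minutes=10 * w + 3 * i), "alice@example.com", f"rcpt{i}@partner.example"))
    for i in range(30):
        events.append((base + timedelta(minutes=60, seconds=10 * i), "alice@example.com", f"victim{i}@random{i}.example"))
    for w in range(7):
        events.append((base + timedelta(minutes=10 * w), "bob@example.com", "team@example.com"))
    return events
```

Running `detect_bursts(constructed_events())` yields one alert for alice's 09:00-09:10 window (30 mails, 30 recipients) and none for bob, whose steady one-per-window volume never reaches the floor.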
### Alert Table
| Column | Description |
|---|---|
| Sender | SMTP auth user (sender address) |
| Window | Start and end of the detection window |
| Mail Count | Messages sent in this window |
| Recipient Count | Number of distinct recipients |
| Sample Recipients | First recipients of the burst |
| Node | Detecting cluster node |
### Recommended Response
On an outbound alert:

1. Immediately disable the SMTP account
2. Reset the password
3. Check sent mails via mail logs for spam content
4. If necessary, check external blacklist entries and request delisting
## Retroscan (Post-Delivery IOC Monitoring)
Retroscan checks already-delivered mails retroactively against phishing feeds — useful when a URL was clean at delivery time and was only classified as phishing later.
### Process
- The nmg-scheduler runs nightly (configurable)
- All mails delivered in the last N days are re-scanned
- URLs are checked against the current phishing feeds
- Hits appear in the Retroscan Hits table
### Retroscan Hits Table
| Column | Description |
|---|---|
| Domain | Phishing domain in the original mail |
| Feed | Phishing feed that now lists the domain |
| Sender | Original sender of the mail |
| Subject | Original subject |
| Scanned At | Timestamp of the retroscan run |
### Retroscan Exclusions
Domains that should always be ignored by the retroscan (e.g. large CDN providers) can be managed under the Retroscan Exclusions tab.
- Suffix matching: an entry of `cloudinary.com` automatically excludes all subdomains (`img.cloudinary.com`, `res.cloudinary.com`, …) — no wildcard pattern is needed.
- Entries can be removed at any time, after which the retroscan will check the domain again.
### Recommended Response
On a retroscan hit:

1. Identify the original mail (via mail trace)
2. Notify the recipient not to open the link
3. Create an IOC entry for the domain (via IOC Monitor → add manually)
## System Alerts
The System Alerts tab shows cluster-aggregated warnings from the operating system and nmg components.
### Alert Categories
| Category | Trigger |
|---|---|
| Disk | Disk utilisation above threshold |
| Certificate | TLS certificate expiring in less than 30 days |
| Queue | Postfix queue depth above threshold |
| Cluster | Node unreachable or version divergence |
| ClamAV | Signature update failed or outdated |
| Retroscan | Retroscan job failed |
| Outbound | Outbound spam burst detected |
### Alert Table
Each alert shows: category, affected node, description, timestamp, and expandable detail information.
### Acknowledging Alerts
Alerts can be acknowledged via the Acknowledge button (soft-delete). Acknowledged alerts disappear from the view but are kept internally for 24 hours as a cooldown — within this period no new alert of the same category and node is created, preventing alert flooding.