Proofpoint Mail Sanitation

What does it mean when I see "[Unscanned Attachment]" in my email subject?

Penn has contracted with Proofpoint to provide our email sanitation. The Proofpoint service provides spam detection, virus protection, and URL safety validation. As part of this protection, it also uses sandboxing to examine email attachments. As part of this sandboxing, the attachments are examined using a virtual machine for known malicious behavior. This examination can be time-consuming, depending on the size of the attachment.

Proofpoint uses a cloud-based approach for the sandboxing, which may, due to email volume, cause the process to time out. Generally and under normal circumstances, we see less than 0.01% of all emails with scanned attachments time out.

If the examination of the attachment(s) takes longer than 5 minutes, the service will abandon the analysis and pass the email on, but will annotate the subject line of the email with "[Unscanned Attachment]".

What should I do when I receive an email annotated with "[Unscanned Attachment]"?

When receiving an email annotated with "[Unscanned Attachment]", you should be extra vigilant prior to opening or using the attachment. It does not necessarily mean that the attachment is malicious. Emails from an unknown source should be treated with even more caution.

Why would I receive an email marked "[Unscanned Attachment]" that does not have an attachment?

Due to the way O365 handles email and the particulars of PennO365 email routing, emails that are formatted as Rich Text will have a hidden attachment of winmail.dat, which will be scanned by Proofpoint. If the scan times out, as mentioned above, the email will be marked with "[Unscanned Attachement]" even though no attachment is visible. We recommend that all clients use HTML as the preferred format for sending email.

ISC's Penn Email Routing (PER) service uses a third-party vendor, Proofpoint, to provide email routing and security for email service providers at Penn, such as PennO365, Google Apps, etc. Proofpoint's URL Defense service effectively detects, catches, and analyzes malicious URLs in email messages.

What is Proofpoint URL Defense?

Proofpoint URL Defense is a technology that protects you and Penn network resources by blocking access to malicious websites. URL (Uniform Resource Locator) is another name for a web address link.

How does Proofpoint URL Defense work?

As email enters Penn Email Routing service, Proofpoint’s automated systems review messages for malicious characteristics or content. During this review, URLs in the message are rewritten to cause URL defense to evaluate the link.

What happens when I click on a protected link?

If the link is safe, you are immediately and seamlessly directed to the intended website. If the link is malicious, you will see a notification in your web browser.

Will all URLs in a message be protected?

URLs located in attachments are not rewritten. Please refer to Proofpoint’s’ Rewriting Scenarios table for more information.

What if I believe a link is being blocked incorrectly?

If you believe an email link has been miscategorized, please email security@upenn.edu. The Office of Information Security (OIS) analysts will review the link and submit false positives to Proofpoint for reevaluation.

How do I know a URL has been rewritten?

Hover over the URL in the message. If it has been reswritten, the URL will reference URL Defense.

Will URL Defense delay my email?

No. Protected URLs are checked in real-time to ensure that the latest status determines it to be safe.

How will URL Defense affect mass email marketing campaigns?

Mass email marketing services such as Emma and MailChimp may need to have report metrics adjusted to report on “unique clicks” instead of “total clicks” (or the equivalent.)