Trustwave SEG 8.2 Release Notes

(Previously known as MailMarshal SEG)

Last Revision: February 11, 2019

These notes are additional to the SEG User Guide and supersede information supplied in that Guide.

The information in this document is current as of the date of publication. To check for any later information, please see Trustwave Knowledge Base article Q21042.

Table of Contents

New Features
System Requirements
Upgrade Instructions
Release History

New Features

For more information about additional minor features and bug fixes, see the release history.

Features New in 8.2

Features New in 8.1.2

Features New in 8.1

Features New in 8.0.1

Features new in 8.0

Features new in 7.5.6

Features new in 7.5.5

Features new in 7.5

Features new in 7.3.6

Features new in 7.3.5

Features new in 7.3

System Requirements

The following system requirements are the minimum levels required for a typical installation of the Trustwave SEG Array Manager and selected database.

Table 1: System Requirements
Category: Requirements
Processor: Core i5 or similar performance
Disk Space: 20GB (NTFS), and additional space to support email archiving
Memory: 4GB (3GB available to SEG plus 1GB for operating system). Allow an additional 2GB if SQL Express is installed locally.
Supported Operating System:
  • Windows Server 2008 R2 (SP1), Server 2012, Server 2012 R2, Server 2016 (Standard or Enterprise versions); Small Business Server 2011 (SP1)
  • Windows 7 (SP1), Windows 8, Windows 8.1, Windows 10 (Installation of server components on these workstation operating systems is not recommended)
    Note: Trustwave SEG Client components (Configurator and Console) can also be installed on Windows Vista SP2.
Network Access:
  • TCP/IP protocol
  • Domain structure
  • External DNS name resolution - DNS MX record to allow Trustwave SEG Server to receive inbound email
  • Microsoft .NET Framework 3.5 SP1
  • Database server (managed cloud service): Azure SQL Database
  • Database server: SQL Server 2017, SQL Server 2016, SQL Server 2014, SQL Server 2012, SQL Server 2008 R2 (SP3)
  • Database server (free versions): SQL 2017 Express, SQL 2016 Express, SQL 2014 Express, SQL 2012 Express, SQL 2008 R2 Express (SP3)

    (Service packs listed are the minimum required for compatibility with all supported operating systems)

Port Access:
  • Port 53 - for DNS external email server name resolution
  • Port 80 (HTTP) and Port 443 (HTTPS) - for SpamCensor updates
  • Port 1433 - for connection to SQL Server database and Reports console computers
  • Port 19001 - between Array Manager and Processing Nodes, and between Array Manager and Admin Web Console IIS server, if installed
    Note: Additional ports are required by the Nodes for email and updates.


Upgrade Instructions

Please review the SEG User Guide before upgrading.  

Trustwave SEG 8.0 supports a direct upgrade from Trustwave SEG 7.3.0 and later versions. This is a change from 7.5.X and earlier.

If your installed version does not support direct upgrade, you can upgrade in steps.

Database Prerequisites

You can access a supported SQL Express version from the Prerequisites tab of the SEG installation package. The "With SQL Express" version of the package also allows you to install SQL Express during the main SEG installation.

Upgrading a Single Server

To upgrade a single SEG server from any version supporting direct upgrade, install the new version on the existing server. You do not need to uninstall your existing version. The database will be upgraded in place, if necessary.

Upgrading an Array of Servers

After upgrading the Array Manager you can upgrade the processing servers through the Configurator, with no need to log on to the processing servers. For more information, see the Upgrading section in the User Guide.

Upgrading From Older Versions

To upgrade from a version prior to 7.3.0, first upgrade to version 7.3.0. Full details about upgrading to version 7.3.0 from older versions can be found in the documentation for the target version.

Notes on Upgrading

Read the notes for all versions newer than your installed version. This list only includes information about versions newer than 7.3.0. For earlier versions, see the release notes of each version.


SEG can be installed in a variety of scenarios. For full information on uninstalling SEG from a production environment, see the Trustwave SEG User Guide.

To uninstall a trial installation on a single computer:

  1. Close all instances of the SEG Configurator and SEG Console.
  2. Use Add/Remove Programs from the Windows Control Panel to remove Trustwave SEG.
  3. Use Add/Remove Programs from the Windows Control Panel to remove additional components you may have installed, such as Web components or the Marshal Reporting Console.
  4. If you have installed any components (such as the Configurator, Console, Web components, or Marshal Reporting Console) on other computers, uninstall them.
  5. If you have installed SQL Express specifically to support SEG and no other applications are using it, uninstall SQL Express.

Release History

The following additional items have been changed or updated in the specific build versions of Trustwave SEG (previously MailMarshal) listed.

8.2.2 (February 11, 2019)

MM-6700 Some installations affected by the issue fixed in MM-4324 required a manual update to stored procedures after every upgrade. Fixed.
MM-6763 When Syslog processing was enabled, the Array Manager could stop unexpectedly. Fixed.
MM-6771 In earlier 8.2 releases, folded Subject lines were not correctly populated by the Receiver. Fixed.
MM-6772 In earlier 8.2 releases, DKIM signing and verification did not correctly handle folded headers. Fixed.
MM-6783 In version 8.1 and above, the repacking flags for external commands were incorrectly set. Fixed.
MM-6785 Syslog processing caused the Array Manager to stop with certain system date formats. Fixed.
MM-6787 The Array Manager log now includes more details of DBLog file processing.
MM-6788 The default settings for update of the "last seen" value (user group pruning) have been adjusted to improve database performance on large sites.
MM-6789 In some cases the Engine did not deadletter a message when an exception occurred in unpacking. Fixed.
MM-6795 In version 8.1 and above, slow processing of rule profiling data at the Array Manager could cause DBLog files to be queued at the processing servers. Fixed.
MM-6799 Rule profiler usage statistics were incorrect when a rule was copied. Fixed.
MM-6802 Routing table entries containing high ASCII characters such as umlaut characters could not be edited in the Configurator. Fixed.
MM-6804 Gathering of Product Improvement Program (telemetry) data caused services to fail when the SQL server was unavailable. Fixed.
MM-6807 The SpamProfiler cartridge (executable) included in the release has been updated.

8.2.1 (December 14, 2018)

MM-6731 Messages deadlettered due to rejection by the Archiver server were incorrectly classified as "deadletter - routing". Fixed: these messages are classified as "deadletter - archiving".
MM-6736 The Receiver incorrectly skipped DKIM/DMARC evaluation for inbound messages. Fixed.

8.2.0 (December 6, 2018)

MM-1717 SpamCensor and SpamProfiler results are added to message headers for easier analysis.
MM-4324 Merging a configuration allowed duplicate classification codes. Fixed: Classifications are made unique when merging. Upgrade to 8.2 or above resolves existing duplicates.
MM-4842 IP whitelisting updates are improved to ensure that pruned addresses are not restored by an update.
MM-5007 DKIM keys can now be included in the configuration backup.
MM-5125 Message subjects written to the database by the Receiver and Sender now support wide characters.
MM-5132 For SEG Service Provider Edition installations, the Customer Name is available in Templates and Digests with the variable {CustomerName}.
MM-5554 Global TLD information consumed by all features is retrieved from a file that can be updated through the product update service. An updated file is also included in this release.
MM-5634 When a message is temporarily undeliverable, the failure reason or code is logged to the message table.
MM-5635 A new rule action provides the ability to insert text at the beginning of a message subject.
MM-5740 SpamCensor attachment evaluation now allows multiple entries in the FileType parameter.
MM-5776 The version of the ChartDirector charting software included in the installation has been updated.
MM-5895 The DMARC DNS record check from the Configurator now uses Google DNS or a DNS server set with a registry key.
MM-6251 The version of DKIM processing (LibOpenDKIM) included is updated.
MM-6277 A new rule action allows SEG to not return an NDR when onward message delivery is refused. This action is logged.
MM-6290 The Sender service could stop unexpectedly in rare cases due to routing issues. Fixed.
MM-6314 The version of DMARC processing (LibOpenDMARC) included is updated.
MM-6316 Badly formatted DMARC reports were never deleted from folders. Fixed.
MM-6339 The version of the Yara Analysis Engine included is updated.
MM-6341 For SEG Service Provider Edition installations, messages are rejected by default if the SPE Customer ID cannot be determined.
MM-6369 The Configurator now allows selection of more than one Elliptic Curve for key exchange.
MM-6399 Shutdown of the SpamProfiler service has been improved.
MM-6408 The included default database provider driver is MSOLEDBSQL (supporting TLS v1.2 secured connections).
MM-6435 The version of Libcurl included with the product is updated.
MM-6449 Image Analyzer has been updated to version 7.
MM-6450 Subfolders of the Config folder are now included in the configuration commit from Array Manager to processing servers.
MM-6501 For outbound messages, SPF, DKIM, and DMARC evaluation is now only performed if explicitly required by rules. Internal servers sending through SEG are not expected to have entries that allow DMARC validation. The previous behavior (evaluating all messages) can be set if required.
MM-6522 Message stamping uses in-memory files to improve performance.
MM-6567 The DMARC Report Import service now only runs if required by configuration settings.
MM-6572 Releasing of messages to multiple recipients by the Controller service is more efficient.
MM-6585 SQM now correctly displays Unicode characters in message subjects.
MM-6586 In earlier versions, encoding tags in the subject line (such as UTF-8) could be ignored if presented in uppercase. Fixed.
MM-6590 The Server Tool now allows explicit configuration of separate Server, Database, and Operational User for the Syslog database.
MM-6597 The DMARC Report Import service runs only when DMARC is enabled for a local domain.
MM-6601 DKIM key generation now allows selection of the key length (1024, 2048, or 4096).
MM-6602 Message stamps now allow CSS STYLE tags to be defined and merged into the styles for the stamped message.
MM-6603 DMARC policy processing now honors the optional "PCT" value.
MM-6608 For SEG Service Provider Edition installations, DMARC settings were not correctly applied for each customer. Fixed.
MM-6609 DMARC validation of incoming DMARC reports has been updated to be independent of other rules.
MM-6611 SpamProfiler holds some suspect messages briefly for rescanning to improve accuracy.
MM-6618 Enabling Syslog in the Configurator no longer checks for a Syslog database. This change allows configuration of the service when the Windows user does not have permission to connect to the database.
MM-6629 Named Expressions in TextCensor scripts could not be edited. Fixed.
MM-6632 SEG now collects anonymized summary system data for the SEG Product Improvement Program by default. For details, see Trustwave Knowledge Base article Q21064.
MM-6643 Message data submitted for SpamProfiler for evaluation is limited in size for performance reasons.
MM-6649 The timestamp of Syslog records was converted to Array Manager local time instead of UTC. Fixed.
MM-6651 When editing or creating a TextCensor script, the presence of named expressions was not correctly checked. Fixed.
MM-6660 The TextCensor DLL included with the installation has been updated.
MM-6692 DMARC tables are indexed for performance improvement.
MM-6695 The Block Malware - Outbreak Detection rules are removed. These rules depend on a sub-category in SpamProfiler that is not currently implemented.

8.1.3 (September 13, 2018)

MM-6564 In earlier 8.1 releases, certain badly formatted email addresses in the MAIL FROM or RCPT TO caused the Receiver to stop unexpectedly. Fixed.
MM-6571 After upgrade from version 8.0 to earlier 8.1 releases, the Credit Card Number, Social Security Number and PCIDSS TextCensor scripts had no "apply to" options selected. Fixed.
MM-6584 The Sender service could stop unexpectedly in rare cases due to message routing issues. Fixed.
MM-6621 The MessageId is changed when a message is released from quarantine (reverting to the behavior in all releases before 8.1.2). To control this behavior, see Trustwave Knowledge Base article Q21049.

8.1.2 (August 9, 2018)

MM-6364 Syslog record transmissions in RFC-3164 format now include the TAG: format to start the content portion of the record.
MM-6465 Syslog Rejected Messages records now populate the From variable with the Return Path address if the From address is empty.
MM-6467 The rule execution profiler result display is improved.
MM-6499 The Sender and Receiver services could fail to stop on command in some cases when a processing thread was unresponsive. Fixed.
MM-6500 Sender logging for null MX record detection is improved.
MM-6504 The MessageId is no longer changed when a message is released from quarantine. The previous behavior can be used if required.
MM-6530 In earlier 8.1 releases, configuration upgrade or import from earlier versions failed if older, unused Routing Tables were present. Fixed.
MM-6531 In earlier 8.1 releases, the Web Admin Console could not connect with Windows Authentication, due to a limitation of the REST interface. Fixed: the Web Admin Console uses the earlier port 19001 interface.
MM-6532 Web Admin Console connections to the Array Manager are reset to use port 19001 if port 19006 had been selected in an earlier 8.1 installation.
MM-6534 Syslog database connections did not work when the database user credential was a Windows username. Fixed.
MM-6535 SpamProfiler cartridge (executable) files could not be updated through automatic updates. Fixed.
MM-6536 Upgrade from release 8.0.1 to 8.1.1 (only) did not correctly upgrade the database. Fixed.
MM-6546 The SpamProfiler cartridge (executable) included in the release has been updated.
MM-6556 The engine could stop unexpectedly when attempting to extract URLs for validation. Fixed.
MM-6560 The version of Libtet (PDF unpacking) that is included in the installation has been updated.

8.1.1 (June 28, 2018)

MM-6496 Sender logging for null MX record detection is improved.
MM-6498 In release 8.1.0, the Sender and Receiver services might not stop as requested when under load. Fixed.

8.1.0 (June 27, 2018)

MM-2058 Notification email messages for expired TLS certificates are improved.
MM-2267 Category script evaluation is now performed once per message. Engine performance is improved.
MM-3433 The REST API now provides the ability to retrieve a message in the sender queue.
MM-4133 The REST API now provides the ability to locate a user in a usergroup by exact match or wildcard.
MM-4331 Rule execution profiling is improved.
MM-4396 Email processing nodes send a notification email every hour if they cannot contact the Array Manager. For configuration settings see Knowledge Base article Q20987.
MM-4476 Storage of the Routing Tables in Registry has been revised for ease of use.
MM-4839 SEG service logs now provide consistent service startup information.
MM-5131 For SEG Service Provider Edition installations, the Maximum Recipients Per Message setting was not honored by the Receiver. Fixed.
MM-5237 URL rewriting for BTM changed XMLNS tags. Fixed.
MM-5656 The SQM User Settings page did not display the Message Digests tab if digests were configured with user groups containing AD users. Fixed.
MM-5720 Visual C++ 2015 redistributables are now included in the installation.
MM-5721 When a message is released, the processing node performs additional validation to ensure appropriate recipients.
MM-5730 In version 8.0, the Basic Install option did not connect to the local SQL Express instance on the first attempt. Fixed.
MM-5806 Installing SQL Express from the Prerequisites tab of the install window now sets the same options as the install wizard (Mixed Mode and TCP enabled).
MM-5886 On the Configurator DMARC Dashboard, search selections were not properly retained. Fixed.
MM-5994 The size of string data allowed in database logging files from nodes to Array Manager has been increased.
MM-6026 The Engine service would not stop when a thread was hung, in specific cases. Fixed.
MM-6053 Messages rejected at the Receiver are logged to the database.
MM-6117 The version of Libcurl included with the product is updated.
MM-6132 The Array Manager could fail to start while retrieving the database details. Fixed.
MM-6139 URL rewriting for BTM changed the envelope subject of a message upon rewriting the subject of an attached message. Fixed.
MM-6153 The Web Console now communicates with the Array Manager using the REST interface.
MM-6154 The Sender service now checks for Null MX records and does not deliver messages to a domain with a valid Null MX entry.
MM-6160 Message rejection codes are added for some additional cases (internal to Receiver processing).
MM-6297 The Receiver waits for SpamProfiler to be ready before accepting mail. On a new installation, SpamProfiler file download and initialization can take several minutes.
MM-6322 The version of the REST SDK used has been updated.
MM-6347 The Database Provider can be changed to MSOLEDBSQL using a Registry setting. This option is provided to allow connection to SQL servers that require TLS 1.2. For configuration settings see Knowledge Base article Q21020.
MM-6370 The version of OpenSSL used by SEG has been updated.
MM-6380 The SpamProfiler cartridge installed with SEG has been updated.
MM-6383 Text logging could cause services to stop where certain values were logged. Fixed.
MM-6405 Installation uses the Microsoft Universal C++ Runtime package.
MM-6427 TextCensor scripts could show an item match limit of 0 (zero). Fixed: the limit displays correctly as "ALL". Script triggering is not affected by the change.
MM-6434 The Engine log could show repeated errors concerning URL Categorization Cache. Fixed.

8.0.7 (May 25, 2018)

MM-6365 The Receiver could stop unexpectedly when processing a malformed DMARC record. Fixed.
MM-6371 The version of Image Analyzer included in the installation has been updated to correct an issue with initialization on Windows 2016 servers.
MM-6373 DMARC message database logging could cause SQL deadlocks under heavy load. Fixed.
MM-6376 DMARC aggregate reports had an incorrect Content Type header. Fixed.
MM-6378 The version of Libtet (PDF unpacking) that is included in the installation has been updated.
MM-6379 The version of OpenSSL used by SEG has been updated.
MM-6382 .XZ compressed files are unpacked.
MM-6393 Adding message users to groups could cause delays on a busy system with large groups. Fixed.
MM-6395 The customized version of 7zip (archive unpacker) included in the installation has been updated to address known vulnerabilities. This update was also released to SEG Automatic Updates for earlier supported versions.
MM-6396 User group pruning performance has been enhanced.
MM-6452 The DKIM key text field on the DKIM window now includes a scrollbar to allow the full key to be viewed and copied.

(March 6, 2018)

MM-4120 Folder names entered in the Configurator could include invalid characters. Fixed.
MM-6209 Domain and route entries could not contain the underscore character. Fixed.
MM-6261 For SEG Service Provider Edition installations, the sender no longer attempts to deliver messages to domains that resolve to loopback entries.
MM-6296 Default values used for message unpacking limits in the controller did not match the engine settings. Fixed.
MM-6298 Certain characters in email addresses caused DMARC validation to fail. Fixed.
MM-6300 The DMARC Report Service could stop when dealing with corrupted or large DMARC reports. Fixed.
MM-6301 Loading of IPv6 addresses in IP groups during array manager startup could fail under certain circumstances. Fixed.
MM-6302 The Array Manager did not always use the "preferred server for notifications" when it was available. Fixed.
MM-6315 The sender DNS cache could incorrectly return permanent DNS failures after two consecutive temporary failures. Fixed.
MM-6317 For SEG Service Provider Edition installations, the "Send a copy of the message to host" action no longer requires TLS when TLS is required for the recipient domain.
MM-6320 For SEG Service Provider Edition installations, retrieval of queue information through REST is more efficient.
MM-6321 The REST API could consume a large amount of CPU resource. Fixed.
MM-6323 In earlier 8.0 releases, message details could not be viewed in consoles if the message had been released for all recipients. Fixed.
MM-6331 The receiver now enforces TLS cipher strength ordering (strongest preferred) by default.
MM-6333 Minor improvements and corrections are made to REST API functionality.

(December 12, 2017)

MM-5981 DKIM keys could not be replicated if the Array Manager and processing server were in unrelated domains. Fixed: It is possible to use a generic credential to connect. For details, contact Trustwave Technical Support.
MM-6166 DMARC reports were sent with a blank MAIL FROM. Fixed: reports are sent "from" the DMARC organizational address for the domain.
MM-6210 Messages could not be viewed in the Console if a custom file type was invoked, in some cases. Fixed.
MM-6211 The REST API now provides the ability to list, add, get, and edit TextCensor scripts.
MM-6235 In earlier 8.0 releases, stripping of attachments within archives did not work as expected. Fixed.
MM-6236 In earlier 8.0 releases, setting folder retention to an explicit value longer than 68 years caused unexpected deletion of all messages in the folder. Fixed.
MM-6238 Additional information about DKIM signing and verification is logged.
MM-6256 In earlier 8.0 releases, opening the Database tab of the server tool caused the tool to stop. Fixed.
MM-6258 In earlier 8.0 releases, TLS certificate expiry notifications were not sent from separate processing nodes. Fixed.

(November 7, 2017)

MM-5846 Message subjects are stored in the database as Unicode. Some interfaces, including SQM and digests, display wide characters in subjects correctly. For more information, see article Q20902.
MM-6134 In a database under heavy load, the user summarization stored procedure could time out. Fixed.
MM-6135 For SEG Service Provider Edition installations, queued messages can now be retrieved by customer ID.
MM-6136 The REST API now provides a check for availability of a remote delivery server.
MM-6152 In earlier 8.0 releases, the REST interface could fail to find a message. Fixed.
MM-6161 Configuration import failed when processing some valid combinations of nested user groups. Fixed.
MM-6163 In earlier 8.0 releases, Web Console installation did not present the option of Forms or NTLM authentication. Fixed.
MM-6164 Web Console installation did not enable Windows authentication on the virtual directory when NTLM authentication was specified. Fixed.

(September 19, 2017)

MM-5999 On upgrade from 7.X, some Registry values that store time values were not correctly updated to REG_QWORD. Fixed.
MM-6005 Message stamping has been made more efficient.
MM-6030 The Configurator now shows the date created, date modified, and user names for each rule and policy group.
MM-6031 In earlier 8.0 releases, exceptions in the Yara module could cause the SEG Engine to stop. Fixed.
MM-6045 In earlier 8.0 releases, policy group schedules were not honored. Fixed.
MM-6090 The DMARC dashboard menu for domain selection did not honor the period selected. Fixed.
MM-6118 On upgrade from 7.X, the custom file type list (filetype.cfg) was not copied to all required locations. Fixed.
MM-6120 Changing the retention period on the DMARC Reports folder caused some other properties of the folder to be unset. Fixed.
MM-6121 DMARC Dashboard views in the Console can now be filtered by DMARC alignment status.
MM-6122 The version of Libtet (PDF unpacking) that is included in the installation has been updated.

(August 11, 2017)

MM-3812 The SEG variables {ServerAddressSender} and {ServerAddressRecipient} were not correctly used when sending notification messages from templates. Fixed.
MM-5882 Receiver performance could be affected during a configuration reload. Fixed.
MM-5980 In earlier 8.0 releases, requests to upgrade nodes from the Configurator did not succeed. Fixed.
MM-5907 In earlier 8.0 releases the Hash module of Yara was not supported. Fixed. In addition, the version of the Yara Analysis Engine is updated to 1.0.4.
MM-5977 The Console RSS functionality has been improved.
MM-5979 Upgrade is blocked if CountryCensor rules or files are present.
MM-5993 Upgrading to earlier 8.0 releases could fail due to a lock on previous SpamProfiler executable files. Fixed.
MM-5995 On upgrade from 7.X, some Registry values that store time values were not correctly updated to REG_QWORD. Fixed.
MM-5996 Upgrade from 7.X did not check for a supported operating system version (Server 2008 R2 or above) before beginning to copy Registry keys. Fixed.
MM-5997 The version of Libtet (PDF unpacking) that is included in the installation has been updated.
MM-5998 On upgrade from 7.X, if the upgrade failed the manager listening port was set to 0. Fixed: the port is reverted to the previous value.
MM-6002 When a DMARC disposition was set on a message and the message was not quarantined, it was not delivered. Fixed.
MM-6004 Message stamping at the top of a HTML message did not always correctly identify the beginning of the HTML body. Fixed.
MM-6006 SpamProfiler scores and analysis are always logged to the Receiver log.
MM-6007 The TLD Difference evaluation for domain similarity matched on other local domain names. Fixed.
MM-6008 Items with a SpamProfiler score between 96 and 99 inclusive are tagged as "Spam-Suspect".
MM-6009 Console Audit logs now record opening the message detail.
MM-6010 Header matching now decodes headers (such as UTF-8 encoded headers) if required, and checks both raw and decoded text.
MM-6013 The Edit Distance evaluation for domain similarity could match on other exact local domain names. Fixed.
MM-6023 Cleanup of long paths in the unpacking directory has been improved.
MM-6024 The customized version of 7zip (archive unpacker) included with SEG has been updated.

(July 10, 2017)

MM-5902 The customized version of 7zip (archive unpacker) included with SEG has been updated with long filename support.
MM-5904 Receiver socket buffer size is now set dynamically by default to enhance performance.
MM-5906 SPF Fail records can be viewed in the DMARC dashboard.
MM-5909 Calls to message repacking commands are now fully quoted.
MM-5914 In release 8.0.0, category scripts might not be run for all attachments. Fixed.
MM-5915 SpamCensor scanning of parent message and all attached messages has been improved.
MM-5917 On upgrade from versions below 8.X, the destination folder could not be chosen in some cases. Fixed. Also, some 32-bit DLLs are deleted on upgrade as not required.
MM-5918 XML files that were not category scripts could cause upgrade from versions below 8.X to stop. Fixed.
MM-5919 SpamProfiler technology has been updated. For upgrades from versions below 7.5.8, the update URLs have changed. For more information about required URLs, see Knowledge Base article Q12992.
MM-5920 The version of Libtet (PDF unpacking) that is included in the installation has been updated.
MM-5961 On upgrade the SpamProfiler service is updated to the new technology as required.

(June 20, 2017)

MM-1678 SEG variables can be used in Engine Header Rewrite rules.
MM-3142 A domain route can be explicitly marked as "down". Messages that would be delivered through this route will be held without retry or timeout until the route is marked as "up".
MM-3323 Server Properties, General page now shows correct server and time zone information for currently supported Windows versions.
MM-3391 The Engine service better handles stopping and restarting under load (for example with virus scanner reloading).
MM-3841 The Receiver connection count could display an incorrect very high number. Fixed.
MM-3905 Regular Expression checking of attachments in Category Scripts now searches over line breaks in the content by default.
MM-4293 Invalid date formatting in templates was not correctly handled. This issue could cause services to stop. Fixed: variables with invalid date formatting are not substituted.
MM-4386 Blended Threat rewriting incorrectly affected schema names in TNEF attachments. Fixed.
MM-4590 Installers and executables include manifests, as per Microsoft certification requirements.
MM-4836 The Sender service could stop unexpectedly in rare cases related to deadlettering of multiple messages. Fixed.
MM-4890 Server Thread settings can be configured for each processing server. Engine default settings are optimized by default, based on the number of processors on the individual server. On upgrade, customized settings are not changed.
MM-5128 URL rewriting for Blended Threat analysis uses a HTTPS link to the scanner if the original link is a HTTPS link.
MM-5214 Logging of TLS certificates to disk did not save the entire chain. Fixed.
MM-5248 When a message exceeds the maximum size for SpamProfiler evaluation, the truncated message is now evaluated.
MM-5253 CRL Distribution Points could not be extracted from certificates with a single v3 extension distribution point entry. Fixed.
MM-5273 DKIM library initialization is more efficient.
MM-5406 URL rewriting for Blended Threat analysis did not correctly handle links with @ characters in the path or query string. Fixed.
MM-5408 SPF evaluation supports IPv6.
MM-5409 URL rewriting for Blended Threat analysis passed an incorrectly escaped version of the URL to the scanner. Fixed.
MM-5420 All functions that require a list of Top Level Domains now use a copy of the Mozilla TLD file, which will be updated as required. The listing is used by Blended Threat rewriting, DMARC, and SpamSURBL functions.
MM-5446 SpamCensor Types evaluation could fail to trigger as expected because scoring was not summed correctly. Fixed.
MM-5447 When a message had invalid header format (no line breaks), the Receiver dropped the connection with no message. Fixed: the connection is terminated with a SMTP 554 response.
MM-5453 On upgrade, TextCensor scripts are checked for compatibility with the new version of the TextCensor engine.
MM-5474 Memory used for CRL list retrieval in the Receiver/OpenSSL was not fully released. Fixed.
MM-5478 The version of Libtet (PDF unpacking) that is included in the installation has been updated to
MM-5516 For SEG Service Provider Edition installations, if a connection was denied due to relaying restrictions, some other criteria were still checked to no purpose. Fixed.
MM-5517 TLS certificate manager in the Controller service has more efficient threading.
MM-5523 The Receiver service could stop due to problems in OpenSSL routines. Addressed with improvements in OpenSSL.
MM-5542 SpamCensor now scans a parent message and all attached messages.
MM-5565 On installation, logging when setting the MaxUserPort value is improved.
MM-5569 Digesting could fail when the SQL server default collation was Case Sensitive, due to inconsistent capitalization in a stored procedure. Fixed.
MM-5596 Management of DKIM keys and selectors has been enhanced. DKIM keys can be created directly in the Configurator.
MM-5623 The Controller could stop when importing a signed certificate with a blank password. Fixed.
MM-5624 The Yara functionality could not be completely updated through automatic updates. Fixed.
MM-5626 The version of the Yara Analysis Engine is updated to 1.0.3 (Yara codebase 3.5.0).
MM-5627 An incorrectly formatted or corrupt certificate or private key file could cause the Receiver or Sender service to stop. Fixed.
MM-5629 The Sender only loads a client certificate if it is requested by the remote server.
MM-5633 Loading of certificates in the Sender is improved.
MM-5642 The Receiver service could stop in specific cases due to an issue in TLS negotiation. Fixed.
MM-5643 Web Components installation on Windows Server 2016 did not check prerequisites. Fixed.
MM-5652 TextCensor could add blank lines to the Engine log. Fixed.
MM-5661 The version of OpenSSL used by SEG has been updated.
MM-5670 The default setting for minimum TLS cipher strength is set to "Medium" for new installations, and also on upgrade if the setting was "Low".
MM-5672 If a message processed through SEG does not include a Message-Id header, SEG adds this header to allow better tracking of any issues with onward delivery.
MM-5675 Loading and initialization of virus scanners has been made more efficient.
MM-5685 Default SSL cipher strings have been updated to disable "Diffie Hellman Authentication" ciphers, for compatibility with Exchange 2003 defaults.
MM-5696 Automatic updates now provide the ability to set parameters for file unpacking components.
MM-5717 When scanning a message with attached child messages, SpamCensor stops scanning at the first message that triggers and returns information about that message.
MM-5728 Email between local domain addresses that is checked by SpamProfiler is now validated with the Outbound SpamProfiler configuration.
MM-5777 GeoLite2 is used to provide geographical information for DMARC reports. GeoLite2 database updates are provided as part of the Automatic Updates to the Array Manager.
MM-5782 Business Email Compromise fraud detection is enhanced with the ability to enter and match local executive user names and addresses, and to check for domain similarity.
MM-5786 Category Script evaluation can now check SEG Envelope properties. For more details see the Advanced Anti-Spam document available from the SEG Documentation page (requires customer login).
MM-5793 Re-packing of a message could be unnecessarily triggered by the Blended Threat functionality if all URLs found were exempt from re-writing. Fixed.
MM-5807 The SpamProfiler executables have been updated.
MM-5808 Changes in TLS configuration are now applied to messages in the Sender retry queue.
MM-5812 Email addresses with certain invalid domain formats could cause the Sender to stop. Fixed: the affected messages are deadlettered.
MM-5813 A REST API call is available to delete messages from all queues based on search criteria.
MM-5826 Notification messages created by rule action are now identified by message name in the service logs.
MM-5829 If a CAB file contained a single file, the extracted file was incorrectly named. Fixed.
MM-5835 Category Script evaluation can now be used to check values in the headers of a message. For more details see the Advanced Anti-Spam document available from the SEG Documentation page (requires customer login).
MM-5836 Checking of free disk space has been made more efficient to avoid possible issues with slow disk access.
MM-5844 Category Script evaluation can now check for domain similarity (to enhance fraud detection). For more details see the Advanced Anti-Spam document available from the SEG Documentation page (requires customer login).

(October 4, 2016)

MM-5521 For SEG Service Provider Edition installations, the SMTP relay denied response did not include any details of the source IP or recipient. Fixed.
MM-5524 Additional functions required for BTM rewriting have been moved to the file retrieved through automatic updates, to better support automatic updating.
MM-5541 For SEG Service Provider Edition installations, IP Relay source matching could function incorrectly where ranges entered by multiple customers and the Service Provider overlapped. Fixed.
MM-5548 For SEG Service Provider Edition installations, Marshal IP Reputation Service unlicensed notifications could be sent in error. Fixed.
MM-5568 The SEG Engine now reports "starting" for a longer period to reduce misleading "failed to start" reports from other services on slow systems.
MM-5599 BTM rewriting was unnecessarily rewriting links in signed messages, resulting in deadletters. Fixed.
MM-5609 The Engine could fail to restart because anti-virus DLLs did not exit completely before reporting as stopped to the Service Control Manager. Fixed.
MM-5610 For SEG Service Provider Edition installations, SpamProfiler now ignores certain checks for messages between SPE customers.
MM-5620 The OpenSSL library that SEG uses has been updated to version 1.0.2h.
MM-5622 The customized version of 7zip (archive unpacker) included with SEG has been updated to support newer decompression methods (version 16.02).
MM-5630 User group membership could be incorrectly updated (members could be missing) if an error occurred while refreshing a sub-group. Fixed.
MM-5640 For SEG Service Provider Edition installations, in certain cases IP based relay restrictions were not applied. Fixed.

(May 31, 2016)

MM-5271 Proxy port entry for internet access allowed only four digits. Fixed: five digits are allowed.
MM-5274 CRL distribution points were not extracted from certificates with v3 extensions. Fixed.
MM-5277 Suspect URL detection did not correctly normalize some URLs before querying the service. Fixed.
MM-5278 TextCensor memory usage has been improved.
MM-5390 In release 7.5.5, top-level message attachments were not scanned by TextCensor. Fixed.
MM-5391 The list of event sources shown in the Console Event Viewer has been updated with the current malware scanners.
MM-5392 Certain malformed RTF message bodies caused the engine to stop. Fixed.
MM-5399 Text log files are better formatted for 5 digit thread IDs.
MM-5400 The customized version of 7zip (archive unpacker) included with SEG has been updated to address recently reported vulnerabilities in 7zip.
MM-5404 The SEG product version is no longer present in the SMTP greeting string by default.
MM-5405 TextCensor evaluation is no longer single-threaded.

(March 3, 2016)

MM-5195 In recent releases, the message viewer did not provide information about message components for delivered messages. Fixed: this information is retrieved from the database if a full message file is not present on disk.
MM-5196 If a message was marked temporarily undeliverable during a configuration reload, it would not be retried until the Sender was restarted. Fixed.
MM-5198 Whitespace at the start or end of plain text message stamps is no longer trimmed when edited and saved. Blank lines can be added for formatting.
MM-5208 TextCensor now does not check sub-components when the parent has already been scanned or excepted from scanning.
MM-5209 Attempts to retrieve CRLs from a location that could not be reached caused the Controller to stop. Fixed.
MM-5210 In previous 7.5 releases, Libcurl did not correctly process gzip encoded web responses. Fixed. In addition, the version of libcurl included with the product is updated to 7.46.0.
MM-5211 The header Reply-To field is now available as a template variable {Header-Reply-To}. The message return path is used if Reply-To is not set.
MM-5212 The OpenSSL library that SEG uses has been updated to version 1.0.1q.
MM-5218 Signing of executable files now uses a SHA256 certificate.
MM-5220 YAE scripts now support the Hash function of Yara.
MM-5238 The SpamProfiler integration SDK has been upgraded.
MM-5240 For SEG Service Provider Edition installations, RBL license notification emails are not sent if the installation is not licensed.
MM-5242 Uninstallation of the SQM site did not de-register the interface DLL. Fixed.
MM-5247 Logging of quarantine release actions to the service text logs has been improved.
MM-5251 For new installations, the Malware - AMAX folder is included in the virus reporting group.

(December 8, 2015)

MM-5200 In release 7.5.0, reporting a message as spam or not spam caused the Controller service to stop. Fixed.

(November 24, 2015)

MM-4251 SEG now corrects headers that violate the RFC limit of 998 characters, "folding" the header onto multiple lines by default.
MM-4726 File name checking could fail for very long MIME encoded file names. Fixed.
MM-4727 Improved decoding of MIME Encoded-Word content has been implemented for message subject display (digests and console), Header Rewrite, and filename rules.
MM-4832 Multi-line content-disposition headers were not extracted correctly, so attachments with long file names might be incorrectly filtered. Fixed.
MM-4883 Libcurl is updated to use Visual Studio 2013.
MM-4909 Additional file types have been added to support anti-spam scanning. These types are not currently selectable in rules.
MM-4961 The default name of the product database for new installations is now TrustwaveSEG. Upgrading does not alter the database name.
MM-4999 A setting is available to control acceptance of multiple HELO commands within a session. For details of this advanced option, contact Trustwave Support.
MM-5038 For SEG Service Provider Edition installations, the From address for spam and not spam reports can be set as required.
MM-5049 Long-running Receiver threads could incorrectly log a low data transfer rate. Fixed.
MM-5054 URL rewriting for BTM incorrectly treated text with two consecutive dots as a URL if the text after the dots was a valid TLD. Fixed.
MM-5065 When a user selects SpamProfiler options with potential for higher false positives in the Configurator, an extra confirmation message is presented.
MM-5069 Default message template text and From addresses (for new installations) have been branded for Trustwave.
MM-5077 Some URLs containing escaped characters were not rewritten for Blended Threats inspection. Fixed.
MM-5085 Image Analyzer has been updated to version 6. This version offers 30%-60% fewer false positives for the same level of detection, depending on the sensitivity setting.
MM-5115 The OpenSSL library that SEG uses has been updated to version 1.0.1p.
MM-5124 A small memory cleanup issue in the Array Manager has been corrected.
MM-5135 The default Scams TextCensor Script is updated for new installations.
MM-5164 A new YAE based rule to detect malformed PDF documents is included on new installations and in the Upgrade Rules policy group for upgrades.
MM-5173 The version of libcurl included with the product is updated to 7.44.0.

(September 10, 2015)

MM-5141 The Engine and Array Manager are now able to access up to 4GB of memory on a 64 bit system. Larger rulesets can be loaded without issues and performance enhancement is expected.
MM-5143 The version of Libtet (PDF unpacking) that is included in the installation has been updated to
MM-5144 URL rewriting for BTM incorrectly treated some inline CSS declarations as URLs. Fixed.
MM-5145 Deletion of unpacked files with certain filenames could fail. Addressed by re-trying the deletion with no string parsing of the file name.

(April 21, 2015)

MM-3499 Configuration import could fail due to incorrect case-sensitive comparison of user group members. Fixed.
MM-3509 Active Directory authentication for SQM failed for users with a text name containing [ ] characters. Fixed.
MM-4709 TLS can now be configured with specific lists of cipher suites, overriding the generic selections. For details of this advanced option, contact Trustwave Support.
MM-4823 A problem with group synchronization in the Controller could cause the Receiver to stop processing messages. Fixed.
MM-4837 Clean installations no longer install MSXML4.
MM-4857 The Receiver now supports ECDHE key exchange for PFS (TLS "Perfect Forward Secrecy").
MM-4862 Some utility files such as TextCensor2 DLLs might not be correctly updated on upgrade. Fixed: upgrade checks file version numbers instead of creation dates.
MM-4863 Links enclosed in round brackets and rewritten by the Blended Threats function incorrectly included the trailing round bracket in the rewritten link. Fixed.
MM-4864 For SEG Service Provider Edition installations, relay source checking was not limited to specific customer domains. Fixed.
MM-4866 Cleanup of OpenSSL sessions has been improved.
MM-4867 Service executable paths were not quoted. Fixed.
MM-4869 Notification messages created by the Engine are now DKIM signed if required.
MM-4872 TLS now disables SSLv3 by default as per recent security best practice.
MM-4873 TLS cipher lists now exclude Anonymous, MD5, RC4, and IDEA ciphers as per recent security best practice.
MM-4874 Text logging includes better thread information.
MM-4876 The FileType DLL is now replaceable through the automatic update process.
MM-4880 The OpenSSL DLLs are now replaceable through the automatic update process.
MM-4892 UUEncoded streams in the message body could be altered by the Blended Threats function. Fixed.
MM-4911 DKIM signing failed in some cases for email with headers longer than 2048 bytes. Fixed.
MM-4930 The version of Libtet (PDF unpacking) that is included in the installation has been updated to
MM-4932 By default "bare" CR or LF characters in messages are changed to CRLF.
MM-4933 For SEG Service Provider Edition installations, some earlier versions allowed an incorrect entry of a hostname as the "forward to IP." Fixed: On upgrade the configuration is corrected to use these entries as hostnames.
MM-4935 Additional indexing is performed on the Message table in the database to enhance performance.
MM-4944 For SEG Service Provider Edition installations, SpamProfiler could apply the wrong direction for scanning. Fixed.
MM-4945 The Controller log now records DNS query responses that took over 1 second.
MM-4948 DKIM signing and verification incorrectly ignored whitespace at the top of the message body in text-only messages. Fixed.
MM-4951 Slow DNS responses could cause the Receiver to stop accepting messages. Addressed with changes to the process that updates lists of anti-relay and blocked hosts.
MM-4952 The version of libcurl included with the product is updated to 7.41.0.
MM-4960 SpamProfiler "valid bulk" classifications were not triggered due to unexpected format in data returned by SpamProfiler. Fixed.
MM-4965 URLCensor could perform unnecessary checks for incorrect URLs. Fixed.
MM-4968 SpamProfiler uses the same criteria for "inbound" and "outbound" messages that are used for other processing.
MM-4969 Full information about TLS negotiation is saved in the local message envelope.
MM-4979 Logging of DoS, DHA, relay, and other Receiver block events to the Event Log can be suppressed. For more information, see Trustwave Knowledge Base article Q20228.
MM-4988 SpamProfiler responses were slow if IPv6 was enabled on the server. Fixed. The processing nodes MUST have a loopback adapter listening on the default IPv4 loopback address
MM-4990 SpamProfiler responses were slow due to settings applied to the HTTP connection with the local SpamProfiler process. Fixed.
MM-5001 For SEG Service Provider Edition installations, Customer ID was not correctly determined for some Out Of Office messages. Fixed.
MM-5002 Blended Threats rewriting of subject lines added a space to the line. Fixed.
MM-5028 The OpenSSL library that SEG uses has been updated to version 1.0.1m.

(October 10, 2014)

MM-3597 The last lines of the Receiver log were not captured into the message envelope as expected. Fixed.
MM-4514 Email notifications are sent to the SEG Administrator from the local server when maintenance is about to expire or has expired.
MM-4591 The file extension .cpl has been added to the default Suspect Attachments rules.
MM-4628 File components that do not trigger a rule condition now do not add a line in text logs by default.
MM-4629 Visual C++ 2013 redistributables are now included in the installation.
MM-4674 The "monitor only" installation option and policy group have been removed.
MM-4706 DNS results were truncated if they exceeded the UDP packet size (notably when a large number of PTR records existed). Fixed by enabling EDNS0 in the DNS resolver.
MM-4710 Unpacking of XML based Excel documents now gets text from additional tags.
MM-4711 Unpacking of XML based Office Documents uses a simpler and more efficient parser.
MM-4723 Extracted binary unknown files could cause the engine to stop in TextCensor2 analysis due to improper formatting of extracted filenames. Fixed.
MM-4725 Moving or inserting User Groups by drag and drop now prompts for confirmation by default.
MM-4727 Better support for decoding Quoted Printable strings is provided.
MM-4729 For SEG Service Provider Edition installations, group information is loaded more efficiently.
MM-4731 Deleting User Groups now prompts for confirmation by default (in addition to the check for groups used in policy).
MM-4748 The OpenSSL library that SEG uses has been updated to version 1.0.1i.
MM-4753 Calls to TextCensor2 did not correctly handle the case where the requested file could not be opened. Fixed.
MM-4760 The default theme of SQM has been updated to a Trustwave branded theme.
MM-4764 The Array Manager could encounter a database deadlock when manipulating folder records. Fixed.
MM-4766 If a message file was manually deleted from the queue, the sender service could become unresponsive. Fixed.
MM-4767 When releasing a message through a digest link, a text note about adding the sender to safe senders was displayed in error. Fixed.
MM-4773 Default values for suspicious compression and max header lines have been updated to reflect current email sizes. Additional unpacking space could be required. See Trustwave Knowledge Base articles Q10868 and Q11369.
MM-4774 Links with query parameters could be invalidated when processed by a Blended Threats rewriting rule. Fixed.
MM-4781 Utility DLL files used by TextCensor have been reverted to the version installed with SEG 7.2.2.
MM-4786 The product End User License Agreement has been updated.
MM-4789 The storage location for automatic configuration backups can be set. See Trustwave Knowledge Base article Q19556.
MM-4795 SMTP Authentication failed with some remote systems due to incorrectly encoded strings. Fixed.
MM-4797 TLS Certificate verification in Connection rules did not work when SMTP Authentication was enabled. Fixed.
MM-4799 When adding a new node to an array, the node controller service could fail on startup, due to a problem with IP whitelist retrieval. Fixed.
MM-4821 A record of the creation and last modification of rules and policies (by user and time) is now stored in the Registry.
MM-4834 Messages with malformed headers containing bare linefeeds could cause the Receiver to fail in some cases. Fixed.

To review Release History prior to version 7.3.0, please see the Release Notes for the specific versions.

Legal Notice

Copyright © 2019 Trustwave Holdings, Inc.

All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.


Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.
