If you are like most customers, a major reason you chose to get the MEG appliance is for the spam filtering capabilities. So you get the appliance and set it up, but there's still a lot of spam getting through. Here are some best practices which should help to curb the spam volumes a bit, without impacting your outbound mail flow. Most of these changes will involve the Spam subsection of the Spam column in Email Policies, and thus should be handled there.
1. Set up the appliance to add a spam score and report on all messages. By doing this, you will be making it so that, should you get some spam mail(or false positives), you can provide this mail to our spam team for further review and correction.
2. The spam team considers any message which receives fewer than 5 points to be legitimate and any message receiving 5 or more points to be spam. Therefore, the default configuration (mark when score >=5 points, accept and drop when score >=10 points) is going to let some spam in. Depending on your environment, this may not be desirable. It is considered a best practice to configure the appliance to accept and drop messages receiving 5 or more points, but make sure to check the box in the "And Also" box to quarantine the Modified version of the message. This ensures that if there is a false positive, you can get a copy of it to submit to our spam team.
3. When messages do get blocked, submit them to the spam team for fixing. Although it is sometimes possible to guess at the content which caused the message to be blocked, it's always best to submit spam false positives and false negatives to the team so that they can update the spam rules and work to improve spam blocking. See KB59415 for additional information on submitting spam messages to our team.
4. Finally, if possible, use GTI and GTI feedback. The first of these tools identifies a large percentage of spam more quickly than the regular rules, and can help quash spam blassts more quickly. However, when doing so, if your mail server sends mail out through your MEG appliance, make sure to have an outbound policy defined by the source IP of your mail server to turn off GTI (and really, all sender authentication) for outbound mail.
GTI Feedback submits various metadata about the message to our team so that we can improve the GTI reputations and improve the spam rules as well.