This blog post refines best practices for anti-spam on McAfee Email Gateway 7.x.

Update

Ensure that the spam rules and the anti-spam engine are up to date. An appliance that is not running the latest updates will not catch the latest spam messages.

You can check the current update status under System, Component Management, Update Status in the appliance administrator console. The appliance retrieves updates from our update servers, so ensure that the following ports are open on your firewall. See KB72970 for details.

  • Anti-Spam Engine
    • MEG 7.6.2 and later: on HTTPS TCP 443, outbound to tau.mcafee.com.
    • EWS 5.6, MEG 7.0, MEG 7.5, and MEG 7.6 up to 7.6.1: on FTP TCP 21, outbound to ftp.nai.com. Uses PASV.
  • Anti-Spam Rules and Streaming updates

Spam score and report

Set up the appliance to add a spam score and a spam report to all messages. If spam is delivered to your mailbox (or a legitimate message is scored as spam), you can provide that message to our spam team for review and correction.

  1. Navigate to Email, Email Policies, SMTP, Spam.
  2. Choose Yes to enable anti-spam scanning, or inherit the setting from a parent policy in which anti-spam scanning is enabled.
  3. Choose To all messages for Add a spam score indicator.
  4. Choose To all messages for Attach a spam report.
  5. Click OK.
  6. Apply changes.

Score based action

Enable the second score-based action with When the spam score is at least 5.0, and select Quarantine modified in the And also list so that the modified version of the message is quarantined.

The default configuration marks a message when its score is 5 points or more, and accepts and then drops it when its score is 10 points or more. The spam team considers any message scoring fewer than 5 points to be legitimate and any message scoring 5 or more points to be spam. The default anti-spam configuration can therefore deliver messages that the spam team would classify as spam. To block messages whose spam score is between 5.0 and 10.0, change the anti-spam settings as follows:

  1. Navigate to Email, Email Policies, SMTP, Spam.
  2. Ensure that the second When the spam score is at least checkbox is selected, and enter 5.0 in the text box next to it.
  3. Choose Accept and then drop the data (Block) as its action.
  4. In the And also checkbox list, ensure that Quarantine modified is selected.
  5. Click OK.
  6. Apply changes.
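To make the gap between the default and the recommended score-based actions visible, here is an added Python model of the policy (my own illustration, not appliance code or anything from McAfee). It assumes that the rule with the highest When the spam score is at least threshold that the score meets is the one applied; the rule names, the sample scores and the verdict labels are constructed for the example.

```python
"""Model of MEG score-based anti-spam actions (added example, not appliance code).

Each message carries a spam score. The model applies the rule with the
highest "When the spam score is at least" threshold the score meets, and
compares the default policy (mark at 5, drop at 10) with the recommended
one (block and quarantine the modified message at 5, drop at 10).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ScoreRule:
    threshold: float                 # "When the spam score is at least"
    action: str                      # "mark" or "block" (accept and then drop the data)
    and_also: Tuple[str, ...] = ()   # extra options, e.g. ("quarantine_modified",)


def evaluate(score: float, rules: List[ScoreRule]) -> dict:
    """Return the verdict for one score under a list of rules.

    Assumption: the matching rule with the highest threshold wins.
    """
    matched = [r for r in rules if score >= r.threshold]
    if not matched:
        return {"verdict": "deliver", "and_also": ()}
    rule = max(matched, key=lambda r: r.threshold)
    verdict = "deliver_marked" if rule.action == "mark" else "block"
    return {"verdict": verdict, "and_also": rule.and_also}


# Default policy as described in the post: mark at 5.0, drop at 10.0.
DEFAULT_POLICY = [ScoreRule(5.0, "mark"), ScoreRule(10.0, "block")]

# Recommended policy: block at 5.0 and keep the modified copy in quarantine,
# so a false positive between 5.0 and 10.0 can still be retrieved.
RECOMMENDED_POLICY = [
    ScoreRule(5.0, "block", ("quarantine_modified",)),
    ScoreRule(10.0, "block"),
]

# Constructed scores for illustration, not real appliance output.
SAMPLE_SCORES = {"newsletter": 2.4, "grey_area": 7.3, "obvious_spam": 14.9}


def compare(scores: Dict[str, float] = SAMPLE_SCORES) -> Dict[str, Tuple[str, str]]:
    """Map each sample to (default verdict, recommended verdict)."""
    return {
        name: (evaluate(s, DEFAULT_POLICY)["verdict"],
               evaluate(s, RECOMMENDED_POLICY)["verdict"])
        for name, s in scores.items()
    }


if __name__ == "__main__":
    for name, (default, recommended) in compare().items():
        print(f"{name:13} default={default:15} recommended={recommended}")
```

The grey-area sample is the point of the section: with the defaults it is delivered with a score indicator, with the recommended settings it is blocked and the modified copy lands in quarantine, where it can be pulled out and submitted if it turns out to be legitimate.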

If there is a false positive, that is, a legitimate message that is scored too high, you can retrieve a copy of it from quarantine and submit it to our spam team.

Submission

When a legitimate message is blocked by anti-spam scanning, submit it to the spam team for correction. When a spam message passes through the appliance and is delivered, submit it to the spam team as well. See KB59415 for additional information on submitting messages to our team.

McAfee Customer Submission Tool (MCST)

Consider using the McAfee Customer Submission Tool (MCST), a free plugin for Microsoft Outlook. With MCST installed, extra buttons or menu entries are available while you read your email. It allows you to:

  • Submit email samples to McAfee Labs for further analysis
  • Submit email samples to McAfee Quarantine Manager to help prevent further spam
  • Submit unwanted email that was not categorized as spam (or phish)
  • Submit email that was wrongly categorized as spam (or phish)
  • Delete the email message optionally after the submission
  • Add a spam sender's email address to the blacklist to prevent more spam
  • Add a sender's email address to a whitelist to prevent further email from that sender being wrongly categorized as spam or phish
  • Add all the email addresses in your Microsoft Outlook Contacts folder to a whitelist, to prevent emails from known contacts being wrongly categorized as spam or phish
  • Access the tool using the buttons available in the standard toolbar and the entries available in the Actions menu or the ribbon interface in Outlook 2010

You can download either the 32-bit or the 64-bit version from http://www.mcafee.com/us/downloads/free-tools/customer-submission-tool.aspx. On the right side of the page, a box titled "McAfee Customer Submission Instructions" lists eight languages; clicking your language lets you download a Product Guide and a supplemental Readme.


GTI Message Reputation

  • Use GTI message reputation. It identifies a large percentage of spam more quickly than regular anti-spam scanning, and helps quash spam blasts sooner.
    1. Navigate to Email, Email Policies, SMTP.
    2. On your inbound email policy group, open Sender Authentication and navigate to the Message Reputation tab.
    3. Under Higher Detection Threshold, enable McAfee GTI Message Reputation at the higher detection threshold.
    4. Ensure that Detection threshold for the higher threshold is set to Highly suspect.
    5. Choose one of the available Block actions from the If the sender fails the check menu.
    6. If your MEG sits behind an MTA, open the Cumulative Score and Other Options tab, enable the Parse the email headers for sender address if behind an MTA option, and specify the Number of hops to the MTA.
    7. Click OK.
    8. Apply changes.

  • If your mail server sends outbound email through your MEG appliance, define an outbound policy matched on the source IP address of your mail server and turn off all sender authentication for outbound email in it. The following steps create an outbound email policy group and disable sender authentication for it:
    1. Navigate to Email, Email Policies, SMTP.
    2. Click Add Policy.
    3. Enter policy name for your outbound email policy group.
    4. Choose which policy to inherit settings from.
    5. Choose Outbound for Email direction.
    6. Click Add Rule.
    7. Choose Source IP address for Rule type.
    8. Choose is for Match.
    9. Enter the IP address of your mail server to Value.
    10. Click OK.
    11. Click OK.
    12. On the newly created outbound email policy group, click Sender Authentication.
    13. Choose No for Enable sender authentication for your outbound policy.
    14. Click OK.
    15. Apply changes.

      NOTE: When a legitimate message is blocked by GTI message reputation, refer to KB62754 - Email Gateway/Secure Mail/Email and Web Security: TrustedSource FAQ.

  • If the appliance is behind an MTA and a hop count is set, do NOT use the Reject, Close, and Deny (Block) action. Otherwise, when a GTI Message Reputation detection triggers, the MEG may block the connecting IP address of your onward server rather than the sender it detected.
    • To confirm that a hop count is set:
      1. Navigate to Email, Email Policies, Sender Authentication, Cumulative Score and Other Options.
      2. Confirm that the Parse the email headers for sender address if behind an MTA option is selected.
    • To configure the GTI Message Reputation action:
      1. Navigate to Email, Email Policies, Sender Authentication, Message Reputation.
      2. Ensure that If the sender fails the check is NOT set to Reject, Close, and Deny (Block) for either the Higher Detection Threshold or the Lower Detection Threshold.
      3. Click OK.
      4. Apply changes.
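The reason behind the caveat above is easier to see with an added Python illustration (my own, not appliance code or anything published by McAfee) of which IP address a reputation verdict is computed on, and which IP a connection-level action actually refuses, when the MEG sits behind an MTA. It assumes that Received headers are ordered newest first, that each hop prepends one header, and that the hop count selects the Received header written by the Internet-facing MTA, whose bracketed "from" address is the external sender; the header samples, host names and IP addresses are constructed.

```python
"""Reputation target vs. connection target behind an MTA (added example).

Assumptions (mine, not from the post):
  * Received headers arrive newest first; each MTA prepends one.
  * hops=1 means the MTA directly in front of the MEG wrote the top header.
  * The bracketed IP in "Received: from ... [a.b.c.d]" is the host that
    connected to the MTA that wrote the header.
"""
import re
from typing import List, Optional

# Bracketed IPv4 in the "from" clause of a Received header (multi-line safe).
RECEIVED_IP = re.compile(
    r"^Received:\s+from\s+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I | re.S
)

# Actions named in the post. Reject/Close/Deny operate on the TCP connection;
# "Accept and then drop" acts on the message after it has been received.
CONNECTION_LEVEL_ACTIONS = {"Reject, Close, and Deny (Block)"}
MESSAGE_LEVEL_ACTIONS = {"Accept and then drop the data (Block)"}


def sender_ip_for_reputation(connecting_ip: str, headers: List[str],
                             behind_mta: bool, hops: int = 0) -> str:
    """IP the reputation lookup is performed on.

    Header parsing off: the IP that connected to the appliance (the MTA).
    Header parsing on:  the "from" IP in the Received header `hops` hops up.
    Falls back to the connecting IP if the selected header has no IP.
    """
    if not behind_mta or hops < 1 or hops > len(headers):
        return connecting_ip
    match = RECEIVED_IP.match(headers[hops - 1])
    return match.group(1) if match else connecting_ip


def connection_refused_for(connecting_ip: str, action: str) -> Optional[str]:
    """IP whose connection is refused by a connection-level action.

    Whatever IP the verdict was about, the only connection the MEG can
    close is the one it holds, which behind an MTA belongs to the MTA.
    Message-level actions refuse no connection at all.
    """
    if action in CONNECTION_LEVEL_ACTIONS:
        return connecting_ip
    if action in MESSAGE_LEVEL_ACTIONS:
        return None
    raise ValueError(f"unknown action: {action}")


# Constructed headers as the MEG would see them from its upstream MTA
# (mta.example.net, 192.0.2.10). Top header written by that MTA.
SAMPLE_HEADERS = [
    "Received: from mail.sender.example (mail.sender.example [203.0.113.45])\n"
    "\tby mta.example.net with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000",
    "Received: from [10.0.0.5] by mail.sender.example with ESMTP;\n"
    "\tMon, 1 Jan 2024 09:59:58 +0000",
]
MTA_IP = "192.0.2.10"


if __name__ == "__main__":
    for behind, hops in ((False, 0), (True, 1), (True, 2)):
        ip = sender_ip_for_reputation(MTA_IP, SAMPLE_HEADERS, behind, hops)
        print(f"parse={behind!s:5} hops={hops} -> reputation checked on {ip}")
    for action in sorted(CONNECTION_LEVEL_ACTIONS | MESSAGE_LEVEL_ACTIONS):
        print(f"{action!r} refuses connection from {connection_refused_for(MTA_IP, action)}")
```

With parsing on and hops=1 the verdict is about the external sender (203.0.113.45), but a Reject, Close, and Deny (Block) action can only refuse the connection it holds, which is the MTA at 192.0.2.10; that is why the post limits the action to a message-level block in this topology.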

GTI Feedback

Use GTI feedback. It submits metadata about each message to our team so that we can improve GTI reputations and the spam rules as well.


  1. Navigate to Email, Email Policies, SMTP, McAfee GTI feedback.
  2. Enable threat feedback.
  3. Click OK.
  4. Apply changes.

Logging

If possible, enable all detection events and GTI logging options. This makes GTI-related troubleshooting easier.

  1. Navigate to System, Logging, Alerting and SNMP, Logging Configuration, SMTP Settings, Detection Events, Advanced.
  2. Scroll down the Override SMTP detection events window and locate the McAfee GTI related events (there are a couple of them).
  3. Select all the McAfee GTI related events.
  4. Click OK.
  5. Apply changes.

Recipient Authentication

If possible, enable recipient authentication against LDAP, so that mail for unknown recipients is refused before the DATA phase. This reduces the amount of SMTP DATA-phase traffic reaching the MEG and lowers the scanning load on the appliance. See KB76232 for the steps to configure an LDAP server and configure the appliance to check it for recipient authentication.

Quarantine Management

The appliance has an on-box quarantine to which spam messages can be quarantined. It offers basic features such as digest messages and reporting.


If you want granular control over quarantined items and queues, digest messages, reporting, and black/white list management, or want to consolidate the quarantines of multiple McAfee products, consider the off-box quarantine solution, McAfee Quarantine Manager (MQM). MQM runs on the Microsoft Windows Server platform, provides an interactive web GUI, and stores quarantined items in a database.

You can download MQM from the McAfee Download Site at http://mcafee.com/us/downloads/downloads.aspx. See KB56057 for details of how to download McAfee products, documentation, security updates, patches, and hotfixes.