Taken from McAfee KnowledgeBase - How to enable new spam rules on Email Gateway for system defined header analysis

Environment

McAfee Email Gateway (MEG) 7.x

Summary

Several new spam rules have been added to MEG 7.x that look at defined header values to improve detections.

New Rules:

  • EDT_SDHA_SMP_HMS_FRM - This rule triggers when the MAIL FROM (RFC 821 envelope sender) is the null sender.
  • EDT_SDHA_HMS_FRM - This rule triggers when the header From (RFC 822) is missing or empty.
  • EDT_SDHA_FRM_INV (Header From Invalid) - This rule triggers when the address in the 822 From header is not a valid email address.
  • EDT_SDHA_ADR_FRG (Address Forged) - This rule triggers when there is a mismatch in either the local part or the domain part of the email address between the 821 (envelope MAIL FROM) and 822 (header From) addresses.
  • EDT_SDHA_DMN_FRG (Domain Forged) - This rule triggers when there is a mismatch in the domain part of the email address between the 821 (envelope MAIL FROM) and 822 (header From) addresses.

NOTE: EDT_SDHA_ADR_FRG (Address Forged) and EDT_SDHA_DMN_FRG (Domain Forged) replicate the Header Analysis feature from IronMail.
  • The rule EDT_SDHA_ADR_FRG is functionally equivalent to the following filter on IronMail:
    SDHA, 821-Address, Forged "From:" email address.
  • The rule EDT_SDHA_DMN_FRG is functionally equivalent to the following filter on IronMail:
    SDHA, 821-Address, Forged "From:" domain name.
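The five rule descriptions above can be read as a small decision procedure over one message's envelope sender and its From header. The following Python is an added illustration of that logic written for this page; it is not McAfee's implementation and the exact matching used inside MEG is not documented here. Assumptions made in the code and labelled as such: the null sender is written as an empty MAIL FROM or "<>", a "valid" address is approximated by a simple shape check (one "@", non-empty local part and domain, no whitespace), and local parts and domains are compared case-insensitively. The sample messages at the bottom are constructed.

```python
import re
from email.utils import parseaddr

# Rule names as they appear on the Spam Rules tab of MEG 7.x
SMP_HMS_FRM = "EDT_SDHA_SMP_HMS_FRM"   # null envelope sender (MAIL FROM:<>)
HMS_FRM     = "EDT_SDHA_HMS_FRM"       # header From missing or empty
FRM_INV     = "EDT_SDHA_FRM_INV"       # header From is not a valid address
ADR_FRG     = "EDT_SDHA_ADR_FRG"       # local part or domain differ between 821 and 822
DMN_FRG     = "EDT_SDHA_DMN_FRG"       # domain differs between 821 and 822

# Assumption: a plausible address is one '@' with non-empty sides and no whitespace.
_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+$")


def split_address(addr):
    """Return (local, domain) lower-cased, or None if addr does not look like an address."""
    if not _ADDR_RE.match(addr):
        return None
    local, domain = addr.rsplit("@", 1)
    return local.lower(), domain.lower()   # assumption: case-insensitive comparison


def evaluate_sdha(mail_from, header_from):
    """Return the set of SDHA rule names that fire for one message.

    mail_from:   the RFC 821 envelope sender as given in MAIL FROM:<...>
    header_from: the raw RFC 822 'From:' header value, or None if the header is absent
    """
    fired = set()

    # 821 side: strip angle brackets; "<>" or "" is the null sender
    env = mail_from.strip()
    if env.startswith("<") and env.endswith(">"):
        env = env[1:-1]
    if env == "":
        fired.add(SMP_HMS_FRM)

    # 822 side: a missing or empty header fires HMS_FRM and nothing else can be checked
    if header_from is None or header_from.strip() == "":
        fired.add(HMS_FRM)
        return fired

    # parseaddr pulls the addr-spec out of 'Display Name <user@domain>'
    _, hdr_addr = parseaddr(header_from)
    hdr_parts = split_address(hdr_addr)
    if hdr_parts is None:
        fired.add(FRM_INV)
        return fired

    # Forgery rules need both a usable envelope address and a valid header address
    env_parts = split_address(env)
    if env_parts is None:
        return fired
    if env_parts[1] != hdr_parts[1]:
        # A domain mismatch is also an address mismatch, so both rules fire
        fired.add(DMN_FRG)
        fired.add(ADR_FRG)
    elif env_parts[0] != hdr_parts[0]:
        fired.add(ADR_FRG)
    return fired


if __name__ == "__main__":
    # Constructed sample messages: (MAIL FROM, From header)
    samples = [
        ("<>", "Mailer <mailer@example.com>"),                    # bounce-style null sender
        ("<alice@example.com>", None),                            # From header absent
        ("<alice@example.com>", "Alice"),                         # From header not an address
        ("<bob@example.com>", "Alice <alice@example.com>"),       # local part differs
        ("<alice@example.org>", "Alice <alice@example.com>"),     # domain differs
        ("<Alice@Example.COM>", "Alice <alice@example.com>"),     # same address, case differs
    ]
    for mail_from, header_from in samples:
        print(f"{mail_from!r:28} {str(header_from)!r:32} -> {sorted(evaluate_sdha(mail_from, header_from))}")
```

When tuning the scores in step 9 of the procedure below, note that a domain mismatch fires both EDT_SDHA_DMN_FRG and EDT_SDHA_ADR_FRG under the descriptions given, so the two scores add up for that message; legitimate mailing lists and forwarding services routinely rewrite the envelope sender, so the forged-address rules are the ones most worth trialling at a low score first.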

Solution

Use the following procedure to enable the rules.
IMPORTANT:
  • If you are using ePO to manage your appliance, you must follow the process documented in KB82606 to avoid ePO overwriting your configuration changes.
  • For details about saving, editing, and restoring the appliance configuration file, follow the instructions in KB56323.
  1. Open the MEG Management console and select Email, Email Policies, Policy Row, Spam.
  2. Select the Spam Rules tab.
  3. In the Filter text box, type EDT_ and click Apply.
  4. Disable all five rules displayed and click Apply.
  5. Select System, System Administration, Configuration Management.
  6. Select Backup Configuration and save the zip file to your local drive.
  7. Open the zip file, navigate to the \config directory, and open SharedSettings.xml in a text editor.
  8. Search for EDT_.
  9. For the five rules, change the enabled value from 0 to 1 and set the score to the required level.
  10. Save the file and update the configuration zip file.
  11. Select System, System Administration, Configuration Management, Restore from File.
  12. Navigate to the modified zip file and load the modified config.
  13. Click OK and apply changes as required.