Ensure your spam rules and engine are up-to-date. If your Appliance does not have the latest updates, it will not detect the latest spam messages. You can check the current update status under System, Component Management, Update Status in the Appliance administrator console. The Appliance receives updates from the McAfee update servers. To receive these updates, you must ensure the following ports are open on your firewall:
MEG 7.6.2 and later: HTTPS TCP 443, outbound to tau.mcafee.com.
EWS 5.6, MEG 7.0, MEG 7.5, and MEG 7.6 up to 7.6.1: FTP TCP 21, outbound to ftp.nai.com. Uses PASV.
Anti-Spam Rules and Streaming updates:
On HTTP TCP 80, outbound to http://su3.mcafee.com/su3, http://sav-su3-1.mcafee.com, 18.104.22.168, and 22.214.171.124
For more information, see KB72970 - Open ports required for the EWS/MEG 7.x Appliance.
Maximum scanning size:
The anti-spam scanner has a default maximum scanning size limit of 250KB. The MEG anti-spam scanner does not scan email messages that exceed this size limit.
To confirm or modify this setting, see KB72143 - How to increase the EWS and MEG Appliance maximum message size for spam detection.
Spam score and report:
Set up the Appliance to add a spam score and report on all messages. If you still receive spam or false positives in your mailbox, you can provide this mail to the McAfee spam team for further review and correction. Make sure these changes are done on your primary inbound policy(more than likely this will be the default policy).
Select Email, Email Policies, SMTP, Spam.
Select Yes to enable anti-spam scanning.
For Add a spam score indicator, select To all messages.
For Attach a spam report, select To all messages.
Score based action:
Enable the second score based action with When the spam score is at least 5.0 and always enable the And Also setting to quarantine the modified version of the message. The default configuration is to mark when the score is greater than or equal to 5 points and accept and drop when the score is greater than or equal to 10 points. The McAfee spam team considers any message that receives fewer than 5 points to be legitimate and any message that receives 5 or more points to be spam. Therefore, the default anti-spam scanning configuration may allow some spam-like emails to be delivered. Change the anti-spam settings as follows to block any email message whith a spam score between 5.0 and 10.0:
Select Email, Email Policies, SMTP, Spam.
Enable the second listed When the spam score is at least, and enter 5.0 in the text box next to it.
For the action, select Accept and then drop the data (Block).
In the And also options, enable Quarantine modified.
Click OK, then apply the changes.
Although email is considered spam at a score of 5.0 or higher, this value can be modified depending on your needs. It is possible to drop this lower threshold value down to 4.2 with only a slight increase in false positives.
If there is a false positive (legitimate email is scored too high) or false negative (spam email is scored too low), obtain a copy of the email from quarantine and submit it to the McAfee spam team.
For full steps, see KB59415 - How to submit spam and phishing samples to the McAfee Spam Analysis Team.
Global Threat Intelligence (GTI) message reputation identifies a large percentage of spam more quickly than the regular anti-spam scanning and can help stop spam blasts more quickly.
Select Email, Email Policies, SMTP.
On your inbound email policy group, open Sender Authentication and navigate to the Message Reputation tab.
In Higher Detection Threshold, enable McAfee GTI Message Reputation at the higher detection threshold.
Set the Detection threshold for Higher threshold as Highly suspect.
From the If the sender fails the check list menu, select one of the available Block actions.
Within the Sender Authentication section, there are some other settings that can be enabled to assist with blocking unwanted messages. On the Message Reputation tab of the Sender Authentication window, Enable the Lower Detection Threshold and set the Detection threshold to suspect. Change the action to add to score 10 for if the sender fails the check. Navigate to the SPF, Sender ID, DKIM, and FCrDNS tab. Enable SPF, Sender ID, DKIM, and FCrDNS. For each process, change the failure action to add to score 10. Still within the Sender Authentication window, navigate to the Cumulative Score and Other Options tab. NOTE: Depending on the resolution of your monitor, this tab may need to be accessed via clicking on a drop down arrow and then selecting the tab. On this tab, put a checkmark in the box to Check the total added score. It is recommended to leave the score threshold at 20. This will check the score for GTI at the lower threshold, SPF, Sender ID, DKIM, and FCrDNS. If there are two or more failures amongst the 5 scanners, the configured action for the threshold being reached will be taken. Click OK and apply the changes. It is important to note that the sender authentication scores are independent of the spam score.
IMPORTANT: If the Appliance is behind an MTA and has a hop count set (as explained in the next step), do NOT use the Reject, Close, and Deny(Block) action. This can cause MEG to block the connecting IP address of your onward server when GTI Message Reputation detection triggers.
If your MEG is behind the MTA:
Select the Cumulative Score and Other Options tab, enable Parse the email headers for sender address if behind an MTA and specify the Number of hops to the MTA.
Click Apply changes.
NOTE: If you encounter issues where legitimate messages are blocked by GTI message reputation, see KB62754 - Email Gateway/Secure Mail/Email and Web Security: TrustedSource FAQ.
McAfee strongly recommends that you enable GTI feedback. GTI feedback submits various metadata about the message to McAfee to improve the GTI reputations and spam rules.
Select Email, Email Policies, SMTP, McAfee GTI feedback.
Enable Threat Feedback.
Click OK and apply the changes.