Best Practices - Submitting spam samples to McAfee

Version 1

    AntiSpam products such as McAfee AntiSpam should provide extremely high spam and phish detection rates, but even with Streaming Updates enabled, you may occasionally receive an unwanted spam message. The chances are high that the McAfee AntiSpam team will also receive the missed spam from our extensive collection of spam honeypots, but submitting missed spam is still worthwhile and can help improve detection rates, as customer samples are processed, reviewed and added to our ruleset where appropriate.

     

    McAfee provides a free plug-in for Microsoft Outlook to simplify sending any missed spam samples. Samples can also be submitted from Lotus Notes, and manually using other email clients. It is important to send the complete message, including the message headers, wherever possible, as the mail headers contain valuable information that can be used to detect spam.

     

    Spam and phishing emails can be sent to McAfee using the following processes:

     

     

     

    How to submit a spam or phish sample using the McAfee Spam Submission Tool
    The McAfee Spam Submission Tool is a small plug-in for Microsoft Outlook that allows missed, or low scoring, spam messages and incorrectly identified non-spam messages to be quickly and easily sent to McAfee for analysis.

     

     

    The Spam Submission Tool can be downloaded from the Free Tools section of the following URL:

    http://www.mcafee.com/us/enterprise/downloads/free_tools/index.html

    It is also posted on the Avert Tools site:

    http://vil.nai.com/vil/averttools.aspx

    NOTE: NEW RELEASE - Version 2.2 (2.2.414) of McAfee Customer Submission Tool is now available for download. New features include:
    • Exchange 2007 mail environment support.
    • Outlook 2007 support.

    Follow the included installation instructions to install the Spam Submission Tool. After the Spam Submission Tool is installed, two additional icons are displayed in the Outlook Toolbar.
    • To submit a spam/phish message that was not detected with the latest ruleset, select the spam/phish message and then click the Submit Spam or Phish Sample icon on the toolbar.
    • To submit a message that was incorrectly detected as a spam/phish message with the latest ruleset, select the message and then click the Submit Non-Spam Sample icon.
    • Messages larger than 1 MB in size cannot be submitted via the Tool.

     

    For additional information, refer to the Customer Submission Tool product guide (cst_20_product_guide_en.pdf), which is also available in several languages from:

    http://www.mcafee.com/us/smb/downloads/free_tools/index.html



    Submitting samples from IBM Lotus Domino Servers / Lotus Notes Clients
    Follow the advice documented in article: KB54323 - Collecting Spam samples for issues incurred on Lotus Domino servers and Notes Clients.


    Manually submitting missed spam
    The analysis of messages to identify spam does not rely solely on the body text of the message. The headers and message construction allow us to review and design accurate, language-independent detection to further the effectiveness of the product. Wherever possible, the complete message including original headers is required. One of the benefits of the McAfee Anti-Spam technology is its language-independent analysis of the message construction and headers. A forwarded message loses much of this vital information, so attach the original spam message to a new message when sending it.

    IMPORTANT: Save or export the whole spam message as an attachment, and then attach it to a new message for submission to McAfee for analysis. Please ensure mail is submitted by (or from) a mail administrator in case we need to contact you. Auto-forwarded emails will be automatically discarded.

    Manually submitting False Positives
    NOTE: The mailboxes for spam submission are not for support queries.

    A false positive is a spam detection for an item which is actually legitimate. False positive detections should be sent to the email address below:

    customer+false-positive@clicknet.com

    NOTE: Clicknet.com is a domain owned by McAfee Inc.

    It is extremely unlikely that we would need to contact someone in relation to a submitted sample; however, it is recommended that any submissions are sent from a legal email address (not an alias) and include contact information including the company name and telephone number(s).


    Submitting missed or low scoring spam manually
    For items which are actually spam but failed to be captured by a McAfee product either due to a new method of spam delivery, or where the spam detection rules were insufficient to trigger the appropriate response (for example, scored 4.9 or less), use the following email address:

    customer+missed-spam@clicknet.com
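
    The manual procedure above (attach the original rather than forward it) can be scripted. The following is an added example, not McAfee code: it wraps an exported raw message as a message/rfc822 attachment so the original headers survive intact. The function names, the sample message and the "must have Received headers" sanity check are assumptions made for illustration; sending the result is left to your own mail client or relay.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Submission addresses as given on this page.
MISSED_SPAM = "customer+missed-spam@clicknet.com"
FALSE_POSITIVE = "customer+false-positive@clicknet.com"

# Constructed sample of a raw exported message (not real spam).
SAMPLE_RAW = (
    b"Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    b"\tby mx.example.com with ESMTP id ABC123; Mon, 1 Jan 2024 10:00:00 +0000\r\n"
    b"From: \"Prize Desk\" <promo@example.net>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: You have won\r\n"
    b"\r\n"
    b"Claim your prize today.\r\n"
)


def build_submission(raw, sender, contact, false_positive=False):
    """Build a new message with the untouched original attached.

    raw     -- bytes of the message exactly as saved/exported (.eml)
    sender  -- real address of the mail administrator (not an alias)
    contact -- company name and telephone number(s) for the body text
    """
    original = message_from_bytes(raw, policy=policy.SMTP)
    # Assumed sanity check: a message that passed through a mail server
    # carries Received headers; a forward or copy-paste usually does not.
    if not original.get_all("Received"):
        raise ValueError("no Received headers: export the original message")
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = sender
    msg["To"] = FALSE_POSITIVE if false_positive else MISSED_SPAM
    msg["Subject"] = ("False positive sample" if false_positive
                      else "Missed spam sample")
    msg.set_content(contact)
    # Passing a Message object produces a message/rfc822 part, which
    # carries the original headers and body unchanged.
    msg.add_attachment(original)
    return msg


def attached_original(submission):
    """Return the embedded original message from a built submission."""
    part = next(submission.iter_attachments())
    return part.get_content()
```

    Serialise the result with as_bytes() and hand it to your normal outbound mail path; do not route it through an auto-forward rule, since auto-forwarded mail is discarded.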