wroche
Level 7
Message 1 of 5

how to exclude legitimate inbound email replies

What is an effective way to set up exclusions from spam filtering so inbound messages that are replies to our company employees, from outside senders, are not quarantined? In other words, an employee of our company sends an email to an outside recipient. That recipient sends back the email using the "reply" function in their email client program. Email Gateway should recognize, somehow, that the email originated with our company and not subject it to various spam checks. Is there an effective way to configure this?

I notice in these types of messages that get quarantined there are some indicators such as:

"On*<*@company.com> wrote:" and "*- Original message -*From:*<*@company.com>". Perhaps if I set up exclusions based on these wildcard rules it won't apply spam calculations against these inbound messages, for a given Default Policy, yet not open up avenues for real spam to exploit and get past the filter.


Any ideas?

4 Replies
wroche
Level 7
Message 2 of 5

Re: how to exclude legitimate inbound email replies

I noticed replies tend to have the following Header information:

In-Reply-To:*<*@servername.fqdnname>

So this might be a rule I can trigger on.

Suggestions?

rbrady
McAfee Employee
Message 3 of 5

Re: how to exclude legitimate inbound email replies

You can create a dictionary to look for the desired terms and have it add a negative number to the spam score. However, that does add a potential vector for spammers to try and slip more mail past the filter. There isn't a built-in way for MEG to know this is a real reply as opposed to someone faking it.

wroche
Level 7
Message 4 of 5

Re: how to exclude legitimate inbound email replies

I tried to create a dictionary with a negative value and the field provided for inserting a value doesn't appear to allow me to insert a - sign. I tried single digit, I tried copy and paste from Notepad. It won't take it. It doesn't matter, I'll play around with it. I think rather than a value, I'll just put it in as an allowance rule. I do understand it creates a potential hole for spam that illegitimately shapes the header, but I've done a fair analysis and have yet to see one hit our filter with this type of string in the header that isn't legitimate.

Re: how to exclude legitimate inbound email replies

Hi,

If you are on MEG 7.6 you can use spam rules for system-defined header analysis. Have a look at KB83588 for more information; it should help you in this scenario.
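An added example, not from any poster in this thread and not MEG functionality: it contrasts the wildcard `In-Reply-To` match proposed above with a check that the referenced Message-ID was actually issued by the organisation's outbound mail server. It assumes the outbound server stamps each Message-ID with an HMAC tag; the secret, the domain and all function names are hypothetical.

```python
import hashlib
import hmac
import re
import secrets
from email import message_from_string

SECRET = b"constructed-demo-key"   # assumption: secret held only by the mail servers
DOMAIN = "mail.company.example"    # constructed placeholder for servername.fqdnname
_ID_RE = re.compile(r"<([0-9a-f]{16})\.([0-9a-f]{20})@([^<>\s]+)>")

def _tag(nonce, secret):
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()[:20]

def make_message_id(secret=SECRET, domain=DOMAIN):
    """Outbound side: Message-ID of the form <nonce.tag@domain>."""
    nonce = secrets.token_hex(8)
    return f"<{nonce}.{_tag(nonce, secret)}@{domain}>"

def wildcard_match(raw):
    """The rule from the thread: any In-Reply-To that names our server."""
    value = message_from_string(raw).get("In-Reply-To") or ""
    return re.search(r"<[^<>@\s]+@" + re.escape(DOMAIN) + r">", value) is not None

def verified_reply(raw, secret=SECRET, domain=DOMAIN):
    """True only if In-Reply-To or References carries an ID we issued."""
    msg = message_from_string(raw)
    refs = " ".join(filter(None, [msg.get("In-Reply-To"), msg.get("References")]))
    for nonce, tag, dom in _ID_RE.findall(refs):
        if dom.lower() == domain and hmac.compare_digest(tag, _tag(nonce, secret)):
            return True
    return False

def inbound(in_reply_to):
    """Constructed sample of an inbound reply carrying the given In-Reply-To."""
    return ("From: someone@outside.example\n"
            "To: employee@company.example\n"
            "Subject: Re: quote\n"
            f"In-Reply-To: {in_reply_to}\n\nbody\n")

if __name__ == "__main__":
    genuine = inbound(make_message_id())
    faked = inbound("<0123456789abcdef.00000000000000000000@" + DOMAIN + ">")
    for name, raw in (("genuine", genuine), ("faked", faked)):
        print(name, "wildcard:", wildcard_match(raw), "verified:", verified_reply(raw))
```

A valid tag only shows that the ID was issued by the organisation; anyone who received the original message can reuse it, so a result like this is better treated as a score adjustment than as an unconditional allowance.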