
Prevent mass mailing worms from sending mail

Hi All,

Need expert advice on the following issue; any help would be greatly appreciated.

I am using a BI application on Windows Server 2003 which sends reports to end users by email. I have McAfee installed on the same server. For the past few months I have observed that sometimes the end users are not getting emails. After investigating further, I saw the following Event Viewer warning messages at the same time my BI application services were trying to send emails with multiple recipients.

Source: McLogEvent
EventID= 257
Description: Would be blocked by access protection rule(rule is in warn-only mode) (Antivirus Maximum protection protected cached files from password and email address stealers.)

Source: McLogEvent
EventID= 258
Description: Would be blocked by access protection rule(rule is in warn-only mode) (Antivirus Maximum protection prevent mass mailing worms from sending mail.)

After discussing this with my security admin he reviewed the McAfee logs and informed me that McAfee is not blocking any emails and these are just warning messages and we can ignore these.

Please let me know what these warning messages mean.

Thanks a lot for your help.

Regards,

Sohel

6 Replies

Re: Prevent mass mailing worms from sending mail

To add, we have also unchecked "Prevent Mass Mailing Worms from sending mail (PORT 25)" by following these steps:

- Right-click on the McAfee Shield
- Select the VirusScan Console
- Double-click Access Protection
- Under Ports to Block, uncheck "Prevent Mass Mailing Worms from sending mail (PORT 25)"

alexn

Re: Prevent mass mailing worms from sending mail

Hi,

Both rules are of much importance, specifically "Prevent Mass Mailing Worms from sending mails". This rule protects you from SPAM email attacks.

For both rules mentioned above, you must have seen a process which is blocked by these rules; simply add that process under "Excluded process" if you think that this process is from our legitimate application.

Enable this rule by selecting Block and Report, and add exclusions. This is good practice.

Alex

petersimmons

Re: Prevent mass mailing worms from sending mail

I'd just turn it off. It was interesting in 2005-2007, but these days all it does is interfere with server applications sending email. I don't see any value in its use these days.

pato

Re: Prevent mass mailing worms from sending mail

I actually see one value. It protects your company from receiving possible negative press because your clients were sending spam (which this would block). Or maybe from your company IP range getting onto a spam blacklist, preventing your company from sending legit emails for a certain time.

But that's about it.

Re: Prevent mass mailing worms from sending mail

Thank you all for your responses; it's greatly appreciated. I shall discuss this with my security admin and will update you guys in case of any queries.

Cheers,

Sohel

apoling

Re: Prevent mass mailing worms from sending mail

Hi,

I'd like to complement all comments here.

In my opinion using an Access Protection rule only makes sense if you use both Block and Log. Using Block (unmonitored) only obviously makes no sense (apart from the case when you are a kamikaze blocker) and using Log only is only meaningful when you want to test a rule before you actually turn it fully on.

If your email environment is secured with respect to which client can connect to your SMTP server or email infrastructure, then turning off the "Prevent mass mailing worms from sending email" rule might be justified, but only selectively: if you have mobile clients, do not turn this rule off in their VirusScan policy.

There is a document on Access Protection rules available, should you be interested, here:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/20000/PD20870/en_US/...

Attila
