5 Replies Latest reply on Jan 24, 2013 12:10 PM by Regis

    Anti-spam effectiveness of MEG  - your experience? your options?

    Regis

      Greetings,

       

       

      I'd like to hear some other customers' experiences on the efficacy of the anti-spam rules/engine in MEG versus what you had run before hand, or... just in terms of general user complaints.     

       

      For the customer I'm working with at present, they had migrated from Commtouch, and though Commtouch was like a sieve to a lot of the Fedex, UPS and various phishing shills,  it did a pretty good job on general spam.   In contrast, MEG7 in the month they've had it has been better on the phishes, but FAR worse on the general spam.  They quarantine at a score of 5.  Header annotation of the spam scoring details is enabled, and the ones getting through that look pretty obvious as spam are scoring quite low... even moving the score for quarantine down to 3 wouldn't catch a lot of these with the scores they're getting.  

       

      One enterprising user who's got a rather old and dirty email address is seeing that just shy of 25% of the mail MEG delivers to his mailbox ... is spam.    25%.     He sought to prove his unhappiness with MEG and put a trial of Cloudmark on his windows machine (it's a free for personal use anti-spam product I'd never heard of...it runs on the Windows desktop) and found that Cloudmark correctly identified nearly all of the ones MEG missed as spam.  

       

      Whatever Cloudmark is doing in their detection and algorithms,  I'd love to get MEG to do the same.  

       

      MEG support has reviewed the configuration and saw nothing amiss (config was done with POC sales engineer as well as Accuvant quickstart folks). 

       

      They have anti-virus, anti-spyware, and packers all enabled to drop. 

      Spam and phishing enabled, as well as a lot of the sender auth options: 

      Sender auth: 

           message reputation  

                higher detection threshold: enabled, highly suspect; 80, reject close and deny  10

                lower threshold threshold: enabled, suspect, 50, allow through monitor  10

           RBL uses cidr.bl.mcafee.com

           SPF Sender ID  DKIM FCrDNS

                SPF: disabled (this customer themselves doesn't publish an spf record themselves fwiw)

                Senderid and add senderid to emails is enabled and failed sender id adds 5 if failed, deducts 10 if passed.    (hrmmm.... )

                DKIM's enabled    failing adds 5,  passing subtracts 10.

                Forward confirmed reverse dns is disabled.   (?)

            Cumulative score and other options

                "Check the total added score:"  disabled          (?)

                Parse the email headers for sender address if behind an MTA is set appropriately to the architecture (one path has this enabled so the MTA doesn't get GTI penalized for every spam if relays)

       

      Support encouraged us to feed samples to the antispam team with the MCST plugin tool, which we have for some users, but that just seems like a reactive drop in the ocean when another competing tool is detecting these out of the box without needing to spoon fed samples from one users' 25% missed spam.  

       

      I'd welcome any experience or insight here, or comparative commentary on how your settings are and how happy the natives are at that level. 

       

      Thanks for any experiences or insight.

       

      Message was edited by: Regis on 11/15/12 11:17:24 AM CST
        • 1. Re: Anti-spam effectiveness of MEG  - your experience? your options?

          Hi Regis,

           

          I have MEG 7 setup for my users and I have heard nothing but complaints since switching from Postini.  MEG 7 does a pretty rotten job of blocking spam as a whole and every one of my customers has let me hear about it.  Even my boss who was the first one to suggest MEG 7 is asking me to do something about the obvious spam that gets through.  I am in the same boat as you, dropping the spam scoring really wouldn't catch anything because the obvious spam scores extremely low.  If I were to lower it, it would just catch normal mail.

           

          I have noticed it is a little bit better since I updated to 7.0.2 and changed a few sender authentication settings.

           

          I have found that GTI and sender reputation is the best way to determine if the email is coming from a legitimate source first before even having to rely on the spam filter.  Here are my settings:

           

          Phish - Virus normal,  Spam set to 5 Quarantine >10 just dump.

           

          Sender Auth GTI I have 50+ to be blocked

          GTI of 20+ get a score of +10 cumulative

           

          RBL I use zen.spamhaus.org

           

          For me I use an SPF records check as SPF Fail = +5 cumulative SPF Pass= -2

          I dont use SenderID

          I dont use DKIM

          I use the rDNS as fail = +5 cumulative pass= -2.

           

          My combined score is 10 and up gets dumped.

           

          The way I have it setup here is that if you have a spammy IP you get 10 points.  You need to pass both the SPF and the rDNS to then get your message through.  I believe the way you have set yours up the McAfee box is adding points and subtracting points, but the cumulative total has no action on it.

           

          EDIT: If a message gets block because of your cumulative score it will say Blocked: Sender Authentication Threshold.  If you do not see that happening at all, then those settings are doing nothing IMO.

           

          Hope this helps a bit.

           

          Loomis

           

          Message was edited by: loomis on 11/16/12 12:45:33 PM CST

           

          Message was edited by: loomis on 11/16/12 12:49:12 PM CST
          1 of 1 people found this helpful
          • 2. Re: Anti-spam effectiveness of MEG  - your experience? your options?
            Regis

            Loomis, thanks for your input.  Seems your users are about as happy as this company's users are since MEG went live.

             

            Q: do you have many false positives when using the zen RBL?  That's their most aggressive rbl right?

             

             

            I'd be curious of others who've recently switched from something else. 

            'm trying to raise the issue constructively with the anti-spam team and try to get to the bottom of why the spam situation is so bad. 

            • 3. Re: Anti-spam effectiveness of MEG  - your experience? your options?

              I'll have to say that I hated MEG 7. All my costumers that have migrated to 7 version started complaning about several spam coming in. Besides, MEG 7 dropped several features that 6.72 had, Mail Firewall, for example. And it's hard to understand on MEG 7 how the score is applied, I mean what let the message to be consired a spam, the sum of the points, you can look up on the header of the messages on Outlook, but you can't see it as whole at MEG 7 console. That is one thing that I'd be helpful to adjust the config to catch more or less spam. The only thing that got better is the interface.

               

              In my opinion, this product has a lot to be improve to become competitive. MEG 6.7.2 was a lot better, although there is a 7.5 version that I didn't try yet.

               

              HTH,

               

              Xavier

              • 4. Re: Anti-spam effectiveness of MEG  - your experience? your options?

                Hi Regis,

                 

                I have gone round and round with support and my own testing and have found this to be the best solution (my clients are much happier).

                 

                I have setup two main policies that I use, one is the default and one is bypass GTI.

                 

                Default Policy:

                 

                The most effective way to combat massive spam is to make the higher GTI score custom and set it to 35.  Set it to reject, close, deny connection.  No normal IP should score above that score and even with 500 clients constantly sending and receiving email I have almost no issues with this low a setting. 

                 

                **** This next setting is how I'd like to have it run but it is not currently working with McAfee so leave the lower setting off or configure to your liking *****

                 

                I then setup the lower GTI score to 20 and add to cumulative score +10.  I then have SPF checks +5 if fail -2 if pass and DKIM checks +5 if fail -10 if pass (The negative scores dont seem to work right as of this post).

                *********

                 

                I then have the spam scoring left at the default level.  I went into compliance and DLP and created a new dictionary called bounce with the wildcard term *bounce* applied to the envelope from, sender.  Most mass mailers and newsletters and basic junk crap nobody wants has bounceback notification and therefore bounce in the email address.  I then created a second dictionary called Score Drop and I put legitimate messages with bounce in there such as: term ending with @bounce.r.groupon.com.

                 

                I went to the default policy and turned on compliance.  If the dictionary bounce is hit you add +4 to the spam score (default is 5 so as long as it is very legit it wont get quarantined).  If the dictionary Score Drop is hit you add -4 to the spam score effectively cancelling the +4 for bounce.

                 

                Now for the second policy GTI Bypass you need to remember that no matter what GTI settings you put on any policy besides the default it doesn't matter unless the policy is defined by source IP.  If you use email addresses like *groupon.com it will still use the default policy for GTI scoring before using your defined policy for the spam scoring.  You must use source IP addresses for this policy to get different GTI scoring to work.  For instance "Source IP is 192.168.0.1" or "Source IP is in 192.168.0.0/24".  Setup GTI Bypass to be default and only block highly suspect GTI scores (Over 80), default spam scoring, and turn off compliance.  Add any legit IP addresses that get blocked by default to the GTI Bypass Policy.

                 

                Now any message that gets blocked and needs to go through you put the source IP within GTI bypass and leave the rest to default.  Add any newsletters and mass mailings that are legitimate to the Score Drop dictionary by using the @domain.blah.com and setting it to be and ends with term.

                 

                This worked really well for me so hopefully it works better for you.

                 

                Message was edited by: loomis on 12/12/12 5:57:33 PM CST

                 

                Message was edited by: loomis  -- Fat fingers and typos on 12/12/12 6:00:33 PM CST
                1 of 1 people found this helpful
                • 5. Re: Anti-spam effectiveness of MEG  - your experience? your options?
                  Regis

                  Thanks Loomis,

                   

                  I wanted to circle back in this thread and give some credit where credit is due -- in December ish,  apparently a couple new GTI classifiers came on-line in mcafee's cloud.  We've seen an enormous improvement in anti-spam efficacy since then.

                   

                  The other thing that helped was shutting down a backup lower-priority MX that forwarded mail to the MEG.  Despite several reviews of the MEG configuration with McAfee saying our rules were right,   it became very interesting to see how much spam fell off when that backup MX went offline.  Now, that could be that spamming companies that had locked into the backup mx suddenly went away and cut our volume tremendously, I'm not sure, but there is a lot less crap getting through now since December.  

                   

                  Working with support and the anti-spam team, I'd like to credit the new GTI classifiers with most of that.