I'd like to hear some other customers' experiences on the efficacy of the anti-spam rules/engine in MEG versus what you had run beforehand, or... just in terms of general user complaints.
For the customer I'm working with at present, they had migrated from Commtouch, and though Commtouch was like a sieve to a lot of the Fedex, UPS and various phishing shills, it did a pretty good job on general spam. In contrast, MEG7 in the month they've had it has been better on the phishes, but FAR worse on the general spam. They quarantine at a score of 5. Header annotation of the spam scoring details is enabled, and the ones getting through that look pretty obvious as spam are scoring quite low... even moving the score for quarantine down to 3 wouldn't catch a lot of these with the scores they're getting.
One enterprising user who's got a rather old and dirty email address is seeing that just shy of 25% of the mail MEG delivers to his mailbox ... is spam. 25%. He sought to prove his unhappiness with MEG and put a trial of Cloudmark on his Windows machine (it's a free-for-personal-use anti-spam product I'd never heard of... it runs on the Windows desktop) and found that Cloudmark correctly identified nearly all of the ones MEG missed as spam.
Whatever Cloudmark is doing in their detection and algorithms, I'd love to get MEG to do the same.
MEG support has reviewed the configuration and saw nothing amiss (config was done with POC sales engineer as well as Accuvant quickstart folks).
They have anti-virus, anti-spyware, and packers all enabled to drop.
Spam and phishing enabled, as well as a lot of the sender auth options:
higher detection threshold: enabled, highly suspect; 80, reject close and deny 10
lower threshold: enabled, suspect, 50, allow through monitor 10
RBL uses cidr.bl.mcafee.com
SPF, Sender ID, DKIM, FCrDNS
SPF: disabled (this customer doesn't publish an SPF record themselves, fwiw)
Sender ID and "add Sender ID to emails" are enabled; a failed Sender ID check adds 5, a pass deducts 10. (hrmmm.... )
DKIM's enabled; failing adds 5, passing subtracts 10.
Forward confirmed reverse dns is disabled. (?)
Cumulative score and other options
"Check the total added score:" disabled (?)
"Parse the email headers for sender address if behind an MTA" is set appropriately to the architecture (one path has this enabled so the MTA doesn't get GTI penalized for every spam it relays)
Support encouraged us to feed samples to the antispam team with the MCST plugin tool, which we have for some users, but that just seems like a reactive drop in the ocean when another competing tool is detecting these out of the box without needing to be spoon-fed samples from one user's 25% missed spam.
I'd welcome any experience or insight here, or comparative commentary on how your settings are and how happy the natives are at that level.
Thanks for any experiences or insight.
Message was edited by: Regis on 11/15/12 11:17:24 AM CST