7 Replies Latest reply: Feb 11, 2013 10:51 AM by pm_nate RSS

    Providing the Best Level of Spam Protection


      In providing the best level of spam protection using Saas Email Security, I found that the following settings work for me.


      1. Add all vaild domains you receive email from in your Sender Allow list.
      2. Setup to deny any emails that fail SPF validation. Though, many organizations do not maintain existing SPF records, or even have one setup. Every organization should have to which prevents spammers from delivering forged emails using you corporate email addresses.
      3. Setup to Quarantine Graymail.


      Using these simple techniques, your organization will stop receiving all the spam and bulk emails, or Graymail, that clog our inboxes and ruin employee productivity.


      Please add to this list, as it's definitely not listing all the settings you could use. Just a small subset that is will not overly impact valid email flow.

        • 1. Re: Providing the Best Level of Spam Protection

          Graymail is a new feature I hadn't noticed before. The documenation I've found about it (primarily the online help for that area of the policy admin interface) doesn't describe how graymail is defined/detected in the McAfee/MX Logic system. Anyone have a pointer to detailed info?

          • 2. Re: Providing the Best Level of Spam Protection



            The below info is from Nov 2012 enhancement,


            Spam is easy to define – unsolicited email that arecipient does not want nor has asked to receive – unlike ‘graymail,’ which isusually legitimate bulk mail that was requested by the user in the past, but isno longer wanted by the user. Graymail is generally not considered spam, yet itcan represent a significant nuisance to recipients, and it often includesunsubscribe options that do not work.


            New in this release is a pre-built content policy thatcan be leveraged to easily identify and block graymail.

            McAfee has identified four sources of Graymail that willbe addressed by the new filter:

            1.Legitimate bulk email that a user once wanted but nolonger wants and is now viewed as annoying

            2.Vendors who obtain the email address of an individualand sign them up for emails that the user would normally opt into

            3.Customers attending trade shows who are asked toregister with vendors to win items. Per the agreement for the show, thisresults in a marketing opt-in

            4.Opting into a bulk mail feed that automatically addsthe user into additional, unrequested feeds


            Attributes of graymail filtering include:

            1.When enabled, graymail is aggressively filtered by thespam filter and shows up as spam in the Spam Quarantine and in reports.

            2.User-level and admin-level Allow lists bypass graymailfiltering

            3.Any user that opts into the Graymail filter andreceives a false positive resulting from the filter should add the sender totheir Allow list if needed. Do not report graymail triggers as a falsepositive.

            4.Blocked/denied graymail is logged in Message Audit asspam, and displays as a spam content keyword violation.


            Additional info:



            Hope this information helps.




            • 3. Re: Providing the Best Level of Spam Protection

              Thanks for the reply JP. I understood graymail conceptually, as you describe. I was looking for details on how McAfee actually identifies it. Do you just add graymail samples to your heuristic filters, and in that regard this feature is simply a more aggressive spam filter (i.e. capture on a lower spam score)?


              Also, you mention users being able to opt into Graymail filtering, but our users don't see such an option. I don't see an admin policy option to enable that for users, just to turn on graymail tagging/quarantine/etc globally. Anything I'm missing here?

              • 4. Re: Providing the Best Level of Spam Protection

                The way we will identify messages as Gray mail, they will go through the spam filter and we will take your Gray mail action that you select, when we find the phrases listed below.

                Note: The below Words and Phrases can be changed at any time.


                - Content removed by Administrator -



                If you want this for few users, you may need to create a group that will include the individuals and then create a new policy and apply the policy using group subscription.

                Hope this helps!





                Message was edited by: JJAYARA on 12/6/12 1:47:02 PM CST


                EDITS: My apologies. This content was not intended for public consumption, and has been removed at the request of Messaging Security.


                Message was edited by: SPyron on 2/7/13 11:47:22 AM CST
                • 5. Re: Providing the Best Level of Spam Protection

                  Excellent, that's the level of detail I was looking for. Thanks very much!

                  • 6. Re: Providing the Best Level of Spam Protection

                    Be careful with this though. I first started Graymail prior to adding most of my domains under the Sender Allow List, and many valid emails from coming in.

                    • 7. Re: Providing the Best Level of Spam Protection

                      While we're on the subject of graymail, I can provide some insight on our logic behind the graymail feature.


                      Q. What is the technical difference between graymail and spam?

                      A.The thread above does a good job of describing how McAfee defines graymail but it doesn't address the fundamental technical difference between graymail and spam. The difference is this: Spammers actively try to defeat spam filters and graymail senders generally don't. Graymail senders do try to optimize for deliverability but that's not nearly as aggresive a posture as a spammer takes. What this means is that blocking graymail is a much more static process than blocking spam, which is a very clostly and dynamic process. Another key technical difference is that graymail is not malicious. It's uncommom for graymail to have intentionally malicous content or links while spammers include such things all the time.


                      Q. Do spam and graymail have anything in common?

                      A.Yes, both often have unsubscribe processes that result in more email, not less.


                      Q. Why can't I select from various levels of graymail filtering?

                      Imagine if there were 4 settings for the graymail filter instead of 1, then consider this conundrum: United Airlines (not picking on United intentionally) sends lots of newsletters and this is definitely graymail. Let's say graymail filtering is set to level 1 (the weakest setting). What happens on our end is we get support calls from hundreds of customers. Some think that United belongs in level 1 and they give us a pat on the back, others disagree and think that United shouldn't be blocked until level 2, and others may feel that United should be blocked until level 4, and so forth. We eliminate this subjectivity by simply blocking all graymail when the filter is enabled. Then, if there is a piece of graymail you want to receive, you simply look for it in your spam report and click the "always allow" link and now you've successfully customized the graymail filter to allow the few pieces you want. This method eliminates all subjectivity and guesswork involved in trying to determine why some senders are blocked at a certain level and others aren't.


                      Q. Should I use the Graymail Filter?

                      A.The easiest way to help a user determine if they should enable the graymail filter is to point out these options:

                      • If you want to receive more graymail than you want to block, I would recommend not using the filter and instead just add the few graymail senders that you don't want to the sender deny list.
                      • If you want to block more graymail than you want to receive, then I would recommend turning the graymail filter on and then add the few graymail senders that you want to the sender allow list.


                      Q. I'm an IT administrator. Why should I care about the graymail filter solution?

                      A.When we developed this feature, it was in response to large customers with angry executives who considered increasing volumes of graymail as annoying as spam. Naturally, these IT folks wanted to make these executives happy and we wanted our buyers (the IT folks) to be heros in the eyes of their executives. So, my answer is that you should care because it's features like this that can make you a hero to your management. Ask around, and we think you'll find that your users are annoyed by this stuff and when you judiciously implement the graymail filter taking into account the advice above, I think you'll make your users very happy.


                      Q. Graymail sucks, why doesn't everyone want to block it?

                      A.It's all about user perception. Most users don't yet consider graymail as annoying as spam and do not want it blocked by default. In cases where the user is angry about graymail, graymail filtering is perceived as a positive, but this is still the minority of users, for now.


                      Q. Why can't users turn on graymail filtering in the Control Console??

                      A. Users can now toggle graymail filtering (when allowed by policy) as of the Feb 11 2013 release!



                      Hope this helps!




                      Notice: The information contained herein is for informational purposes only and should not be deemed an offer by McAfee or create an obligation on McAfee. McAfee reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations.


                      Message was edited by: pm_nate on 2/7/13 5:42:12 AM CST


                      Message was edited by: pm_nate on 2/11/13 10:51:51 AM CST