4 Replies Latest reply: Apr 5, 2013 4:51 PM by pm_nate

    SaaS Email Protection & Continuity - Incorrect Malicious Email Detection


      Thought I would throw this question out here, seeing as the tech support script robots are driving me crazy by failing to answer my questions sensibly.


      I recently had a customer sign up for this service, a financial services organisation; they send emails in batches every day to their customers, several thousand emails at a time.


      Thursday last week they got a notification that their outbound email had been blocked due to "malicious email activity".


      Now, bear in mind, they are PCI DSS compliant, they have multiple firewalls, they have security scans and anti-virus running on every machine; they are as clean as a whistle when it comes to viruses and trojans, they have to be.


      The McAfee tech sent a spreadsheet with a list of over five hundred emails that had been identified as being "malicious".


      I sat down with two of the directors of this company and we looked at each "malicious" email; they were all emails sent from their systems to their customers regarding customer accounts, they were all valid and correct emails, none of them were malicious.



      After much prodding the McAfee techs turned the service back on and sent out a templated email with this warning attached:


      "If outbound email problems continue to originate from your IP address after service has been reinstated, it will be removed again, and requests for a second reinstatement are rarely approved."


      My question is this: They sent no malicious emails, therefore there was nothing they could change about their email activity, so if they start emailing again via McAfee is this just going to happen again? Are McAfee incapable of telling the difference between a company contacting its customers via email and a spammer? Do they work on volume? Is there a limit on how much email can go through SaaS?



      I have had no luck getting a sensible response; if I phone tech support I get a scripted response from whomever I talk to, telling me to answer questions, and we go round and round in circles. I cannot get past the scripted phone support people.


      I tried partner support they told me to call tech support - utter waste of time.



      I need to know if this is a one off or if it is just a waste of time using the SaaS service for this volume of email traffic.



      At the moment it's looking like my customer has wasted their money or at least my money as they are refusing to pay the bill now as they have no faith in McAfee to be able to support their email volumes.


      I'm just glad I didn't sign up one of my other clients who was interested; much bigger, 200 mailboxes, 20K emails a day.

        • 1. Re: SaaS Email Protection & Continuity - Incorrect Malicious Email Detection
          Brad McGarr

          Hi Simon,


          Without knowing the specifics of your case I can only offer general guidance. If you'd like to send me your service request number privately I can look up the details to get a more accurate insight. The crux of the matter is that these messages may be violating the McAfee Terms and Conditions (http://www.mcafee.com/us/about/legal/saas-terms.aspx). The Standard Terms and Conditions define Bulk Email as "a group of more than one hundred (100) Emails with substantially similar content." The McAfee SaaS Email Protection Supplemental Terms and Conditions go on to state:


          • ADDITIONAL CUSTOMER OBLIGATIONS. Customer's Email systems are directly and permanently connected to the Internet with a fixed IP address. Customer agrees not to: (i) transmit through the Services any Junk Email, Viruses or Bulk Email; (ii) allow its systems to serve as an Open Relay; (iii) transmit obscene or pornographic material; (iv) impersonate any person or entity or falsely state or otherwise misrepresent an affiliation with a person or entity (each of which shall be included in the definition of "Prohibited Use").


          (Emphasis Added)


          This is the most likely cause of an outbound abuse case being opened.


          Let me know if you have any questions.

          • 2. Re: SaaS Email Protection & Continuity - Incorrect Malicious Email Detection

            Hi Brad,


            I guess they fall foul of the bulk email rule then; they use an in-house bespoke software system to manage customer accounts, which auto-generates letters that are sent via email to customers referencing their account status and asking them to call the office.


            Those letters are templated, so apart from the person's name, account reference and balance information a lot of the emails will look the same. Obviously they have lots of different templates, but in one batch several hundred emails may have the same template applied.


            That 100 email rule pretty much means the majority of my customers won't be able to use this service, but then I'm guessing with a rule like that the SaaS service is more aimed at very small companies that don't send a lot of emails.


            Got to say I'm really surprised you have that low a threshold; that's exceptionally limiting in this day and age, and doesn't exactly make this product competitive with the other big email filtering providers. The 20K emails a day customer I mentioned previously goes through one of your main competitors, and they send templated emails and have never had a complaint.


            Unfortunately it means I won't be selling this to the other two customers who were interested; I know they both send a lot of templated marketing emails to clients, so they would trip over this rule in no time.


            Anyway, thanks for pointing me in the right direction, at least I can tell this customer the reason as to why they got blocked.




            • 3. Re: SaaS Email Protection & Continuity - Incorrect Malicious Email Detection
              Brad McGarr

              You're welcome Simon.


              The Terms & Conditions are designed to protect the integrity of the shared IP addresses. Bulk mailing substantially increases the possibility of an IP address being blocked, due to improperly audited mailing lists resolving to too many invalid email addresses or addresses that are spam-traps, and recipients reporting those messages as spam, resulting in a shared IP being blocked. When a shared IP is blocked for any reason by other providers, it greatly and unfairly impacts other customers, which is why we encourage organizations who need to do bulk mailing either to use a third-party service that can manage their mailings, or to not use the outbound filtering for the servers responsible for bulk mailing.

              • 4. Re: SaaS Email Protection & Continuity - Incorrect Malicious Email Detection



                Thanks for your patience. I will shed some light on our outbound policy: We don't block outbound traffic based on volume, although we don't go out of our way to encourage customers to bulk mail through the service either, which is why things have sounded conflicted. Apologies for that.


                Here's why we don't encourage it: We have many customers that send bulk mail through the service without disruption, so we're concerned less about volume than we are about how many complaints that traffic generates. Therefore, our outbound shut-down policy, in the rare instances that it has to be used, is complaint driven, and it is implemented this way because we have to protect the reputation of our IP space. This is the case with most of the major service providers because our customers share IP space for outbound delivery. So to a small degree we are at the mercy of the opinions of the masses, which is also true for most service providers. For example, if a customer sends lots of bulk outbound email through the service that thousands of the recipients consider spam, they will report this to their service provider (say it's GMail for sake of argument). At some point GMail will get tired of these complaints and block our IPs because now they consider us a bona fide spam source. Obviously, we can't have major service providers labeling us as a spammer and blocking us, because it stops thousands of other customers from being able to email GMail recipients. Now, why do these users think it's spam? We have no idea, but there are some contributing factors that might be able to be avoided.


                1. Whenever possible, hire a 3rd party to send it. Legitimate bulk mail senders are good at sending this stuff without attracting the wrong kind of attention. I doubt this is possible in the case you described, but it should always be considered.

                2. Isolate the sending IP of the bulk mail from the corporate mail. Even if you were sending all your outbound mail directly, without routing through a filtering service, you should *never* send bulk mail from the same IP address as the corporate mail. The risk to your IP reputation is simply too great, and you risk the "deliverability" of your corporate mail, which could hinder your business more so than the deliverability issues with the bulk mail. If you continue to use us for outbound scanning, which I hope you do, it's probably best if you do not route the bulk mail through the service, but the corporate mail should be fine.

                3. Consider implementing and monitoring DMARC/SPF/DKIM. It could be that the reason this email is generating lots of complaints is that the customer in question is a phishing target, and users simply don't trust your mail because it's been drowned out by phishing. I've worked with several major corporations that have this issue. Most are implementing DMARC to help understand the depth of the issue and attempt to address it. There are companies who specialize in DMARC and deliverability. It's a completely separate discipline from email security.

                4. Lots of companies send bulk mail and try to follow the rules by including an unsubscribe link, but then the unsubscribe doesn't work. When a user unsubscribes from a bulk mailing and the unsubscribe is not immediately honored, you go from trusted vendor to spammer in 24 hours or less in their minds. They will report you as a spammer upon the next mailing, usually the next day. Make sure the unsubscribe process is effective and simple.


                There's probably more that could be said about this topic but I will leave it at that. I hope you find this useful in working with your customer's needs.





                Sr. Product Manager





                Notice: The information contained herein is for informational purposes only and should not be deemed an offer by McAfee or create an obligation on McAfee. McAfee reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations.


                Message was edited by: pm_nate on 4/4/13 5:26:44 PM CDT


                Message was edited by: pm_nate on 4/5/13 4:51:20 PM CDT
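Added example for points 2 and 3 of the reply above (SPF/DKIM/DMARC and sending through a shared filtering IP). This is editor-written illustration code, not code from the thread, from McAfee or from any DMARC product. It evaluates SPF, DKIM alignment and the DMARC disposition entirely offline: the `ZONE` dict stands in for DNS TXT lookups, and every domain, IP address and selector in it is invented. The organizational-domain rule (last two labels) is a simplification of the public suffix list and is marked as an assumption in the code. The point it shows is the one the reply makes: when a filtering service rewrites the return path to its own domain, SPF alone no longer aligns with the customer's From domain, and a DKIM signature under the customer's domain is what keeps a p=reject policy from rejecting their own mail.

```python
"""Offline SPF / DKIM-alignment / DMARC evaluation on constructed DNS data.

Editor-added example, not from the forum thread. ZONE replaces real DNS;
all domains and IPs are hypothetical (RFC 5737 documentation ranges).
"""
import ipaddress

# Constructed TXT records standing in for DNS (all names/IPs hypothetical).
ZONE = {
    "example-finance.test": {
        "spf": "v=spf1 ip4:203.0.113.10 include:_spf.filter-provider.test -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-finance.test; adkim=r; aspf=r",
    },
    "filter-provider.test": {"spf": "v=spf1 include:_spf.filter-provider.test -all"},
    "_spf.filter-provider.test": {"spf": "v=spf1 ip4:198.51.100.0/24 -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` against `sender_ip`.

    Handles ip4/ip6/include and the terminal 'all'; returns the SPF result
    string. Recursion depth is capped at 10 like the RFC 7208 lookup limit.
    """
    if depth > 10:
        return "permerror"
    record = ZONE.get(domain, {}).get("spf")
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term == "all":
            return result
        mech, _, arg = term.partition(":")
        # ip4/ip6: a version mismatch simply does not match.
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return result
        if mech == "include" and spf_check(arg, sender_ip, depth + 1) == "pass":
            return result
    return "neutral"  # no mechanism matched and no 'all' terminal


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC uses
    # the public suffix list; this shortcut is wrong for e.g. example.co.uk.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_evaluate(from_domain, mail_from_domain, sender_ip,
                   dkim_domain=None, dkim_valid=False):
    """Return (disposition, details) for one message.

    from_domain      : domain in the RFC 5322 From header (what DMARC protects)
    mail_from_domain : SMTP envelope sender domain that SPF is evaluated on
    dkim_domain      : d= of a DKIM signature that already verified (if any)
    """
    record = ZONE.get(from_domain, {}).get("dmarc")
    if not record:
        return "none", {}
    tags = parse_dmarc(record)
    spf = spf_check(mail_from_domain, sender_ip)
    spf_ok = spf == "pass" and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = bool(dkim_valid and dkim_domain
                   and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    disposition = "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")
    return disposition, {"spf": spf, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


if __name__ == "__main__":
    # Corporate mail relayed via the filtering service (return path rewritten):
    # SPF passes for the provider's domain but does not align; DKIM saves it.
    print(dmarc_evaluate("example-finance.test", "filter-provider.test",
                         "198.51.100.7", "example-finance.test", True))
    # Same relay without a DKIM signature: the customer's own p=reject bites.
    print(dmarc_evaluate("example-finance.test", "filter-provider.test", "198.51.100.7"))
    # A spoofed From from an unrelated IP: SPF fails, no DKIM, rejected.
    print(dmarc_evaluate("example-finance.test", "example-finance.test", "192.0.2.5"))
```

Run it with no arguments; the three printed tuples show the relayed-with-DKIM case passing, the relayed-without-DKIM case hitting `reject`, and the spoof being rejected. The same logic applied to real DMARC aggregate (`rua`) reports is how the "phishing target" question in point 3 gets answered: a high volume of SPF/DKIM failures from IPs the customer does not own is the signature of someone else sending as them.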