rimike Newcomer 3 posts since
Apr 24, 2013

Apr 24, 2013 12:22 PM

No real whitelisting capabilities

This is more of a rant than a question, but one of our customers recently experienced an issue where a whitelisted sender's mail was being bounced due to IP reputation.

The sender uses a hosted email service so it's rather out of their control if an IP gets flagged as a source of spam.

Technical support said that there are filters in place that do not honor whitelists, which seems like a major design flaw in the service.

The entire point of a whitelist is to always allow mail from a sender or domain through to avoid it being flagged as a false positive.

Also, all email should be quarantined for user review; it's a horrible practice that legitimate mail will get bounced back to the sender without the recipient having a chance to review it and allow it through if it's legitimate mail.

Hopefully someone that works at McAfee reads these forums; we are seriously considering dumping this service due to this issue.

  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012
    1. Apr 26, 2013 5:10 PM (in response to rimike)
    Re: No real whitelisting capabilities

    Greetings rimike,

    The Sender Allow List only covers messages scored for spam, or triggering on the content keyword filters. There are situations though outside of that where messages will be blocked regardless of an allow list entry. So yes, you are correct there is no 'absolute, send everything from this domain my way without checking it' whitelist. Viruses, rolling block list entries, or attachment violations are outside of the allow list purview. This is done to limit security loopholes created by allow list entries. Commonly a major source of delivered spam is allow list entries without SPF Record Checking being compromised by spoofing or a hacked server.

    Whether or not a message is quarantined is governed by the inbound policy. Within the policy, under Spam, you can choose how the filter will handle violations of two of the three spam thresholds, medium and high. If you would like, you can set these both to quarantine. Critical spam, though, will always be denied (that is, not quarantined, and sent back to the sender) unless the sender or sender domain is allow listed.


    Brad McGarr
    McAfee SaaS Email & Web Protection
    Technical Support Technician I (Legacy & Partner Support)
    Microsoft Certified Professional
    Microsoft Technology Associate - Windows OS | CompTIA A+ Certified Technician | CIW Web Foundations Associate
    Visit my blog: Brad's Corner - Insights from SaaS Email & Web Security Support https://community.mcafee.com/blogs/brad-denver

    Frequently Requested Information
  • Brad McGarr McAfee Employee 154 posts since
    Dec 4, 2012
    3. Apr 26, 2013 5:54 PM (in response to rimike)
    Re: No real whitelisting capabilities

    rimike,

    I appreciate the concerns you have, and understand how valuable a tool email is. The 2-hour and 30-minute rolling block lists are defensive and responding to potentially malicious actions, e.g. a high rate of non-deliverable email that resembles a directory harvest attack, which not only creates additional risk to you and our other customers, but creates unnecessary load on our MTAs.

    I would have to disagree with you though on the comment regarding "people would rather deal with potential spam from a whitelisted address than have legitimate email blocked." I handle several cases a week personally where a whitelist entry allowed spam and phishing attacks in. On the surface it would seem like an "allow everything" list would work well, but in practice it creates too many legitimate risks for organizations. Remember, the filter is designed with end users who are not technical in mind, many of whom mistakenly fall victim to phishing attacks or click on URLs and download virus payloads. End users often do not have the proper training to distinguish a risk masquerading as a trusted sender from legitimate email, and those are the situations we aim to protect networks from.

    I'm sorry to hear that the SaaS Filter does not perform the way you would like. I'm not personally aware of any services that have an 'allow all from this sender with no filtering' option; all filters are going to provide a layer of protection to allow listed addresses because of the issue with compromised servers and spoofing.


    Brad McGarr
    McAfee SaaS Email & Web Protection
    Technical Support Technician I (Legacy & Partner Support)
    Microsoft Certified Professional
    Microsoft Technology Associate - Windows OS | CompTIA A+ Certified Technician | CIW Web Foundations Associate
    Visit my blog: Brad's Corner - Insights from SaaS Email & Web Security Support https://community.mcafee.com/blogs/brad-denver

    Frequently Requested Information
  • frankm Apprentice 62 posts since
    Jan 10, 2013
    4. Apr 29, 2013 7:52 AM (in response to rimike)
    Re: No real whitelisting capabilities

    @rimike - When using a shared IP network, that is one of the risks a business lives with and needs to work with their data provider on cleaning up their IP netblock. When dealing with global IP issues as McAfee does, and they are not the only providers that do this, the benefits significantly outweigh any potential downside.

  • pm_nate McAfee Employee 17 posts since
    Dec 6, 2012
    6. Apr 30, 2013 1:58 PM (in response to rimike)
    Re: No real whitelisting capabilities

    Just a few additional thoughts on this topic that might be helpful:

    This feature is like the gas pedal on a modern car: When you stomp on the gas pedal on an icy day you are telling the car to go to full throttle, even though this is not a good idea. Cars with traction control will temper that "full throttle" command in order to save you from spinning out and wrecking your car. It is able to do this because the car is able to analyze and react to conditions faster and more efficiently than the driver.

    This is exactly the value that system level blocking delivers. These system level blocks are not only beneficial to customers, they are absolutely essential. Without this capability, we wouldn't be providing adequate attack protection. When these attack events occur, we're not talking about a few thousand messages a day. We're talking about millions of messages an hour. When someone tries to send 270+ messages every single second to one of your customers, you deny it. If we pass that traffic we will DoS our own customer. Clearly, this is unacceptable. Therefore, the only possible response is to block the sender at the IP level for a short period because you are effectively dealing with a denial of service attack. When someone performs a DoS attack on your customer, the appropriate response is to eliminate that threat regardless of the customer's "happy path" posture to the sender. These special events rarely mean that legitimate mail is impacted, as these attacks usually come from rogue IPs, not to be confused with legitimate mail providers, many of whom have rate limiting safeties in place to prevent such floods from being initiated from their networks. Also, there is no way to quarantine this much mail. Imagine an end user getting a spam report with 16,000 messages in it. It would render the report useless. Every service provider has this capability and uses it on a regular basis. There is no way to operate without this capability. Whether or not they are as honest and up front with their policies as us is an entirely different issue.

    Nate Fitzgerald

    Senior Product Manager, McAfee

    Notice: The information contained herein is for informational purposes only and should not be deemed an offer by McAfee or create an obligation on McAfee. McAfee reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations.

    Message was edited by: pm_nate on 4/30/13 1:58:44 PM CDT
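A constructed model of the filter ordering that Brad's and Nate's replies describe: system-level rate blocks and virus/attachment checks run before the allow list is consulted, an allow list entry is only honoured when SPF passes (if SPF checking is on), medium and high spam actions are configurable, and critical spam is always denied unless the sender is allow listed. This is an added illustration, not McAfee's code; the score thresholds (50/75/90), the action names and the simple per-IP counter standing in for the rolling block list are assumptions, while the 270 messages-per-second figure comes from Nate's post.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Message:
    sender_ip: str
    sender_domain: str
    spf_pass: bool      # result of the SPF check for sender_domain
    has_virus: bool     # virus or attachment-policy violation
    spam_score: int     # constructed 0..100 scale


@dataclass
class InboundPolicy:
    allow_list: set = field(default_factory=set)
    spf_check: bool = True              # require SPF pass before honouring an allow list entry
    medium_action: str = "quarantine"   # configurable per-policy, as Brad describes
    high_action: str = "quarantine"
    medium_threshold: int = 50          # assumed values
    high_threshold: int = 75
    critical_threshold: int = 90
    rate_limit_per_window: int = 270    # messages from one IP before a system-level block


class InboundFilter:
    def __init__(self, policy: InboundPolicy):
        self.policy = policy
        self.ip_counts = defaultdict(int)   # stand-in for the rolling block list

    def classify(self, msg: Message) -> str:
        p = self.policy
        # 1. System-level rate block: evaluated before any allow list lookup.
        self.ip_counts[msg.sender_ip] += 1
        if self.ip_counts[msg.sender_ip] > p.rate_limit_per_window:
            return "deny:rate-block"
        # 2. Virus / attachment violations are outside the allow list's purview.
        if msg.has_virus:
            return "deny:virus"
        # 3. The allow list only overrides spam scoring, and only with SPF pass when enabled;
        #    a spoofed sender that fails SPF falls through to normal scoring.
        if msg.sender_domain in p.allow_list and (msg.spf_pass or not p.spf_check):
            return "deliver:allow-list"
        # 4. Spam thresholds: medium/high actions are policy choices, critical is always denied.
        if msg.spam_score >= p.critical_threshold:
            return "deny:critical-spam"
        if msg.spam_score >= p.high_threshold:
            return f"{p.high_action}:high-spam"
        if msg.spam_score >= p.medium_threshold:
            return f"{p.medium_action}:medium-spam"
        return "deliver:clean"
```

Running the same allow-listed domain through the model with SPF failing, with a virus, and in a 271-message burst shows the three cases where an allow list entry does not help.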
