6 Replies Latest reply: Apr 30, 2013 1:58 PM by pm_nate RSS

    No real whitelisting capabilities


      This is more of a rant than a question but one of our customers recently experienced an issue where a whitelisted sender's mail was being bounced due to IP reputaiton.


      The sender uses a hosted email service so it's rather out of their control if an IP gets flagged as a source of spam.


      Technical support said that there are filters in place that do not honor whitelists, which seems like a major design flaw in the service.


      The entire point of a whitelist is to always allow mail from a sender or domain through to avoid it being flagged as a false positive.


      Also all email should be quarantined for user review, it's a horrible practice that legitimate mail will get bounced back to the sender with the recipient not having a chance to review and allow it through if it's legitimate mail.




      Hopefully someone that works at McAfee reads these forms, we are seriously considering dumping this service due to this issue.

        • 1. Re: No real whitelisting capabilities
          Brad McGarr

          Greetings rimike,


          The Sender Allow List only covers messages scored for spam, or triggering on the content keyword filters. There are situations though outside of that where messages will be blocked regardless of an allow list entry. So yes, you are correct there is no 'absolute, send everything from this domain my way without checking it' whitelist. Viruses, rolling block list entries, or attachment violations are outside of the allow list purview. This is done to limit security loopholes created by allow list entries. Commonly a major source of delivered spam is allow list entries without SPF Record Checking being compromised by spoofing or a hacked server.


          Whether or not a message is quarantined is governed by the inbound policy. Within the policy, under Spam, you can choose how the filter will handle violations of two of the three spam thresholds, medium and high. If you would like you can set these both to quarantine. Criticial spam though will always be denied (that is not quarantined, and sent back to the sender) unless the sender or sender domain is allow listed.

          • 2. Re: No real whitelisting capabilities

            Thank you for your response.


            The main problem is "rolling block lists" which seemingly seem to often pick up large ISP's mail servers.


            That just doesn't fly in a business environment.

            Email is too critical of a communications tool to arbitrarily bounce legitimate email with no way for the recipient to designate "always allow this mail through" and no notification to the recipient that this occured.


            Frankly people would rather deal with potential spam from a whitelisted address than to have legitimate mail bounced back to a known, trusted sender.


            It's pretty clear there's no changing McAfee's mind on this but do note that it's a horrible practice and it will cause people not to want to use your services.

            We have no choice but to start to move clients to a competetor's service that does honor whitelists before all other fiters.


            on 4/26/13 5:26:50 PM CDT
            • 3. Re: No real whitelisting capabilities
              Brad McGarr



              I appreciate the concerns you have, and understand how valuable a tool email is. The 2-hour and 30-minute rolling block lists are defensive and responding to potentially malicous actions, e.g. a high rate of non-deliverable email that resembles a directory harvest attack which not only creates additional risk to you and our other customers, but creates unneccisary load on our MTAs.


              I would have to disagree with you though on the comment regarding "people would rather deal with potential spam from a whitelisted address than have legitimate email blocked." I handle several cases a week personally where a whitelist entry allowed spam and phishing attacks in. On the surface it would seem like a "allow everything" list would work well, but in practice it creates too many legitimate risks for organizations. Remember, the filter is designed with end users who are not technical in mind, many of whom mistakenly fall victim to phishing attacks or click on URLs and download virus payloads. End users often do not have the proper training to distinguish a risk masquarading as a trusted sender from legitimate email, and those are the situations we aim to protect networks from.


              I'm sorry to hear that the SaaS Filter does not perform the way you would like. I'm not personally aware of any services that have a 'allow all from this sender with no filtering', all filters are going to provide a layer of protection to allow listed addresses because of the issue with compromised servers and spoofing.

              • 4. Re: No real whitelisting capabilities

                @rimike - When using a shared IP network, that is one of the risks a business lives with and needs to work with their data provider on cleaning up their IP netblock. When dealing with global IP issues as McAfee does, and they are not the only providers that do this, the benefits significantly outweigh any potential downside.

                • 5. Re: No real whitelisting capabilities

                  The McAfee customer does have a static IP.


                  they have no control if one of their customers is using a personal email address to try to contact them.

                  A bounced email will lead to lost business and an overall appearance of unprofessionalism.


                  And we have no real answer or solution for our customer other than saying sorry, there's no way for you to really receive email sent to you and held in quarantine for your review if something's suspected to be spam.

                  They interpret that that the service has a problem or is overall just a bad service if they won't deliver mail from an email address that they have whitelisted.

                  We switched to McAfee from another SaaS provider (GFI) that does honor whitelists over all other filters.  Their in-house option does as well.


                  It's obvious that there's no changing minds on this issue but i wanted to provide feedback on our thoughts about the problem and that it just doesn't work in a business environment that relies on email communications from consumers/personal email addresses.


                  It may reduce the load on your MTAs but it's also blocking legitimate mail from being delivered with no recource or notification on the receiver's end. 


                  thank you.




                  Message was edited by: rimike on 4/29/13 2:19:26 PM CDT
                  • 6. Re: No real whitelisting capabilities

                    Just a few additional thoughts on this topic that might be helpful:


                    This feature is like the gas pedal on a modern car: When you stomp on the gas pedal on an icy day you are telling the car to go to full throttle, even though this is not a good idea. Cars with traction control will temper that "full throttle" command in order to save you from spinning out and wrecking your car. It is able to do this because the car is able to analyze and react to conditions faster and more efficiently than the driver.


                    This is exactly the value that system level blocking delivers. These system level blocks are not only beneficial to customers, they are absolutely essential. Without this capability, we wouldn't be providing adequate attack protection. When these attack events occur, we're not talking about a few thousand messages a day. We're talking about millions of messages an hour. When someone tries to send 270+ messages every single second to one of your customers, you deny it. If we pass that traffic we will DoS our own customer. Clearly, this is unacceptable. Therefore, the only possible response is to block the sender at the IP level for a short period because you are effectively dealing with a denial of service attack. When someone performs a DoS attack on your customer, the appropriate response is to eliminate that threat regardless of the customer's "happy path" posture to the sender. These special events rarely mean that legitimate mail is impacted, as these attacks usually come from rogue IPs, not to be confused with legitimate mail providers, many of whom have rate limiting safeties in place to prevent such floods from being initiated from their networks. Also, there is no way to quarantine this much mail. Imagine an end user getting a spam report with 16,000 messages in it. It would render the report useless. Every service provider has this capability and uses it on a regular basis. There is no way to operate without this capability. Whether or not they are as honest and up front with their policies as us is an entirely different issue.


                    Nate Fitzgerald

                    Senior Product Manager, McAfee




                    Notice: The information contained herein is for informational purposes only and should not be deemed an offer by McAfee or create an obligation on McAfee. McAfee reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations.


                    Message was edited by: pm_nate on 4/30/13 1:58:44 PM CDT