5 Replies Latest reply: Jun 22, 2014 8:44 PM by echelon

    McAfee Email Gateway 7.0.4 sudden increase in spam.


      I am running McAfee Email Gateway 7.0.4 as a virtual machine. E-mail that is scored with a spam score of 10 or higher is quarantined. E-mail that is scored as 5 or higher (but less than 10) has [SPAM] prepended to the subject line and is released. For the last 2 years this has caught most of the spam. Most spam (at least to me) was quarantined. Some spam would be tagged with [SPAM] but released. On occasion, some spam would get through without even being tagged.


      About 1 week ago I started getting a lot more spam in my inbox. About 1/2 is tagged as [SPAM] but the other 1/2 is not even tagged. I still get some spam being quarantined, although it seems less than in the past. It seems the overall amount of spam I get has not actually increased but that the gateway is catching less, or scoring it lower.



      As the admin, I also get e-mail notifications if the spam update failed for a while (it would eventually succeed.)


      "Anti-spam update failing repeatedly. DATs/rules update failed. "

      Anti-spam rules update succeeded after a series of failures. Successfully updated DATs/rules. 


      This would happen once in a while in the past, but now happens several times a day.   


      I believe the current behavior of our gateway is to allow e-mail through if spam processing is not working. But I would expect spam functionality to still work even if the spam filter has not updated.



      I suspect the spam is getting through while the gateway is having update issues. Not sure if this indicates a problem with our internet connection, or a problem with the McAfee download site, or improved spamming techniques.


      Anyone else notice a sudden increase in spam getting through?



        • 1. Re: McAfee Email Gateway 7.0.4 sudden increase in spam.

          We have seen exactly the same thing you have seen. We are running 7.5.1 and the amount of SPAM getting through is unacceptable. We have opened a support call and have been forwarding lots of samples to the case. Not sure if the increase of messages about Spam updates failed/successful is related at all at this point.



          • 2. Re: McAfee Email Gateway 7.0.4 sudden increase in spam.

            We have also seen a large rise in the amount of spam getting through the filter. We are migrating to 7.5, as we were told that it does a much better job of catching the newer types of spam. I would say that most of the issue lies with improved spamming techniques, vs any software issues (updates, etc.)

            The messages you are tagging as spam; what percent of that is actually legit? Do you have the user quarantine server enabled?


            • 3. Re: McAfee Email Gateway 7.0.4 sudden increase in spam.

              Are you using a proxy to get the updates in MEG?


              We too have had episodes in the past with 7.5P1 and 7.5P2 where the appliances would not get their spam updates properly, you could see lots of the following errors in the logs:


              spam_updater:state=_FAILED_(_LOADING_)  ver=4844 error=80052112 (ECURLE_PARTIAL_FILE)

              spam_updater:state=_FAILED_(_WAITING_)  ver=4845 error=8005211c (ECURLE_OPERATION_TIMEOUTED)


              We had the MEGs using our McAfee WebGateway as a proxy for their updates. We solved the issue by systematically whitelisting the spam update sites for the MEGs so that nothing would get scanned by the WG in the response and this got rid of the vast majority of those errors. We still see some, but not more than 1-2 a day (whereas before we could see 30-40 a day, often 5-10 in sequence).
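
To track the failure rates discussed in reply 3, the following added example (not part of any post in this thread and not McAfee code) tallies `spam_updater` failure lines per day and measures the longest run of back-to-back failures. The ISO timestamp prefix, the 12-minute gap (the roughly 10-minute retry noted later in the thread, plus slack), the `max_per_day` threshold and the sample lines are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Message layout copied from the two log lines quoted above; the leading ISO timestamp is assumed.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+)\s+spam_updater:state=_FAILED_\(_(?P<phase>[A-Z]+)_\)\s+"
    r"ver=(?P<ver>\d+)\s+error=(?P<code>[0-9a-f]+)\s+\((?P<name>\w+)\)")

def parse_failures(lines):
    """Return sorted (timestamp, phase, rules_version, error_name) per failure line."""
    hits = (FAIL_RE.match(l.strip()) for l in lines)
    return sorted((datetime.fromisoformat(m["ts"]), m["phase"], int(m["ver"]), m["name"])
                  for m in hits if m)

def longest_burst(failures, gap=timedelta(minutes=12)):
    """Longest run of failures each no more than `gap` after the previous one."""
    best = run = 0
    prev = None
    for ts, *_ in failures:
        run = run + 1 if prev is not None and ts - prev <= gap else 1
        best, prev = max(best, run), ts
    return best

def daily_report(lines, max_per_day=5):
    """Per-day failure count, error breakdown, longest burst and alert flag."""
    by_day = {}
    for f in parse_failures(lines):
        by_day.setdefault(f[0].date().isoformat(), []).append(f)
    return {day: {"failures": len(fs),
                  "errors": dict(Counter(f[3] for f in fs)),
                  "longest_burst": longest_burst(fs),
                  "alert": len(fs) > max_per_day}
            for day, fs in by_day.items()}

# Constructed sample: timestamps are invented, message fields follow the thread's format.
FMT = "{} spam_updater:state=_FAILED_(_{}_)  ver={} error={} ({})"
PARTIAL = ("LOADING", 4844, "80052112", "ECURLE_PARTIAL_FILE")
TIMEOUT = ("WAITING", 4845, "8005211c", "ECURLE_OPERATION_TIMEOUTED")
SAMPLE = (
    [FMT.format(f"2014-06-21T08:{m:02d}:00", *PARTIAL) for m in (0, 10, 20)]
    + [FMT.format(f"2014-06-21T14:{m:02d}:00", *TIMEOUT) for m in (0, 10, 20, 30)]
    + ["2014-06-21T15:00:00 other_daemon: unrelated line",  # ignored by the parser
       FMT.format("2014-06-22T09:00:00", *PARTIAL)]
)

if __name__ == "__main__":
    for day, row in daily_report(SAMPLE).items():
        print(day, row)
```

A day that trips the alert with long bursts points at the update path (proxy scanning, connectivity) rather than at the filter rules themselves.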

              • 4. Re: McAfee Email Gateway 7.0.4 sudden increase in spam.

                We just received the following notification that seems to indicate the reason for the increase in SPAM the last couple of weeks.


                From: McAfee SNS [mailto:sns@snssecure.mcafee.com]
                Sent: Wednesday, March 26, 2014 3:36 PM
                Subject: McAfee SNS Notice: Messaging Reputation Server *UPDATE*


                Restoration of the Messaging Reputation server and database used for spam filtering will be completed on schedule next week.

                McAfee expects a return to normal operating parameters. Tuning enhancements will continue and customers should expect to see incremental improvements over the following 7 days. Additionally, McAfee will increase spam protection and system reliability over the next three months, resulting in additional improvements.


                Previously Announced via SNS (10 March 2014)

                The McAfee GTI Messaging Reputation database server experienced a hardware failure and impact to the database. Because McAfee was unable to provide updated messaging reputation data to these products, existing reputation data grew stale over time, resulting in more spam getting through to mailboxes.

                Products utilizing anti-spam technology were impacted:

                • IronMail (McAfee E-Mail Gateway [MEG] 6.x)
                • E-mail Gateway (MEG 7.x)
                • Firewall Enterprise (All versions)
                • E-mail and Web Security Gateway (All versions)
                • SaaS E-Mail Protection
                • Security for Microsoft Exchange (formerly GroupShield)
                • TrustedSource.com Website
                • Security Center

                • 5. Re: McAfee Email Gateway 7.0.4 sudden increase in spam.

                  This problem is back. Over the last week and especially this weekend I have been getting a lot more spam. Also getting a lot of alerts about spam definitions updating after repeated failures. It looks like it tries to update every 10 minutes but I would think that, even if the updates only happened every few hours, a lot of the obvious spam should have been blocked.