FAQs for Email Gateway
Technical Articles ID:   KB76144
Last Modified:  11/5/2018

Environment

McAfee Email Gateway (MEG) 7.6.x

On October 22, 2015, McAfee announced the five-year End of Life (EOL) for McAfee Email Gateway (MEG) software and appliances. For details, see KB85857.

Summary

Recent updates to this article
November 5, 2018 Removed reference to an unpublished article in the Related Information section.
May 30, 2018 Collapsible formatting implemented.

This article is a consolidated list of common questions and answers. It is intended for users who are new to the product, but can be of use to all users.

What does the 'Unknown macro viruses' option in the anti-virus scanning options do?
This option enables heuristic scanning, so the scanner can detect macro viruses for which no signature exists yet.

What does the option 'Make deobfuscated content available to other scanners' in the anti-virus scanner do?
Obfuscated content is a string of characters in which the original characters have been mapped under an encoding scheme, such as percent-encoding. Obfuscation can hide content from scanners by transforming the original, often malicious, content into a seemingly harmless and meaningless string of letters.
With this option enabled, the decoded (deobfuscated) form that the anti-virus scanner produces while looking for hidden viruses and malware is also passed to the other content scanners, so they inspect the real content rather than the encoded string. This provides extra protection against unwanted content.
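As an added illustration (not code from the article or the product), the Python below shows why a scanner needs the decoded form: a signature written against the clear-text payload misses every encoded variant until the text is decoded to a fixed point. The sample strings and the signature are constructed for the example; the decoder is bounded so that a crafted input cannot keep it looping.

```python
import html
import re
from urllib.parse import unquote

# Constructed samples: one payload in clear text and in several encoded
# forms (percent-encoding, double percent-encoding, HTML entities, and a
# mix). These are illustrative, not real detections from the product.
SAMPLES = {
    "clear": "<script>evil()</script>",
    "percent": "%3Cscript%3Eevil()%3C/script%3E",
    "double_percent": "%253Cscript%253Eevil()%253C/script%253E",
    "entities": "&lt;script&gt;evil()&lt;/script&gt;",
    "mixed": "&#37;3Cscript%3Eevil()%3C/script%3E",
}

# A deliberately simple content signature (assumption for the example).
SIGNATURE = re.compile(r"<script>", re.IGNORECASE)


def deobfuscate(text, max_rounds=8):
    """Undo percent-encoding and HTML entities until the text stops changing.

    Decoding is repeated because attackers nest encodings; it is bounded so
    a pathological input cannot keep the scanner busy indefinitely.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            return text
        text = decoded
    return text


def scan(text):
    """Return (hit_on_raw_text, hit_on_deobfuscated_text)."""
    raw_hit = SIGNATURE.search(text) is not None
    decoded_hit = SIGNATURE.search(deobfuscate(text)) is not None
    return raw_hit, decoded_hit


def scan_all(samples=SAMPLES):
    """Scan every sample; only the clear-text one matches without decoding."""
    return {name: scan(value) for name, value in samples.items()}
```

Only the "clear" sample is caught on the raw text; the other four are caught only after decoding, which is the gap the option closes for the downstream scanners. The round limit matters in a gateway: without it, a message could be built to cost the scanner an arbitrary number of decode passes.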

When does the appliance remember portlet layout in the dashboard?
The appliance periodically saves portlet layout in the dashboard for the browser session. Also, it asynchronously saves the layout information if you change the layout.

What is the default maximum number of items for on-box quarantine?
There is no default value for MEG 7.6.x. Your initial value depends on your installed version of MEG and your appliance hardware model.

Where is the maximum number of on-box items set?
The maximum number of items in on-box quarantine is set in the Quarantine emails setting under System, System Administration, Database Maintenance, Retention Limits in the management console. When the number of items exceeds this threshold, the database Maintenance Schedule removes the oldest items first. The schedule is set under System, System Administration, Database Maintenance, Maintenance.

Can I repurpose my MEG appliance (for example, remove MEG and install Microsoft Windows Server) and still receive hardware support for the length of the hardware support contract? Does McAfee provide hardware support for a repurposed MEG appliance if its hardware support is valid?
No. McAfee does not provide hardware support for a repurposed MEG appliance.

Is the MEG Secure Web Mail delivery feature compliant with European legislation regarding the use of cookies?
NOTE: The European legislation is outlined in: https://ico.org.uk/for-organisations/guide-to-pecr/.

According to Opinion 04/2012 on Cookie Consent Exemption by the European Commission's Data Protection Working Party (http://ec.europa.eu/justice/data-protection/index_en.htm):

When a user logs on, they explicitly request access to the content or functionality to which they are authorized. Without the use of an authentication token stored in a cookie, the user would have to provide a username/password on each page request. So this authentication functionality is an essential part of the information society service they are explicitly requesting. As such these cookies are exempted under CRITERION B.

CRITERION B
The cookie is strictly needed for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

MEG cookie usage is classified according to Criterion B, where the user access to the service requires the use of cookies. So, access entails explicit consent for the use of such cookies.

For more information, see http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf.

What type of certificates are used for encryption on Secure Web Mail?
Under Email, Encryption, Secure Web Mail, Certificates you see two areas where CSRs can be generated. These areas use different certificate types:

  • For Web Client HTTPS Certificate, the certificate type is Apache server (HTTPS). This certificate validates the webpage that clients access when retrieving Secure Web Mail messages.
    This certificate is the same type that can be used in the TLS certificates section or the Email Gateway HTTPS Certificate.
  • For Notification Signing Certificate, the certificate type is an email signing certificate (S/MIME). This certificate signs the email notification that is sent to clients letting them know they have Secure Web Mail activity (for example, new message, password expiry reminder, and so on). You cannot reuse the web server certificate here; you need to request an email signing certificate (S/MIME) from your preferred certificate authority. An S/MIME signing certificate is issued with the emailProtection extended key usage and the signer's email address in its subject alternative name, which a web server (serverAuth) certificate does not carry.

Do I require a license to install or update the MEG 7.6.x appliance?
You do not need a license to install or operate the MEG 7.6.x appliance. But, according to normal McAfee practice, you have to purchase the product and use your Grant Number to download the software.

Where can I download the MEG 7.6.x product guides?

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

What is the recommended size of the data storage for the MEG virtual appliance?
McAfee recommends 120 GB. Although the minimum configurable size is 40 GB, this space can fill up with logs, user data, or both. You might then see the logging and reporting features becoming unstable or failing to work properly. Contact Technical Support if your disk partition is filling and you experience instability with your virtual appliance installation.

IMPORTANT: After the appliance is installed, the disk size cannot be changed. You must define the size of the data storage disk during installation.

Does the MEG virtual appliance support Microsoft Hyper-V?
MEG supports Hyper-V starting from MEG 7.6.4.1.

Can I uninstall patches from MEG 7.6.x, or does MEG 7.6.x have a patch rollback feature?
No. To roll back your MEG 7.6.x appliance to the previous patch level, you need to reimage the appliance using the ISO image.

NOTE: A configuration backup taken from the new (updated) MEG patch or version cannot be applied to a MEG appliance reimaged to the old version, because the XML parser in the old patch or version does not understand the new XML elements or attributes introduced in the newer one. So, Technical Support strongly recommends that you back up and save your MEG configuration before installing a patch or performing an upgrade. You can then restore that backup if you need to roll back.

How can I create a bootable USB to install MEG 7.6.x on the M7 Content Server Blade?
Write the ISO image for MEG 7 to a USB disk using compatible software, for example, win32diskimager.

NOTE: For win32diskimager, you must rename the ISO file as .img for the software to locate the file. In the appliance BIOS settings, ensure that you specify USB as the first boot option, plug in the USB drive, and exit the BIOS settings to run the installation.

Can I update the MEG 7.6.x appliance anti-spam engine/signature from ePO?
No. You cannot manage this action from ePO.

Can I disable the DAT update from the FTP site and enable it only from HTTP?
You can do this under ePO management. Modify the repository list on the agent policy for the MEG appliance and remove the FTP site if it is listed in the repository list.

How can I configure the DAT/Engine update schedule from the Appliance Dashboard when ePO management is enabled?
Open the appliance Dashboard, and select System, Component Management, Update Status, Anti-Virus Engine, Scheduled, Configure Anti-Virus Update. Configure the time to schedule the update.

NOTE: If ePO management is enabled, do not schedule other updates to run at the same time.

Can I revert the appliance configuration to the factory default?
Yes. In the manager, click System, System Administration, System Commands, Revert to default configuration.

IMPORTANT: This action erases the entire current appliance configuration, including IP addresses.

Can I push the McAfee Agent from ePO to the appliance?
No. Currently, this action is not possible.

Can I manage on-box quarantine from the ePO console when the MEG 7.6.x appliance is managed by ePO?
No.

Can I manage the appliance using ePO with the management traffic routed through the Out of Band (OOB) interface?
By default, agent-to-server communication does not use the OOB interface to connect to the ePO server. Agent-to-server communication is initiated from the appliance and uses the configured default gateway to reach the ePO server. But, you can configure a static route on the appliance to route this traffic through the OOB interface.

Can I use the Out of Band (OOB) management interface to accept SMTP/POP3 traffic for scanning?
No. The OOB management interface is for the sole use of management traffic, not for scanning traffic.

How can I manually update the MEG 7.6.x DATs or Anti-Virus Engine?
Download the DATs or Engine manually. For information about accessing the FTP site that hosts these files, see KB55986.

NOTES:

  • The Engine is located in /current/LV2SNENG1000/Engine/0000/avengine64.zip
  • DATs are located in /current/VSCANDAT1000/DAT/0000/avvdat-*.zip

Update the DATs or Engine under Dashboard, System, Component Management, Update Status, Import.

What FTP mode does MEG 7.6.x use for downloading updates?
MEG 7.6.x normally uses the McAfee Agent for downloading updates, which uses Passive FTP.
But, if the McAfee Agent fails or is disabled, MEG 7.6.x uses the legacy updater, which tries both passive and active FTP (if one fails) to download updates.

NOTE: The manual switching of modes is not supported.

If the appliance does not have Internet access, or I cannot open the outbound ports needed to query the update servers, is it possible to manually configure the MEG 7.6.x update sources?
Yes. Import the following links into the appliance by selecting System, Component Management, Update Status, Import.

  • Engine: ftp://anonymous@ftp.nai.com/CommonUpdater2/current/LV2SNENG1000/Engine/0000/avengine64.zip
  • DAT: ftp://anonymous@ftp.nai.com/CommonUpdater2/current/VSCANDAT1000/DAT/0000/avvdat-*.zip

Can I reimage my Email Gateway 5500 appliance to run Web Gateway or vice versa?
Appliances cannot be reimaged for any use other than what they were originally purchased for.
While the hardware is the same for the MWG and MEG Intel-based 5500 appliances, the BIOS and licensing are different and this operation is not supported.

How can I configure MEG 7.6.x to integrate with Splunk or ARCSight?
Open the Appliance Dashboard, and select System, Logging, Alerting and SNMP, System Log Settings. Select a logging format of Splunk or ARCSight.

NOTE: You must configure the target according to the package requirements to receive these alerts.
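Whichever format you select, the receiving side still has to parse what MEG sends. As an added example (not code from the article, and not MEG's documented event schema), the Python below parses ArcSight's CEF record layout (CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension) and runs a simple detection over it. The sample lines, the vendor/product strings and the extension keys (src, suser, msg, cnt) are constructed assumptions for the example; the Splunk format the console offers is a different layout and is not covered here.

```python
import re
from collections import Counter

# Constructed syslog lines in ArcSight CEF layout. Vendor/product strings
# and extension keys are assumptions for this example, not the field names
# MEG documents; use them only to exercise the parser.
SAMPLE_SYSLOG = [
    "CEF:0|McAfee|Email Gateway|7.6|100|Virus detected|8|"
    "src=203.0.113.10 suser=alice@example.org msg=Eicar test file",
    "CEF:0|McAfee|Email Gateway|7.6|200|Spam detected|4|"
    "src=203.0.113.10 suser=bob@example.org msg=score\\=12",
    "CEF:0|McAfee|Email Gateway|7.6|100|Virus \\| detected|8|"
    "src=198.51.100.7 suser=carol@example.org msg=Archive bomb",
    "CEF:0|McAfee|Email Gateway|7.6|300|Queue length warning|3|cnt=4500",
]

# Header fields are separated by '|'; a literal pipe inside a field is '\|'.
_HEADER_PIPE = re.compile(r"(?<!\\)\|")
# Extension keys: 'key=' at the start or after whitespace; '\=' is not a key.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def _unescape(value):
    return value.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(line):
    """Parse one CEF record into a dict; raise ValueError on malformed input."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _HEADER_PIPE.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    version, vendor, product, dev_version, sig_id, name, severity = (
        _unescape(p) for p in parts[:7]
    )
    extension = {}
    ext = parts[7]
    keys = list(_EXT_KEY.finditer(ext))
    for i, match in enumerate(keys):
        start = match.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[match.group(1)] = _unescape(ext[start:end]).strip()
    return {
        "version": version[len("CEF:"):],
        "vendor": vendor,
        "product": product,
        "device_version": dev_version,
        "signature_id": sig_id,
        "name": name,
        "severity": int(severity),
        "extension": extension,
    }


def high_severity_sources(events, min_severity=7):
    """Count source IPs that produced events at or above min_severity."""
    counts = Counter()
    for event in events:
        src = event["extension"].get("src")
        if src and event["severity"] >= min_severity:
            counts[src] += 1
    return counts
```

Two details are worth checking against whatever MEG actually emits: the header split relies on escaped pipes, and the extension parser relies on values escaping "=" as "\=" (an unescaped "word=" inside a free-text value would be read as a new key). A header field that ends in an escaped backslash immediately before a pipe would also defeat the simple lookbehind; a production collector should use a proper tokenizer.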

Can I categorize SNMP traps based on OID under .1.3.6.1.4.1.1230.2.4.2 for severity?
No. Categorization in this scenario is not possible.

Can I use the Configuration Report of a factory default appliance to compile a list of all configurable items for MEG 7.6.x?
Yes. The Configuration Report provides a list of most configurable items in MEG 7.6.x.

Is the MEG 7 appliance 220 welcome banner customizable?
Yes. For more information, see KB76213.

How do I edit the dashboard portlet thresholds in MEG 7.6.x?
You can change the alert and warning threshold values for areas of the dashboard that have numeric counters and a circular icon to the left of the title:

  1. Double-click the title bar to expand the portlet to the full width of the page.
  2. Click the circle icon located to the left of the parameter name. The alert and warning threshold fields then appear on the right side of the same line; edit them as needed.
  3. When you have finished editing, click Save. Now, when the item exceeds the threshold you set, an event is triggered in System Events. You must also set up System Log events or Email Alerting to receive the event information.

    NOTE: For more information about editing and viewing current thresholds for areas in the dashboard such as queued messages, quarantined messages, and messages sent to the Quarantine Manager, see the MEG 7.6.x Administration Guide.

    For a full list of product documents, go to the ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Knowledge Base list.


If I set the event log level to 'All Events' and disable all the 'Low' and 'Medium' severity events, the effective log level should be equivalent to High severity events. Why isn't this reflected in the level indicator?
The pull-down menu for log level provides a method for choosing the level, and the advanced settings determine what particular event information to log. This behavior is expected.

The management console displays a list of spam rules, but their meanings are not stated anywhere. What do the spam rules mean and what do they look for?
McAfee does not disclose the meaning of individual spam rules because publicizing them would provide spammers with a way to circumvent the rules themselves.

What happens to the queued emails on the appliance if I manually install an AV DAT from Component Management...Update From File?
The mail queue is processed normally and is not rescanned using the new AV DAT.

Can ePO manage MEG 7.6.x certificates?
Yes. You can use ePO to manage CA certificates, S/MIME Encryption certificates, and PGP encryption keys. But, you cannot manage TLS certificates and keys.

Can I delete files that are detected by the AV scanner but retained when detected by GTI File Reputation?
No. Currently, this action is not possible.

Can I use GTI File Reputation when the 'Find unknown viruses' option is deselected?
No. Currently this action is not possible.

If I select 'Allow through' for the primary action, and 'Quarantine original' for 'And also,' will the item be allowed through and quarantined?
Yes.

Is the "plain contents" option under encrypted content intended for unencrypted and unsigned plain-text messages?
Yes. This option is for plain-text messages that are not signed or encrypted.

Does MEG 7.6.x support lookups for SPF or SenderID on IPv6 addresses?
No. MEG 7.6.x does not support IPv6 addresses for SPF and SenderID.

The appliance management console occasionally lists Event 210070. What do these events mean?
Event 210070 High Severity - This event indicates that the appliance hardware monitoring has detected a change as listed under System, Logging, Alerting and SNMP, Logging, Configuration, Non-proxy settings, System events.

The Appliance Dashboard displays hardware status monitor icons and the appliance periodically runs a hardware status check (temperature, voltage, power supply unit, cooling subsystem, and so on). When the status checker detects changes on these components since the previous check, the appliance raises the event 210070.

What are the limitations of Compliance Dictionaries in the MEG Management Console?
There is no limitation for the number of Terms that can be added in each Dictionary, but the Console restricts the number of characters per Term to 2048 bytes.

What is the MEG Advanced Threat Defense (ATD) cache?
MEG keeps a cache of ATD scan results so that the same file is not submitted to ATD repeatedly, which reduces duplicate scans and the load on ATD.

What are the specifications of this cache?

  • ATD cache entries on MEG are stored on an in-memory database.
  • There is no maximum number of cache items.
  • The lifetime of each cache entry is 604,800 seconds (7 days).

How can I clear the Email Gateway ATD cache?
You can clear the cache from the MEG management console. Select Troubleshoot, Tools, ATD and clear the cache.

Can MEG be integrated with a cluster setup of ATD?
No. MEG does not support ATD configured in a cluster setup. Use an ATD appliance configured as a stand-alone installation.

Can a MEG cluster be integrated with a standalone setup of ATD?
Yes. This configuration is supported and tested.

NOTE: One standalone ATD might not take the volume of requests received from a cluster of MEG appliances, so you need multiple ATD devices configured in a standalone setup.

When MEG receives an archive file in an attachment, does it extract the archive and submit the individual files to ATD, or does it send the top-level archive file?
MEG submits the top-level archive file to ATD.

What is URL Reputation?
URL Reputation is the feature that classifies URLs embedded in email messages. Classifying embedded URLs in messages sent to your organization helps prevent users from visiting websites that might host malware or other undesirable content.

How does URL Reputation work and what ports does it use?
URL Reputation first looks up the embedded URL in a locally stored database. When the local lookup fails, MEG 7.6.x sends a query to the online URL reputation database at the following host and port: Host: tunnel.web.trustedsource.org, Port: 443.

How does this compare to other McAfee products?
MEG URL Reputation does not have the SafeSearchEnforcer feature, which is available on URL filtering in Web Gateway 7.6.x.

Can I create a repository for the DATs and Engine for Commtouch Command second AV engine on ePO and let the MEG 7.6.x appliance pull them from the ePO server?
Yes. MEG 7.6.3.1 and later supports updating Commtouch from ePO. See KB83412.

What communications work if the Agent Handler is in place between the ePO server and MEG 7.6.x appliance?
  • Assuming that the Agent Handler can see both the ePO server and MEG appliance, policy push, DLP database push, counter event file retrieval, and DAT upgrade/downgrade have been tested on MEG 7.6.x and work.
  • LDAP configuration from ePO and Message Search will not work, because they require a direct communication path between ePO and appliance.

When I configure two or more ATD servers in MEG, how does MEG use the servers? Does it send traffic to each ATD appliance in turn (round robin), or does it send all traffic to the first and then if that appliance stops responding send traffic to the next configured appliance (failover mode)?
When you configure MEG with multiple ATD servers, traffic is sent to each server in turn (round robin).
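The three ATD behaviours described in this section (a 7-day result cache with no size limit, whole-archive submission, and round-robin distribution across configured ATD servers) fit in one small model. The Python below is an added example, not code from the article or the product; the submit callable stands in for the real ATD API, the clock is injectable so expiry can be exercised without waiting a week, and the server names and verdicts are constructed.

```python
import hashlib
import itertools
import time

# Entry lifetime stated in the FAQ: 604,800 seconds (7 days).
CACHE_TTL_SECONDS = 604_800


class AtdClient:
    """Scan-result cache plus round-robin submission to several ATD servers.

    `submit` is an assumed callable (server, attachment_bytes) -> verdict
    standing in for the real ATD API; `clock` returns the current time.
    """

    def __init__(self, servers, submit, clock=time.time):
        if not servers:
            raise ValueError("at least one ATD server is required")
        self._servers = list(servers)
        self._next = itertools.cycle(range(len(self._servers)))
        self._submit = submit
        self._clock = clock
        self._cache = {}  # sha256 hex digest -> (verdict, expires_at)

    def scan(self, attachment_bytes):
        """Return (verdict, source) where source is 'cache' or the server used."""
        digest = hashlib.sha256(attachment_bytes).hexdigest()
        now = self._clock()
        cached = self._cache.get(digest)
        if cached is not None and cached[1] > now:
            return cached[0], "cache"
        # Cache miss or expired entry: pick the next server in rotation.
        server = self._servers[next(self._next)]
        # The attachment is submitted as received; an archive goes whole,
        # not split into its members, matching the FAQ's description.
        verdict = self._submit(server, attachment_bytes)
        self._cache[digest] = (verdict, now + CACHE_TTL_SECONDS)
        return verdict, server

    def clear_cache(self):
        """Equivalent of the console's ATD cache clear."""
        self._cache.clear()

    def cache_size(self):
        return len(self._cache)


def demo():
    """Constructed walk-through: two servers, a fake clock, a fake verdict."""
    submissions = []

    def fake_submit(server, data):
        submissions.append(server)
        return "malicious" if b"EVIL" in data else "clean"

    clock = [1_000_000.0]
    client = AtdClient(["atd-a", "atd-b"], fake_submit, clock=lambda: clock[0])
    results = [
        client.scan(b"EVIL payload"),   # miss -> atd-a
        client.scan(b"harmless"),       # miss -> atd-b (round robin)
        client.scan(b"EVIL payload"),   # hit  -> cache
    ]
    clock[0] += CACHE_TTL_SECONDS + 1   # entry expired
    results.append(client.scan(b"EVIL payload"))  # miss -> atd-a again
    return results, submissions
```

Two operational consequences follow from the model. A cached "clean" verdict is served for up to seven days, so a sample that ATD later reclassifies is still passed on the strength of the old result until the entry expires or an administrator clears the cache. And because the cache is unbounded and in memory, its size is driven by how many distinct attachments arrive in a week; the 7-day TTL is the only thing that keeps it from growing without limit.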

Does MEG 7.6.x scan SMTP traffic?
Yes.

How many domains or mail relays can MEG 7.6.x support?
Although MEG 7.6.x does not have a technical limit on domains or mail relays, as more relays, domains, or both, are added, appliance performance might be affected.

What is the best method to generate a report for a single email?
If Conversation logging is enabled, use Message Search. Otherwise, select Reports, Email Reports and set a filter using recipient/sender or, for example, an audit ID. An audit ID lets you view an entire conversation.

Can I list the appliance MAC addresses in the Appliance Dashboard?
No. The MEG 7.6.x dashboard does not show the MAC addresses of the appliance LAN interface.

Can more than one virtual host exist on the same NIC?
Yes.

Can I manually edit the MEG 7.6.x /etc/hosts file?
If you add an entry in the /etc/hosts file, it might not resolve the host name correctly for MEG 7.6.x. Also, this file is overwritten when certain changes are applied. So, editing this file manually is not currently supported.

Why is a PDF document that is not password protected for reading, but is protected for editing, blocked when the action for protected files is set to block?
A PDF file was detected as Corrupt Content by MEG. But, I can open the PDF and read it with Adobe Reader. Why?

Check the security property of the PDF file using Adobe Reader (as a best security practice, ensure that you scan it using your anti-virus tool before opening it). Access File, Properties, Security. If the Page Extraction option is not allowed, the MEG content scanning component cannot access the content of the PDF file for scanning. MEG handles such files according to Protected files settings because the content is protected and MEG is unable to scan it; so, it is considered password protected.

Why do non-Adobe PDF files trigger a corrupt appliance content detection?
Some non-Adobe PDF generators append extra padding, characters, or line feeds after the PDF End of File (%%EOF) notification. Additional content after the %%EOF notification causes a corrupt content detection.
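A quick way to see which case a flagged file falls into is to look at what follows the final %%EOF marker. The Python below is an added example (not the product's detection logic) that reports whether a file ends cleanly, carries only extra end-of-line characters, or carries other trailing bytes; the FAQ states that MEG treats any of the latter two as corrupt content, so the distinction is for diagnosis, not a statement of MEG's rule. The sample byte strings are constructed stubs, not valid renderable PDFs, and the function takes the last %%EOF so that incrementally updated PDFs (which legitimately contain several) are handled.

```python
EOF_MARKER = b"%%EOF"


def trailing_after_eof(data):
    """Return (eof_found, trailing_bytes) for the last %%EOF marker."""
    idx = data.rfind(EOF_MARKER)
    if idx == -1:
        return False, b""
    return True, data[idx + len(EOF_MARKER):]


def classify_pdf(data):
    """Classify a PDF by what follows its final %%EOF marker.

    'clean'               : nothing, or a single end-of-line, after %%EOF
    'trailing-whitespace' : only CR/LF/space/tab after %%EOF
    'trailing-data'       : other bytes after %%EOF (padding, text, NULs)
    'no-eof'              : no %%EOF marker at all
    'not-a-pdf'           : missing %PDF- header
    """
    if not data.startswith(b"%PDF-"):
        return "not-a-pdf"
    found, trailing = trailing_after_eof(data)
    if not found:
        return "no-eof"
    if trailing in (b"", b"\n", b"\r", b"\r\n"):
        return "clean"
    if trailing.strip(b"\r\n\t ") == b"":
        return "trailing-whitespace"
    return "trailing-data"


# Constructed minimal PDF-like byte strings; enough for the check, not
# valid renderable PDFs.
_BODY = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog>>endobj\n"
    b"trailer<</Root 1 0 R>>\nstartxref\n9\n"
)

SAMPLES = {
    "clean": _BODY + b"%%EOF\n",
    "extra_linefeeds": _BODY + b"%%EOF\n\n\n",
    "padded": _BODY + b"%%EOF\n\x00\x00\x00PADDING",
    "missing_eof": _BODY,
}


def classify_all(samples=SAMPLES):
    return {name: classify_pdf(blob) for name, blob in samples.items()}
```

Run classify_pdf over a file the gateway rejected; if it returns trailing-whitespace or trailing-data, the generator that produced the file is the place to fix the problem, not the gateway policy.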

An End user has requested the release of some quarantined email items through the quarantine notification digest, but MEG retains it with Release Request Pending status. Why?
MEG on-box quarantine has several queues, such as spam and compliance. Only spam can be released directly to the user. After the user raises a release request for a non-spam/non-viral message, MEG marks it as Release request: Pending. The Administrator has the authority to process the release request from the Message Search by selecting the corresponding quarantined emails and triggering the Release Selected option.

What ports does MEG use for communicating various services?
What ports must we open on firewall for MEG to function properly?

KB72970 lists the ports that are required to be opened on your firewall for the appliance to function properly.

Why do the dashboard and reports show that MEG counts many outbound emails but only few for inbound (or the reverse)?
MEG counts emails according to the policies they match. An email is counted as outbound or inbound based on the Email direction configured in the policy that the email matches.

Example:
Policy A has the Email direction set to outbound.
Policy B has the Email direction set to inbound.

If Policy A applies to many emails, but Policy B applies to very few emails, the dashboard and reports report larger numbers of outbound emails because they match Policy A, but few inbound emails because they match Policy B.

How does the Email Gateway anti-spam pre-scan rule work?
When anti-spam filtering is executed, the anti-spam pre-scan rule is validated before the other rules are checked. The pre-scan rule is defined as BAD_URI_ACCEL_* and checks suspicious or spam-related URL strings in the emails. If the pre-scan rule triggers for a specific mail item, the mail is scored at 10 and no other rules are checked. This action reduces the time required to scan messages.

Because the pre-scan functionality scores all mails triggered by this rule at 10, Technical Support recommends that you do not set the threshold for performing an anti-spam action to a score greater than 10; otherwise, a message caught only by the pre-scan rule never reaches the threshold and is delivered. The default is Accept and Drop.
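The interaction between the pre-scan short-circuit and the action threshold is easy to get wrong, so here it is as an added example in Python (not McAfee's engine or rules). The pre-scan rule name follows the BAD_URI_ACCEL_* family the FAQ mentions, but its pattern, the ordinary rules, their weights and the sample messages are all constructed assumptions for the example.

```python
import re

PRESCAN_SCORE = 10  # score assigned when the pre-scan rule fires (from the FAQ)

# Constructed rule tables. The pre-scan name follows the BAD_URI_ACCEL_*
# family the FAQ mentions; the patterns and weights are assumptions for the
# example and are not McAfee's actual rules.
PRESCAN_RULES = {
    "BAD_URI_ACCEL_1": re.compile(r"https?://\S*\.pharma-deals\.test", re.I),
}
RULES = {
    "FREE_WORD": (re.compile(r"\bfree\b", re.I), 2.5),
    "MONEY_WORD": (re.compile(r"\bmoney\b", re.I), 3.0),
    "URGENT_WORD": (re.compile(r"\burgent\b", re.I), 1.5),
}


def score_message(subject, body):
    """Return (score, rules_hit).

    A pre-scan hit returns PRESCAN_SCORE immediately and no other rule is
    evaluated, which is the time saving the FAQ describes.
    """
    text = subject + "\n" + body
    for name, pattern in PRESCAN_RULES.items():
        if pattern.search(text):
            return float(PRESCAN_SCORE), [name]
    total, hits = 0.0, []
    for name, (pattern, weight) in RULES.items():
        if pattern.search(text):
            total += weight
            hits.append(name)
    return total, hits


def decide(score, threshold):
    """Apply the anti-spam action when the score reaches the threshold."""
    return "spam" if score >= threshold else "deliver"


def prescan_outcome_for(threshold):
    """What happens to a message that only the pre-scan rule caught."""
    score, _ = score_message("Cheap meds", "see http://buy.pharma-deals.test/now")
    return decide(score, threshold)
```

With the threshold at 10 the pre-scan hit is actioned; raise it to 12 and the same message is delivered, because the short-circuit means no further rules can add to the score of 10.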

On the Email Policies page, why are there asterisks next to certain attributes?

The asterisks represent values that differ from the policy used for inherited attributes and highlight where differences exist in policies.

LDAP

Can I configure an LDAP query string to retrieve two different attribute types?
Yes. Specify the attribute names, separated by a space after the search filter.

In what order does the appliance check LDAP servers when multiple LDAP services are configured on the appliance?
You can specify which configured LDAP service to use by name. Where a list of Groups and Group membership is evaluated, the appliance queries the LDAP services in the order in which they are shown in the dashboard.

When scheduling directory synchronization, does the appliance always synchronize it according to the schedule even when there are updates (such as adding a new user account) in the LDAP tree on the server?
Yes. The appliance always synchronizes according to the schedule.

What unit is used for the Directory service page size?
The LDAP page size is the maximum number of entries the server returns in a single page of search results. If a search matches 100 entries and the page size is 50, the results are returned to the client in pages of at most 50 entries, and the remaining entries follow in subsequent pages.

If I configure one LDAP server as a primary and another as a secondary, does the appliance first send a query to the primary, and send a query to the secondary only if the primary stops responding?
The answer depends on the options you choose on the LDAP Query page. If you select Stop on Result and the primary responds, the secondary is not queried. If you do not select Fail Open, the secondary is not queried.

What Active Directory versions were tested against MEG 7.6.40x?
McAfee QA tested MEG 7.6.40x against Active Directory 2008 and 2012 and confirmed that MEG integrates with both Active Directory 2008 and 2012.

If one MEG appliance is configured as Cluster Master and another as Cluster Scanner, and the master goes down, does the Cluster Scanner take over?
With only the Cluster Master and a Scanner, failover does not take place. McAfee recommends that you implement a Cluster Master and Cluster Failover for failover to work.

If one MEG appliance is configured as Cluster Master and another as Cluster Failover, will this achieve high availability and Cluster Failover?
Yes. In this configuration, if the Cluster Master goes down, the Cluster Failover takes over.

If the Master appliance comes back online, what happens to the Cluster Failover appliance? Does the Master role return to the Master appliance?
When the Cluster Master fails, the Cluster Failover takes over. When the Cluster Master comes back online, it preempts the failover and seizes the Master role.

Can I create and configure an appliance cluster using virtual appliances?
Yes.

Can I perform a configuration push from an appliance with a newer applied patch to one with an older patch?
No. All appliances involved in a configuration push must be on the same patch release. Some appliance patches modify configuration parameters; if you perform a push from an appliance with a newer patch to one with an older version, a modified parameter could corrupt the configuration of the receiving appliance.

Can I configure a configuration push on the Cluster Master appliance to push to the Cluster Failover appliance and Cluster Scanner appliances?
No. See KB82172 for full details.

IMPORTANT: Do not enable the configuration push feature among cluster member appliances.

What protocol/mechanism does MEG cluster use for high availability?

  • VRRP in Explicit Proxy mode and Transparent Router mode.
  • STP in Transparent Bridge mode.

Do I need virtual IP address for MEG cluster in Transparent Bridge mode?
No. Virtual IP address is only needed for MEG cluster using VRRP (both Explicit Proxy mode, and Transparent Router mode).

How does the cluster master pass the scanning traffic to scanning appliance?
The cluster master appliance receives the packets of the email. The underlying protocol (VRRP or STP) ensures that the traffic reaches the cluster master; the master then forwards it to the scanning appliance over a GRE tunnel.

How to
How can I prevent MEG from accepting emails in an emergency / stop SMTP traffic flowing?
To disable SMTP, select Email Configuration, and deselect Enable the SMTP Protocol.

How can I disable unused NICs?
To disable unused NICs:

  1. Open the appliance management console, and select System, Appliance Management, General.
  2. Under Network Interface Settings, click Change Network Settings.
  3. In the Network Interfaces wizard, deselect Enabled for the interfaces to be disabled.

How can I view blacklists and whitelists?
Open the appliance management console and select Email, Email Policies, Default Policy, Spam. Click the Blacklist and Whitelists tab, and select User Submitted, View to see the list for Blacklists and Whitelists.

How do I set up Virtual Hosting?
See the "Virtual Hosting" section of the Email Gateway 7.6.x.x Appliance Administrators Guide.
For a full list of product documents, go to the ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Knowledge Base list.


How do I configure MEG 7 Radius authentication?
See the "Login Services" section of the Email Gateway 7.6.x.x Appliance Administrators Guide.

For a full list of product documents, go to the ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Knowledge Base list.


Do procedures exist to disable DoD CAC Authentication?
Yes. Log a support case with McAfee if you want to disable DoD CAC Authentication.

I have a false positive spam detection; how can I submit it to McAfee?
For information about submitting false positives, see KB59415.

How can I check on the length of the MEG 7.6.x email queue without opening/checking the Appliance Dashboard?
Use SNMP to query the appliance for the OID values smtp-message-queue-in and smtp-message-queue-out.

What is TrustedSource?
TrustedSource is the email reputation component of the McAfee Global Threat Intelligence (GTI) portfolio. It helps identify legitimate email senders and ensures that their messages are delivered without delay.

Can I pay a fee to be listed?
No. Unlike other "pay-to-play" or bonded types of accreditation services, McAfee believes that a sender can take advantage of the easier way of communicating with our customers only after they show a pattern of sending behavior that is acceptable to our broad customer base. We do not believe that the sender's reputation is a function of the amount of money they are willing to pay to get on the list.

What does reputation mean? For each IP address on the Internet, TrustedSource calculates a reputation value based on sending behavior, blacklist and whitelist information, spam trap information, and so on. The reputation is expressed in four classes:
  • Minimal Risk: The IP address is a legitimate sender or a source of substantial amounts of legitimate email.
  • Unverified: The IP address might be a legitimate sender, but displays a few properties suggesting further content inspection of emails received from that address.
  • Medium Risk: The IP address shows many spam sender characteristics, and email received from this address might be subject to higher scrutiny.
  • High Risk: The IP address has either been used to send spam or phishing, or must not send any email messages in general.

Is it possible to configure policy exceptions?
Yes. With the release of MEG 7.6 and later, you can configure policy exceptions. Formerly, multiple policies were required to accommodate these scenarios. With the release of MEG 7.6, policy exceptions are implemented for those instances when a policy needs to be applied for all recipients or senders, except for an individual or a small subset of members of the original policy. For details, see KB79065.

How does TrustedSource work?

TrustedSource servers subtract point values from the Spam Profiler (SP) algorithm for messages from reputable senders and add point values if the sending IP address, the message hash, or a URL in the message conforms to any of the currently known characteristics of spam. Email Gateway/Secure Mail/Email and Web Security makes a real-time request to the TrustedSource servers for each message, and based on the reply, makes a point contribution that can increase or decrease the overall ESP spam score for that message.
 
How is sender identification performed?
TrustedSource identifies the sender by IP address. This action ensures that a spammer is not able to spoof another reputable sender by forging its identifying domain name or email address.
 
How does TrustedSource evaluate the reputation of the sender?
TrustedSource receives and analyzes billions of messages per month from a McAfee network of sensors deployed to protect enterprise traffic, messaging, and web gateways across 82 countries globally. It collects reputation data for URLs, IPs, Domains, and Messages. McAfee has developed proprietary heuristic algorithms to classify and rank a particular sender of email on an ongoing basis.
 
How does TrustedSource ensure a sender's reputation is kept up-to-date?
Changes in the reputation of senders are inevitable. Owners of classified IP addresses might change. The networks of legitimate e-mailers might become infected by viruses and, as a result, can instantly turn into major worldwide proliferators of spam. TrustedSource deals with this problem in multiple ways. The service does not operate as a simple IP address bypass list, but also examines the contents of each message and checks for its compliance with the customer's email content policies. Because of this fact, a message that expresses clear spam characteristics or includes viruses or other objectionable content will not be allowed to pass through the appliance and reach its target. McAfee has processes in place to continuously monitor the message patterns from all senders, including ones that are already listed. Any significant negative change in the types of messages originating from that IP address results in a quick removal of that sender from the service.
 
What is the best way for the public to submit requests?
The preferred method is to use the web form on the site http://www.trustedsource.org. Find the TrustedSource query section, enter the information, and select submit. You are then redirected to the Threat Intelligence page, where Threat Feedback is selected to submit the information by completing the form.
 
How can adjustments be submitted?
Our researchers can better adjust omissions and errors in context. For that reason, it is better to submit both samples and logging as follows:
Submit false negatives, or spam that has been delivered to the recipients' mailboxes, to Meg_spam@mcafeesubmissions.com for MEG 7.6.x appliances.
Submit false positives, or emails that are believed to have been erroneously quarantined, to Meg_falsepositives@mcafeesubmissions.com, again according to the appliance series in use.
 
NOTE: The messages' headers and full logging are required to investigate your sample and make any needed adjustments. McAfee examines the messaging history for each submitted IP address. If there is sufficient evidence of lawful and acceptable perennial behavior on the part of that sender, its reputation is adjusted and its scores decreased.
