Best practices for spam control with Symantec Messaging Gateway appliances.
There are several variables that affect how spam messages can be detected and managed.
Learn about email and spam.
If you want to control spam you need to understand the problem, so learn about the protocols, techniques and technologies involved. The documentation provided with the product in PDF format and the internet are excellent resources to build and strengthen your knowledge.
Read the documentation provided with the product.
Symantec Messaging Gateway appliances offer industry leading antispam technology with unparalleled accuracy and effectiveness. The accompanying document explains in detail how to configure and tune the product for best results
Read the Effectiveness User's Guide.
It provides an overview of antispam effectiveness issues, policies, and procedures related to Symantec Messaging Gateway and other Symantec Mail Security products.
Spam should be not be retained.
An accuracy of less than 1 in a million false positives makes Symantec Messaging Gateway appliances the gold standard of antispam solutions. Spam could represent more than 90% of the total volume of messages you receive. The time lost deleting spam costs the most in lost productivity according to several studies, therefore we strongly suggest to set the antispam policies to delete spam automatically. Unless absolutely necessary, spam should not be quarantined.
Keep your software up to date.
By keeping your Symantec antispam software updated you make sure you can take advantage of the latest technology in antispam software.
Implement Recipient Validation for ALL domains if possible.
Most of the spam is sent blindly without attention to the recipient name in some sort of brute force attack, that also enables the spammer to discover who the existent/valid recipients are using a technique called Directory Harvest Attack (D HA). Recipient validation allows you to the accept only those messages that have a valid recipient and reject messages to invalid recipients if Reject Invalid Recipients is enabled. This greatly reduces the volume of spam to be processed.
Enable Directory Harvest Attack (DHA) with action reject (you need DDS set for this).
Spammers employ directory harvest attacks to find valid email addresses at the target site. A directory harvest attack works by sending a large quantity of possible email addresses to a site. An unprotected mail server will simply reject messages sent to invalid addresses, so spammers can tell which email addresses are valid by checking the rejected messages against the original list.
You can setup this feature by following the instructions provided on the products's administrators guide.
Enable sender authentication.
You can enable SPF and SenderID sender authentication on a per domain basis and DKIM validation on a system-wide basis.
Sender authentication features included on the SMG appliance such as SPF also depend on how the sender domain SPF records have been created. For these, only enable sender authentication for domains you know are properly configured and frequently spoofed.
For DKIM, you can create a content filtering policy to apply actions based on the results of DKIM validation.
for more information on these subjects please see:
Sender ID is an attempt at extending the functionality of SPF, by comparing the envelope and the body sender. While this seems plausible, it will actually reject valid email under certain circumstances:
- If the sender has enabled BATV (see below), and does not have a Sender ID record with the correct policy their email will be rejected
- If some internal recipients are subscribed to mailing lists
SPF needs to be enabled for all sending domains to have any effect. It is also recommended to have one's own SPF record to avoid being spoofed. SPF only applies to the envelope.
Again, it is strongly advised to create one's own DKIM records too. If one enforces DKIM signing with a policy record like this:
_domainkey.example.com. IN TXT "o=-"
Any messages from one's own domain that are not signed will be rejected, thus neatly providing protection against spoofing. In this case it is important that any other solution providers that send emails on the company's behalf do so from a separate subdomain.
Try to use the "reject" action instead of "drop" or "defer" when possible.
The idea behind this is: the more you reject, the less you process. Knowing that the vast majority of the inbound SMTP traffic received these days is spam (75-90%) this greatly helps to use the resources available to process valid messages. When the Drop choice is used, the SMG still accepts the message and takes up further processing power that is not necessary.
Enable Connection Classification.
To use this feature the appliance must be deployed at the gateway (receiving SMTP connection from the original IP address). When enabled, it will restrict the quality of service to connections from sources that are known to send spam.
Use the Symantec Global Bad Senders to detect spam sources.
Make use of Symantec Global Bad Senders data to stop a majority of spam at the connection time.
Reduce the usage of Global Good Sender (IP and Domain)
The usage of the good senders is basically a white-list that allows the sender to skip a full set of filters in the gateway. Symantec suggests to reduce at minimum the list of IPs or domains and use it in extreme scenarios. Accepting senders via "good sender list" allows the source to send any kind of email (spam included). Once this option is enabled you silently accept more spam from the sources specified in the list. If your concern is that the appliance is blocking legitimate email then you need to submit the messages through our false positive address following the instructions in this article: http://www.symantec.com/docs/TECH83081
Enable Bounce Attack Prevention (BATV).
Bounce Attack Prevention protects your systems from bounce attacks. BATV will identify fake Non Delivery Reports (NDRs) and prevent backscatter attacks from entering the network with configurable actions, including rejecting or deleting these messages, while still allowing legitimate bounce message notifications to be delivered normally.
If BATV is enabled, a SenderID record of the following form should be added to DNS in order to avoid emails being rejected due to SenderID:
IN TXT "spf2.0/mfrom mx -all"
This avoids the above mentioned issue of BATV emails being rejected due to differing Enevlope and body senders.
About defending against bounce attacks: http://www.symantec.com/docs/HOWTO53527
Enable probe participation.
SMG provides you with the option to convert your invalid recipient email addresses into probe accounts which can be used in the Symantec Probe Network. Probe accounts help Symantec track spam and learn from it. The intelligence that Symantec gains from probe accounts enables continuous improvement of the rules that govern spam filters. Better filters means fewer spam intrusions on your network.
Take advantage of the new dispositions.
A new set of dispositions for Newsletters, Marketing Mail and Suspicious URLs was introduced into version 9.5.x and later . Although these are not considered spam by Symantec, the new feature is designed to give more control to customers in blocking unwanted content. For more information on the new verdicts please check this article.
Take advantage of URI Reporting
Help Symantec create better spam filters that block messages based on Uniform Resource Identifiers (URI). When URI reporting is enabled, Symantec Messaging Gateway sends a report to Symantec Security Response. The report contains URIs that appear in the messages that Symantec Messaging Gateway scans for spam. Symantec uses this information to develop new URI-based filters. These updated filters are received through the Conduit service.
Take advantage of Customer Specific Rules
You can obtain custom spam rules specifically for your organization based on the new threat messages that administrators and end users submit. This feature works best when end users can dynamically block new threat messages by moving them to the "Report Spam" folder, by deploying Symantec Email Submission Client on Microsoft Exchange servers.
See the following documents for additional information on Customer Specific Spam Rules:
Setting up customer-specific spam submissions: www.symantec.com/docs/HOWTO77719
About submitting messages for customer-specific spam rules: www.symantec.com/docs/HOWTO77718
The Network and the Environment
Make sure the inbound MTA "sees" the original source IP address for inbound connections.
A high percentage of the spam messages can be rejected at the time the SMTP connection is made to the SMG appliance based on IP reputation. In order to take advantage of this feature, the SMG appliance requires the inbound connection to maintain the source IP address unmodified by any upstream host.
Set interfaces to the highest speed possible, full duplex and non-autonegotiate.
On certain network environments, the auto-negotiation process does not set the best speed/duplex option on the link between the appliance's NIC and the switch, We suggest the administrator to manually select the best possible speed/duplex combination for each ethernet interface.
Reject connection from bogons at the edge (usually firewall).
If you prefer, these connections can be blocked before they arrive to the SMG appliance.
Reduce the total volume of spam entering your network.
If you need to reduce the total spam volume, you can enable Connection Classification on SMG
Submit missed spam The Easy Way.
if you use Microsoft Exchange 2007 and 2010, download and install the Symantec Email Submission Client (SESC). Simply sign into http://fileconnect.symantec.com and download the installer.
Imported Document Id