Learn about best practices for spam control with Symantec Messaging Gateway (SMG) appliances.
Several variables affect how spam messages can be detected and managed.
Learn about email and spam
If you want to control spam you need to understand the problem. Learn about the protocols, techniques, and technologies involved; the product documentation is an excellent resource to build and strengthen your knowledge.
Symantec Messaging Gateway appliances offer industry-leading antispam technology with unparalleled accuracy and effectiveness. The following document explains in detail how to configure and tune the product for best results. It also provides an overview of antispam effectiveness issues, policies, and procedures that are related to Symantec Messaging Gateway and other Symantec Mail Security products.
Accuracy of less than 1 in a million false positives makes Symantec Messaging Gateway appliances the gold standard of antispam solutions. Spam can represent more than 90% of the total volume of messages you receive. According to several studies, the time lost deleting spam is the largest productivity cost that spam causes. Therefore, we suggest that you set the antispam policies to delete spam automatically. Unless necessary, spam should not be quarantined.
Keep your software up-to-date
By keeping your Symantec antispam software up-to-date, you can take advantage of the latest technology in antispam software.
Implement Recipient Validation for ALL domains if possible
Most spam is sent blindly, with no regard to whether the recipient name exists, as a form of brute-force attack. This also lets the spammer discover which recipients exist or are valid, using a technique called a Directory Harvest Attack (DHA). Recipient validation lets you accept only messages addressed to valid recipients and, if Reject Invalid Recipients is enabled, reject messages to invalid recipients. This greatly reduces the volume of spam to be processed.
Enable Directory Harvest Attack (DHA) protection with the reject action (DDS must be configured for this)
Spammers employ directory harvest attacks to find valid email addresses at the target site. A directory harvest attack works by sending a large number of possible email addresses to a site. An unprotected mail server rejects messages sent to invalid addresses, so spammers can tell which email addresses are valid by checking the rejected messages against the original list.
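The two sections above describe the same signal from both sides: recipient validation answers each RCPT TO against the directory, and DHA protection counts the invalid answers per source. The following added example (not SMG code) shows that detection logic over constructed records; the directory contents, threshold and window are assumptions for the demo.

```python
"""Directory-harvest detection over recipient-validation results.
Added example, not SMG code. Records are constructed tuples
(timestamp_seconds, source_ip, recipient); directory and thresholds are assumed."""
from collections import defaultdict, deque

INVALID_RCPT_THRESHOLD = 5   # invalid RCPT TO attempts that trigger flagging (assumed)
WINDOW_SECONDS = 60          # sliding window per source IP (assumed)

# Stand-in for the directory that recipient validation consults.
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed sample: a harvester guessing names, a legitimate sender with one
# typo, and a slow source that never reaches the threshold inside one window.
SAMPLE_RCPTS = [
    (0, "203.0.113.5", "alice@example.com"),
    (1, "203.0.113.5", "aaron@example.com"),
    (2, "203.0.113.5", "abby@example.com"),
    (3, "203.0.113.5", "adam@example.com"),
    (4, "203.0.113.5", "adrian@example.com"),
    (5, "203.0.113.5", "al@example.com"),
    (7, "192.0.2.9", "bobb@example.com"),
    (8, "192.0.2.9", "bob@example.com"),
    (0, "198.51.100.7", "zed@example.com"),
    (90, "198.51.100.7", "zoe@example.com"),
]

def validate_recipient(address):
    """Recipient validation: True only for addresses present in the directory."""
    return address.lower() in VALID_RECIPIENTS

def find_harvesters(records, threshold=INVALID_RCPT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {source_ip: peak invalid-recipient count} for sources that reach
    the threshold within one window; these are the connections to reject."""
    recent = defaultdict(deque)   # ip -> timestamps of invalid RCPT TO still in window
    flagged = {}
    for ts, ip, rcpt in sorted(records):
        if validate_recipient(rcpt):
            continue              # a valid recipient is not evidence of harvesting
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # age out attempts outside the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Only the harvesting source is flagged: the sender with a single typo and the slow source stay below the threshold, which is why the reject action can be applied per source without penalising ordinary mistakes.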
With proper implementation of SPF, SenderID, DKIM and DMARC, most spoofed spam can be blocked or quarantined.
Please see https://www.symantec.com/docs/HOWTO128205 and https://www.symantec.com/docs/HOWTO128215 for configuring outbound and inbound sender authentication respectively.
Try to use the "reject" action instead of "drop" or "defer" when possible
The idea behind this is simple: the more you reject, the less you process. Because the vast majority of inbound SMTP traffic received these days is spam (75-90%), this greatly helps in using available resources to process valid messages. When the Drop action is used, the SMG still accepts the message and spends processing power on it that is not necessary.
Enable Connection Classification
To use this feature, the SMG appliance must be deployed at the gateway (receiving the SMTP connection from the original IP address). When enabled, it restricts the quality of service for connections from sources that are known to send spam.
Use the Symantec Global Bad Senders to detect spam sources
Make use of Symantec Global Bad Senders data to stop a majority of spam at the connection time.
Reduce the usage of Global Good Sender (IP and Domain)
The good sender lists are essentially whitelists that allow a sender to skip a full set of filters in the gateway. Symantec suggests keeping the list of IP addresses or domains to a minimum and using it only in extreme scenarios. Accepting senders via a good sender list allows the source to send any kind of email, spam included.
Once this option is enabled you silently accept more spam from the sources specified in the list.
Bounce Attack Prevention protects your systems from bounce attacks. Bounce Address Tag Validation (BATV) identifies fake Non-Delivery Reports (NDRs) and prevents backscatter from entering the network, with configurable actions that include rejecting or deleting these messages, while legitimate bounce notifications are still delivered normally.
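To make the mechanism concrete, here is an added example (not Symantec's implementation) of BATV-style tagging and validation: outbound envelope senders are signed, and a null-sender bounce is accepted only if its recipient carries a valid, unexpired tag. The tag layout follows the prvs scheme of the BATV draft; the HMAC construction, key and validity window are assumptions.

```python
"""BATV-style tagging and bounce validation (added example, not SMG's code).
Outbound envelope senders get a prvs tag following the BATV draft layout
prvs=KDDDSSSSSS=user@domain; the HMAC input and key are assumptions here."""
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # per-site signing key (constructed)
VALID_DAYS = 7                      # how long a tag is honoured (assumed)

def _sig(key_id, day, address):
    """6-hex-char signature over key id, day and the original address."""
    msg = f"{key_id}{day:03d}{address}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:6]

def sign_sender(address, today, key_id=0):
    """Tag an outbound envelope sender; today is a day counter (e.g. days since epoch)."""
    local, domain = address.rsplit("@", 1)
    day = today % 1000                       # DDD field wraps every 1000 days
    return f"prvs={key_id}{day:03d}{_sig(key_id, day, address)}={local}@{domain}"

def check_bounce_recipient(rcpt, today):
    """Classify the RCPT TO of a null-sender (bounce) message.
    Returns ("accept", original_address) or ("reject", reason)."""
    if not rcpt.startswith("prvs="):
        return ("reject", "untagged address: we never sent mail from it")
    parts = rcpt.split("=", 2)
    if len(parts) != 3 or len(parts[1]) != 10:
        return ("reject", "malformed prvs tag")
    tag, original = parts[1], parts[2]
    try:
        key_id, day = int(tag[0]), int(tag[1:4])
    except ValueError:
        return ("reject", "malformed prvs tag")
    if (today % 1000 - day) % 1000 > VALID_DAYS:
        return ("reject", "tag expired")        # replayed old bounce
    if not hmac.compare_digest(tag[4:], _sig(key_id, day, original)):
        return ("reject", "bad signature")      # forged NDR / backscatter
    return ("accept", original)
```

A forged NDR addressed to a plain, untagged mailbox is rejected before any content scanning, which is what keeps backscatter from consuming filter capacity.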
SMG provides you with the option to convert your invalid recipient email addresses into probe accounts, which can be used in the Symantec Probe Network. Probe accounts help Symantec track spam and learn from it. The intelligence that Symantec gains from probe accounts enables continuous improvement of the rules that govern spam filters. Better filters mean fewer spam intrusions on your network.
Take advantage of the newsletter and marketing mail dispositions
A set of dispositions for newsletters, marketing mail, and suspicious URLs is available in SMG. Although these are not considered spam by Symantec, this feature is designed to give more control to customers in blocking unwanted content. See About Disposition Verdicts in Messaging Gateway.
Take advantage of URI Reporting
Help Symantec create better spam filters that block messages based on Uniform Resource Identifiers (URI). When URI reporting is enabled, Symantec Messaging Gateway sends a report to Symantec Security Response. The report contains URIs that appear in the messages that Symantec Messaging Gateway scans for spam.
Symantec uses this information to develop new URI-based filters. These updated filters are received through the Conduit service.
Take advantage of Customer-Specific Rules
You can obtain custom spam rules specifically for your organization based on the new threat messages that administrators and end users submit. This feature works best when end users can dynamically block new threat messages by moving them to the "Report Spam" folder, which the Symantec Email Submission Client provides when deployed on Microsoft Exchange servers.
You can enable URL Reputation Filtering to scan emails for URLs and send DNS queries to Symantec for reputation lookups. This increases the product's ability to detect and protect against spam and phishing attacks.
CAUTION: This feature drastically increases the volume of DNS requests to your DNS servers. Make sure that your DNS servers are capable of handling the increased traffic before enabling this feature.
Make sure the inbound MTA "sees" the original source IP address for inbound connections.
A high percentage of the spam messages can be rejected at the time the SMTP connection is made to the SMG appliance based on IP reputation. To take advantage of this feature, the SMG appliance requires the inbound connection to maintain the source IP address unmodified by any upstream host.
Set interfaces to the highest speed possible, full duplex and non-autonegotiate.
In certain network environments, auto-negotiation does not select the best speed and duplex setting on the link between the appliance's NIC and the switch. We suggest that you manually select the best possible speed and duplex combination for each Ethernet interface.
Reject connection from bogons at the edge (usually firewall).
If you prefer, these connections can be blocked before they arrive at the SMG appliance.
Reduce the total volume of spam entering your network.
If you need to reduce the total spam volume, you can enable Connection Classification in SMG.