Spam control best practices for Messaging Gateway

Article ID: 177332


Products

Messaging Gateway

Issue/Introduction

Learn about best practices for spam control with Symantec Messaging Gateway (SMG) appliances.

Resolution

Several variables affect how spam messages can be detected and managed.

The Administrator

Learn about email and spam

If you want to control spam, you need to understand the problem. Learn about the protocols, techniques, and technologies involved; the product documentation is an excellent resource for building and strengthening your knowledge.

See Symantec Messaging Gateway Documentation.

Symantec Messaging Gateway appliances offer industry-leading antispam technology with unparalleled accuracy and effectiveness. The following document explains in detail how to configure and tune the product for best results. It also provides an overview of antispam effectiveness issues, policies, and procedures that are related to Symantec Messaging Gateway and other Symantec Mail Security products.

The Product

Spam should not be retained

Accuracy of less than 1 in a million false positives makes Symantec Messaging Gateway appliances the gold standard of antispam solutions. Spam could represent more than 90% of the total volume of messages you receive. According to several studies, the time spent deleting spam is the largest cost in lost productivity. Therefore, we suggest that you set the anti-spam policies to delete spam automatically. Unless necessary, spam should not be quarantined.

Keep your software up-to-date

By keeping your Symantec antispam software up-to-date, you can take advantage of the latest technology in antispam software.

Implement Recipient Validation for ALL domains if possible

Most spam is sent blindly, without regard for whether the recipient name exists, as a kind of brute force attack. This also lets the spammer discover which recipients are valid, a technique called a Directory Harvest Attack (DHA). Recipient validation allows you to accept only those messages that have a valid recipient, and to reject messages to invalid recipients if Reject Invalid Recipients is enabled. This greatly reduces the volume of spam to be processed.

Enable Directory Harvest Attack (DHA) protection with the reject action (DDS must be configured for this)

Spammers employ directory harvest attacks to find valid email addresses at the target site. A directory harvest attack works by sending a large number of possible email addresses to a site. An unprotected mail server rejects messages sent to invalid addresses, so spammers can tell which email addresses are valid by checking the rejected messages against the original list.

See the administration guide to learn how to configure this feature.
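How a directory harvest shows up in mail logs, and how a defender can spot it, as an added Python illustration that is not SMG code (the SMG DHA feature performs this on the appliance itself; the log format, IP addresses and thresholds below are constructed for the example):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real SMG output): timestamp, source IP, recipient, RCPT TO result.
SAMPLE_LOG = """\
2024-01-10T09:00:01 src=203.0.113.7 rcpt=alice@example.com result=accepted
2024-01-10T09:00:02 src=203.0.113.7 rcpt=aaron@example.com result=invalid_recipient
2024-01-10T09:00:02 src=203.0.113.7 rcpt=abby@example.com result=invalid_recipient
2024-01-10T09:00:03 src=203.0.113.7 rcpt=adam@example.com result=invalid_recipient
2024-01-10T09:00:03 src=203.0.113.7 rcpt=adrian@example.com result=invalid_recipient
2024-01-10T09:00:04 src=203.0.113.7 rcpt=ahmed@example.com result=invalid_recipient
2024-01-10T09:00:10 src=198.51.100.5 rcpt=bob@example.com result=accepted
2024-01-10T09:00:11 src=198.51.100.5 rcpt=bobby@example.com result=invalid_recipient
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) rcpt=(\S+) result=(\S+)$")

def parse(log_text):
    """Yield (timestamp, source_ip, recipient, result); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_dha_sources(log_text, window=timedelta(minutes=5), min_invalid=5, min_ratio=0.5):
    """Return {ip: (invalid, total)} for each source that, inside one sliding window,
    sends at least min_invalid RCPT TO commands for invalid recipients and whose
    invalid share is at least min_ratio (so a busy relay with a few typos is not hit)."""
    events = defaultdict(list)
    for ts, ip, _rcpt, result in parse(log_text):
        events[ip].append((ts, result == "invalid_recipient"))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            invalid = sum(1 for _t, bad in win if bad)
            if invalid >= min_invalid and invalid / len(win) >= min_ratio:
                flagged[ip] = (invalid, len(win))
                break  # one qualifying window is enough to flag this source
    return flagged

if __name__ == "__main__":
    print(find_dha_sources(SAMPLE_LOG))  # sources worth rejecting at connection time
```

A source that is flagged this way is exactly what the DHA feature with the reject action turns away before the appliance spends resources on it.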

Enable sender authentication

With a proper implementation of SPF, Sender ID, DKIM, and DMARC checks, most spoofed spam can be blocked or quarantined.

Try to use the "reject" action instead of "drop" or "defer" when possible

The idea behind this is simple: the more you reject, the less you process. Since the vast majority of inbound SMTP traffic received these days is spam (75-90%), rejecting early frees the available resources to process valid messages. When the Drop action is used, SMG still accepts the message and spends processing power on it unnecessarily.

Enable Connection Classification

To use this feature, the SMG appliance must be deployed at the gateway, receiving the SMTP connection directly from the original source IP address. When enabled, it restricts the quality of service given to connections from sources that are known to send spam.

Use the Symantec Global Bad Senders to detect spam sources

Make use of Symantec Global Bad Senders data to stop a majority of spam at the connection time.

Reduce the usage of Good Sender (IP and Domain)

The Good Sender lists are essentially a whitelist that allows the sender to skip a full set of filters in the gateway. Symantec suggests keeping the list of IP addresses or domains to a minimum and using it only in exceptional scenarios. Accepting senders via a good sender list allows the source to send any kind of email, spam included.

Once this option is enabled you silently accept more spam from the sources specified in the list.

If your concern is that the appliance is blocking legitimate email, submit the false positives to Symantec Security Response.

Enable Bounce Attack Prevention (BATV)

Bounce Attack Prevention protects your systems from bounce attacks. BATV will identify fake Non-Delivery Reports (NDRs) and prevent backscatter attacks from entering the network with configurable actions, including rejecting or deleting these messages, while still allowing legitimate bounce message notifications to be delivered normally.

Also review: About defending against bounce attacks
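The mechanism behind this, as an added Python illustration that is not SMG code: the gateway signs the envelope sender of its outbound mail, so a bounce addressed to an untagged, tampered or expired address cannot be the result of mail it actually sent. The prvs= tag layout follows the public BATV draft; the key, lifetime and day encoding are this example's own choices, and how SMG itself encodes its tags is not stated on this page.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed demo values: a real gateway keeps its key secret and rotates it.
KEY = b"example-batv-secret-key"
TAG_LIFETIME_DAYS = 7
DEMO_DAY = date(2024, 3, 1)

def _day_code(day):
    """Three-digit day code: days since the Unix epoch, modulo 1000."""
    return f"{(day - date(1970, 1, 1)).days % 1000:03d}"

def _sig(day_code, address, key):
    """Six hex chars of HMAC-SHA1 over the day code and the original address."""
    return hmac.new(key, f"{day_code}{address}".encode(), hashlib.sha1).hexdigest()[:6]

def tag_sender(address, today, key=KEY):
    """Rewrite an outbound envelope sender as prvs=KDDDSSSSSS=user@domain.
    K is a key-version digit, DDD the expiry day code, SSSSSS the signature."""
    day_code = _day_code(today + timedelta(days=TAG_LIFETIME_DAYS))
    return f"prvs=0{day_code}{_sig(day_code, address, key)}={address}"

def classify_bounce(rcpt, today, key=KEY):
    """Classify a null-sender (MAIL FROM:<>) bounce by its RCPT TO address.
    Returns ("legitimate", original_address) or ("backscatter", None)."""
    if not rcpt.startswith("prvs=") or rcpt.count("=") < 2:
        return ("backscatter", None)  # all our outbound mail is tagged; untagged bounces are fake
    _, tag, address = rcpt.split("=", 2)
    if len(tag) != 10 or tag[0] != "0":
        return ("backscatter", None)  # malformed tag or unknown key version
    day_code, sig = tag[1:4], tag[4:]
    if not hmac.compare_digest(sig, _sig(day_code, address, key)):
        return ("backscatter", None)  # forged, or replayed against another address
    # Unexpired tags lie 0..TAG_LIFETIME_DAYS days ahead; anything else has wrapped (expired).
    days_left = (int(day_code) - int(_day_code(today))) % 1000
    if days_left > TAG_LIFETIME_DAYS:
        return ("backscatter", None)
    return ("legitimate", address)

if __name__ == "__main__":
    tagged = tag_sender("alice@example.com", DEMO_DAY)
    print(tagged, classify_bounce(tagged, DEMO_DAY), classify_bounce("alice@example.com", DEMO_DAY))
```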

Enable probe participation

SMG provides you with the option to convert your invalid recipient email addresses into probe accounts, which can be used in the Symantec Probe Network. Probe accounts help Symantec track spam and learn from it. The intelligence that Symantec gains from probe accounts enables continuous improvement of the rules that govern spam filters. Better filters mean fewer spam intrusions on your network.

Take advantage of the newsletter and marketing mail dispositions

A set of dispositions for newsletters, marketing mail, and suspicious URLs is available in SMG. Although Symantec does not classify these messages as spam, this feature gives customers more control over blocking unwanted content.

Take advantage of URI Reporting

Help Symantec create better spam filters that block messages based on Uniform Resource Identifiers (URIs). When URI reporting is enabled, Symantec Messaging Gateway sends a report to Symantec Security Response. The report contains the URIs that appear in the messages that Symantec Messaging Gateway scans for spam.

Symantec uses this information to develop new URI-based filters. These updated filters are received through the Conduit service.

Take advantage of Customer-Specific Rules

You can obtain custom spam rules specifically for your organization, based on the new threat messages that administrators and end users submit. This feature works best when you deploy the Symantec Email Submission Client on Microsoft Exchange servers, so that end users can report new threat messages simply by moving them to the "Report Spam" folder.

See Setting up customer-specific spam submissions

See About submitting messages for customer-specific spam rules

Use URL Reputation Filtering (10.7.0 - 10.7.4)

You can enable URL Reputation Filtering, which scans emails for URLs and sends DNS queries to Symantec for reputation lookups. This increases the product's ability to detect and protect against spam and phishing attacks.

CAUTION: This feature drastically increases the volume of DNS requests to your DNS servers. Make sure that your DNS servers are capable of handling the increased traffic before enabling this feature.

See the video Enhancing URL Reputation Filtering.

Enable Spam URL and Malicious URL Filtering (10.7.5 and later)

Configure one Spam rule acting on the "If message contains Spam URL content" disposition and a second Spam rule acting on the "If message contains Malicious URL content" disposition.

See Creating the policies that detect spam and unwanted email

The Network and the Environment

  • Make sure the inbound MTA "sees" the original source IP address for inbound connections.
    • A high percentage of the spam messages can be rejected at the time the SMTP connection is made to the SMG appliance based on IP reputation. To take advantage of this feature, the SMG appliance requires the inbound connection to maintain the source IP address unmodified by any upstream host.
  • Set interfaces to the highest speed possible, full duplex and non-autonegotiate.
    • In certain network environments, the auto-negotiation process does not select the best speed and duplex option on the link between the appliance's NIC and the switch. We suggest that you manually select the best possible speed and duplex combination for each Ethernet interface.
  • Reject connections from bogons at the edge (usually the firewall).
    • If you prefer, these connections can be blocked before they arrive at the SMG appliance.
  • Reduce the total volume of spam entering your network.
    • If you need to reduce the total spam volume, you can enable Connection Classification in SMG.