Learn about best practices for spam control with Symantec Messaging Gateway (SMG) appliances.
Several variables affect how spam messages can be detected and managed.
If you want to control spam you need to understand the problem. Learn about the protocols, techniques, and technologies involved; the product documentation is an excellent resource to build and strengthen your knowledge.
Symantec Messaging Gateway appliances offer industry-leading antispam technology with unparalleled accuracy and effectiveness. The following document explains in detail how to configure and tune the product for best results. It also provides an overview of antispam effectiveness issues, policies, and procedures that are related to Symantec Messaging Gateway and other Symantec Mail Security products.
Accuracy of less than 1 in a million false positives makes Symantec Messaging Gateway appliances the gold standard of antispam solutions. Spam could represent more than 90% of the total volume of messages you receive. The time that is lost deleting spam costs the most in lost productivity, according to several studies. Therefore, we suggest that you set the anti-spam policies to delete spam automatically. Unless necessary, spam should not be quarantined.
By keeping your Symantec antispam software up-to-date, you can take advantage of the latest technology in antispam software.
Most spam is sent blindly, with no attention to the recipient name, in a kind of brute-force attack. This also lets the spammer discover which recipients exist, a technique called a Directory Harvest Attack (DHA). Recipient validation allows you to accept only those messages that have a valid recipient, and to reject messages to invalid recipients if Reject Invalid Recipients is enabled. This greatly reduces the volume of spam to be processed.
Spammers employ directory harvest attacks to find valid email addresses at the target site. A directory harvest attack works by sending a large number of possible email addresses to a site. An unprotected mail server rejects messages sent to invalid addresses, so spammers can tell which email addresses are valid by checking the rejected messages against the original list.
See the administration guide to learn how to configure this feature.
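The harvesting pattern described above (one source, many distinct recipients, almost all of them unknown) is easy to spot in SMTP logs. The following detection sketch is an added example, not part of the product documentation; the log layout, the sample lines, and the thresholds are assumptions and do not reflect SMG's own log format.

```python
import re
from collections import defaultdict

# Constructed sample in a generic "client/rcpt/reply" layout. Assumption: this
# is NOT SMG's log format; adapt LINE_RE to what your gateway actually emits.
SAMPLE_LOG = """\
10:00:01 client=203.0.113.7 rcpt=<aaron@example.com> reply=550
10:00:01 client=203.0.113.7 rcpt=<abby@example.com> reply=550
10:00:02 client=203.0.113.7 rcpt=<adam@example.com> reply=250
10:00:02 client=203.0.113.7 rcpt=<adele@example.com> reply=550
10:00:03 client=203.0.113.7 rcpt=<adrian@example.com> reply=550
10:00:03 client=203.0.113.7 rcpt=<agnes@example.com> reply=550
10:04:10 client=198.51.100.20 rcpt=<adam@example.com> reply=250
10:04:11 client=198.51.100.20 rcpt=<sales@example.com> reply=250
10:09:30 client=198.51.100.20 rcpt=<slaes@example.com> reply=550
"""

LINE_RE = re.compile(
    r"client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]+)> reply=(?P<code>\d{3})")

def find_harvesters(log_text, min_rcpts=5, max_valid_ratio=0.2):
    """Return {client_ip: (distinct_rcpts, rejected_rcpts)} for sources whose
    RCPT pattern looks like address guessing rather than normal mail."""
    seen = defaultdict(set)      # ip -> every distinct recipient tried
    rejected = defaultdict(set)  # ip -> recipients refused as unknown (550)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rcpt = m["rcpt"].lower()
        seen[m["ip"]].add(rcpt)
        if m["code"] == "550":
            rejected[m["ip"]].add(rcpt)
    flagged = {}
    for ip, rcpts in seen.items():
        tried, bad = len(rcpts), len(rejected[ip])
        # Many distinct recipients, almost none of which exist: a legitimate
        # sender with one typo never reaches min_rcpts or this ratio.
        if tried >= min_rcpts and (tried - bad) / tried <= max_valid_ratio:
            flagged[ip] = (tried, bad)
    return flagged

if __name__ == "__main__":
    print(find_harvesters(SAMPLE_LOG))
```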
With SPF, Sender ID, DKIM, and DMARC properly implemented, most spoofed spam can be blocked or quarantined.
The idea behind this is simple: the more you reject, the less you process. Because the vast majority of inbound SMTP traffic received these days is spam (75-90%), rejecting greatly helps in using available resources to process valid messages. When the Drop choice is used, SMG still accepts the message and spends further processing power on it that is not necessary.
To use this feature, the SMG appliance must be deployed at the gateway (receiving SMTP connections from the original IP address). When enabled, it restricts the quality of service for connections from sources that are known to send spam.
Make use of Symantec Global Bad Senders data to stop the majority of spam at connection time.
A good senders list is essentially a whitelist that allows the listed senders to skip the full set of filters in the gateway. Symantec suggests keeping the list of IP addresses or domains to a minimum and using it only in extreme scenarios. Accepting senders via the "good sender list" allows the source to send any kind of email, spam included.
Once this option is enabled, you silently accept more spam from the sources specified in the list.
If your concern is that the appliance is blocking legitimate email, submit the false positives to Symantec Security Response.
Bounce Attack Prevention protects your systems from bounce attacks. Bounce Address Tag Validation (BATV) identifies fake Non-Delivery Reports (NDRs) and prevents backscatter from entering the network, with configurable actions that include rejecting or deleting these messages, while still allowing legitimate bounce notifications to be delivered normally.
Also review: About defending against bounce attacks
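To show how a gateway can tell a legitimate bounce from a forged one, here is a simplified sketch of envelope-sender tagging modelled on the `prvs` layout from the BATV Internet-Draft (key digit, three-digit expiry day, 24-bit HMAC-SHA1 prefix). It is an added example, not SMG's implementation; the function names, key, and addresses are assumptions.

```python
import hashlib
import hmac
import re
import time

PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)@([^@]+)$", re.I)

def _day(now=None):
    """Days since 1970-01-01 for `now` (seconds), defaulting to the clock."""
    return int((time.time() if now is None else now) // 86400)

def _sig(key, kddd, addr):
    """First three bytes (hex) of HMAC-SHA1 over key number, day and address."""
    mac = hmac.new(key, (kddd + addr).encode(), hashlib.sha1)
    return mac.digest()[:3].hex()

def batv_sign(addr, key, key_num=0, lifetime_days=7, now=None):
    """Tag the envelope sender of outbound mail so real bounces return tagged."""
    local, domain = addr.rsplit("@", 1)
    kddd = f"{key_num}{(_day(now) + lifetime_days) % 1000:03d}"
    return f"prvs={kddd}{_sig(key, kddd, addr)}={local}@{domain}"

def batv_verify(bounce_rcpt, keys, lifetime_days=7, now=None):
    """Return the original address if the bounce recipient carries a valid,
    unexpired tag; None means the NDR answers mail we never sent."""
    m = PRVS_RE.match(bounce_rcpt)
    if not m:
        return None                      # untagged: forged sender, backscatter
    k, ddd, sig, local, domain = m.groups()
    key = keys.get(int(k))
    if key is None:
        return None                      # unknown or retired key number
    addr = f"{local}@{domain}"
    if not hmac.compare_digest(_sig(key, k + ddd, addr), sig.lower()):
        return None                      # tag was not produced with our key
    # The expiry day is stored modulo 1000, so compare modulo 1000 as well:
    # an expired tag wraps to a large value instead of going negative.
    if (int(ddd) - _day(now)) % 1000 > lifetime_days:
        return None
    return addr

if __name__ == "__main__":
    keys = {0: b"constructed-demo-key"}  # constructed key, for illustration
    tagged = batv_sign("alice@example.com", keys[0])
    print(tagged, "->", batv_verify(tagged, keys))
```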
SMG provides you with the option to convert your invalid recipient email addresses into probe accounts, which can be used in the Symantec Probe Network. Probe accounts help Symantec track spam and learn from it. The intelligence that Symantec gains from probe accounts enables continuous improvement of the rules that govern spam filters. Better filters mean fewer spam intrusions on your network.
A set of dispositions for newsletters, marketing mail, and suspicious URLs is available in SMG. Although these are not considered spam by Symantec, this feature is designed to give more control to customers in blocking unwanted content. See About Disposition Verdicts in Messaging Gateway.
Help Symantec create better spam filters that block messages based on Uniform Resource Identifiers (URI). When URI reporting is enabled, Symantec Messaging Gateway sends a report to Symantec Security Response. The report contains URIs that appear in the messages that Symantec Messaging Gateway scans for spam.
Symantec uses this information to develop new URI-based filters. These updated filters are received through the Conduit service.
You can obtain custom spam rules specifically for your organization based on the new threat messages that administrators and end-users submit. This feature works best when end-users can dynamically block new threat messages by moving them to the "Report Spam" folder, by deploying Symantec Email Submission Client on Microsoft Exchange servers.
You can enable URL Reputation Filtering, which scans emails for URLs and sends DNS queries to Symantec for reputation lookup. This increases the product's ability to detect and protect against spam and phishing attacks.
CAUTION: This feature drastically increases the volume of DNS requests to your DNS servers. Make sure that your DNS servers are capable of handling the increased traffic before enabling this feature.
See the video Enhancing URL Reputation Filtering.