This help topic describes how spam detection works. It includes the following information:
Spam is any unsolicited and unwelcome email message. It includes commercial email messages, the electronic equivalent of junk mail, and unwanted non-commercial email messages, such as virus hoaxes, jokes, and chain letters.
Frequently, spammers (who create spam) forge the headers of their email messages to hide their true identity, often deflecting retaliation toward innocent parties.
Some spammers specialize in spoofing email messages to persuade unsuspecting users to disclose personal identity and information about financial accounts. Having stolen the information, spammers can fraudulently obtain goods and services. This specialized form of spam is known as phishing.
Anti-spam and anti-phishing use the same technology. You will see the anti-phishing option only if the anti-spam option is also available.
Although you can enable and disable them independently, you gain no significant change in performance by disabling or enabling one option and not the other.
Email messages that contain spam are quarantined in the Spam Quarantine. Phishing messages are quarantined in the Content Quarantine.
The anti-spam software matches a large set of rules against every email message. Each rule has a score — positive or negative. Rules that match spam-like characteristics give a positive score. Rules that match characteristics of legitimate messages give a negative score. When added, the scores give each message an overall spam score. Some rules are simple, and match only on popular phrases. Others are more complex and match on the header information and structure of email messages.
In a similar way, the anti-spam engine uses the anti-phishing rules to detect phishing attacks. Rules that match phishing characteristics add to the overall phish score, while rules that match non-phish characteristics reduce the overall phish score.
The anti-spam software examines the overall anti-spam score and overall anti-phish score to determine if the anti-spam or anti-phish policy should be applied to the email message. If it should, the email message is categorized as spam or phish.
The score for each rule in the anti-phish rule set is fixed and cannot be changed. The score for each anti-spam rule can be changed.
The software contains many anti-spam rules that it applies against email messages. You can disable rules that might not be appropriate for your organization.
For example, advertisements for unproven slimming aids are common, so a rule that detects the phrase weight loss is useful for identifying possible spam. However, if your organization produces health products, you might not want to apply this rule against your email messages.
To make certain types of email messages more or less likely to be treated as spam, you can change the score associated with each of the anti-spam rules.
The anti-spam scores have been carefully optimized, and you should change a score only if you are fully aware of the consequences of that change.
You cannot change the score associated with phish rules.
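The following added example, which is not McAfee code, sketches the rule scoring described above: each matching rule contributes its positive or negative score, the sum is compared with a threshold, and disabling the weight loss rule changes the verdict. The rule names, scores, threshold and sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass, replace
from email import message_from_string

@dataclass(frozen=True)
class Rule:
    name: str
    score: float   # positive: spam-like trait, negative: legitimate trait
    field: str     # "body" or a header name
    pattern: str
    enabled: bool = True

# Constructed rules and scores, for illustration only.
RULES = [
    Rule("PHRASE_WEIGHT_LOSS", 2.5, "body", r"(?i)\bweight loss\b"),
    Rule("PHRASE_ACT_NOW", 1.5, "body", r"(?i)\bact now\b"),
    Rule("SUBJECT_ALL_CAPS", 1.0, "Subject", r"^[^a-z]*[A-Z][^a-z]*$"),
    Rule("NO_MESSAGE_ID", 2.0, "Message-ID", r"^$"),
    Rule("IS_REPLY", -2.0, "In-Reply-To", r"<[^>]+>"),
]
SPAM_THRESHOLD = 5.0  # assumed policy threshold, not a product default

def classify(raw, rules=RULES, threshold=SPAM_THRESHOLD):
    """Return (overall score, names of matching rules, is_spam)."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # a str for the single-part samples used here
    total, hits = 0.0, []
    for rule in rules:
        if not rule.enabled:
            continue
        text = body if rule.field == "body" else (msg.get(rule.field) or "")
        if re.search(rule.pattern, text):
            total += rule.score
            hits.append(rule.name)
    return total, hits, total >= threshold

def disable(rules, name):
    """Copy of the rule set with one rule switched off."""
    return [replace(r, enabled=False) if r.name == name else r for r in rules]

# Constructed sample messages.
BULK = ("From: promo@example.test\nSubject: LOSE WEIGHT FAST\n\n"
        "Amazing weight loss results. Act now!\n")
REPLY = ("From: sales@example.test\nSubject: Re: weight loss shakes\n"
         "Message-ID: <2@example.test>\nIn-Reply-To: <1@example.test>\n\n"
         "The weight loss shakes ship on Monday.\n")

if __name__ == "__main__":
    for label, raw in (("bulk", BULK), ("reply", REPLY)):
        print(label, classify(raw))
    print("bulk, rule off", classify(BULK, disable(RULES, "PHRASE_WEIGHT_LOSS")))
```

The reply still triggers the weight loss rule, but the negative score for being part of an existing thread keeps its overall score well under the threshold.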
When spam is detected, the anti-spam software can be configured to take the following primary actions:
You can also specify secondary actions, including:
You can respond to the changing nature of spam by regularly downloading the latest anti-spam files.
The anti-spam files help you maintain a balance between the email messages you want to filter out because they probably contain spam, and those that you want to let through because they are unlikely to contain spam.
You can download:
Bayesian learning is another way of assigning scores to email messages that could be spam. The software uses a Bayesian database to calculate the probability that an email message contains spam.
Users can help to train the database to recognize spam by sending spam samples to the administrator. The administrator can decide which email samples to submit to the database. The content of the sample is then analyzed and its spam-like phrases are learnt for future reference.
If users receive email messages that have been incorrectly identified as spam, they can send the email messages to the administrator for non-spam learning.
The more email messages that are correctly submitted and used for training, the greater the chances of spam being correctly identified in the future.
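As an added illustration, not the product's implementation, the sketch below uses a simplified naive Bayes model to show how spam and non-spam learning change the probability assigned to a message. The `BayesDB` class, its tokenizer, the smoothing and the training samples are assumptions made for this example.

```python
import math
import re
from collections import Counter

class BayesDB:
    """Per-token message counts for spam and non-spam training samples."""

    def __init__(self):
        self.msgs = {"spam": 0, "nonspam": 0}
        self.tokens = {"spam": Counter(), "nonspam": Counter()}

    @staticmethod
    def tokenize(text):
        # Distinct lowercase words of three or more letters.
        return set(re.findall(r"[a-z]{3,}", text.lower()))

    def learn(self, text, label):
        """Submit one sample for 'spam' or 'nonspam' learning."""
        self.msgs[label] += 1
        self.tokens[label].update(self.tokenize(text))

    def spam_probability(self, text):
        n_s, n_h = self.msgs["spam"], self.msgs["nonspam"]
        if not n_s or not n_h:
            return 0.5  # no basis for a decision until both classes are trained
        log_odds = math.log(n_s / n_h)  # prior odds from the sample counts
        for tok in self.tokenize(text):
            # Add-one smoothing so an unseen token never gives a zero probability.
            p_s = (self.tokens["spam"][tok] + 1) / (n_s + 2)
            p_h = (self.tokens["nonspam"][tok] + 1) / (n_h + 2)
            log_odds += math.log(p_s / p_h)
        return 1 / (1 + math.exp(-log_odds))

def trained_db():
    """Database trained on four constructed samples."""
    db = BayesDB()
    for sample in ("cheap pills act now", "win money now cheap offer"):
        db.learn(sample, "spam")
    for sample in ("meeting agenda for monday",
                   "quarterly report attached for review"):
        db.learn(sample, "nonspam")
    return db

if __name__ == "__main__":
    db = trained_db()
    msg = "cheap offer on quarterly report"  # legitimate, but looks spam-like
    print("before non-spam learning:", round(db.spam_probability(msg), 3))
    db.learn(msg, "nonspam")
    print("after non-spam learning: ", round(db.spam_probability(msg), 3))
```

The legitimate message scores 0.6 before it is submitted for non-spam learning and about 0.21 afterwards, while messages made up only of learnt spam phrases stay above 0.9.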
Email messages that contain spam or that are not spam but have been mistakenly identified as spam can be submitted for spam or non-spam learning.
You can:
McAfee Quarantine Manager is a software product that allows you to consolidate quarantine management and spam learning for a range of McAfee products.
Instead of each product maintaining its own quarantine area, the McAfee products can be configured to send email messages that need quarantining to a central McAfee Quarantine Manager server.
If you have McAfee Quarantine Management enabled on a McAfee Quarantine Manager server, you can configure the software to use the server for spam learning. The server receives email messages for spam learning and forwards them to the software.
You can:
For more information about McAfee Quarantine Manager, refer to the appropriate Administrator's Product Guide and User's Product Guide.
A blacklist is a list of email addresses that are probably senders of spam or phishing email messages. Email messages from blacklisted senders will receive a high spam score, so they are more likely to have a high overall spam score and more likely to be treated as spam by the software.
A whitelist is a list of email addresses that are probably senders of email messages that look like spam, but which you do not want to be treated as spam. For example, you might want to receive certain promotional email messages, which would otherwise be treated as spam by the software. Email messages from whitelisted senders will receive a low spam score, so they are more likely to have a low overall spam score and be treated as non-spam by the software.
We recommend the following tips to reduce unwanted email messages. Make these tips available to users to help them reduce the spam they receive: