McAfee SMEFCE-AI-DA - Email Security Service Inbound Administration Manual page 12

Email Filtering Policies
Spam FilterType
Industry Heuristics
Proprietary Heuristics
URL Filtering
Reputation Analysis
Reputation-Based RBL
Filtering
Sender Policy
Framework (SPF)
Real-time Blackhole List
The Real-time Blackhole List (RBL) is a system for creating intentional network outages
(blackholes) for the purpose of limiting the transport of known-to-be-unwanted mass
email. The RBL is a database of IP addresses that are reported to be spam sources.
4 Proprietary: Not for use or disclosure outside McAfee without written permission.
Email Protection incorporates thousands of successful industry-
wide spam-fighting rules to recognize characteristics of spam.
Email Protection experts write and update thousands of proprietary
rules to block spam, including fraudulent phishing spam, using
real-time data from your service provider's Threat Center.
URL filtering works by comparing embedded links found in emails
with URLs associated with identified spam.
Email Protection constantly monitors inbound email to build a list
of IP addresses and domain names to rate the reputation of the
sender based upon the percentage of spam emails received from
that address in the past.
Using up to 31 real-time blackhole lists (RBLs) of known
spammers provided by the industry, Email Protection creates a
single RBL indicator to help gauge the likelihood of an email being
sent by a known spammer. By using multiple black lists to create a
single vote and by rating the reputation of each RBL based on its
accuracy at distinguishing spammers from senders of legitimate
email helps to minimize the possibility of a non-spammer being
blocked by mistake.
The SPF classifier helps identify and block fraudulent spoofing
emails – those sent by spammers with forged "From" addresses –
from entering your email network. For each inbound email, the SPF
classifier will look up the sending domain's Domain Naming
System (DNS) record and its list of authorized IP addresses.
Emails that carry an IP address not found on the authorized list will
be included within the Stacked Framework Classification System
for the detection of spam. By determining whether or not the
relationship between the DNS record and the IP address is
legitimate, Email Protection is able to more accurately filter out
fraudulent spoofed emails. As a result, Email Protection reduces
risk for users who might be duped by the email into divulging
confidential personal information.
Email Protection Administrator Guide
Description
November 2012