How do I automatically generate a Spam exclusion list from my outbound recipient list?


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

  • How do I automatically generate a Spam exclusion list from my outbound recipient list?
  • I want to create a list to bypass anti-spam rules by harvesting my outbound recipient addresses.
  • If I send someone an outbound message, I want to exclude that recipient from Spam filtering.
  • I want to reduce Spam false triggers in email from legitimate business partners.

Procedure:

One very effective way of building an Allow list to reduce Spam false triggers is to harvest all outbound recipient addresses.  The assumption is that if you send a message from your company to an address, then the recipient is a legitimate user.  When that legitimate user sends a message to your company, their address should not be tested against your Spam rules. 

Warning: The Allow list can grow very large, and could affect configuration reloading and server performance.

  • To avoid issues that can result from a very large list, in current versions of SEG you can automatically remove older unused entries. See Trustwave Knowledgebase article Q12772.

Note: There is an important exception to address harvesting: Messages sent from "postmaster" addresses and other addresses where non-delivery or abuse reports originate SHOULD NOT be added to the Allow list. This exception is included in the steps below.

Current versions of SEG include an "auto harvest" rule in the Automated Responses policy group of default rules. If this rule already exists, simply enable it. Steps 1 and 2 below are not required in this case.

Step 1: Create a Postmaster exception list.

Create a new usergroup: "Postmaster Addresses".

The contents of the usergroup should be the following addresses:

abuse@*.*
admin@*.*
administrator@*.*
mailer-daemon@*.*
mailmarshal@*.*
postmaster@*.*
root@*.*

Step 2:  Create an outbound harvesting rule.

This rule will add outbound recipients to a user group "Sender Allowed" if the recipient is not already a member of the group, unless the sender is a member of the Postmaster group.

Standard Rule: Harvest Sender Allow list
When a message arrives
Where message is outgoing
Except where addressed to 'Sender Allowed'
     Or except where addressed from 'Postmaster Addresses'
Add message recipients into 'Sender Allowed'
And pass message to the next rule for processing.

Step 3:  Modify your inbound Spam rules to use the Allow list.

One option is to create a rule at the top of your Anti-Spam ruleset, which checks to see if the message came from one of your harvested recipients from the Harvest Sender Allow list rule above.  If it triggers, the remaining Spam rules are bypassed.  

For current versions of MailMarshal, you could simply add the harvested Allow list to the global whitelist. A rule to allow the global whitelist is already present and enabled by default.

Standard Rule: Allow Senders in Harvested Sender Allow list
When a message arrives
Where message is incoming
Where addressed from 'Sender Allowed'
Pass the message on to the next policy group

Alternatively, modify your existing Spam rules by adding an exclusion for the Sender Allow list as follows:

Standard Rule: Block Suspect Spam
When a message arrives
Where message is incoming
Except where addressed from 'Sender Allowed'
Where message size is less than '100 KB'
    And where message is categorized as 'Spam'
Move the message to 'Spam - Suspect' 

This article was previously published as:
NETIQKB45156

Last Modified 3/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10217.aspx