This article provides recommendations for the following scenario: Default Inbound policy works as expected for the majority of users on the account but some users receive excessive amount of spam. The recommendations are:

  1. Create another inbound policy just for affected user(s) that will have higher priority that the default one:
    • Create Group for affected user(s): login to McAfee Console > Account Management > Groups > New > specify Group name and description > Save > double-click on new Group > Members > Add affected user(s) > Apply.
      NewGroup
    • Create new Policy: navigate to Email Protection > Policies > New > specify Policy name, description and default settings > Save > move new Policy on the first place (higher priority) > Apply > double-click on new policy > Group Subscription > Add recently created Group with affected user(s) > Save.
      NewPolicy
  2. Use more strict settings for the spam type action: double-click on new Policy > Spam > change default actions for High Likelihood, Medium Likelihood, Greymail, enable Real-Time Block lists, etc...
    SpamSettings
  3. Copy the allow lists from the default policy, unless it is not needed for this user: double-click on new Policy > Allow/Deny > Sender Allow / Sender Deny > check the box for Subscribe to the Default Inbound policy Sender Allow/Deny List.
    AllowDeny
  4. Create custom content groups based on the keywords the user encounters most often in the spam email emails:
    • Spam policy: double-click on new Policy > Spam > Content Groups > New > specify group name and add keywords > select Action > check the box Enable > Save.
      Note: Quarantine action for this group allows end-user to release the quarantined messages from his Spam Report or his own McAfee Console. 
      SpamContent
    • Content policy: double-click on new Policy > Content > Custom Content Groups > New > specify group's name and keywords > select Action > check the box Enable > Save.
      Note: Quarantine action for this group does not allow end-user to release quarantined emails himself. Only Administrator may do that for him from account-wide Quarantine.
      ContentGroup
    Note: for testing purposes, we recommend using a safe action like Quarantine; the setting can be adjusted later based on the user(s) experience.
  5. Recommend user(s) to report spam email directly to McAfee via Outlook plugin or McAfee submission email. Read the Knowledge Base article on McAfee: Reporting Suspected Spam for more details. 

    Additionally, let your user(s) know McAfee is a feedback based spam-filtering vendor: once spam email is submitted and evaluated, the changes are applied in 24 hours, and will be implemented enterprise-wide.