Loading...

Knowledge Center


How to Whitelist or Blacklist Sub-domains Using Wildcards in Email Gateway 7.x
Technical Articles ID:   KB78819
Last Modified:  7/12/2016
Rated:


Environment

McAfee Email Gateway 7.x

On October 22, 2015, McAfee announced the five year End of Life (EOL) for McAfee Email Gateway (MEG) software and appliances. For details, see KB85857

Problem

You want to whitelist or blacklist a domain for the MEG 7.x Spam rules, but the domain in question also has several sub-domains that also need to be whitelisted or blacklisted.

Sometimes you may need to whitelist or blacklist not only a top level domain, but all of its sub-domains. If there are several sub-domains, adding individual entries of them may be challenging since they may not all be known, and listing them individually would result in the list growing very large.

Solution

You can whitelist or blacklist a domain and its sub-domains using a  wildcard (*), but this may not always be necessary.

To whitelist or blacklist an entire domain, the entry for the domain should look like this:
*@domain.name

This entry should trigger when the email address is in the format  user@domain.name or user@sub.domain.name.

However, if the email address is potentially in the format user@sub.domain.name or user@sub1.sub2.domain.name or you are not sure if the domain might contain sub-domains, you can utilize a wildcard (*) both before and after the @ symbol:
 
*@*domain.name

 
This will trigger if the email address is like user@domain.nameuser@sub.domain.name, or user@sub1.sub2.domain.name.
NOTE:  It should also trigger on user@sub1.sub2.sub3.domain.name, but email addresses like that are rare.

If you have SMTP conversation logging enabled (see KB74815), you can easily verify if a whitelist or blacklist rule triggered for a message because the conversation log will contain lines similar to the following.

Example: If a whitelist triggers, the conversation log entry after Starting antispam scan will look like:

        No detection from Spam engine. Spam engine version 2.3.0.9362 : core <4601> :
        streams <975085> : uri <1440148>. Spam score -5000. Phish score is 0.

Spam score -5000 indicates a whitelist entry was applied. The Email Report for the message will  contain an entry in the Scanner Category column that says Legitimate.

Example: If a blacklist triggers, the conversation log after Starting antispamscan will look like:

        Spam scan detection. Spam engine version 2.3.0.9362 : core <4630> : streams
<994640> : uri <1467969>. Spam score is 5000. Action

                Accept and then drop the data (Block)
                Quarantine

Spam score is 5000 indicates that a blacklist entry was applied. The Email Report for the message will show a Scanner Category of Spam/Phish, the Scanner will show as Anti-Spam and the Data column will list BLACKLISTED=5000.

NOTE: This method of using wildcards (*) in the format *@*domain.name will work for blacklisted senders, blacklisted recipients, whitelisted senders, or whitelisted recipients.

To create a whitelist or blacklist entry:
  1. Log on the Appliance Management Console.
  2. Select EmailEmail Policies.
  3. Under the Spam heading for the policy to which you want to add a whitelist or blacklist entry, click Spam.
  4. Click Blacklists and Whitelists.
  5. Select Blacklisted Senders, Blacklisted Recipients, Whitelisted Senders, or Whitelisted Recipients, depending upon which type of entry you want to create.
  6. Click Add Address.
  7. In the text box, enter the domain for which you want to create an entry, using the preceding examples (such as *@*domain.name).
  8. Click OK.
  9. Click Apply Changes

Rate this document

Affected Products

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.