Messaging Gateway

  • 1.  Best Practice for using Probe Accounts with SBG 9.0

    Posted Apr 20, 2010 04:56 PM

    We are likely to implement Probe Accounts in SBG 9.   Looking for a community discussion of best practices.  I see two use cases:  you have Recipient Validation enabled, or you don't.

    In the case with Recipient Validation:

    If you enabled Admin/Reporting/Invalid Recipients, then under Spam/Probe Accounts, the system will suggest e-mail addresses that are invalid recipients as possible probe accounts.

    Q: How do you select "good" accounts?
    Q: How do you keep track of when a probe account becomes a user's valid account and unsubscribe the probe account?  Particularly in very large environments?
    Q: Others?

    If you don't do recipient validation, or don't want to use the suggested e-mail addresses:
    Q: Choosing good accounts?
    Q: Good practices for "seeding" the accounts to attract spammer attention?
          - Postings on blogs,
          - adding address to domain websites as mailto:probeaddress@example.com
          - others?
    Q: Others?


  • 2.  RE: Best Practice for using Probe Accounts with SBG 9.0

    Posted Apr 21, 2010 08:07 AM
    Check the release notes for SBG 9.0. In case you have further queries please let us know. We would be glad to assist you.

    http://service1.symantec.com/support/ent-gate.nsf/854fa02b4f5013678825731a007d06af/8cf6eca04278f4d1882576bd007df4b7?OpenDocument


  • 3.  RE: Best Practice for using Probe Accounts with SBG 9.0

    Posted Apr 21, 2010 03:03 PM

    I've read that, but it and the manual don't give operational guidance, just how to drive the GUI.


  • 4.  RE: Best Practice for using Probe Accounts with SBG 9.0

    Posted Apr 23, 2010 01:40 PM
    Hi,

    The ideal email accounts are ones that don't correspond to actual users and are receiving the highest volume of spam messages. If you have a recipient validation source enabled and are doing invalid recipient lookups, SBG will be able to suggest invalid recipients which receive the highest volume of mail. The theory would be that any email address which doesn't correspond to a real user shouldn't be getting many legitimate emails, so these emails would be mostly spam. You may like to review the messages in these accounts to see what the content is like and whether it corresponds to your missed spam pain points. Filters won't automatically be created for every message sent over; it must actually meet Symantec's definition of spam, i.e. unsolicited bulk email.

    Should you later have to add a user that corresponds to a probe address, that email address won't receive any external email so it would become apparent quite quickly.

    If you don't have recipient validation enabled, then you need to find another way of identifying email addresses that don't correspond to real users but do receive a lot of spam. You might be able to do this by grepping through mail logs, or use a list of email addresses of users that have left the company.

    For seeding, posting the addresses on high-traffic blogs / websites is ideal but time-consuming, and you may find yourself blocked quickly or foiled by CAPTCHAs if you try to do it via a script. Also it may not be of that much direct benefit to your company relative to the workload, as the additional traffic might not be what your end users actually receive. You could alternatively place the addresses as mailto: links either visibly or in 'invisible ink' (e.g. white text on white background) on your website. The search engines don't like the invisible ink though. If you place the probe addresses on their own page, I'd recommend linking to that page from a high-traffic page so that there would be a higher chance the addresses would be found and harvested. You might like to do this with a certain portion of the probe addresses so that you can compare activity. I'd normally recommend seeding for email addresses that aren't receiving any traffic or low volumes. By selecting email accounts that are already receiving spam this isn't as necessary.

    Hope that helps.

    Amanda
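
    Added example, not part of the original thread and not Symantec code: one way to do the mail-log pass suggested above for sites without recipient validation, plus a check for probe addresses that later become real user accounts. The Postfix-like log layout, the addresses and the function names are all constructed assumptions; adapt the regex to your own MTA's log format.

```python
import re
from collections import Counter

# Constructed sample in a Postfix-like layout; the page shows no SBG log
# format, so the regex below is an assumption to adapt to your own MTA logs.
SAMPLE_LOG = """\
Apr 20 10:01:02 mx1 postfix/smtp[101]: A1: to=<old.sales@example.com>, status=bounced (user unknown)
Apr 20 10:01:09 mx1 postfix/smtp[101]: A2: to=<Old.Sales@example.com>, status=bounced (user unknown)
Apr 20 10:02:11 mx1 postfix/smtp[102]: A3: to=<jdoe@example.com>, status=sent (250 ok)
Apr 20 10:03:40 mx1 postfix/smtp[103]: A4: to=<info1999@example.com>, status=bounced (user unknown)
Apr 20 10:04:05 mx1 postfix/smtp[104]: A5: to=<old.sales@example.com>, status=bounced (user unknown)
Apr 20 10:05:30 mx1 postfix/smtp[105]: A6: to=<info1999@example.com>, status=bounced (user unknown)
Apr 20 10:06:12 mx1 postfix/smtp[106]: A7: to=<typo.once@example.com>, status=bounced (user unknown)
"""

RCPT_RE = re.compile(r"\bto=<([^>\s]+@[^>\s]+)>")

def recipient_counts(log_text):
    """Count messages per recipient address, case-insensitively."""
    return Counter(m.group(1).lower() for m in RCPT_RE.finditer(log_text))

def probe_candidates(counts, valid_users, min_hits=2):
    """Addresses with no matching real user, busiest first.
    min_hits drops one-off typos that carry no steady mail stream."""
    valid = {u.lower() for u in valid_users}
    hits = [(a, n) for a, n in counts.items() if a not in valid and n >= min_hits]
    return sorted(hits, key=lambda x: (-x[1], x[0]))

def probe_collisions(probes, valid_users):
    """Probe addresses that now belong to a real user and must be retired."""
    valid = {u.lower() for u in valid_users}
    return sorted(p.lower() for p in probes if p.lower() in valid)

if __name__ == "__main__":
    directory = ["jdoe@example.com"]  # constructed directory export
    for addr, n in probe_candidates(recipient_counts(SAMPLE_LOG), directory):
        print(f"{n:4d}  {addr}")
    # A later hire is given an address that is already a probe account.
    new_directory = directory + ["info1999@example.com"]
    print(probe_collisions(["info1999@example.com"], new_directory))
```

    Running the collision check against each fresh directory export is one way to catch the case raised in the first post, where a probe address is later assigned to a real user.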