Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Best practices for spam prevention in InterScan Messaging Security Virtual Appliance (IMSVA)

    • Updated:
    • 19 Jan 2021
    • Product/Version:
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • Interscan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • Interscan Messaging Security Virtual Appliance 9.1
    • Platform:
    • N/A

Learn about the key features you should consider to maximize Spam Prevention in your environment using IMSVA.


Email reputation blocks IP addresses of known spam senders that Trend Micro maintains in a central database. There are two possible service levels:

  • Standard is a DNS single-query-based service. Your designated email server makes a DNS query to the standard reputation database server whenever an incoming email message is received from an unknown host. If the host is listed in the standard reputation database, Email reputation reports that email message as spam.
  • Advanced is a dynamic, real-time antispam solution. To provide this service, Trend Micro continuously monitors network and traffic patterns and immediately updates the dynamic reputation database as new spam sources emerge, often within minutes of the first sign of spam. As evidence of spam activity ceases, the dynamic reputation database is updated accordingly.

Like Email reputation: Standard, Email reputation: Advanced is a DNS query-based service, but two queries can be made to two different databases - the standard reputation database and the dynamic reputation database (a database updated dynamically in real time). These two databases have distinct entries (no overlapping IP addresses), allowing Trend Micro to maintain a very efficient and effective database that can quickly respond to highly dynamic sources of spam. Email reputation: Advanced has blocked more than 80% of total incoming connections (all were malicious) in customer networks. Results will vary depending on how much of your incoming email stream is spam. The more spam you receive, the higher the percentage of blocked connections you will see.

For more information on configuring the IP Reputation in InterScan Messaging Security products, refer to KB 1101697.

Known hosts include trusted Mail Transfer Agents (MTAs) and the Cloud Pre-Filter that are deployed before IMSVA on your network. If you have one or multiple MTAs configured upstream from IMSVA on your network, enable the known host setting and add these MTAs as known hosts. IMSVA then traces the nearest upstream MTA that is not in the known host list and queries its IP address against the email reputation database for IP filtering and graymail scanning.

To configure:

  1. Go to Administration > IMSVA Configuration > Known Hosts.
  2. Select the Enable Known Hosts check box.
  3. Specify the IP address and description for the host to add.
  4. Click Add.

IP Profiler helps protect the mail server from attacks with smart profiles from the Intrusion Detection Service (IDS). Rules are set to monitor the behaviour of all sender addresses and block them according to the threshold setting. Rules can be set for the following: Spam, Viruses, DHA attacks, Bounced mail, SMTP traffic throttling (Feature available since IMSVA 9.1).

To enable:

  1. Go to IP Filtering > Rules. The Rules screen appears with several tabs, one for each type of threat.
  2. Enable feature, configure threshold to monitor and select action.

SPS uses detection technology based on sophisticated content processing and statistical analysis. Unlike other approaches to identifying spam, content analysis provides high performance, real-time detection that is highly adaptable, even as spammers change their techniques.

To enable:

  1. Under Spam/Phishing/Social Engineering Attack on the scanning conditions selection screen, select the check box next to Spam detection settings.
  2. Click Spam detection settings. The Spam Detection settings screen appears.
  3. Select spam catch rate or threshold. Configure approved and blocked senders.
  4. Click Save.

Phishing email feature is part of Spam Prevention Solution. Phishing is a form of identity theft in which a scammer uses an authentic-looking email from a legitimate business to trick recipients into giving out sensitive personal information, such as a credit card, bank account, social security numbers or other sensitive personal information. The spoofed email message urges the recipient to click on a link to update their personal profile or carry out some transaction. The link then takes the victim to a fake website where any personal or financial information entered is routed directly to the scammer.

To enable this feature, select the check box next to Phishing email under Spam/Phishing/Social Engineering Attack on the scanning conditions selection screen.

Social Engineering Attack Protection detects suspicious behaviour related to social engineering attacks in email messages. When Social Engineering Attack Protection is enabled, the Trend Micro Antispam Engine scans for suspicious behaviour in several parts of each email transmission, including the email header, subject line, body, attachments, and the SMTP protocol information. If the Antispam Engine detects behaviour associated with social engineering attacks, the Antispam Engine returns details about the message to IMSVA for further action, policy enforcement, or reporting.

To enable this feature, select the check box next to Social Engineering Attack Protection under Spam/Phishing/Social Engineering Attack on the scanning conditions selection screen.

C&C Contact Alert Services allows IMSVA to inspect the sender, recipients and reply-to addresses in a message's header, as well as URLs in the message body, to see if any of them matches known C&C objects.

To enable this feature, select the check box next to C&C email settings under C&C Email on the scanning conditions selection screen.

Graymail refers to solicited bulk email messages that are not spam. IMSVA detects marketing messages and newsletters and social network notifications as graymail. IMSVA manages graymail separately from common spam to allow administrators to identify graymail messages. IP addresses specified in the graymail exception list bypass scanning.

To enable:

  1. Under Graymail on the scanning conditions selection screen, select the check box next to Graymail detection settings.
  2. Click Graymail detection settings. The Graymail Detection settings screen appears.
  3. Select Graumail Scan Categories to detect and configure Graymail Exception List.
  4. Click Save.

Trend Micro Web Reputation technology helps break the infection chain by assigning websites a “reputation” based on an assessment of the trustworthiness of an URL, derived from an analysis of the domain. Web reputation protects against web-based threats including zero-day attacks, before they reach the network. Trend Micro web reputation technology tracks the lifecycle of hundreds of millions of web domains, extending proven Trend Micro anti-spam protection to the Internet.

To enable:

  1. Under Web Reputation on the scanning conditions selection screen, select the check box next to Web Reputation settings.
  2. Click Web Reputation settings. The Web Reputation settings screen appears.
  3. Select security level to apply and Approved List.
  4. Click Save.

If Virtual Analyzer is integrated, IMSVA can submit untested URLs to Virtual Analyzer for further analysis. This is available on IMSVA 9.1 Patch 3. You may refer to KB 1122089: URL sandbox in IMSVA 9.1 Patch 3 for further details and steps on how to enable it.

In addition, IMSVA can enable Web Reputation Services (WRS) policy to automatically extract URLs from file attachments and to check the safety of each URL. This is also available on IMSVA 9.1 Patch 3. To enable the said feature, refer to KB 1122214: Attachment Phishing in InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 Patch 3.

The New-born URLs feature is proven to be effective especially when preventing spam and malicious emails. Web Reputation Service (WRS) and Email Reputation Service (ERS) information is used to scan email messages with URLs unknown by Trend Micro.

For more information about the availability of this feature, refer to KB 1108290.

"Spoofed internal messages" filter validates that email sent from the internal email address and to the internal email addresses was only processed by the internal mail servers. IMSVA blocks all messages if they do not originate from the trusted internal IP address list. This filter triggers only on messages where the sender’s and recipient’s domains are the same.

To enable:

  1. Under Others on the scanning conditions selection screen, select the check box next to Spoofed internal messages.
  2. Click Spoofed internal messages. The Spoofed Internal Messages screen appears.
  3. Add IP addresses to the Trusted Internal IP List.
  4. Click Save.

All edge MTA IP addresses must be added to this list if the feature is enabled. If the IP addresses are not added to the list, all messages from the edge MTAs that are not added will be blocked.

DomainKeys Identified Mail (DKIM) is a signature/cryptography-based email authentication that provides a method for validating a message during its transfer over the Internet. By validating that the message comes from the source it is claiming, IMSVA provides spam and phishing protection for your network. Validated messages are not marked as spam and are not scanned for spam. This means false positives are reduced as is the need for scanning messages from a source that is known to be safe.

To enable this feature, there is a default policy called “Global DKIM enforcement rule” under Policy List. Add domains to verify and enable policy.

Whereas SPF protection is not part of IMSVA, postfix provides the option to enable and configure this feature. You may contact TrendMicro Technical Support to obtain more information.

To configure SPF on Office 365, follow this Microsoft article: Set up SPF to help prevent spoofing .

The Advanced Threat Scan Engine (ATSE) uses a combination of pattern-based scanning and heuristic scanning to detect document exploits and other threats used in targeted attacks.

Major features include:

  • Detection of zero-day threats
  • Detection of embedded exploit code
  • Detection rules for known vulnerabilities
  • Enhanced parsers for handling file deformities
Trend Micro recommends sending messages with probable advanced threats to Virtual Analyzer for further analysis. Virtual Analyzer is a separately licensed and activated product.To configure Virtual Analyzer, navigate to Administration > IMSVA Configuration > Virtual Analyzer Settings.

To enable ATSE:

  1. Go to Policy > Scan Engine.
  2. Select Enable Advanced Threat Scan Engine.
  3. Click Save.
In order to avoid misunderstanding and for easy tracking purposes, Trend Micro suggests to create separate policies for different features: AntiSpam, Web Reputation, Phishing…
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.