davcad
Level 7
Message 1 of 10

AntiSpam only processing mail from one receive connector

Hi,

I am running Exchange 2010 SP2 with cas, hub & mailbox roles.  I am also running edge role on another server in the dmz with an edge subscription configured.

I have deployed MSME 7.6 + HF735863 on the internal cas/hub/mailbox server and whilst the antivirus agent is working for all email, the antispam agent is not.  The internal hub server has three receive connectors configured and two send connectors.  The antispam agent only processes emails for one of the three internal receive connectors and none of the send connectors.  Due to this, inbound email from our edge server is not spam checked, and all outbound mail, including that from ActiveSync, OWA and RPC-over-HTTP clients is not checked either.

I want MSME to process ALL mail for antispam - just like it does with antivirus.  How do I configure this?  I have inbound, outbound and internal mails checked in the Transport Scan Settings already.  I have reinstalled the product several times both through ePO and locally via the standalone install package, compared configuration settings of our exchange connectors to try and ascertain why MSME only chooses to work on the same single receive connector, but I cannot deduce why.  No errors are logged in the product log, event viewer and the transport agents are installed ok.

Any input or suggestions would be greatly appreciated.

Regards,

Dave.

Reliable Contributor Aidan
Message 2 of 10

MSME AntiSpam is designed to scan inbound mail from external sources.  It will not scan internal mail for spam.

The fact that the system is accepting mail from the Edge may mean it will not be determined as an External Source as it receives the mail.

The solution would be to have MSME on the Edge Server doing the spam scanning on incoming mail.

Please have a look at the best practice guide detail on Edge Server - https://kc.mcafee.com/corporate/index?page=content&id=PD23545

davcad
Level 7
Message 3 of 10

Hi,

thanks for the quick response.

The reason we deployed on the internal hub server was because we are already using Microsoft Forefront on the edge server and wanted to layer our protection whilst increasing security for internal mail and clients.  

I would be interested to know the logic behind why MSME chose the receive connector it did for enabling antispam, as it was being used for internal only mails.  Surely there must be some way to force the product to spam check all mail, or some configuration setting I can set to make it process mails from the send/receive connectors I specify?

Best regards,

Dave.

McAfee Employee tlange
Message 4 of 10

dave,

we don't install to a particular receive/send connector.  our av scanner triggers when the email gets to the Categorizer on the hub (OnCategorisedMessage event) and the spam scanning occurs when the email gets to the OnEndOfData event in the transportpipeline.  you can see this by opening the ex shell on the hub and typing get-transportpipeline.

just curious did you install the anti-spam agents for exchange on the hub server?  when you run get-transportagent are there more than 5 agents listed including our own?

davcad
Level 7
Message 5 of 10

The exchange anti-spam agents are not installed on the hub server.  The McAfee av and antispam agents are installed, enabled and prioritised 4th and 5th, below the main exchange agents.

McAfee Employee tlange
Message 6 of 10

what's most likely happening is that since emails are getting scanned for spam on the edge server they are having the scl set to either 0 or -1 for emails that aren't seen as spam which will then cause msme to ignore scanning the email again for spam. 

if you enable msme diagnostic logging and then send an email through from external it will show whether this is the case or not.

in the gui select settings & diagnostics\diagnostics

set level to high

set folder path to any folder location.  make sure that folder shows network service to have full control.

to disable just set level to 0

davcad
Level 7
Message 7 of 10

I enabled high level diagnostic logging which produced a multitude of different log files and having looked through them, none of them mentions anything about mail headers or even anything that I could decipher that mentioned emails in general; the general content of all was similar to the below:

McThreadPool.cpp,254,0 returned by m_pTransportLayer->Connect(m_pStream)

However, I did compare the mail headers from mails received internally (which MSME does spam check) with those which came in externally through the edge server, and indeed the external mails all have the X-MS-Exchange-Organization-SCL: -1 header stamp (the internal mails have no such headers as they are sent directly to the internal hub server's receive connector and the exchange antispam agents are not installed there).

So, I did some testing using a few transport rules in Exchange on the internal hub server.  Firstly, I stripped the SCL header completely from all emails received which had no effect.  I then changed the SCL header value to 2, then 5 but MSME anti spam agent still did not process them, however the Outlook client, seeing the positive SCL values, did deliver these messages to the junk mail folder.  Failing that, I tried comparing the headers in more detail and started stripping as much as I could but in all instances MSME did not process mails sourced externally.

I also temporarily enabled NAT on inbound edge traffic to the internal hub server to make MSME think emails were sourced from a local internal IP, but this had no effect either.  This makes me wonder if there is something in the receive connector configuration that may be the deciding factor on whether MSME decides to process for spam or not.  As you recall, we have three internal receive connectors, and MSME will only spam check mails received on one of these.  MSME always chooses the same connector on repeated installations.  The connector chosen differs from the other two in that its authentication methods are different.  The first two connectors only accept TLS or basic auth after TLS, whereas the third connector is configured to permit basic auth without TLS.  This connector is used for receiving internal emails from systems that do not support TLS auth for smtp such as WSUS and ePO itself.  Could this possibly have anything to do with it?
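The header comparison described in the post above can be scripted so that saved messages from each mail path are sorted by their SCL stamp. This is an added example, not code from the thread or from McAfee; the sample messages are constructed, and the label names and the `classify`/`audit` helpers are this example's own.

```python
from collections import Counter
from email import message_from_string

SCL_HEADER = "X-MS-Exchange-Organization-SCL"

def scl_values(raw):
    """Every SCL stamp in a raw message as ints; None marks an unparsable value."""
    values = []
    for text in message_from_string(raw).get_all(SCL_HEADER, []):
        try:
            values.append(int(text.strip()))
        except ValueError:
            values.append(None)
    return values

def classify(raw):
    """Label a message by its SCL stamp (labels are this example's own)."""
    values = scl_values(raw)
    if not values:
        return "no-scl"          # never stamped, like the internal mail in the post
    if any(v is None or not -1 <= v <= 9 for v in values):
        return "malformed"       # outside the -1..9 SCL scale or not a number
    if len(set(values)) > 1:
        return "conflicting"     # stamped more than once with different ratings
    return "scl-minus-1" if values[0] == -1 else "scored"

def audit(messages):
    """Map each message name to its label and count messages per label."""
    labels = {name: classify(raw) for name, raw in messages.items()}
    return labels, Counter(labels.values())

# Constructed sample headers (hypothetical hosts, not taken from the thread).
SAMPLES = {
    "internal.eml": "From: wsus@corp.example\nSubject: report\n\nbody\n",
    "via-edge.eml": "Received: from edge.example by hub.example\n"
                    f"{SCL_HEADER}: -1\nFrom: a@ext.example\n\nbody\n",
    "rule-set-5.eml": f"{SCL_HEADER}: 5\nFrom: b@ext.example\n\nbody\n",
    "restamped.eml": f"{SCL_HEADER}: -1\n{SCL_HEADER}: 5\nFrom: c@ext.example\n\nbody\n",
    "broken.eml": f"{SCL_HEADER}: high\nFrom: d@ext.example\n\nbody\n",
}

if __name__ == "__main__":
    labels, counts = audit(SAMPLES)
    for name, label in labels.items():
        print(f"{name:16} {label}")
    print(dict(counts))
```
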

Reliable Contributor Aidan
Message 8 of 10

Internal mail, or mail determined not to be from an external source, will not be scanned for spam, and as TLange already explained, Transport Agents are used - specifically the McAfeeTxAgent agent is used for AntiSpam.

Is there a possibility you can make the logs available?

McAfee Employee tlange
Message 9 of 10 (Accepted Solution)

dave,

i found an article that shows how to change Forefront so it doesn't apply an scl rating of -1 to mail that isn't marked as spam. 

http://social.technet.microsoft.com/Forums/en-US/FSENext/thread/e559341d-8995-4149-8bd1-dbb149d85bfc...

i think once the scl score changes to a 0 or higher then msme will start spam scanning mail from the internet.

davcad
Level 7
Message 10 of 10

Hi,

Success!  Configuring Forefront with that PowerShell cmdlet on the edge server changed the negative SCLs in inbound external mail headers and MSME is now processing this with the antispam agent.

Many thanks for the advice, I greatly appreciate it.

Regards

Dave.
