Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
1843 Views 8 Replies Latest reply: Dec 3, 2013 2:15 AM by Aidan RSS
resourcegroup Newcomer 24 posts since
Jul 11, 2012
Currently Being Moderated

Apr 10, 2013 5:55 AM

MSME not scanning emails on occasion

We have recently upgraded from Groupshiled 7.0.2 to MSME8, in order to be more in line with the newest updates, and because 7.6 wouldn't play ball

 

The transition has been fine, and apart from a minor glitch when upgrading to Exhchage SP3, for which a hot fix was available, this has all gone fine.

 

However, we are runnining into issues in certain cases with emails which are not being scanned by our Anti Spam agent. The system was letting through emails on occasion, with no idication why, so we configured MSME to add a spam report to all emails. This has led us to the conclusion that some emails are not hitting the filter.

 

An example of two email headers, both through the same server; The first legitimate, the second an email which clearly should have been filtered, and which copies off have been

 

Received: from by

with Microsoft SMTP Server (TLS) id

14.3.123.3; Tue, 9 Apr 2013 23:40:59 +0100

Received: from  by  with Microsoft SMTP Server (TLS) id 14.3.123.3; Tue, 9 Apr 2013

23:40:57 +0100

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=1and1.co.uk;

    s=global1; t=1365547135; i=billing@1and1.co.uk; bh=EZp8vLIYKJllynpN

    5t43nYcFFd/3AE/aaitxmSm/Mc0=; h=MIME-Version:From:Subject:To:

     Content-Type:Content-Transfer-Encoding:Message-Id:Date; b=GB8fMQYS

    OhNztHOjBf8st8oYd7Qfq1sSbpg4hWXnf/EyvUgmsjIvSznRVgb2XM3pmBe30X57RbY

    ITVm9tXCNfkZMNBN+NYlYYuoF2WjJCyDdnPss5OY0Bl7oRaPbpD7P3bC+ANgXn/bW8z

    XXwPLaunuWJNzClYCkPNU2pPNZ5Bc=

Received: from omsmail (streamserve3.mt.einsundeins.de [172.19.7.103])    by

(node=mbulk0) with ESMTP (Nemesis)    id

0LrMKX-1UZYYd1WhA-013hyy; Wed, 10 Apr 2013 00:38:55 +0200

MIME-Version: 1.0

From:

Subject: Please update your payment details

To:

X-Message-ID: 89492489688122046#2

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

Message-ID:

Date: Wed, 10 Apr 2013 00:38:55 +0200

X-Provags-ID: V02:K0:v8MXmLauG1lRzdKkMLXJ++3oeazuovkHu9FE0ygBOTT

lp7GTRh7qt6bGKe7EqHnQWjJ7xJyrN9CmcIeQiquQbuk5o2p2g

JMWFTsyDMivm9V1ge894gIeOjKeA/xU1xf4Kc970wyzCsjAuk/

rWPc8/L5r8MnCpMYzo1iCKEeg1TA0+JDYWJbLiCeYnlqzlHiXU

m3rBotApi4THtLwG3WY4Qx+H7RYmj4iyu9J4InMNmwqMzhbxXf

qR+HQ8SYeLSBOSospB+m8Aqa1GpqlL3tAmgFZHRNMo/PVcce+C

FDiO9u1mqnvqo8syjXVWvLN3ctTVFnv6+vVv4eNmVa3kFulgQ=

=

Return-Path: 89492489688122046.2.2131162278@bounce.unitedinternet.com

X-NAI-Spam-Flag: NO

X-NAI-Spam-Level: **

X-NAI-Spam-Threshold: 5

X-NAI-Spam-Score: 2.7

X-NAI-Spam-Rules: 4 Rules triggered

    MID_AT_DLCD_DOM=1.5, MSGID_CAMEL_22=1, GEN_SPAM_FEATRE=0.2, RV4544=0

X-NAI-Spam-Version: 2.2.0.9309 : core <4544> : streams <937945> : uri

<1389573>

X-MS-Exchange-Organization-SCL: 2

X-Auto-Response-Suppress: DR, OOF, AutoReply

X-MS-Exchange-Organization-AVStamp-Mailbox: NAI;54071558;0;novirus

X-MS-Exchange-Organization-AuthSource:

X-MS-Exchange-Organization-AuthAs: Anonymous

 

 

Received: from  by

  with Microsoft SMTP Server (TLS) id

14.3.123.3; Wed, 10 Apr 2013 10:28:21 +0100

Received: from HSI-KBW-046-005-063-122.hsi8.kabel-badenwuerttemberg.de

(46.5.63.122) by with Microsoft SMTP

Server id 14.3.123.3; Wed, 10 Apr 2013 10:28:20 +0100

Message-ID: <20130410112616.96B26A91A5DB32E05839.8A425@HSI-KBW-046-005-063-122.hsi8.kabel-bad enwuerttemberg.de>

Date: Wed, 10 Apr 2013 11:26:16 +0200

From: e-Dating Online <6AFA1F3DBD@aisucairo.com>

To:

Subject: bob, you have 5 new notifications!

List-Unsubscribe: <mailto:921A01E2B4264D3E4@agroferloja.com.br>

MIME-Version: 1.0

Content-Type: text/html; charset="iso-8859-1"; format=flowed

Content-Transfer-Encoding: 8bit

Return-Path: 6AFA1F3DBD@aisucairo.com

X-MS-Exchange-Organization-AVStamp-Mailbox: NAI;54071558;0;novirus

X-MS-Exchange-Organization-AuthSource:

X-MS-Exchange-Organization-AuthAs: Anonymous

 

 

Even if this wasn't picked up as spam, as is sometimes the case, this email hasn't even been looked at. Has anyone else come accross this?

 

MSME Details

Product NameMcAfee Security for Microsoft Exchange
Product Version8.0.7905.119
Service PackNone
HotfixesHF840437
Buffer Overflow ProtectionNot Applicable


  • Aidan McAfee SME 461 posts since
    Nov 4, 2009
    Currently Being Moderated
    1. Apr 10, 2013 6:10 AM (in response to resourcegroup)
    Re: MSME not scanning emails on occasion

    Well the item looks like it was scanned for AV  - is there any diff in routing to the server(s) - would any mail come though another AntiSpam scanner or alternative server .

     

    Is there a method by which you can replicate this and capture in debug logs?? 

    In Interface - Settings & Diagnostics - Diagnostics - set "High" and a Location. 

    (don't use desktop for tshooting transport scanning\spam scanning

    issues - transport logs won't get recorded - use new or empty folder like C:\Debug)

     

    If you can #replicate - then turn debugs off immediately after - zip them up and recommend opening a case and adding logs for examination.

  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009
    Currently Being Moderated
    3. Apr 10, 2013 7:57 AM (in response to resourcegroup)
    Re: MSME not scanning emails on occasion

    Hi,

     

    another hint: is not there a size restriction of mails over which they are not submitted for spam scanning? If yes, please check sizes of unscanned mails, too.

     

    Attila

  • Aidan McAfee SME 461 posts since
    Nov 4, 2009
    Currently Being Moderated
    4. Apr 10, 2013 8:28 AM (in response to Attila Polinger)
    Re: MSME not scanning emails on occasion

    Correct - and good shout Attila - the default max size is 250Kb - if mail is over that it is not presented to spam engine.

    Max Size configurable in Anti-Spam Settings - Advanced Tab - in Gateway Policy.

  • alexn Veteran 722 posts since
    Aug 9, 2012
    Currently Being Moderated
    5. Apr 10, 2013 8:46 AM (in response to Aidan)
    Re: MSME not scanning emails on occasion

    MSME not scanning emails on occasion

    If it is the matter of just scanning, why dont you set a content filtering rule and add it into your defaut policy, and then send an email from your public email id  to your internal org having such conenet and see whetger is it blocked or not?

     

    I think in this way you can also check whether your rule are working or not plus scanning as well.

     

    Regds

    Alexn


    Post Timings: 6.00 AM to 3.00PM PDT
  • dq72 Newcomer 13 posts since
    Feb 21, 2011
    Currently Being Moderated
    6. Apr 24, 2013 3:24 PM (in response to resourcegroup)
    Re: MSME not scanning emails on occasion

    We have an issue with MSME 8 frequently failing to assign a spam score (and allowing all those messages through) as well.

    The ticket is currently open with McAfee and has went all the way up to the development team for a fix.

    They are hoping that it may be resolved by next week.

  • jwilker Newcomer 3 posts since
    Mar 8, 2010
    Currently Being Moderated
    7. Dec 2, 2013 7:52 PM (in response to resourcegroup)
    Re: MSME not scanning emails on occasion

    Just wondering if you ever got this issue resolved.  We are having the same exact issue and our support ticket got us no where.

  • Aidan McAfee SME 461 posts since
    Nov 4, 2009
    Currently Being Moderated
    8. Dec 3, 2013 2:15 AM (in response to jwilker)
    Re: MSME not scanning emails on occasion

    MSME 8  P1 RU1

     

    11. Certain spam email messages were not categorized
        correctly and therefore not detected by
        McAfee Security for Microsoft Exchange.

        Reference ID: 850605

     

    Is available for download with your grant number.

     

    If already applied - would recommend opening a case with support.

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points