901 Views 7 Replies Latest reply: Oct 28, 2013 11:20 AM by Aidan RSS
resourcegroup Newcomer 24 posts since
Jul 11, 2012
Oct 28, 2013 5:50 AM

MSME failing to detect Spam

We are currently experiencing issues with our mail servers accurately detecting and filtering spam.

We have emails which, to our users, appear identical, and, whilst I appreciate there are differences underneath the body, they should not be providing the level of disparity they are.

As an example, see the following two emails, which have very similar bodies, both quite clearly spam regarding working from home:

 

Received: from xxxxxxxxxxxxxxxxxxxxxxxxxxxx (10.0.1.138) by
 xxxxxxxxxxxxxxxxxxxxxxxxxxxx (10.0.1.156) with Microsoft SMTP Server (TLS) id
 14.3.123.3; Mon, 28 Oct 2013 10:21:29 +0000
Received: from wifimedia-R (91.117.117.36) by xxxxxxxxxxxxxxxxxxxxxxxxxxxx
 (10.0.1.138) with Microsoft SMTP Server id 14.3.123.3; Mon, 28 Oct 2013
 10:21:28 +0000
From: Craft Mandy <Mandyc1bca@w8net.com>
To: <xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: ###SPAM### Job openings in your area!
Date: Mon, 28 Oct 2013 11:22:23 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_0015_01CED3CF.F96A3020"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6002.18005
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6002.18005
Message-ID: <f97c32c1-0fa7-4fce-8500-bab95ccabfe9@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Return-Path: Mandyc1bca@w8net.com
X-NAI-Spam-Flag: YES
X-NAI-Spam-Level: *****
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 5.4
X-NAI-Spam-Rules: 6 Rules triggered
  META_JOB_OFFERS_1=2, META_JOB_OFFERS_5=2, FROM_ADDR_NAME_NUM_LC=1,
  FROM_NAME=0.2, SHT_CLCK_HRE=0.2, RV4744=0
X-NAI-Spam-Version: 2.2.0.9309 : core <4744> : inlines <180> : streams
 <1063679> : uri <1578574>
X-MS-Exchange-Organization-AVStamp-Mailbox: NAI;56073478;0;novirus
X-MS-Exchange-Organization-AuthSource: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-MS-Exchange-Organization-AuthAs: Anonymous

 

 

Received: from 135-173-18-190.fibertel.com.ar (190.18.173.135) by
 xxxxxxxxxxxxxxxxxxxxxxxxxxxx (10.0.1.138) with Microsoft SMTP Server id
 14.3.123.3; Mon, 28 Oct 2013 09:19:48 +0000
From: Snider Yesenia <Yeseniaa74c@fibertel.com.ar>
To: <xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: Successful Business
Date: Mon, 28 Oct 2013 06:20:43 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_0018_01CED3A5.D50D3440"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6002.18005
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6002.18005
Message-ID: <d74f20e7-a7ec-4ee9-8eef-dc5c881bfc03@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Return-Path: Yeseniaa74c@fibertel.com.ar
X-MS-Exchange-Organization-AuthSource: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-MS-Exchange-Organization-AuthAs: Anonymous
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level: *
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 1.7
X-NAI-Spam-Rules: 3 Rules triggered
  FROM_NUM_1LC=1.5, FROM_NAME=0.2, RV4744=0
X-NAI-Spam-Version: 2.2.0.9309 : core <4744> : inlines <180> : streams
 <1063644> : uri <1578531>
X-MS-Exchange-Organization-SCL: 1
X-Auto-Response-Suppress: DR, OOF, AutoReply
X-MS-Exchange-Organization-AVStamp-Mailbox: NAI;56073478;0;novirus

 

We are currently running Exchange 2010 SP3

The MSME version is 8.0.7987.100, no SP, HF840437; Patch1

Anti Virus Engine 5600.1067, Dat 7241

Anti Spam engine 9309, Core 4744, Inlines 180, Streams 1063686, uri 1578579

 

We do report these emails using the McAfee Outlook addon, but it doesn't seem to make any difference, and we have users getting hundreds of these emails coming through. We don't currently use IP Reputation filtering, as we cannot see the emails being blocked, which is of concern to our higher ups.

 

Has anyone else had a similar issue, and can offer any advice on why this might be occurring?

  • Aidan McAfee SME 465 posts since
    Nov 4, 2009
    1. Oct 28, 2013 6:12 AM (in response to resourcegroup)
    Re: MSME failing to detect Spam

    Well it's quite clear that they were scanned by different sets of rules and about an hour apart.

     

    Mon, 28 Oct 2013 09:19:48 - X-NAI-Spam-Score: 1.7
    X-NAI-Spam-Version: 2.2.0.9309 : core <4744> : inlines <180> : streams <1063644> : uri <1578531>

     

    Mon, 28 Oct 2013 10:21:29 - X-NAI-Spam-Score: 5.4
    X-NAI-Spam-Version: 2.2.0.9309 : core <4744> : inlines <180> : streams <1063679> : uri <1578574>

     

    Rules are updated very regularly (done by McAfee AntiSpam Rules Updater Service) and there is a possibility that there was a change in the rules between the arrival of first mail and second mail with regard to this type of mail.

    If you have mails which you believe are scored too low (or even mail you believe is scoring too high) then please submit

     

    Spam Submission article - KB59415

    https://kc.mcafee.com/corporate/index?page=content&id=KB59415

  • Aidan McAfee SME 465 posts since
    Nov 4, 2009
    3. Oct 28, 2013 7:43 AM (in response to resourcegroup)
    Re: MSME failing to detect Spam

    The spam threshold seems to be 5. Just to be sure - what are your 3 spam score settings for high, med, and low score and what are the actions for each level??

  • Aidan McAfee SME 465 posts since
    Nov 4, 2009
    5. Oct 28, 2013 8:11 AM (in response to resourcegroup)
    Re: MSME failing to detect Spam

    Is route to system junk folder working?? Are the mails appearing in Inbox???

  • Aidan McAfee SME 465 posts since
    Nov 4, 2009
    7. Oct 28, 2013 11:20 AM (in response to resourcegroup)
    Re: MSME failing to detect Spam

    Well I think the issue is not the scanning part - as you have provided in the examples the fact that the items "are" getting scanned - the issue seems to be that sometimes they are marked or scored at too low a value (one of your examples shows it is scanned but scored at 1.7 - below your low threshold).

     

    What is the incidence rate of this happening??

     

    As stated also above as soon as we get the slight changes in spam that can make them lower scored we get them out as soon as we can via the rules updater. 

     

    You could possibly try lowering the "low score" setting e.g. to 4 or 3 - but the lower you have it the more likelihood to catch normal mail as spam.

     

    Also in MSME 8 there are also GTI settings for IP reputation and message reputation - do you have these enabled??

    (interface Settings and Diagnostics - Anti-Spam)
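
Added example (not part of the original thread, and not McAfee's code): the rule-set comparison made in the first reply and the score-versus-threshold point in the last reply, done programmatically over the X-NAI-* headers of the two quoted messages. The header text is a constructed excerpt of those messages with folded lines re-indented; `parse_nai` and `compare` are hypothetical helper names.

```python
import re
from email import message_from_string

# Constructed samples: only the X-NAI-* headers of the two quoted messages.
FLAGGED = """\
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 5.4
X-NAI-Spam-Rules: 6 Rules triggered
  META_JOB_OFFERS_1=2, META_JOB_OFFERS_5=2, FROM_ADDR_NAME_NUM_LC=1,
  FROM_NAME=0.2, SHT_CLCK_HRE=0.2, RV4744=0
X-NAI-Spam-Version: 2.2.0.9309 : core <4744> : inlines <180> : streams
 <1063679> : uri <1578574>

"""
MISSED = """\
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 1.7
X-NAI-Spam-Rules: 3 Rules triggered
  FROM_NUM_1LC=1.5, FROM_NAME=0.2, RV4744=0
X-NAI-Spam-Version: 2.2.0.9309 : core <4744> : inlines <180> : streams
 <1063644> : uri <1578531>

"""

def parse_nai(raw):
    """Return score, threshold, per-rule weights and rule-set versions."""
    msg = message_from_string(raw)
    def unfold(name):
        return " ".join(msg[name].split())  # undo header folding
    rules = {k: float(v) for k, v in
             re.findall(r"(\w+)=(-?\d+(?:\.\d+)?)", unfold("X-NAI-Spam-Rules"))}
    versions = {k: int(v) for k, v in
                re.findall(r"(\w+) <(\d+)>", unfold("X-NAI-Spam-Version"))}
    return {"score": float(msg["X-NAI-Spam-Score"]),
            "threshold": float(msg["X-NAI-Spam-Threshold"]),
            "rules": rules, "versions": versions}

def compare(missed, flagged):
    """Rule-set components that differ, and rules that fired on only one message."""
    drift = {k: (v, flagged["versions"].get(k))
             for k, v in missed["versions"].items() if flagged["versions"].get(k) != v}
    only_flagged = sorted(set(flagged["rules"]) - set(missed["rules"]))
    only_missed = sorted(set(missed["rules"]) - set(flagged["rules"]))
    return drift, only_flagged, only_missed

if __name__ == "__main__":
    m, f = parse_nai(MISSED), parse_nai(FLAGGED)
    print(compare(m, f))
    for p in (m, f):  # in these two samples the score equals the sum of rule weights
        print(p["score"], round(sum(p["rules"].values()), 1), p["score"] >= p["threshold"])
```

On these two samples the reported score equals the sum of the listed rule weights, and the 1.7 message would still pass a low-score setting of 3.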
