7 Replies. Latest reply: Oct 28, 2013 11:20 AM by Aidan

    MSME failing to detect Spam

    resourcegroup

      We are currently experiencing issues with our mail servers accurately detecting and filtering spam.

      We have emails which, to our users, appear identical, and, whilst I appreciate there are differences underneath the body, they should not be producing the level of disparity they are.

      As an example, see the following two emails, which have very similar bodies, both quite clearly spam regarding working from home:

      Received: from xxxxxxxxxxxxxxxxxxxxxxxxxxxx (10.0.1.138) by
       xxxxxxxxxxxxxxxxxxxxxxxxxxxx (10.0.1.156) with Microsoft SMTP Server (TLS) id
       14.3.123.3; Mon, 28 Oct 2013 10:21:29 +0000
      Received: from wifimedia-R (91.117.117.36) by xxxxxxxxxxxxxxxxxxxxxxxxxxxx
       (10.0.1.138) with Microsoft SMTP Server id 14.3.123.3; Mon, 28 Oct 2013
       10:21:28 +0000
      From: Craft Mandy <Mandyc1bca@w8net.com>
      To: <xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
      Subject: ###SPAM### Job openings in your area!
      Date: Mon, 28 Oct 2013 11:22:23 +0200
      MIME-Version: 1.0
      Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0015_01CED3CF.F96A3020"
      X-Priority: 3
      X-MSMail-Priority: Normal
      X-Mailer: Microsoft Windows Mail 6.0.6002.18005
      X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6002.18005
      Message-ID: <f97c32c1-0fa7-4fce-8500-bab95ccabfe9@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
      Return-Path: Mandyc1bca@w8net.com
      X-NAI-Spam-Flag: YES
      X-NAI-Spam-Level: *****
      X-NAI-Spam-Threshold: 5
      X-NAI-Spam-Score: 5.4
      X-NAI-Spam-Rules: 6 Rules triggered
        META_JOB_OFFERS_1=2, META_JOB_OFFERS_5=2, FROM_ADDR_NAME_NUM_LC=1,
        FROM_NAME=0.2, SHT_CLCK_HRE=0.2, RV4744=0
      X-NAI-Spam-Version: 2.2.0.9309 : core <4744> : inlines <180> : streams
       <1063679> : uri <1578574>
      X-MS-Exchange-Organization-AVStamp-Mailbox: NAI;56073478;0;novirus
      X-MS-Exchange-Organization-AuthSource: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
      X-MS-Exchange-Organization-AuthAs: Anonymous


      Received: from 135-173-18-190.fibertel.com.ar (190.18.173.135) by
       xxxxxxxxxxxxxxxxxxxxxxxxxxxx (10.0.1.138) with Microsoft SMTP Server id
       14.3.123.3; Mon, 28 Oct 2013 09:19:48 +0000
      From: Snider Yesenia <Yeseniaa74c@fibertel.com.ar>
      To: <xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
      Subject: Successful Business
      Date: Mon, 28 Oct 2013 06:20:43 -0300
      MIME-Version: 1.0
      Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0018_01CED3A5.D50D3440"
      X-Priority: 3
      X-MSMail-Priority: Normal
      X-Mailer: Microsoft Windows Mail 6.0.6002.18005
      X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6002.18005
      Message-ID: <d74f20e7-a7ec-4ee9-8eef-dc5c881bfc03@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
      Return-Path: Yeseniaa74c@fibertel.com.ar
      X-MS-Exchange-Organization-AuthSource: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
      X-MS-Exchange-Organization-AuthAs: Anonymous
      X-NAI-Spam-Flag: NO
      X-NAI-Spam-Level: *
      X-NAI-Spam-Threshold: 5
      X-NAI-Spam-Score: 1.7
      X-NAI-Spam-Rules: 3 Rules triggered
        FROM_NUM_1LC=1.5, FROM_NAME=0.2, RV4744=0
      X-NAI-Spam-Version: 2.2.0.9309 : core <4744> : inlines <180> : streams
       <1063644> : uri <1578531>
      X-MS-Exchange-Organization-SCL: 1
      X-Auto-Response-Suppress: DR, OOF, AutoReply
      X-MS-Exchange-Organization-AVStamp-Mailbox: NAI;56073478;0;novirus


      We are currently running Exchange 2010 SP3.

      The MSME version is 8.0.7987.100, no SP, HF840437; Patch1

      Anti Virus Engine 5600.1067, Dat 7241

      Anti Spam engine 9309, Core 4744, Inlines 180, Streams 1063686, uri 1578579

      We do report these emails using the McAfee Outlook add-on, but it doesn't seem to make any difference, and we have users getting hundreds of these emails coming through. We don't currently use IP Reputation filtering, as we cannot see the emails being blocked, which is of concern to our higher-ups.

      Has anyone else had a similar issue, and can offer any advice on why this might be occurring?

        • 1. Re: MSME failing to detect Spam
          Aidan

          Well, it's quite clear that they were scanned by different sets of rules and about an hour apart.

          Mon, 28 Oct 2013 09:19:48 - X-NAI-Spam-Score: 1.7
          X-NAI-Spam-Version: 2.2.0.9309 : core <4744> : inlines <180> : streams <1063644> : uri <1578531>

          Mon, 28 Oct 2013 10:21:29 - X-NAI-Spam-Score: 5.4
          X-NAI-Spam-Version: 2.2.0.9309 : core <4744> : inlines <180> : streams <1063679> : uri <1578574>

          Rules are updated very regularly (done by the McAfee AntiSpam Rules Updater Service) and there is a possibility that there was a change in the rules between the arrival of the first mail and the second mail with regard to this type of mail.

          If you have mails which you believe are scored too low (or even mail you believe is scoring too high) then please submit

          Spam Submission article - KB59415

          https://kc.mcafee.com/corporate/index?page=content&id=KB59415

          • 2. Re: MSME failing to detect Spam
            resourcegroup

            Hi Aidan

            Whilst that may be the case between these two emails, I have here an email from the same time as the ignored email, with an even greater disparity.


            Received: from [195.45.76.212] (195.45.76.212) by xxxxxxxxxxxxxxxxxxxxxxxxxxxx
             (10.0.1.156) with Microsoft SMTP Server id 14.3.123.3; Mon, 28 Oct 2013
             09:22:04 +0000
            From: Roberson Bessie <Bessie109e@0-v-0.com>
            To: <xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
            Subject: ###SPAM### Sick of paying bills?
            Date: Mon, 28 Oct 2013 10:28:07 +0200
            MIME-Version: 1.0
            Content-Type: multipart/alternative;
              boundary="----=_NextPart_000_0008_01CED3C8.649A8050"
            X-Priority: 3
            X-MSMail-Priority: Normal
            X-Mailer: Microsoft Windows Mail 6.0.6002.18005
            X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6002.18005
            Message-ID: <4aa5e50f-aada-42a9-a6b7-02e15d5863a8@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
            Return-Path: Bessie109e@0-v-0.com
            X-MS-Exchange-Organization-AuthSource: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
            X-MS-Exchange-Organization-AuthAs: Anonymous
            X-NAI-Spam-Flag: YES
            X-NAI-Spam-Level: *********
            X-NAI-Spam-Threshold: 5
            X-NAI-Spam-Score: 9.3
            X-NAI-Spam-Rules: 11 Rules triggered
              FROM_NUM_1LC_W_BAD_SIP=2, FROM_NUM_1LC_W_FRM_ID_UC_END_LC=2,
              FROM_NUM_1LC=1.5, BAD_SIP=1, FRM_ID_UC_END_LC=1,
              RCVD_BAD_SIP_W_FROM_NAME=0.5, RCVD_NUMERIC_HELO=0.5,
              RCVD_NUMERIC_HELO_W_FROM_NAME=0.5, FROM_NAME=0.2, RCVD_BAD_SIP=0.1,
              RV4744=0
            X-NAI-Spam-Version: 2.2.0.9309 : core <4744> : inlines <180> : streams
             <1063646> : uri <1578534>
            X-MS-Exchange-Organization-AVStamp-Mailbox: NAI;56073478;0;novirus


            Furthermore, this is an ongoing issue, which suggests that despite these being reported as soon as they come in using the tool provided in the link, as well as manually forwarding these, there is no improvement being made to the ability to filter these particular emails.

            Are there any settings in MSME we can tweak, outside of the filtering level, which might be causing this behaviour?

            • 3. Re: MSME failing to detect Spam
              Aidan

              The spam threshold seems to be 5. Just to be sure - what are your 3 spam score settings for high, med, and low score and what are the actions for each level??

              • 4. Re: MSME failing to detect Spam
                resourcegroup

                If spam score is High: Delete message, Log, Quarantine message

                If spam score is Medium: Route to System Junk Folder, Log, Quarantine message

                If spam score is Low: Route to System Junk Folder, Log

                The settings are Low 5, Medium 10, High 15

                • 5. Re: MSME failing to detect Spam
                  Aidan

                  Is route to system junk folder working?? Are the mails appearing in Inbox???

                  • 6. Re: MSME failing to detect Spam
                    resourcegroup

                    It is; we are getting emails going into the System Junk folder when they hit the criteria, they just aren't hitting the criteria often enough.

                    • 7. Re: MSME failing to detect Spam
                      Aidan

                      Well, I think the issue is not the scanning part - as you have shown in the examples, the items "are" getting scanned - the issue seems to be that sometimes they are marked or scored at too low a value (one of your examples shows it is scanned but scored at 1.7 - below your low threshold).

                      What is the incidence rate of this happening??

                      As also stated above, as soon as we get the slight changes in spam that can make them lower scored, we get them out as soon as we can via the rules updater.

                      You could possibly try lowering the "low score" setting, e.g. to 4 or 3 - but the lower you have it, the more likelihood there is of catching normal mail as spam.

                      Also, in MSME 8 there are GTI settings for IP reputation and message reputation - do you have these enabled??

                      (interface Settings and Diagnostics - Anti-Spam)
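As an added example (not McAfee code and not posted by anyone in this thread), a small Python triage helper for the X-NAI-Spam-* headers quoted above: it unfolds the headers, sums the triggered rule weights (in all three header sets on this page that sum equals the reported score), maps the score onto the Low 5 / Medium 10 / High 15 bands and actions from reply #4, and lists which rule components (streams/uri) differ between two scans, as Aidan noted. The score bands and the two header samples are constructed from the thread.

```python
import re

# Score bands and actions as posted in reply #4 of this thread (Low 5, Medium 10, High 15).
SCORE_BANDS = [
    (15.0, "High: delete, log, quarantine"),
    (10.0, "Medium: route to System Junk folder, log, quarantine"),
    (5.0, "Low: route to System Junk folder, log"),
]

def parse_headers(raw):
    """Unfold RFC 5322 folded headers (continuation lines start with whitespace)."""
    headers = {}
    for line in re.split(r"\r?\n(?!\s)", raw.strip()):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = " ".join(value.split())
    return headers

def parse_rules(field):
    """'6 Rules triggered META_JOB_OFFERS_1=2, ...' -> {'META_JOB_OFFERS_1': 2.0, ...}"""
    return {m.group(1): float(m.group(2)) for m in re.finditer(r"([A-Za-z]\w*)=([\d.]+)", field)}

def triage(raw):
    """Score, triggered rules, rule-weight sum, MSME action band and engine component versions."""
    h = parse_headers(raw)
    score = float(h["x-nai-spam-score"])
    rules = parse_rules(h.get("x-nai-spam-rules", ""))
    action = next((label for cutoff, label in SCORE_BANDS if score >= cutoff),
                  "below Low: delivered to Inbox")
    versions = dict(re.findall(r"(\w+) <(\d+)>", h.get("x-nai-spam-version", "")))
    return {"score": score, "flagged": h.get("x-nai-spam-flag") == "YES",
            "rule_sum": round(sum(rules.values()), 2), "rules": rules,
            "action": action, "versions": versions}

def version_drift(a, b):
    """Rule components (core/inlines/streams/uri) whose versions differ between two scans."""
    return sorted(k for k in a["versions"] if a["versions"][k] != b["versions"].get(k))

# Header excerpts constructed from the two messages quoted in the opening post.
CAUGHT = """X-NAI-Spam-Flag: YES
X-NAI-Spam-Score: 5.4
X-NAI-Spam-Rules: 6 Rules triggered
  META_JOB_OFFERS_1=2, META_JOB_OFFERS_5=2, FROM_ADDR_NAME_NUM_LC=1,
  FROM_NAME=0.2, SHT_CLCK_HRE=0.2, RV4744=0
X-NAI-Spam-Version: 2.2.0.9309 : core <4744> : inlines <180> : streams
 <1063679> : uri <1578574>"""
MISSED = """X-NAI-Spam-Flag: NO
X-NAI-Spam-Score: 1.7
X-NAI-Spam-Rules: 3 Rules triggered FROM_NUM_1LC=1.5, FROM_NAME=0.2, RV4744=0
X-NAI-Spam-Version: 2.2.0.9309 : core <4744> : inlines <180> : streams <1063644> : uri <1578531>"""
```

Running `triage(MISSED)` shows the 1.7 message falling below the Low band (delivered to the Inbox), and `version_drift(triage(MISSED), triage(CAUGHT))` shows that only the streams and uri components changed between the two scans.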