10 Replies Latest reply: May 2, 2014 9:18 AM by itguymd2

    Continually increasing amounts of spam passing through the filter.

    systemsmanager

      Over the past few months we have noticed a rather continuous rise in the number of pure spam messages and messages with virus attachments making it through the filter. We have continually reported the bad messages during this time but they continue to increase in numbers.

       

      We also have noticed the spam score of extremely similar messages varies greatly. We have been on this service for several years now, with MX Logic prior to the McAfee purchase. I don't feel it is a matter of our settings need adjusting, although I have now tightened them significantly. It is more a matter of items that used to be stopped at the gate are finding their way through with increasing frequency. When I used to report 1 a month, I now personally get 4+ a day. Nigerian Scams, Insurance Scams, Credit report Scams, Health Scams, etc. Even key words will not keep us safe, today I had a user receive a non-encrypted zipped trojan file in an e-mail proclaiming to be a PO. Those types of e-mails are the worst as there is no good way to stop them. I can spot the scams and a lot of our users can spot them but there are a lot of our users that have absolutely no clue and click away.

       

      If I go hardcore on attachments and verbiage, there will be a backlash from our users and more importantly our customers and vendors. I mean really the only suggestions I am getting from support are to block words. I need to block the word Insurance to stop Spam? What happens when my customer e-mails in a PO and states in the e-mail they want it insured? We have many vendors and thousands of customers, I can't whitelist every domain we may need e-mail from nor should I as the system can't seem to detect spoofed addresses. I really don't feel that a constant manual intervention/tweaking should be necessary on an admin level just in order to get clean e-mail.

       

      Whether this increase is a result of snowshoeing or not I don't know, but I am wondering how many other users are seeing this? Are we the only ones experiencing it?

        • 1. Re: Continually increasing amounts of spam passing through the filter.
          Brad McGarr

          Without knowing more, it's difficult to ascertain what the root cause is that you're experiencing. A few questions to help us better understand the issue:

           

          - Are there any patterns to these messages, e.g. are they spoofing the recipient's email address or another email address at the same domain?

          - If you look at the headers of any of the messages, what does the X-SPAM line say?

          • 2. Re: Continually increasing amounts of spam passing through the filter.
            steveohmygod

            We have been getting a similar backlash from our customers -- the basic information that I know is as follows (in unofficial discussion with tech support and thru tickets I created):

             

            Increase in spam emails found in January 2014

            In February 2014 the number of spam emails getting thru doubled, and found this was a common occurrence industry-wide -- a fix was not yet found

            McAfee found a way to internally fix their own product (but not the industry-wide problem), and that internal fix was put in place Monday April 7th.

            That internal fix should resolve a number of previous issues by next week.

             

            It sounds like this fix would help with the heavy increase of spam emails getting thru - I was trying to find out if this fix also helps with the virus attachments getting thru.

             

            Once again I have not found this in any current McAfee documentation, only so far in unofficial discussions - trying to get some official statement but not as of yet

            I don't believe this is related to the Official Fix in March 2014 : Restoration of the Messaging Reputation server and database used for spam filtering (McAfee GTI Messaging Reputation database server experienced a hardware failure and impact to the database)

             

            Hope that helps and I am in an active search for updates and improvements - this is affecting our reputation as a company and in supporting the product.

            Thanks for your time

            • 3. Re: Continually increasing amounts of spam passing through the filter.
              systemsmanager

              Everything varies. There is no solid pattern, but virtually everything so far has been spoofed.

               

              I do have some of the reports from the auto reporting tool still in sent items and here are some samples for the X-SPAM line.

               

              X-Spam: [F=0.2000000000; B=0.500(0); spf=0.500; STSI=0.500(-1); STSM=0.500(15); CM=0.500; MH=0.500(2014041107); S=0.200(2010122901); SC=]

              X-Spam: [F=0.2000000000; B=0.500(0); spf=0.500; STSI=0.500(-1); STSM=0.500(15); CM=0.500; MH=0.500(2014041105); S=0.200(2010122901); SC=]

              X-Spam: [F=0.2000000000; B=0.500(0); spf=0.500; STSI=0.500(-1); STSM=0.500(15); CM=0.500; MH=0.500(2014041107); S=0.200(2010122901); SC=]

              X-Spam: [F=0.8400000000; B=0.500(0); spf=0.500; STSI=0.700(43); STSM=0.900(59); CM=0.500; MH=0.500(2014021909); S=0.200(2010122901); SC=]

              X-Spam: [F=0.4666666667; B=0.500(0); spf=0.500; STSI=0.600(22); STSM=0.700(38); CM=0.500; MH=0.500(2013111913); S=0.200(2010122901); SC=]

              X-Spam: [F=0.3982466225; B=0.500(0); spf=0.500; STSI=0.500(-1); STSM=0.700(37); CM=0.500; MH=0.500(2014021812); S=0.220(2010122901); SC=]

              X-Spam: [F=0.7714285714; B=0.500(0); spf=0.500; STSI=0.600(22); STSM=0.900(56); CM=0.500; MH=0.500(2014031914); S=0.200(2010122901); SC=]

              X-Spam: [F=0.4666666667; B=0.500(0); spf=0.500; STSI=0.600(22); STSM=0.700(38); CM=0.500; MH=0.500(2013121908); S=0.200(2010122901); SC=]

              X-Spam: [F=0.8899049912; B=0.500(0); spf=0.500; spf=0.500; spf=0.500; spf=0.500; spf=0.500; spf=0.500; spf=0.500; STSI=0.500(11); STSM=0.500(11); CM=0.969; MH=0.500(2014032915); S=0.200(2010122901); SC=]

              X-Spam: [F=0.4666666667; B=0.500(0); spf=0.500; STSI=0.600(22); STSM=0.700(38); CM=0.500; MH=0.500(2014030711); S=0.200(2010122901); SC=]

               

              Most also seem to contain softfails for SPF authentication and some are set to none.

               

              Domains of "senders" include: sytemsolutions.net, informationhub.co, firstfacts.co, simpleadvice.co, rightsolutions.us, @pressureblast.eu, @holidaysecurityplan.co, adampolski.pl, personalizedquotes.net

               

              Today's trojan came in from "sukhtian.com.jo" supposedly but the header indicates it was champagnegraphics.com. It gets better, check out the X-SPAM lines:

              X-Spam-Flag: YES

              X-Spam: [F=0.9999951111; B=0.500(0); spf=0.500; STSI=0.500(-4); STSM=0.450(-4); CM=0.999; MH=0.500(2014040930); S=0.200(2010122901); SC=]

               

              Unfortunately organization wide, I haven't reviewed many in months and other users are not using your tool, they just delete them and purge deleted items. I have been working on getting the users to use the button to report true spam, but many think a legitimate e-mail from xyz retailer is spam when they can simply opt out and be done with it. And other users think they don't need to do anything to help improve the system, it should just work.

              • 4. Re: Continually increasing amounts of spam passing through the filter.
                systemsmanager

                Brad, I meant to reply to you with the above post.

                • 5. Re: Continually increasing amounts of spam passing through the filter.
                  Brad McGarr

                  Thanks for that information, that helps quite a bit.

                   

                  The first set of x-spam lines you provided all show scores that are neutral, some are trending higher than others, but none are meeting that .9 threshold. Definitely indicative of either new campaigns or snowshoe spam, so getting those examples in will help Messaging Security write rules for those specific campaigns.

                   

                  The trojan x-spam line is of concern, as the .9 is a triggerable spam score. This should have triggered a filter action.

                   

                  Would you mind sending me a private message with your domain name? I'd like to take a peek at your policies, something appears to be amiss.
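
Added example, not part of the original thread or of any McAfee tooling: a small Python parser for the X-Spam lines quoted above that checks the F value against the .9 threshold mentioned in the reply and lists the components that differ from 0.500. Treating F as the overall score and 0.500 as the neutral component value are assumptions drawn from the samples, and the function names are hypothetical.

```python
import re

# X-Spam lines copied from the samples posted in this thread.
SAMPLES = [
    "X-Spam: [F=0.2000000000; B=0.500(0); spf=0.500; STSI=0.500(-1); STSM=0.500(15); CM=0.500; MH=0.500(2014041107); S=0.200(2010122901); SC=]",
    "X-Spam: [F=0.8899049912; B=0.500(0); spf=0.500; spf=0.500; spf=0.500; spf=0.500; spf=0.500; spf=0.500; spf=0.500; STSI=0.500(11); STSM=0.500(11); CM=0.969; MH=0.500(2014032915); S=0.200(2010122901); SC=]",
    "X-Spam-Flag: YES",
    "X-Spam: [F=0.9999951111; B=0.500(0); spf=0.500; STSI=0.500(-4); STSM=0.450(-4); CM=0.999; MH=0.500(2014040930); S=0.200(2010122901); SC=]",
]

THRESHOLD = 0.9  # the ".9" trigger score quoted in the thread
NEUTRAL = 0.5    # assumption: 0.500 is the neutral component value

LINE_RE = re.compile(r"^X-Spam:\s*\[(.*)\]\s*$", re.IGNORECASE)
FIELD_RE = re.compile(r"^(\w+)=(\d+(?:\.\d+)?)?(?:\((-?\d+)\))?$")


def parse_x_spam(line):
    """Return [(name, score, annotation), ...], or None if not an X-Spam line.

    A list rather than a dict, because a key such as spf can repeat.
    """
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = []
    for part in filter(None, (p.strip() for p in m.group(1).split(";"))):
        fm = FIELD_RE.match(part)
        if fm is None:
            raise ValueError(f"unparseable field: {part!r}")
        name, score, note = fm.groups()
        fields.append((name, float(score) if score else None,
                       int(note) if note is not None else None))
    return fields


def triage(lines, threshold=THRESHOLD):
    """Per X-Spam line: overall F, whether it meets the threshold, and
    which components are not at the assumed neutral value."""
    report = []
    for line in lines:
        fields = parse_x_spam(line)
        if fields is None:
            continue  # other headers, e.g. X-Spam-Flag
        overall = next(s for n, s, _ in fields if n == "F")
        odd = sorted({n for n, s, _ in fields
                      if n != "F" and s is not None and s != NEUTRAL})
        report.append({"F": overall, "over": overall >= threshold,
                       "non_neutral": odd})
    return report
```

A delivered message whose line comes back with `over` set to true points at policy or filter action, while one below the threshold points at scoring.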

                  • 6. Re: Continually increasing amounts of spam passing through the filter.
                    systemsmanager

                    This is the same sort of thing I was finding when I started to look into it. We were noticing beginning mid-last summer that there was spam coming in regularly that we never had in the past. I mean we went from literally never having spam to a trickle and then you are right about the end of December / Early January it started to get annoying. I'm not sure when the upticks really started but it would be nice for all to be able to end it. The X-Spam lines above represent a random sampling of the ones I have seen. As you can see I threw in a few new ones and a few older ones as well.

                    • 7. Re: Continually increasing amounts of spam passing through the filter.
                      systemsmanager

                      Brad,

                       

                      I sent the information. Feel free to contact me directly as needed.

                       

                      Thanks

                      • 8. Re: Continually increasing amounts of spam passing through the filter.
                        atlsky

                        I started to notice SPAM in my inbox in late Jan 2014. I asked around, but not many users had the same experience as I did, so I thought I must be the unlucky one. But now I heard more and more users are having SPAM in their inbox. That was what brought me here. Actually this is what brought me back from Outlook 2013 to Outlook 2007, since the Delete as SPAM button isn't supported in Outlook 2013. I am afraid it is getting more widespread in my company than I thought. We are moving to Outlook 2013. What can we do to help McAfee to improve the filter? We don't want to manually tighten up our SPAM policies, which was one of the main reasons that brought us to McAfee SAAS Email protection service.

                         

                        Thanks

                         

                        Byron

                        • 9. Re: Continually increasing amounts of spam passing through the filter.
                          josebyron

                          Just for confirmation: you are not alone. We are going through the exact same issue and have been through all the support steps, including the use of dictionaries (which created more problems than they solved) and creating custom ones.

                           

                          Still waiting to hear on the latest, which includes (for us) the fact that the samples we thought were being submitted both manually and through the Submission Tools... never made it to McAfee. They were blocked by the appliance!

                           

                          Regards.
