Checking effectiveness of Symantec Brightmail and Symantec Mail Security spam filtering

Article:TECH83454  |  Created: 2005-01-13  |  Updated: 2013-10-28  |  Article URL http://www.symantec.com/docs/TECH83454
Article Type
Technical Solution


Environment

Issue



A Symantec Brightmail or Symantec Mail Security product is installed and the spam effectiveness seems to have dropped. More spam is reaching end users in the network.


Solution



There are several reasons for spam to be getting through. Use these troubleshooting steps and the spam reporting information to help determine where the spam effectiveness issue is.

Basic troubleshooting steps to make sure that Symantec Brightmail or Symantec Mail Security is running properly:
· Confirm that the rulesets are current at the time the missed spam messages came through. Check to see that the rulesets are updating across the board.
· Assure that the spam messages are not by-passing the Symantec servers. Check the IP addresses on the "Received from:" headers and the sender on the "From" header - ensure the IP or domain were not whitelisted (on the Allowed Senders List / Safe Senders List / Good Senders list)
· Verify that you are running the latest version of the product to avail of the latest technologies
· Verify that you are using all features in the product to block spam. For Symantec Brightmail Gateway this includes Global Bad Senders list, Connection Classfication, Stop DHA feature, Bounce Attack Prevention, SPF, Probe Participation etc. For more complete information on this topic check this article: 'Symantec Brightmail Gateway (SBG) - Best Practices: Spam Control'
· Verify that none of the Symantec Brightmail services (Server, Client, or Conduit) were down when these messages came through. Verify that the various components and modules are functioning with no errors reported in the logs. Some troubleshooting steps may require you to temporarily change the log levels to INFO or DEBUG in order to see sufficient data in the logs. Be sure to reset the log levels to lower levels once you have completed troubleshooting to avoid incurring unnecessary overhead from verbose logging.
· Verify that you are running the Full or Enterprise ruleset and not the Express ruleset

Useful information to provide to Technical Support:
· Note the time period that the suspected spike in missed spam occurred
· Note the type of spam being received and have 2-5 sample email attachments with full internet headers available for reference.
· How are you tracking the increase in spam? Are these end user inbox complaints, management complaints or statistical in nature?
· What is the average percentage of spam or total threat messages from the Brightmail Control Centre and has it decreased since the missed spam began?
· Have you made any other changes to your environment that might have contributed to effectiveness issues? This includes server, OS, or datacenter changes. It also includes changes made to Symantec or other products in the mail stream that might negatively impact effectiveness.

Actions to improve spam detection:
· Ensure you are submitting missed spam for filter creation to the Symantec Security Response Center as email attachments following the procedure in this article: 'Manually submitting spam and false positive messages to the Symantec Security Response Center'
· If you are using Symantec Brightmail Gateway version 9 onwards, considering enabling the Probe Partipation feature to provide Symantec analysts with visibility into localised spam patterns.
· Try adjusting the suspect spam thresholds. For more information on this, see this article: ‘Suspected Spam Feature in Symantec Brightmail Gateway, Symantec Mail Security for SMTP 5.0.x, Symantec Brightmail Message Filter, and Symantec Premium Antispam
 

Information on global spam levels and the latest spam threats is available from www.symantec.com/spam and www.brightmail.com/IQservices





Article URL http://www.symantec.com/docs/TECH83454


Terms of use for this information are found in Legal Notices