Spam is not detected when Symantec Mail Security for Microsoft Exchange (SMSMSE) transport agents have a low priority

Article:TECH95584  |  Created: 2009-01-17  |  Updated: 2014-05-21  |  Article URL http://www.symantec.com/docs/TECH95584
Article Type
Technical Solution


Issue



Premium AntiSpam is enabled, but Symantec Mail Security for Microsoft Exchange (SMSMSE) does not detect spam.

The "spam scans" count under Activity Summary on the SMSMSE homepage does not change.

Conditions

  • SMSMSE has been configured to scan messages even if marked with an SCL value of minus one (-1).  See the following article for details: Messages not Scanned for Spam When Marked by Microsoft Exchange with an AntiSpam X-Header. Transport Agent Debug Log Shows Message: "Whitelisted by other, bypass SPA".
     
  • Microsoft's antispam agents are installed and have a higher priority than the SMSMSE antispam agents.

    To verify the priority of the antispam agents follow these steps:
      1. On the Exchange server, open the Exchange Management Shell.
      2. At the prompt, type the command "Get-TransportAgent".  The results should look like the following:
        Identity Enabled Priority
        -------- ------- --------
        Transport Rule Agent True 1
        Journaling Agent True 2
        AD RMS Prelicensing Agent False 3
        Connection Filtering Agent True 4
        Content Filter Agent True 5
        Sender Id Agent True 6
        Sender Filter Agent True 7
        Recipient Filter Agent True 8
        SMSMSERoutingAgent True 9
        SMSMSESMTPAgent True 10
        Protocol Analysis Agent True 11
     
      3. If the SMSMSE agents have a lower priority (they are lower on the list and have a higher priority number), this condition is met.

 


Environment



  • Exchange 2007/2010/2013

Cause



If the Microsoft antispam agents have a higher priority than the SMSMSE antispam agents, the message may not be passed to the SMSMSE antispam scanner for verification. If Premium AntiSpam is partially working, but not detecting all spam emails, please review the following document: How to Troubleshoot Symantec Mail Security for Microsoft Exchange (SMSMSE) When Premium AntiSpam Fails to Detect Spam or Spam Effectiveness is Low.


Solution



Use one of the following workarounds:

  • Configure the SMSMSE agents to be higher priority than any other filtering transport agents listed below. The SMSMSE transport agents should not be priority 1 or 2.

1. Open the Exchange Management Shell.
2. Example commands:

Set-TransportAgent -Identity "SMSMSERoutingAgent" -Priority 4
Set-TransportAgent -Identity "SMSMSESMTPAgent" -Priority 5

Note: Priority 4 and 5 were selected in this example to ensure that the "SMSMSERoutingAgent" and "SMSMSESMTPAgent" are placed before the Microsoft "Connection Filtering Agent".
Review the output of the "Get-TransportAgent" command on your system to select an appropriate priority for the SMSMSE agents.

3. Run the following command from the Exchange Management shell to restart the transport agent service:

restart-service -force MSExchangeTransport

  • Disable Exchange agents

1. Open the Exchange Management Shell.
2. Run each of the following commands:


disable-transportagent -identity "Sender Id Agent"
disable-transportagent -identity "Sender Filter Agent"
disable-transportagent -identity "Recipient Filter Agent"
disable-transportagent -identity "Protocol Analysis Agent"
disable-transportagent -identity "Content Filter Agent"
disable-transportagent -identity "Malware Agent"

3. Run the following command from the Exchange Management shell to restart the transport agent service:

restart-service -force MSExchangeTransport

You might encounter an error when executing the commands, about not being able to edit the config file. This can be resolved by opening the Exchange Management Console as administrator and executing the commands again.

Technical Information

Some examples of different configurations of the Exchange pipeline:

Configuration #1 - Premium AntiSpam detects spam
Identity Enabled Priority
-------- ------- --------
Transport Rule Agent True 1
Journaling Agent True 2
AD RMS Prelicensing Agent False 3
SMSMSERoutingAgent True 4
SMSMSESMTPAgent True 5
Connection Filtering Agent True 6
Content Filter Agent True 7
Sender Id Agent True 8
Sender Filter Agent True 9
Recipient Filter Agent True 10
Protocol Analysis Agent True 11

Event TransportAgents
----- ---------------
OnConnectEvent {Connection Filtering Agent, Protoco...
OnHeloCommand {}
OnEhloCommand {}
OnAuthCommand {}
OnEndOfAuthentication {}
OnMailCommand {Connection Filtering Agent, Sender ...
OnRcptCommand {Connection Filtering Agent, Recipie...
OnDataCommand {}
OnEndOfHeaders {Connection Filtering Agent, Sender ...
OnEndOfData {SMSMSESMTPAgent, Content Filter Age...
OnHelpCommand {}
OnNoopCommand {}
OnReject {Protocol Analysis Agent}
OnRsetCommand {Protocol Analysis Agent}
OnDisconnectEvent {Protocol Analysis Agent}

Debugview result:

00000000 13.08.48 [5720] SMSMSESMTPAgentFactory: Creating SMTP Agent.
00000001 13.08.48 [5720] SMSMSESMTPAgent: Constructor
00000002 13.08.48 [5720] SMSMSESMTPAgent: OnEndOfDataHandler
00000003 13.08.48 [5720] SMSMSESMTPAgent: SMTP message is inbound; processing for Whitelisting and SPA.
00000004 13.08.48 [5720] SMSMSESMTPAgent: SPA is enabled.
00000005 13.08.48 [5720] SMSMSESMTPAgent: Message size less than or equal to max size for SPA scan.
00000006 13.08.48 [5720] SMSMSESMTPAgent: Writing message to disk prior to SPA scan.
00000007 13.08.48 [5720] 1795bytes SPM msg written.
00000008 13.08.48 [5720] SMSMSESMTPAgent: Process message for SPA
[..]

---------------------------------------------------------------------------------------------------------------------------------------

Configuration #2 - Premium AntiSpam detects spam

Identity Enabled Priority
-------- ------- --------
Transport Rule Agent True 1
Journaling Agent True 2
AD RMS Prelicensing Agent False 3
Connection Filtering Agent False 4
Content Filter Agent False 5
Sender Id Agent False 6
Sender Filter Agent False 7
Recipient Filter Agent False 8
Protocol Analysis Agent False 9
SMSMSERoutingAgent True 10
SMSMSESMTPAgent True 11

Event TransportAgents
----- ---------------
OnConnectEvent {}
OnHeloCommand {}
OnEhloCommand {}
OnAuthCommand {}
OnEndOfAuthentication {}
OnMailCommand {}
OnRcptCommand {}
OnDataCommand {}
OnEndOfHeaders {}
OnEndOfData {SMSMSESMTPAgent}
OnHelpCommand {}
OnNoopCommand {}
OnReject {}
OnRsetCommand {}
OnDisconnectEvent {}
OnSubmittedMessage {Journaling Agent, SMSMSERoutingAgent}
OnResolvedMessage {}
OnRoutedMessage {Transport Rule Agent, Journaling Ag...

Debugview result:

00000000 12.29.35 [4492] SMSMSESMTPAgentFactory: Creating SMTP Agent.
00000001 12.29.35 [4492] SMSMSESMTPAgent: Constructor
00000002 12.31.14 [4492] SMSMSESMTPAgent: OnEndOfDataHandler
00000003 12.31.14 [4492] SMSMSESMTPAgent: SMTP message is inbound; processing for Whitelisting and SPA.
00000004 12.31.14 [4492] SMSMSESMTPAgent: SPA is enabled.
00000005 12.31.14 [4492] SMSMSESMTPAgent: Message size less than or equal to max size for SPA scan.
00000006 12.31.14 [4492] SMSMSESMTPAgent: Writing message to disk prior to SPA scan.
00000007 12.31.14 [4492] 678bytes SPM msg written.
00000008 12.31.14 [4492] SMSMSESMTPAgent: Process message for SPA
[..]

---------------------------------------------------------------------------------------------------------------------------------------

Configuration #3 - Premium AntiSpam does not detect spam

Event TransportAgents
----- ---------------
OnConnectEvent {Connection Filtering Agent, Protoco...
OnHeloCommand {}
OnEhloCommand {}
OnAuthCommand {}
OnEndOfAuthentication {}
OnMailCommand {Connection Filtering Agent, Sender ...
OnRcptCommand {Connection Filtering Agent, Recipie...
OnDataCommand {}
OnEndOfHeaders {Connection Filtering Agent, Sender ...
OnEndOfData {Content Filter Agent, Protocol Anal...
OnHelpCommand {}
OnNoopCommand {}
OnReject {Protocol Analysis Agent}
OnRsetCommand {Protocol Analysis Agent}
OnDisconnectEvent {Protocol Analysis Agent}

Identity Enabled Priority
-------- ------- --------
Transport Rule Agent True 1
Journaling Agent True 2
AD RMS Prelicensing Agent False 3
Connection Filtering Agent True 4
Content Filter Agent True 5
Sender Id Agent True 6
Sender Filter Agent True 7
Recipient Filter Agent True 8
Protocol Analysis Agent True 9
SMSMSERoutingAgent True 10
SMSMSESMTPAgent True 11

Debugview result:

00000000 12.55.28 [5920] SMSMSESMTPAgentFactory: Creating SMTP Agent.
00000001 12.55.28 [5920] SMSMSESMTPAgent: Constructor

NOTE:

In each of the working cases, SMSMSE is set as the first "End of Data" agent.
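
The priority check from the Conditions section, as an added PowerShell example (not Symantec's code): for each SMSMSE agent it lists the enabled Microsoft antispam agents that run ahead of it, so a pipeline like Configuration #2, where those agents are disabled, is not flagged. The helper name Test-SmsmseAgentOrder is hypothetical, and the sample input is the Configuration #3 listing re-typed as text.

```powershell
# Added example. Agent names come from the Get-TransportAgent listings in this article.
$MsAntispamAgents = 'Connection Filtering Agent', 'Content Filter Agent', 'Sender Id Agent',
                    'Sender Filter Agent', 'Recipient Filter Agent', 'Protocol Analysis Agent'

function Test-SmsmseAgentOrder {   # hypothetical helper name
    param([Parameter(Mandatory)][object[]]$Agents)

    $smsmse = @($Agents | Where-Object { "$($_.Identity)" -like 'SMSMSE*' })
    if ($smsmse.Count -eq 0) { throw 'No SMSMSE transport agents in the list.' }

    foreach ($agent in $smsmse) {
        # Enabled Microsoft antispam agents with a lower priority number run first.
        $ahead = @($Agents | Where-Object {
                $_.Enabled -and $_.Priority -lt $agent.Priority -and
                $MsAntispamAgents -contains "$($_.Identity)"
            } | ForEach-Object { "$($_.Identity)" })

        [pscustomobject]@{
            Agent        = "$($agent.Identity)"
            Priority     = $agent.Priority
            ConditionMet = ($ahead.Count -gt 0)
            AgentsAhead  = $ahead -join ', '
        }
    }
}

# Constructed sample: the Configuration #3 listing from this article, as text.
$sample = @'
Transport Rule Agent True 1
Journaling Agent True 2
AD RMS Prelicensing Agent False 3
Connection Filtering Agent True 4
Content Filter Agent True 5
Sender Id Agent True 6
Sender Filter Agent True 7
Recipient Filter Agent True 8
Protocol Analysis Agent True 9
SMSMSERoutingAgent True 10
SMSMSESMTPAgent True 11
'@

$agents = $sample -split '\r?\n' | ForEach-Object {
    if ($_ -match '^(.+?)\s+(True|False)\s+(\d+)\s*$') {
        [pscustomobject]@{ Identity = $Matches[1]; Enabled = ($Matches[2] -eq 'True'); Priority = [int]$Matches[3] }
    }
}

# On an Exchange server, pass the live objects instead: -Agents (Get-TransportAgent)
Test-SmsmseAgentOrder -Agents $agents | Format-Table -AutoSize
```

A row with ConditionMet set to True corresponds to the non-working ordering; after changing priorities or disabling agents, rerun the check once MSExchangeTransport has been restarted.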
 


Supplemental Materials

Source: ETrack
Value: 2351525


Legacy ID



2009081712352254

