Messaging Gateway


BrightMail 6 Problem

  • 1.  BrightMail 6 Problem

    Posted Dec 17, 2008 12:35 PM

    Our company uses BM 6.05 in an Exchange 2003 environment w/IMF. We've recently had an influx of spam that forges the sender to look like it's coming from a domain user. There's also some mail that does not forge the sender, but in all cases, I've noticed this when looking at the message header:

     

    X-Whitelist: TRUE

     

    It would seem that BM is not processing the message because it thinks the sender is on a whitelist (I'm not sure how to verify whether or not this is true). However, neither Exchange nor BM have anything listed under their whitelist/allowed senders. Any idea how to stop this? I've made some jokes with my colleagues who've received spam from me, but it's becoming tedious to delete 10-20 messages a day and explain why the filters aren't doing their job.

     

    Any help would be appreciated.

     

    Thanks.



  • 2.  RE: BrightMail 6 Problem

    Posted Dec 18, 2008 11:32 AM

    Hi,

     

    I'm almost certain (!) that the brightmail engine will not bypass scanning any messages with that header, unless there is anything configured with Exchange to bypass SBMF.  It will provide a verdict for anything passed to it for inspection.

    First I suggest checking the message logs on the Brightmail server for examples of these messages and verify that they are being passed to Brightmail for a verdict.

     

    HTH

     

    //ian



  • 3.  RE: BrightMail 6 Problem

    Posted Dec 18, 2008 12:09 PM

    Thanks for the reply.

     

    How can I check to see if BM has checked the messages? The logs don't reveal anything like that (only system event messages). I have enabled SPF/SenderID on the server, but I'm still interested to know if BM is/isn't checking these messages (it seems like it is not).



  • 4.  RE: BrightMail 6 Problem

    Posted Dec 18, 2008 12:15 PM

    Hello,

     

    If you set the server logs up to notices, it will show you the verdict on the message. You can search for the sender or recipient and see what we did.

     

    The Whitelist verdict is something we will put on the message if we have the sender in the Allowed Senders list, and only in that situation. If you go to your allowed or blocked senders and export the list, do a search for your own domain, or if there are any IPs in the list, verify that those aren't where the messages are coming from.

     

    Thanks!



  • 5.  RE: BrightMail 6 Problem

    Posted Dec 18, 2008 12:31 PM
    OK, I set the server to log notices. Hopefully that will clear up what's going on with BM. As I stated before, there is nothing to export from Allowed Senders because it is blank. So does that X-Whitelist: TRUE mean that BM is ignoring the message? Is there another BM whitelist I should be looking at?


  • 6.  RE: BrightMail 6 Problem

    Posted Dec 18, 2008 01:06 PM

    I would wait and see what the logs say. That tag should only be put in the header if the email is actually on your whitelist, which you've said it isn't. Maybe the tag is being put in the header by someone else before it comes to your environment?

     

    Are you using the LDAP authentication for users? Also is fastpass enabled in Brightmail?

     

    One suggestion that I have, (it will most likely not fix this but would be good to do) would be to get to 6.1. It is the latest build of Brightmail.



  • 7.  RE: BrightMail 6 Problem

    Posted Dec 18, 2008 01:50 PM

    I just got one of those spam messages. Here's what the log says:

     

    18 Dec 2008 13:37:56 (NOTICE:17768.18384): [27165] Message for: <***@mydomain.com> returned Disposition: <allow>. Query against Policy: <Default> returned Destination: <null> and Action: <modify>.

     

    Is there a message ID in the mail header to compare against the log? I'm just going by time and receiver. What does the above log entry mean? As I said, I don't know why it would be whitelisting messages when I have none defined. The default policy allows company-specific content, but I have no custom filters defined, so I'm not sure what it does. Acceleration and LDAP are not used.



  • 8.  RE: BrightMail 6 Problem

    Posted Dec 18, 2008 04:38 PM

    Hello,

     

    I understand that you say you don't have anything in the allowed senders, but just in case we think we have something there, could you humor me and take a look at the allowedblockedlist.txt and make sure that there is nothing in there that is preceded by "AS:" and then domains or IPs. You can find this in the /Symantec/SBAS/Scanner/Config folder.

     

    "Disposition <allow>" means exactly that. It means that we have something with a disposition of allow triggered on the email. Do you have any custom filters that have an action of "Treat as allowed sender"?

     

    This could also be what is going on.



  • 9.  RE: BrightMail 6 Problem

    Posted Dec 19, 2008 08:54 AM

    Here's what I found in allowedblockedlist.txt:

     

    ##Permit list
    #
    dn: cn=mailwall, ou=bmi
    objectclass: top
    objectclass: bmiBlackWhiteList
    AS: *@mydomain.com:+

     

    Is that the problem? If so, why is that entry there when there is no such entry in Control Center? How shall I edit this config file?

     

    Thanks.



  • 10.  RE: BrightMail 6 Problem

    Posted Dec 19, 2008 03:53 PM

    Hello,

     

    "AS: *@mydomain.com:+" means that you do have all users at your domain on the allowed senders list. I am not sure as to why this would not show in the UI. What you can do is edit the text file to say "AS: *@mydomain.com:-" and import it back to the UI and it will disable the allowed sender entry.

     

    Hope this helps!

    Tom
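
    The two checks suggested in replies 8 and 10 (look for "Disposition: <allow>" in the NOTICE log, and look for enabled "AS:" entries in allowedblockedlist.txt that cover your own domain) can be scripted. The following is an added example written for this thread, not Symantec/Brightmail code. It assumes only what the thread shows: "AS:" marks an allowed-sender entry, a trailing ":+" enables it and ":-" disables it, and the verdict line has the exact field layout quoted in reply 7. The glob semantics of the pattern, the two-letter prefix form for other entry kinds, and the sample file and log lines are constructed assumptions.

```python
"""Audit a Brightmail allowed/blocked list against Disposition: <allow> verdicts.

Added example for this thread; not Symantec/Brightmail code.  Assumptions:
'AS:' = allowed sender, ':+' enabled / ':-' disabled (replies 8 and 10),
patterns are shell-style globs, verdict lines look like the one in reply 7.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the allowedblockedlist.txt quoted in reply 9.
SAMPLE_LIST = """##Permit list
#
dn: cn=mailwall, ou=bmi
objectclass: top
objectclass: bmiBlackWhiteList
AS: *@mydomain.com:+
AS: 192.0.2.10:+
AS: partner.example:-
"""

# Constructed NOTICE-level log lines in the format quoted in reply 7.
SAMPLE_LOG = """18 Dec 2008 13:37:56 (NOTICE:17768.18384): [27165] Message for: <bob@mydomain.com> returned Disposition: <allow>. Query against Policy: <Default> returned Destination: <null> and Action: <modify>.
18 Dec 2008 13:38:02 (NOTICE:17768.18384): [27166] Message for: <alice@mydomain.com> returned Disposition: <spam>. Query against Policy: <Default> returned Destination: <Spam Quarantine> and Action: <quarantine>.
18 Dec 2008 13:38:09 (NOTICE:17768.18384): [27167] unrelated system event
"""


@dataclass
class ListEntry:
    kind: str      # "AS" = allowed sender (from the thread); other prefixes are assumed
    pattern: str   # address glob, bare domain or IP, as written in the file
    enabled: bool  # True for ':+', False for ':-' (reply 10)
    raw: str       # the original line, used when rewriting the file


# "<KIND>: <pattern>:<+|->"; the lazy group keeps IPs with dots intact.
ENTRY_RE = re.compile(r'^(?P<kind>[A-Z]{2}):\s*(?P<pattern>.+?):(?P<flag>[+-])\s*$')

# Field layout of the verdict line from reply 7.
VERDICT_RE = re.compile(
    r'Message for: <(?P<rcpt>[^>]*)> returned Disposition: <(?P<disposition>[^>]*)>\. '
    r'Query against Policy: <(?P<policy>[^>]*)> returned Destination: <(?P<destination>[^>]*)> '
    r'and Action: <(?P<action>[^>]*)>')


def parse_allowed_blocked_list(text: str) -> List[ListEntry]:
    """Return the AS/BS-style entries; LDIF lines such as 'dn:' are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(ListEntry(m['kind'], m['pattern'], m['flag'] == '+', line.rstrip()))
    return entries


def entries_allowing_domain(entries: List[ListEntry], own_domain: str) -> List[ListEntry]:
    """Enabled allowed-sender entries that accept any address at own_domain.

    Such an entry is exactly what lets spam with a forged internal From:
    bypass scanning, since the envelope sender is all the list checks."""
    probe = f"probe@{own_domain}".lower()
    return [e for e in entries
            if e.kind == 'AS' and e.enabled
            and (e.pattern.lower() == own_domain.lower()
                 or fnmatch.fnmatchcase(probe, e.pattern.lower()))]


def disable_entry(raw: str) -> str:
    """Flip a ':+' entry to ':-', the edit reply 10 recommends before re-import."""
    return re.sub(r':\+\s*$', ':-', raw)


def disable_domain_entries(text: str, own_domain: str) -> str:
    """Rewrite the list text with every own-domain allowed-sender entry disabled."""
    flagged = {e.raw for e in entries_allowing_domain(parse_allowed_blocked_list(text), own_domain)}
    return "\n".join(disable_entry(l) if l.rstrip() in flagged else l
                     for l in text.splitlines()) + "\n"


def parse_verdict(line: str) -> Optional[Dict[str, str]]:
    """Extract recipient, disposition, policy, destination and action, or None."""
    m = VERDICT_RE.search(line)
    return m.groupdict() if m else None


def allow_verdicts(log_text: str) -> List[Dict[str, str]]:
    """Verdict lines where the scanner returned Disposition: <allow>."""
    return [v for v in map(parse_verdict, log_text.splitlines())
            if v and v['disposition'] == 'allow']


if __name__ == '__main__':
    for v in allow_verdicts(SAMPLE_LOG):
        print(f"allowed: {v['rcpt']} via policy {v['policy']} action {v['action']}")
    for e in entries_allowing_domain(parse_allowed_blocked_list(SAMPLE_LIST), 'mydomain.com'):
        print(f"own-domain allowed-sender entry: {e.raw!r} -> {disable_entry(e.raw)!r}")
```

    Run it against the real allowedblockedlist.txt and the NOTICE-level log with your own domain substituted; any entry it reports is a sender pattern the scanner will treat as allowed, whatever the Control Center shows, and the rewritten text is what you would import back per reply 10.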



  • 11.  RE: BrightMail 6 Problem

    Posted Mar 21, 2009 03:03 PM

    Hi,

    Please, I need help with an issue with the BMI BCC login, which just stopped allowing the users to log into the quarantine web page to view their quarantined suspected spam mails. It gives an error of invalid username and password.

    The client network was hit by the Conficker worm / Downadup virus and this affected their Exchange server. All the users except the administrator for the BCC on the BMI server.

    I have checked all the logs on the server and there is no visible error. I don't know what the problem is. The SEP on the network has deleted the Downadup virus.

    I really need your help to resolve this issue urgently.

     



  • 12.  RE: BrightMail 6 Problem

    Posted Mar 23, 2009 07:25 AM

    You should probably start up a new thread for this as it's totally unrelated to the original message.  If you look at your LDAP settings, is the test login still working?  Any chance you changed the password of the account you are using to bind?  The Brightmaillog.log might give some indication as to what the problem is...

     

    Kevin