Brightmail 8.0.3 letting spam through

Updated: 09 Sep 2010 | 8 comments

We've been having some problems lately with spam not being detected and ending up in users' mailboxes. It mostly appears to be Spanish, Russian and German spam, though blocking these languages is not an option. Any ideas as to why this might be happening? Below is an example (I replaced the recipient's mail address).

Message Data 
ID: 0a0a1402-b7ce9ae000001a19-47-4b84c67d0d37
  Message-ID: <20100224032556.d5f4b1b2c376a192@ymail.com>
  Tracker: AAAACgr/BaETB7sSEwe7PBMHxo0TB8aTEwizHRMItdUTCMHqEwjGZRMIxnI=
  Accepted From: 194.151.226.233
  Scanners: Local Host 
  Time accepted: Wednesday, Feb 24, 2010 07:26:05 AM CET
  Direction: Inbound
  Sender: certifiquecalidad@ymail.com
  Original recipients: example@user.nl
  Original Subject: reunión informativa gratuita - especial empresarios
  Full attachment list: None
  Suspect attachments: None
Recipient Data 
  Intended recipient: example@user.nl
   
  Verdict:
    Verdict   Filter   Policy Group   Details
    None      default  default        None
   
  Actions taken: Deliver message normally
   
  Delivery:
    Delivered To      Delivery Time
    xxx.xxx.xxx.xxx   Wednesday, Feb 24, 2010 07:26:05 AM CET
   
  Untested verdicts:  Message was sent from a suspect spammer, Locally identified suspected virus, Suspected virus, Content Compliance violation: Delete Executable Files Violations, Content Compliance violation: Delete Email Policy Violations, Content Compliance violation: Legal Disclaimer, Content Compliance violation: Delete True Type Executable Files Violations, User allow, User reject, Virus attack, Directory Harvest Attack, Unknown recipient, Connection Class, Default Connection Class, Connection Class 1, Connection Class 2, Connection Class 3, Connection Class 4, Connection Class 5, Connection Class 6, Connection Class 7, Connection Class 8, Connection Class 9, Blocked language, Known language
   
  Other recipients:  
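
As an added example (not part of the thread or of the Brightmail product), a small Python parser for the Message Audit Log layout quoted above that counts messages delivered with no verdict per connecting IP, the quick check for a run of spam from a single source like the one reported further down the thread. The log text is constructed; only the 194.151.226.233 address comes from the post, and the second IP and verdicts are made up.

```python
import re
from collections import Counter

# Constructed sample in the post's Message Audit Log layout; only 194.151.226.233 is from the thread.
SAMPLE_LOG = """\
Message Data
  Accepted From: 194.151.226.233
  Verdict:
Verdict Filter Policy Group Details
None  default  default  None
  Actions taken: Deliver message normally
  Untested verdicts:  Message was sent from a suspect spammer, Content Compliance violation: Legal Disclaimer, Connection Class 9
Message Data
  Accepted From: 194.151.226.233
  Verdict:
Verdict Filter Policy Group Details
None  default  default  None
  Actions taken: Deliver message normally
Message Data
  Accepted From: 203.0.113.7
  Verdict:
Verdict Filter Policy Group Details
Spam  default  default  None
  Actions taken: Delete message
"""

# Lazy key stops at the first colon, so "Content Compliance violation: ..." items stay in the value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.*)$")

def parse_entries(text):
    """Yield one dict per 'Message Data' block; Verdict is a header row plus a value row."""
    for chunk in text.split("Message Data")[1:]:
        rec, lines = {}, [l for l in chunk.splitlines() if l.strip()]
        for i, line in enumerate(lines):
            m = FIELD_RE.match(line)
            if m and m.group(1) == "Verdict":               # first cell of the value row
                rec["Verdict"] = lines[i + 2].split()[0]
            elif m and m.group(1) == "Untested verdicts":   # filters that never got to run
                rec["Untested verdicts"] = [v.strip() for v in m.group(2).split(",")]
            elif m:
                rec[m.group(1)] = m.group(2).strip()
        yield rec

def delivered_unfiltered_by_ip(entries):
    """Count messages delivered with no verdict per connecting IP (many from one address = single-source run)."""
    hits = Counter()
    for e in entries:
        if e.get("Verdict") == "None" and e.get("Actions taken", "").startswith("Deliver"):
            hits[e.get("Accepted From", "unknown")] += 1
    return hits
```

Feeding real Message Audit Log exports through the same two functions gives the per-IP list that Tom's screenshot shows by hand, which is the list to compare against the Local Bad Senders entries.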


Comments

Frankenstein, 24 Feb 2010

Spam not detected

Hello Jim,

I just checked the sender IP (194.151.226.233) from your example on my gateways (Brightmail 8.0.3).
The last spam we got from there was on Jun 11, 2009.
The IP is not in the Symantec list "Global Bad Senders", but emails from that IP are mostly rejected because the Connection Class on our gateways is 9.
Seems that we had many emails from that IP and they were detected by the signatures.

With the new Brightmail Version 9 (not released yet) featuring the "Probe Network Participation" you may benefit from Brightmail users like us.

Frank

Jim Dutch, 24 Feb 2010

Hi Frank,

Thanks for your reply. We see spam coming in from numerous IP addresses. Most of it is caught, though some users suffer from a lot of spam, and if you look at the subjects and contents of those mails it's obvious that it is spam. I only recently turned on the Connection Classification, since I'm new to the company and Brightmail. Would Sender Authentication also help against this type of spam?

I'm looking forward to the Brightmail 9.0 release, do you know if we can expect a final version soon?

Best regards,

Jim

Frankenstein, 24 Feb 2010

Connection Classification / SPF

Hi Jim,

It was a huge step for us when we upgraded from Brightmail 7 to Version 8 with Connection Classification. Now that you have enabled this feature on your device, the detection of spam senders will get better and better every day.

Because only some providers have SPF DNS records, it will not avoid much spam.

Brightmail Version 9 is expected to be available in summer 2010.

Regards
Frank

AdnanH, 24 Feb 2010

Hi Jim,

Frank has provided some excellent answers and thanks to him for sharing his experience. Here are a few KB articles that you may find useful in your efforts to combat spam:

http://service1.symantec.com/SUPPORT/ent-gate.nsf/...

http://service1.symantec.com/support/ent-gate.nsf/...

http://service1.symantec.com/support/ent-gate.nsf/...

Regards,

Adnan

Tom Mucha, 08 Mar 2010

In the past few weeks I have seen a dramatic rise in spam coming through as well, running 8.0.3-11. All reputation services are up and running well. The only solution from support was to submit the messages, and that is not an easy thing to do when you have to show your users how to forward the mail correctly with envelope information when they have 30 messages sitting in their mailbox from over the weekend.

Out of a desperate attempt, I lowered the suspected spam threshold to 40 and it caught more legit email than spam.  I'm really hoping 9.0 has some magic in it so I don't have to hear the complaints on a daily basis!

See the attached screenshot from this morning - all from 74.63.192.134 - currently has a connection class of 3

AdnanH, 08 Mar 2010

Hi Tom,

I suppose you have already looked at the KB articles that I pointed to in my previous reply. If not, please do so, and try to engage support, to make sure that you have not overlooked or misconfigured something. Can you please provide the Trackers from Message Audit Logs for a few of those messages?

The magic that you are hoping for in 9.0 is, as Frank mentioned earlier, a new feature called Probe Accounts that will provide Symantec visibility into spam attacks directed towards specific customers so that antispam rules can be written against those specific attacks.

Regards,

Adnan

Tom Mucha, 08 Mar 2010

Like I said, I already had a case open and we verified all the settings twice. Here are a few of the trackers:
AAAAARMqI1Q=
AAAAAQKXEeI=
AAAAAgr/HBgSRVrf
AAAAAgr/WyEK/2Ed

I've since added it to the local bad senders IP, received a few more messages after that, then noticed it made it to the global bad senders list.  

AdnanH, 08 Mar 2010

If the attack had been detected earlier the IP would have been added to the Global Bad Senders list sooner and you would not have seen more messages from that IP. So, I think the Probe Accounts feature in version 9.0 is going to be useful in these cases.