Video Screencast Help
Search Video Help Close Back
to help
New in the Rewards Catalog: Vouchers for "Symantec Technical Specialist" and "Symantec Certified Specialist" exams.

SBG False Negative

Updated: 21 May 2010 | 1 comment
arrow_203's picture
arrow_203
0 0 Votes
Login to vote
This issue has been solved. See solution.

I received a report of a false negative from SBG.  The message audit log shows the following:

Message Data 
ID: c0a8cc06-b7c27ae000002466-26-4b9278dc1835
  Message-ID: <blu138-w2382d1fbc5452eb7090b62a2370@phx.gbl>
  Tracker: AAAABhMwDsITMDb+EyoXtRMqbX4TKuSCEysKIQ==
  Accepted From: 65.55.111.164
  Scanners: Symantec Brightmail Gateway 
  Time accepted: Saturday, Mar 06, 2010 07:46:36 AM PST
  Direction: Inbound
  Sender: hugoteixeirag@hotmail.com
  Original recipients: scrossley@xxxx.com 
  Original Subject: re
  Full attachment list: None
  Suspect attachments: None
Recipient Data 
  Intended recipient: shaun.crossley@xxxx.com
   
  Verdict:
Verdict Filter Policy Group Details
None  default  default  None 
   
  Actions taken: Deliver message normally 
   
  Delivery:
Delivered To Delivery Time
x.x.x.x Saturday, Mar 06, 2010 07:46:36 AM PST 
   
  Untested verdicts:  Message was sent from a suspect spammer, Locally identified suspected virus, Suspected virus, Content Compliance violation: Delete Executable Files Violations, Content Compliance violation: Delete Email Policy Violations, Content Compliance violation: Legal Disclaimer, Content Compliance violation: Delete True Type Executable Files Violations, Unknown recipient, Connection Class, Default Connection Class, Connection Class 1, Connection Class 2, Connection Class 3, Connection Class 4, Connection Class 5, Connection Class 6, Connection Class 7, Connection Class 8, Connection Class 9, Bounce attack signature present, Known language
   
  Other recipients:  
     

There a couple interesting things to note about this one.  First, the message contents are quite obviously spam:

From: hugo graça [mailto:hugoteixeirag@hotmail.com]
Sent: March-06-10 3:49 PM
To: scrossley@finsvcs.com
Subject: re
 
At medrx got top brand name non generic like Cialis Vicodin Phentermine Xanax and more for less than your local pharmacy from home with no doctor hastles with extremely prompt ordering and descreet shipping.

Hotmail: Free, trusted and rich email service. Get it now.

Also, the policy for this recipient is using the default, which normally catches things with keywords like this.

We have the "cannot retrieve LiveUpdates except for rapid response updates" bug currently affecting us.  Since switching to the rapid response updates, I've been noticing this stuff more and more.  I was advised that the upgrade for SBG 9 will resolve this bug.  Is there an updated release date for the version 9 update?  Anything else I can do to help prevent this sort of stuff from getting through?

Thanks!

discussion Filed Under:
, ,

Comments

AdnanH's picture
08
Mar
2010
1 Vote +1
Login to vote
AdnanH
Symantec Employee
Accredited

Hi Mike, The best thing is to

Hi Mike,

The best thing is to submit samples to Symantec as per the following KB:

http://service1.symantec.com/support/ent-gate.nsf/...

Additionally, please take a look at the following KB for some useful advice:

http://service1.symantec.com/SUPPORT/ent-gate.nsf/...

SBG version 9 is coming soon; most likely this month.  A new feature being introduced in SBG version 9 called "Probe Accounts" should help in identifying certain attacks that are specific to customers.

Regards,

Adnan

SOLUTION

Technical Support

Symantec.com

Store

Community Stats

Total Content Items
Members
259,025