Messaging Gateway

  • 1.  SBG False Negative

    Posted Mar 08, 2010 01:15 PM
    I received a report of a false negative from SBG.  The message audit log shows the following:

    Message Data 
    ID: c0a8cc06-b7c27ae000002466-26-4b9278dc1835
      Message-ID: <blu138-w2382d1fbc5452eb7090b62a2370@phx.gbl>
      Tracker: AAAABhMwDsITMDb+EyoXtRMqbX4TKuSCEysKIQ==
      Accepted From: 65.55.111.164
      Scanners: Symantec Brightmail Gateway 
      Time accepted: Saturday, Mar 06, 2010 07:46:36 AM PST
      Direction: Inbound
      Sender: hugoteixeirag@hotmail.com
      Original recipients: scrossley@xxxx.com 
      Original Subject: re
      Full attachment list: None
      Suspect attachments: None
    Recipient Data 
      Intended recipient: shaun.crossley@xxxx.com
       
      Verdict:
    Verdict Filter Policy Group Details
    None  default  default  None 
       
      Actions taken: Deliver message normally 
       
      Delivery:
    Delivered To Delivery Time
    x.x.x.x Saturday, Mar 06, 2010 07:46:36 AM PST 
       
      Untested verdicts:  Message was sent from a suspect spammer, Locally identified suspected virus, Suspected virus, Content Compliance violation: Delete Executable Files Violations, Content Compliance violation: Delete Email Policy Violations, Content Compliance violation: Legal Disclaimer, Content Compliance violation: Delete True Type Executable Files Violations, Unknown recipient, Connection Class, Default Connection Class, Connection Class 1, Connection Class 2, Connection Class 3, Connection Class 4, Connection Class 5, Connection Class 6, Connection Class 7, Connection Class 8, Connection Class 9, Bounce attack signature present, Known language
       
      Other recipients:  

    There are a couple of interesting things to note about this one.  First, the message contents are quite obviously spam:

    From: hugo graça [mailto:hugoteixeirag@hotmail.com]
    Sent: March-06-10 3:49 PM
    To: scrossley@finsvcs.com
    Subject: re
     
    At medrx got top brand name non generic like Cialis Vicodin Phentermine Xanax and more for less than your local pharmacy from home with no doctor hastles with extremely prompt ordering and descreet shipping.

    Hotmail: Free, trusted and rich email service. Get it now.

    Also, the policy for this recipient is using the default, which normally catches things with keywords like this.

    We have the "cannot retrieve LiveUpdates except for rapid response updates" bug currently affecting us.  Since switching to the rapid response updates, I've been noticing this stuff more and more.  I was advised that the upgrade for SBG 9 will resolve this bug.  Is there an updated release date for the version 9 update?  Anything else I can do to help prevent this sort of stuff from getting through?

    Thanks!

  • 2.  RE: SBG False Negative
    Best Answer

    Posted Mar 08, 2010 01:53 PM
    Hi Mike,

    The best thing is to submit samples to Symantec as per the following KB:

    http://service1.symantec.com/support/ent-gate.nsf/docid/2005012415180263

    Additionally, please take a look at the following KB for some useful advice:

    http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2008080612113754

    SBG version 9 is coming soon; most likely this month.  A new feature being introduced in SBG version 9 called "Probe Accounts" should help in identifying certain attacks that are specific to customers.

    Regards,

    Adnan