Symantec Messaging Gateway is getting a bad reputation at my site for false positives, resulting in deleted (i.e., gone forever) mail. As a result SMG is about to get quarantined and maybe deleted itself.
About a week ago, we replaced the VM that was running SMG. The new SMG was reconfigured from scratch. In doing so, I enabled Symantec Global Bad Senders under Reputation. I hoped that this would catch spam or viruses that were sent by known, active bots. That was a mistake. As a result, many users have had some inbound mail inappropriately deleted, which didn't become obvious until in the last 24 hours. Now I have to explain why this mail was lost.
The issue is that senders (our users & others) send mail from home or mobile ISPs that wind up at our site. The bottom-most (oldest) of the Received headers looks like
Received: from mumble-1-2-3-4.example.com ([1.2.3.4]) by mailhost.,.....com with esmtpa ... 20 Jun 2013 01:02:03 -0700
If you look up the reputation of the IP at http://ipremoval.sms.symantec.com/lookup/ you see it is marked as
The host is unauthorized to send email directly to email servers
That makes sense. It is just a mobile or home site (and may be dynamically assigned to different computers at different times) and should deliver to some mail submission (port 587) host after authentication. For this mail, it did just that, as indicated by the "with esmtpa" clause in the Received header, as per RFC3848.
However, I find that SMG 9.5.1-6 (yes, that's old) deletes this message, with a verdict that indicates OPL (open proxy list) triggered a static delete. All the other IP addresses do not have bad reputations.
Jun 20 02:25:34 smsinscan smsinscan bmserver: 1371720334|826b4363-b7b1fae0000054c0-08-51c2ca8da569|VERDICT|user@example.com|opl|default|static delete
I see no way to adjust SMG so it obeys RFC3848 for this kind of reputation. Is there a way to fix this? Is anyone aware whether this has been fixed in newer versions?
(Oh, and if you aren't thinking, you might suggest just adding 1.2.3.4 to the Local Good Senders IP list, but of course that won't work. You might send me mail from your home IP address, triggering this mail deletion, and I'd never get it and know I'd have to add your (temporary) IP to that list.)
Then there's the matter of why SMG is deleting the message. I can't find any policy that would do this. What enabled this deleting was enabling "Symantec Global Bad Senders" under Reputation > Bad Senders, which has the action "Reject SMTP Connection". What gives that the right to delete a message is not apparent.
Seeing no generic way of avoiding losing incoming mail, I'm again disabling Symantec Global Bad Senders. Too bad, as it threw out a lot of bath water with the baby.
P.S. I'll be sure to warn our users who tripped over this that their mail to other sites might just disappear into the ether if those other sites are running SMG with this configuration. (I hope Symantec's sales department will take note of that.)
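The post's point is that the oldest Received hop carries an RFC 3848 "with esmtpa" clause, so the client IP on that hop is an authenticated submission and should not be subjected to open-proxy or dynamic-IP reputation checks at all. The following Python script is an added example, not part of the original post and not Symantec's or SMG's code; it shows how a mail filter could parse Received headers, recognise the authenticated protocol keywords from RFC 3848, and hand only the unauthenticated hop IPs to a reputation lookup. The sample messages, host names and addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed for the example.

```python
import re
from email import message_from_string

# RFC 3848 "with" protocol keywords whose trailing "A" means the client used SMTP AUTH.
# A reputation check on the client IP of such a hop would block legitimate roaming
# users, which is exactly the false positive described in the post.
AUTHENTICATED_PROTOCOLS = {
    "esmtpa", "esmtpsa", "lmtpa", "lmtpsa",
    "utf8smtpa", "utf8smtpsa", "utf8lmtpa", "utf8lmtpsa",
}

# First bracketed address in the header is the "from" (client) address; the
# "by" clause follows it, so a leftmost match picks the connecting host.
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)


def parse_received(value):
    """Return (client_ip, protocol) from one Received header value.

    Folded header lines are fine: the regexes span whitespace and newlines.
    Missing pieces come back as None rather than raising.
    """
    ip_match = IP_RE.search(value)
    with_match = WITH_RE.search(value)
    ip = ip_match.group(1) if ip_match else None
    protocol = with_match.group(1).lower() if with_match else None
    return ip, protocol


def classify_hops(raw_message):
    """Walk the Received headers (newest first, as they appear in the message).

    Each hop records the client IP, the RFC 3848 protocol keyword, whether the
    hop was authenticated, and whether the IP should go to reputation lookup.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        ip, protocol = parse_received(value)
        authenticated = protocol in AUTHENTICATED_PROTOCOLS
        hops.append({
            "ip": ip,
            "protocol": protocol,
            "authenticated": authenticated,
            # Only unauthenticated relays are candidates for OPL / dynamic-IP checks.
            "reputation_check": ip is not None and not authenticated,
        })
    return hops


def ips_to_check(raw_message):
    """IPs a reputation-based filter should actually look up for this message."""
    return [hop["ip"] for hop in classify_hops(raw_message) if hop["reputation_check"]]


# Constructed sample: a home user submits through their ISP's authenticated
# submission host, which relays to the receiving gateway.
SAMPLE_AUTHENTICATED = """\
Received: from mailhost.example.com (mailhost.example.com [203.0.113.10])
    by gateway.example.org with ESMTP id abc123;
    Thu, 20 Jun 2013 01:03:00 -0700
Received: from mumble-1-2-3-4.example.com ([198.51.100.4])
    by mailhost.example.com with esmtpa id xyz789;
    Thu, 20 Jun 2013 01:02:03 -0700
From: user@example.com
To: someone@example.org
Subject: constructed test message

Hello from a mobile connection.
"""

# Constructed counterpart: same path, but the first hop did NOT authenticate,
# so the dynamic client IP legitimately stays eligible for reputation checks.
SAMPLE_UNAUTHENTICATED = SAMPLE_AUTHENTICATED.replace("with esmtpa", "with esmtp")


if __name__ == "__main__":
    for label, sample in (("authenticated", SAMPLE_AUTHENTICATED),
                          ("unauthenticated", SAMPLE_UNAUTHENTICATED)):
        print(label)
        for hop in classify_hops(sample):
            print("  ", hop)
        print("   reputation lookups:", ips_to_check(sample))
```

Run as-is, the authenticated sample yields a single lookup (the relaying mail host, 203.0.113.10), while the unauthenticated variant also submits the home-user address 198.51.100.4. The decision is driven by the hop's protocol keyword rather than by an IP allow-list, which is why it keeps working for dynamically assigned addresses that a Local Good Senders list could never enumerate.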