Messaging Gateway


SMG (Outbound Spam not getting Caught)

  • 1.  SMG (Outbound Spam not getting Caught)

    Posted May 27, 2014 07:57 AM

    Hello Guys, I am having a problem. SMG is failing to detect outbound spam and as a result the reputation of the IP is bad. This problem arose in the last two days; before that it was running fine and quarantining spam. How can I fix and troubleshoot the issue? Regards



  • 2.  RE: SMG (Outbound Spam not getting Caught)

    Posted May 27, 2014 09:09 AM

    Please confirm that outbound scanning is enabled as per the below article:
    http://www.symantec.com/docs/TECH122730

    And that SMTP traffic is only allowed outbound via the SMG or from approved internal endpoints only.

    As far as the investigation goes, you'd need to know what "bad" emails managed to get out.  Or at the very least check if any unauthorised machines are sending emails out (a good place to start would be to check network logs for anything other than approved IP addresses connecting out on port 25).
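
The network-log check suggested in the reply above, as an added example that is not part of the original thread: it counts connections to external port 25 from internal hosts other than the approved gateway. The netfilter-style `SRC=`/`DST=`/`DPT=` log format, the sample lines, and the approved address 10.0.0.25 are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the only host allowed to send SMTP out is the gateway's internal IP.
APPROVED_SENDERS = {ipaddress.ip_address("10.0.0.25")}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in netfilter LOG key=value style (not from the thread).
SAMPLE_LOG = """\
Jun  2 03:10:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.10 PROTO=TCP SPT=51514 DPT=25
Jun  2 03:10:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=198.51.100.7 PROTO=TCP SPT=40211 DPT=25
Jun  2 03:10:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=198.51.100.9 PROTO=TCP SPT=40212 DPT=25
Jun  2 03:10:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.7.3 DST=203.0.113.80 PROTO=TCP SPT=55002 DPT=443
Jun  2 03:10:11 fw kernel: IN=eth1 OUT=eth1 SRC=10.0.9.40 DST=10.0.0.25 PROTO=TCP SPT=33100 DPT=25
Jun  2 03:10:15 fw kernel: IN=eth2 OUT=eth0 SRC=192.168.1.50 DST=192.0.2.33 PROTO=TCP SPT=49877 DPT=25
Jun  2 03:10:20 fw kernel: link eth2 renegotiated
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return (src, dst, proto, dport), or None for lines without those fields."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return (ipaddress.ip_address(fields["SRC"]), ipaddress.ip_address(fields["DST"]),
                fields["PROTO"], int(fields["DPT"]))
    except (KeyError, ValueError):
        return None

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def unapproved_smtp_sources(log_text, approved=APPROVED_SENDERS):
    """Count TCP/25 connections to external hosts per unapproved internal source."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        # Internal-to-internal SMTP (mail servers relaying to the gateway) is expected.
        if (proto == "TCP" and dport == 25 and is_internal(src)
                and not is_internal(dst) and src not in approved):
            hits[str(src)] += 1
    return hits

if __name__ == "__main__":
    for src, count in unapproved_smtp_sources(SAMPLE_LOG).most_common():
        print(f"{src}: {count} direct SMTP connection(s) bypassing the gateway")
```

Any address this reports is a host to hand to the network admins, since its mail never reaches the gateway's outbound scanning.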



  • 3.  RE: SMG (Outbound Spam not getting Caught)

    Posted May 27, 2014 09:23 AM

    Yes, outbound scanning is enabled, as well as a policy to quarantine outbound spam.

    A large amount of spam was sent out, that's why the reputation of the IP is bad, and I can't see any outbound spam in the quarantine for the last two days.



  • 4.  RE: SMG (Outbound Spam not getting Caught)

    Posted May 27, 2014 09:40 AM

    In that case, you'll need to confirm if anything is bypassing the SMG and sending emails out directly (typically one for the network admins).



  • 5.  RE: SMG (Outbound Spam not getting Caught)

    Posted May 27, 2014 10:16 AM

    Thanks for the reply, I will check with my network admin for that. Regards



  • 6.  RE: SMG (Outbound Spam not getting Caught)

    Broadcom Employee
    Posted May 31, 2014 12:00 AM

    Hi Outrageous,

    Send a test message and check in the message audit logs to see what happened to that message.

    Check the direction of the email, and also check the verdict.

    If you cannot find that message in the message audit logs then it is bypassing SMG.

     



  • 7.  RE: SMG (Outbound Spam not getting Caught)

    Posted May 31, 2014 01:08 AM

    Thanks for your reply Mudassar, but if it is bypassing SMG then why is the reputation of the SMG IP bad and deferring mails from the Yahoo domain?



  • 8.  RE: SMG (Outbound Spam not getting Caught)

    Broadcom Employee
    Posted May 31, 2014 01:13 AM

    Hi Outrageous,

    Because email goes outside using your public IP, which is your firewall. Anything that is going out of your network is using your public IP.

    The public IP is the one getting blacklisted and not the internal IP.

    I hope that helps.

    Thanks

     

     

     



  • 9.  RE: SMG (Outbound Spam not getting Caught)

    Posted Jun 02, 2014 03:24 AM

    Whether or not the SMG is using the same NAT as traffic from all other internal addresses is a question for your network admins.

    Have you asked them about it yet?  It really does sound as if their involvement will help you in your investigation.



  • 10.  RE: SMG (Outbound Spam not getting Caught)

    Broadcom Employee
    Posted Jun 04, 2014 02:28 AM

    Hi Outrageous,

    What is the update? Is all working OK now?

    Let us know if any further assistance is required.

    Thanks

    Mudassar

     

     



  • 11.  RE: SMG (Outbound Spam not getting Caught)

    Posted Jun 04, 2014 09:42 AM

    Hello Mudassar, thanks for your reply... Well, Domino does not have a direct connection to the internet. I tried to telnet from it onto the internet on port 25 and it was blocked; the same goes for the internal machine.



  • 12.  RE: SMG (Outbound Spam not getting Caught)

    Posted Jun 04, 2014 09:44 AM

    SMLcast, the binding or NAT on the firewall is only configured for the SMG internal private IP to the public IP. It's basically a 1-1 NAT, so I guess it's not the case.



  • 13.  RE: SMG (Outbound Spam not getting Caught)

    Posted Jun 04, 2014 11:29 AM

    To be fair, the point is to confirm with the Network admins that the only outbound mail traffic is via the SMG alone.

    Once this has been confirmed, then it's a matter of ensuring that you have outbound scanning enabled (which you said you have) and that the SMG is up to date.

    That is the preliminary investigation in a nutshell.

    Anything beyond that will require you identifying which emails you believe are spam going through your SMG, identifying which machines are generating the spam, and remediating those machines or logging a case with Symantec to investigate.