Spam issues with Messaging Gateway 10

Created: 02 May 2013 | 3 comments

My organization has recently switched from GFI Mail Essentials to SMG 10.0.1. While we initially had great results, a few problems have surfaced. We needed to disable rDNS checking as some of our clients don't have DNS records configured correctly, and simply adding their domain and the domain of their mail server to the good senders reputation list was ineffective (seems to check rDNS and bounce before ever processing any other filters?). 

As expected, there has been a marked increase in spam, which has made quite a rash on my hide over the last two days. Here are a couple examples of headers from the illicit mail:

 

Microsoft Mail Internet Headers Version 2.0

Received: from our.mail.server ([its ip]) by mail.ourdomain.com with Microsoft SMTPSVC(6.0.3790.4675);

                 Thu, 2 May 2013 14:47:05 -0700

Received: from our.brightmail.appliance (its ip) by

 our.mail.server (its ip) with Microsoft SMTP Server id

 14.2.342.3; Thu, 2 May 2013 14:46:56 -0700

X-AuditID: c0a800e5-b7fd36d0000070b8-a6-5182deca79cd

Received: from oik.communicatelonggovernment.net (Unknown_Domain

 [193.142.111.66])            by our.brightmail.appliance (Symantec Messaging

 Gateway) with SMTP id F9.60.28856.BCED2815; Thu,  2 May 2013 14:46:52 -0700

 (PDT)

To: <user@ourdomain.com>

Subject: Trending Video on How to Lose Fat by Dr Oz

Date: Thu, 2 May 2013 17:45:51 -0400

From: the dr oz video <Alba_Berg@communicatelonggovernment.net>

MIME-Version: 1.0

Message-ID: <6889883781357630454@oik.communicatelonggovernment.net>

Content-Type: text/plain; charset="us-ascii"

Content-Transfer-Encoding: 8bit

Content-Disposition: inline

Return-Path: Alba_Berg@communicatelonggovernment.net

X-GFI-SMTP-Submission: 1

X-GFI-SMTP-HelloDomain: our.brightmail.appliance

X-GFI-SMTP-RemoteIP: brightmail.ip

X-OriginalArrivalTime: 02 May 2013 21:47:05.0078 (UTC) FILETIME=[9624F960:01CE477E]

 

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

 

Received: from our.brightmail.appliance (its ip) by

 our.mail.server (its ip) with Microsoft SMTP Server id

 14.2.342.3; Thu, 2 May 2013 08:11:22 -0700

X-AuditID: c0a800e5-b7fd36d0000070b8-16-51828214e245

Received: from mx04.mumrug.com (daily5.myastrologicalguide.com

 [66.172.81.105])               by our.brightmail.appliance (Symantec Messaging

 Gateway) with SMTP id E7.AF.28856.61282815; Thu,  2 May 2013 08:11:22 -0700

 (PDT)

Content-Type: text/plain; charset="us-ascii"

MIME-Version: 1.0

Content-Transfer-Encoding: 7bit

Reply-To: <AubreySanders@mumrug.com>

Date: Thu, 2 May 2013 08:11:16 -0700

From: Impress Everyone <AubreySanders@mumrug.com>

Subject: Just want to rapidly learn another language?

To: <user@ourdomain.com>

Message-ID: <20130501041734.32547.82115@mx04.mumrug.com>

Return-Path: AubreySanders@mx04.mumrug.com

X-MS-Exchange-Organization-AuthSource: our.mail.server

X-MS-Exchange-Organization-AuthAs: Anonymous

X-GFI-SMTP-Submission: 1

X-GFI-SMTP-HelloDomain: our.brightmail.appliance

X-GFI-SMTP-RemoteIP: brightmail.ip

 

So, is there any way for me to curb some of this spam without re-enabling rDNS? I realize that blacklisting domains and IPs would be pretty futile... If not, is there any way to configure SMG 10 to check sender whitelist before it bounces? If any/all of these seem pretty simple, my apologies; I'm still pretty new to SMG/Brightmail and Exchange in general.

 

And thanks for your help!
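
The two samples above differ in what the gateway recorded about the connecting host, and that can be read directly from the gateway's Received line. The sketch below is an added example, not part of the original post or of any Symantec tooling; it assumes `Unknown_Domain` marks a reverse lookup that returned nothing, and it compares domains naively by their last two labels.

```python
import re

# Matches the "from" clause of a Received header as written in the samples:
#   from <HELO name> (<reverse-DNS name> [<ip>]) by <receiving host>
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\s*(?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\s*\)"
    r"\s+by\s+(?P<by>\S+)"
)

# Constructed from the two samples in the post (folded lines joined).
SAMPLES = [
    "from oik.communicatelonggovernment.net (Unknown_Domain [193.142.111.66]) "
    "by our.brightmail.appliance (Symantec Messaging Gateway) "
    "with SMTP id F9.60.28856.BCED2815",
    "from mx04.mumrug.com (daily5.myastrologicalguide.com [66.172.81.105]) "
    "by our.brightmail.appliance (Symantec Messaging Gateway) "
    "with SMTP id E7.AF.28856.61282815",
]


def org_domain(name):
    """Naive registrable domain: last two labels (assumption, no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def classify(received, gateway="our.brightmail.appliance"):
    """Return (ip, verdict) for the hop accepted by `gateway`, else None."""
    unfolded = " ".join(received.split())  # undo header folding
    m = RECEIVED_FROM.search(unfolded)
    if not m or m["by"] != gateway:
        return None  # internal hop or a format this sketch does not cover
    if m["rdns"] == "Unknown_Domain":  # assumed: PTR lookup returned nothing
        return m["ip"], "no-rdns"
    if org_domain(m["rdns"]) != org_domain(m["helo"]):
        return m["ip"], "helo-rdns-mismatch"
    return m["ip"], "consistent"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

The first sample has no reverse DNS at all, while the second has a PTR record whose domain differs from the HELO name, so the two would be treated differently by any rule keyed on reverse DNS.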


toby

Have you activated all antispam and reputation filters like Global Bad Senders etc?

Thanks,

toby

------------------------------------------------------------------

Best regards!

toby

CISSP / STS / MCP 

blcksnds

Besides the customer-specific definitions, yes, they are all enabled. 

Art_P

You may be running into an issue related to the functionality of the scanning service. Please refer to the following KB for confirmation and correction information:

http://www.symantec.com/docs/TECH198258
