
Spam Verdict

Created: 06 Aug 2009 • Updated: 21 May 2010 | 4 comments

There have been more spam email messages getting through the spam filter recently.  Looking at the message audit logs, there is a large list of "Untested verdicts".  I am trying to figure out why these spam messages are getting through without being tested and are being delivered normally.  Any help would be appreciated.

Untested verdicts:  Message was sent from a suspect spammer, Locally identified suspected virus, Suspected virus, Content Compliance violation: Delete Executable Files Violations, Content Compliance violation: Delete Email Policy Violations, Content Compliance violation: Legal Disclaimer, Content Compliance violation: Delete True Type Executable Files Violations, User allow, User reject, Unknown recipient, Connection Class, Default Connection Class, Connection Class 1, Connection Class 2, Connection Class 3, Connection Class 4, Connection Class 5, Connection Class 6, Connection Class 7, Connection Class 8, Connection Class 9, Bounce attack signature present, Bounce Attack, Blocked language, Known language


fsg wrote:

I believe 'Untested verdicts' are policies / rules that were not triggered by the mail in question.

In case of missed spam however you should be looking at the message Tracker.
If the Tracker is other than "AAAAAA==" (without quotes) the mail is not 'clean'.
It could be 'suspected spam', in which case try lowering the 'Suspected Spam Scoring' value by 3-4 points (i.e. if it is on the default 72, lower it to 68) and check the action for the 'Suspected Spam policy'.

Sample below:
----------------------------------------------------------------------

Message Data
ID: ac140c75-bxxx000005427-d4-4a1477b1aff7
Message-ID: <feb98e9xxxxa94bc0732fbc900339e@sidneygoulart>
Tracker: AAAxxxx+0O9irL
Accepted From: 200.xxx.78.94
Scanners: Local Host
Time accepted: Wednesday, May 20, 2009 06:35:45 PM BRT
Direction: Inbound
---------------------------------------------------------------------
Cheers


Ian McShane wrote:

Hi,

Untested means that something stopped the scanning process before it reached those tests.
What does Message Audit Log show for the actual verdict?

//ian 

Dena wrote:

Below is a copy of the message audit log of a spam message where there are untested verdicts. I already have the suspected spam scoring down to 25 (been there since day 1 for about a year now). The email spam policy is set "If a message is spam or suspected spam" -> Hold message in Spam Quarantine.  How do I figure out why the message is not being completely tested?

 

Message Data
ID: c0a800e4-b7baaae000001146-4b-4a7b6eb3cf21
Message-ID: <20090807041822.lwlcopvmgff@mx16.cheerfulhappy.com>
Tracker: AAAAAwHRh6cK/yrzC4HM5Q==
Accepted From: 91.121.232.99
Scanners: Local Host 
Time accepted: Thursday, Aug 06, 2009 08:00:51 PM EDT
Direction: Inbound
Sender: stopim@cheerfulhappy.com
Original recipients:
Original Subject: create the life you've always wanted
Full attachment list: image001.png, image002.jpg, image003.jpg, image004.png, image001.png, image002.jpg, image003.jpg, image004.png, image001.png, image002.jpg, image003.jpg, image004.png, image003.jpg, image004.png, image003.jpg, image004.png, image003.jpg, image004.png
Suspect attachments: None
Recipient Data
Intended recipient:

Verdict: Verdict Filter Policy Group Details
         None  default  default      None 
Actions taken: Deliver message normally 

Delivery: Delivered To Delivery Time
192.168.0.225  Thursday, Aug 06, 2009 08:00:56 PM EDT

Untested verdicts:   Message was sent from a suspect spammer, Locally identified suspected virus, Suspected virus, Content Compliance violation: Delete Executable Files Violations, Content Compliance violation: Delete Email Policy Violations, Content Compliance violation: Legal Disclaimer, Content Compliance violation: Delete True Type Executable Files Violations, User allow, User reject, Unknown recipient, Connection Class, Default Connection Class, Connection Class 1, Connection Class 2, Connection Class 3, Connection Class 4, Connection Class 5, Connection Class 6, Connection Class 7, Connection Class 8, Connection Class 9, Bounce attack signature present, Bounce Attack, Blocked language, Known language

fsg wrote:

If the email spam policy is configured to hold the message in the Quarantine (for both spam and suspected spam) and the mail is delivered normally, even with a Tracker as per the above (Tracker: AAAAAwHRh6cK/yrzC4HM5Q==) while the Spam Scoring is set to 25 (minimum configurable value in the web-ui), it means that the numerical weight of the mail in question is under 25.

In this instance you will have to:

  - manually submit the missed spam to Symantec, as per the following document:
    http://service1.symantec.com/SUPPORT/ent-gate.nsf/...

  - as a temporary blocking measure (until Symantec includes the characteristics of the submitted mail in the spam rulesets) perform the following:
      - Using the Message Audit Logs data, determine some re-occurring characteristics of the spam mail (sender address, subject, body text, connecting IP, etc.)
      - Create a Temporary Policy to block these emails:
         Add the connecting IP / sender email address / sender domain to the Local Bad Sender Lists (IP or Domain based).  If using the local bad sender lists, review the Message Audit Logs carefully to ensure you are not blocking possibly shared IPs, or an entire domain from which you expect valid emails as well as the spam you have noticed.

Cheers.
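One way to act on the two pieces of advice in this thread (fsg's "AAAAAA==" Tracker check in the first reply, and the log review before adding a source to the Local Bad Sender Lists in the last), as an added example that is not part of the original posts and not Symantec's own tooling. It assumes audit-log records in the plain-text "Key: Value" layout Dena pasted above; the parser, the `MISSED_SPAM_IDS` set and records 2 and 3 of the sample log are constructed for illustration.

```python
"""Triage Message Audit Log records for missed spam.

Added example for this thread; not code from the original posts or from
Symantec. It assumes the plain-text "Message Data" record layout pasted
above (one "Key: Value" per line) and applies two ideas from the thread:
fsg's rule of thumb that a Tracker of exactly "AAAAAA==" marks a message
the scanners considered clean, and the advice to block a connecting IP or
sender domain only after checking the logs for legitimate mail from it.
"""
import re
from collections import defaultdict

CLEAN_TRACKER = "AAAAAA=="  # per fsg's post; any other value is "not clean"

# Constructed sample. Record 1 reuses the values Dena pasted; records 2 and 3
# are invented to show a connecting IP carrying both spam and legitimate mail.
SAMPLE_LOG = """\
Message Data
ID: c0a800e4-b7baaae000001146-4b-4a7b6eb3cf21
Tracker: AAAAAwHRh6cK/yrzC4HM5Q==
Accepted From: 91.121.232.99
Time accepted: Thursday, Aug 06, 2009 08:00:51 PM EDT
Sender: stopim@cheerfulhappy.com
Original Subject: create the life you've always wanted
Actions taken: Deliver message normally

Message Data
ID: 00000000-constructed-record-0002
Tracker: AAAAAwHRh6cK/yrzC4HM5Q==
Accepted From: 91.121.232.99
Sender: deals@cheerfulhappy.com
Original Subject: create the life you've always wanted
Actions taken: Deliver message normally

Message Data
ID: 00000000-constructed-record-0003
Tracker: AAAAAA==
Accepted From: 91.121.232.99
Sender: invoices@example.org
Original Subject: Invoice 4411
Actions taken: Deliver message normally
"""

# Constructed: IDs of the messages users reported as missed spam.
MISSED_SPAM_IDS = {
    "c0a800e4-b7baaae000001146-4b-4a7b6eb3cf21",
    "00000000-constructed-record-0002",
}

# Key runs up to the first colon, so values with colons (timestamps) survive.
KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*)$")


def parse_records(text):
    """Split audit-log text into dicts, one per 'Message Data' block."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Message Data":
            current = {}
            records.append(current)
        elif current is not None:
            m = KEY_VALUE.match(line)
            if m:
                current[m.group(1).strip()] = m.group(2).strip()
    return records


def sender_domain(address):
    """'user@Example.org' -> 'example.org'; an empty sender (bounce) -> ''."""
    return address.rpartition("@")[2].lower()


def recommend(counts):
    """A source is a safe Local Bad Sender candidate only if every message
    seen from it was missed spam; a mixed source is flagged as shared."""
    out = {}
    for source, c in counts.items():
        if c["spam"] and not c["ham"]:
            out[source] = "block"
        elif c["spam"]:
            out[source] = "shared: %d spam, %d legitimate; do not block" % (
                c["spam"], c["ham"])
    return out


def analyze(text, missed_spam_ids):
    """Flag each record and aggregate per connecting IP and sender domain."""
    ip_counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    domain_counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    messages = []
    for r in parse_records(text):
        reported = r.get("ID") in missed_spam_ids
        bucket = "spam" if reported else "ham"
        ip_counts[r.get("Accepted From", "?")][bucket] += 1
        domain_counts[sender_domain(r.get("Sender", ""))][bucket] += 1
        messages.append({
            "id": r.get("ID"),
            # fsg's heuristic: only the exact "AAAAAA==" tracker is clean
            "tracker_clean": r.get("Tracker") == CLEAN_TRACKER,
            "delivered": r.get("Actions taken", "").startswith("Deliver"),
            "reported_spam": reported,
        })
    return {"messages": messages,
            "ip": recommend(ip_counts),
            "domain": recommend(domain_counts)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, MISSED_SPAM_IDS)
    for m in result["messages"]:
        print(m)
    print("IP candidates:", result["ip"])
    print("Domain candidates:", result["domain"])
```

Run as a script it prints the per-message flags and the list candidates. The point is in the aggregation: the connecting IP comes out as "shared" because one legitimate message also arrived through it, while the sender domain has produced only spam and is the safer entry for the Local Bad Sender List. Whether "AAAAAA==" is the only clean Tracker value is fsg's observation in this thread, not something the product documents here.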