We are running the latest version and spam slips through frequently. All of the spam messages are in HTML format. They are not addressed directly to any users on our domain.
Here is a sample header:
Received: from BMGATEWAY (192.168.2.7) by abcdef.local
(192.168.2.10) with Microsoft SMTP Server id 8.1.393.1; Wed, 14 Apr 2010
01:20:10 -0400
X-AuditID: c0a80207-b7b16ae000007c6c-80-4bc550b93588
Received: from blu0-omc4-s16.blu0.hotmail.com (blu0-omc4-s16.blu0.hotmail.com
[65.55.111.155]) by BMGATEWAY (Symantec Brightmail Gateway) with SMTP id
6D.30.31852.9B055CB4; Wed, 14 Apr 2010 01:20:58 -0400 (EDT)
Received: from BLU102-W2 ([65.55.111.135]) by blu0-omc4-s16.blu0.hotmail.com
with Microsoft SMTPSVC(6.0.3790.3959); Tue, 13 Apr 2010 22:20:56 -0700
Message-ID: <BLU102-W254C32DB1EF169AE1D725DC100@phx.gbl>
Return-Path: jenniferzwbcrxom@hotmail.com
Content-Type: multipart/alternative;
boundary="_91f6a342-8afc-4811-b0a2-f73a1c54a067_"
X-Originating-IP: [72.50.8.243]
From: Emalee Kirkelie <jenniferzwbcrxom@hotmail.com>
To: <info@zenmotostore.com>
Subject: Software Retail price too high ? Buy 0EM version h
Date: Wed, 14 Apr 2010 05:20:56 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 14 Apr 2010 05:20:56.0775 (UTC) FILETIME=[42E8ED70:01CADB92]
X-Brightmail-Tracker: AAAAAhO1vgQTtlhU
The question is:
The messages have different X-Originating-IP values. When I run 'IP Reputation Lookup' on the IP address [72.50.8.243], it is found under 'Bad Reputation/Global Bad Senders'. I have set up the policy to reject the SMTP connection for Symantec Global Bad Senders. Why did Brightmail let these messages through?
I have forwarded these spam messages to Security Response Center.
Any suggestions to make Brightmail gateway more effective at blocking these obvious spam messages?
-Naren
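As an added illustration (not part of Naren's post and not Symantec code), the script below parses the posted header and shows which IP address a connection-time policy can actually see. A rule that rejects the SMTP connection for Global Bad Senders can only be evaluated against the peer that opens the connection to the gateway, because at that point no headers have been received yet. In this header that peer is 65.55.111.155, an outbound hotmail.com server, whereas 72.50.8.243 appears only in X-Originating-IP, which records the client that submitted the message to Hotmail. The gateway name BMGATEWAY is taken from the posted Received line; the bad-sender set is a constructed stand-in for the reputation list, not real Symantec data.

```python
import email
import re

# Header copied from the forum post (extraction line breaks rejoined);
# continuation lines are indented by one space as in RFC 5322 folding.
SAMPLE_HEADERS = """\
Received: from BMGATEWAY (192.168.2.7) by abcdef.local
 (192.168.2.10) with Microsoft SMTP Server id 8.1.393.1; Wed, 14 Apr 2010
 01:20:10 -0400
X-AuditID: c0a80207-b7b16ae000007c6c-80-4bc550b93588
Received: from blu0-omc4-s16.blu0.hotmail.com (blu0-omc4-s16.blu0.hotmail.com
 [65.55.111.155]) by BMGATEWAY (Symantec Brightmail Gateway) with SMTP id
 6D.30.31852.9B055CB4; Wed, 14 Apr 2010 01:20:58 -0400 (EDT)
Received: from BLU102-W2 ([65.55.111.135]) by blu0-omc4-s16.blu0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.3959); Tue, 13 Apr 2010 22:20:56 -0700
Message-ID: <BLU102-W254C32DB1EF169AE1D725DC100@phx.gbl>
Return-Path: jenniferzwbcrxom@hotmail.com
X-Originating-IP: [72.50.8.243]
From: Emalee Kirkelie <jenniferzwbcrxom@hotmail.com>
To: <info@zenmotostore.com>
Subject: Software Retail price too high ? Buy 0EM version h
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# "from <host> (<comment>) by <host> ..." ; the comment usually carries the
# peer address the receiving MTA actually saw on the socket.
HOP = re.compile(r"from\s+(\S+)(?:\s+\((.*?)\))?\s+by\s+(\S+)", re.IGNORECASE)


def received_hops(raw_headers):
    """Return the Received chain top-down as dicts: from, from_ip, by."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # collapse folding whitespace
        m = HOP.match(unfolded)
        if not m:
            continue
        comment = m.group(2) or ""
        ip = IPV4.search(comment)
        hops.append({
            "from": m.group(1),
            "from_ip": ip.group(0) if ip else None,
            "by": m.group(3),
        })
    return hops


def connecting_ip(raw_headers, gateway_host):
    """IP of the peer that connected to the named gateway, per its own Received line."""
    for hop in received_hops(raw_headers):
        if hop["by"].lower() == gateway_host.lower():
            return hop["from_ip"]
    return None


def originating_ip(raw_headers):
    """Value of X-Originating-IP with its brackets stripped, or None."""
    msg = email.message_from_string(raw_headers)
    value = msg.get("X-Originating-IP")
    if not value:
        return None
    ip = IPV4.search(value)
    return ip.group(0) if ip else None


def connection_block_decision(raw_headers, gateway_host, bad_senders):
    """True only if the *connecting* peer is on the bad-sender list.

    A connection-time reject can only key on the socket peer; any IP that is
    merely named inside a header (X-Originating-IP) is invisible to it.
    """
    ip = connecting_ip(raw_headers, gateway_host)
    return ip is not None and ip in bad_senders


if __name__ == "__main__":
    # Constructed stand-in for the reputation list: the IP the post saw flagged.
    bad = {"72.50.8.243"}
    print("hops:", received_hops(SAMPLE_HEADERS))
    print("connecting peer :", connecting_ip(SAMPLE_HEADERS, "BMGATEWAY"))
    print("X-Originating-IP:", originating_ip(SAMPLE_HEADERS))
    print("connection-time block fires:",
          connection_block_decision(SAMPLE_HEADERS, "BMGATEWAY", bad))
```

Run against the posted header, the connecting peer resolves to 65.55.111.155 and the connection-time check does not fire, even though 72.50.8.243 is in the constructed bad-sender set. Anything keyed on the originating address would have to run as a content-time header check after the message has been accepted, not as a connection reject.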