Messaging Gateway

Help!  We have been running SMG for several years without any issues.  This past Friday I upgraded to 10.6.0-7 and now it's classifyign a lot of valid emails as spam.  I really don't have the time to keep watching the spam quarantine and releasing valid emails every 15 minutes.  Does anyone know what's going on with that and how to makew it stop???

Hi, We are facing the same issue. The reason is a new Feature in 10.6.0-x called url reputation. My case on this is still open because till now there is no lookup possibility. Your only options are - open a case and/ or - disable url reputation Check Thomas

Thanks for the reply.  I'll look into the URL Reputation thingy right away.

Hi,

We have faced the same problem with SMG 10.6.0 -7. Almoust every legitimate email is treated as spam. I would like to ask you if your problem was resolved.

Thanks, Danute. 

Yes, we still get valid emails classified as spam.  It means I have to spend time everyday going through the spam quarantine making sure we don't miss anything.  I really have better things to do.  I have added the domains of our most important clients & partners to the Good Senders list, but I still have to watch the spam queue daily.  We were already considering dumping our onsite Exchange server and moving to the cloud.  This spam nonsense is making it more attractive with each passing day.  And if I don't need the SMG appliance, perhaps I don't need our entire Symantec security site license.  We have been happy with Symantec for more than a decade, and this is making me seriously look at alternatives for the first time.

We're waiting for a solution too.

In the meantime you could

1. Submit a false-positive: If you've got quarantine enabled forward the mime to Symantec - lookup your appropriate address at https://support.symantec.com/en_US/article.TECH83081.html - Section False Positives Submissions

2. Take a look at Option "Enable URL reputation filtering" in Spam, Settings, Scan Settings. Try to turn it OFF.

I think in 10.6.0-3 this feature was invented and is now filtering mails based on URL-reputation.

But this reputation can't be looked up by anybody, even support has limited possibilities - feature is so called UltraURL.

 

Thomas

Thanks for helping us.

 

But we think that we need to open case too, because the problem still exists.

Could you inform me in future if you find solution?

Danute.

Danuite,

Sure.

In your case i would open a case and let them analyse the reason.

I provided the quarantined message file, submitted it as a false positive and got the answer from the tracking# that the reason for spam detection was ultra url - but there might be several other reasons.

 

Thomas

I was going to perform the upgrade from our current version, 10.5.4-4 to 10.6.0-7 tonight but after reading this unresolved thread, I've decided to hold back until this is resolved. I will be looking forward to Symantec's response to this. Thanks.

 

Mark

 

Hi,

Got feedback from Symantec, they found a bug within the distribution logic of the Ultra-Url feature.

For more than a week one certain blocked url gets through smg without any complaints.

For more than 3 weeks we could not identify any further false positive.

 

Thomas

Just to clarify, this issue has nothing to do with version 10.6 as we were experiencing same problem on version 10.5.1-2 before we upgraded to 10.6.0-7. I think it started when the ThreatCon level moved up to 2: Elevated from level 1: Normal. 

I can't tell what went crazy on Symantec's end because we never experieced this in the past.

What we had to do was to enable end user quarantine and have users manage their emails and whitelist. This almost work perfectly in our case except for broken MX record. Every article I found on end user quarantine states that you need ldap configured but non mentioned anything about MX record. I thought spam notifcations and emails release would use the setting under Protocol -> Domain (and "Administration -> Configuration -> Edit Host Configuration -> SMTP -> Inbound -> Inbound Local Mail Delivery") to deliver emails but instead it looks up mx record for the recipient domain and fails when it does't find it.

We have domains that do not have mx record because we didn't need to have them before we enabled end user quarantine, so recipients in that domain were never notified about quarantined emails. We also could not release any email addresses to those domains from the spam quarantine because the messaging gateway would look up mx and not find it.

We fixed that problem by creating mx record for those domains. The problem we have now is how to notify people who didn't receive spam quarantine notifications before the mx records were created, and do not have new email emails in quarantine in the last 24 hours - which triggers spam summary notification.

Transmo,

I think we are talking about completly different things here.

ThreatCon is just a static status of symantec and has absolutely nothing to do with any functionality, filtering or what so ever on smg. From my point of view its a high level, management summary of the threads beeing detected globaly deepsight.

In your case i would have taken a look at the smtp settings of cc (as you should know, quarantine resides on cc).

Currently you are using "Use existing non-local relay settings", right?

Therefor you need MX records for all you domains. Change it to a relay hop and you dont need the mx records.

Regards

Thomas