Messaging Gateway

  • 1.  SBG 8.0.3-11 Letting Spam Through

    Posted Feb 08, 2010 01:24 PM

    In the last month, I personally have received two spam messages which made it through the gateway.  Up until that point, I had not experienced (and had not heard from any users of) any spam being let through at all.  The message is quite plainly a spam message also - doesn't seem particularly tricky to me.  Any advice on what I can tweak to tighten up the spam filtering rules on the appliance?  For the most part, we're using the default scanning settings.  Spam definitions are up to date, also.  Details of the message below:



    Received: from sbg.domain.com (192.168.xxx.x) by exchangeserver.domain.com
     (10.xxx.xx.xx) with Microsoft SMTP Server (TLS) id 8.1.393.1; Mon, 8 Feb 2010
     09:48:03 -0800
    X-AuditID: c0a8cc06-b7c27ae000002466-43-4b704e517172
    Received: from host108-25-static.231-95-b.business.telecomitalia.it
     (host108-25-static.231-95-b.business.telecomitalia.it [95.231.25.108]) by
     sbg.domain.com (Symantec Brightmail Gateway) with SMTP id
     E5.E5.09318.25E407B4; Mon,  8 Feb 2010 09:48:03 -0800 (PST)
    Received: by host108-25-static.231-95-b.business.telecomitalia.it (Postfix,
     from userid 33) id 098545A09B; Mon, 8 Feb 2010 18:58:54 +0100
    To: <first.last@domain.com>
    Subject: __Percocet-Adderall-Vicodin.ES-Brand Ritalin__
    Message-ID: <2010185854.098545A09B@host108-25-static.231-95-b.business.telecomitalia.it>
    Date: Mon, 8 Feb 2010 18:58:54 +0100
    From: <noreply@message.myspace.com>
    Content-Type: text/html; charset="US-ASCII"
    Content-Transfer-Encoding: 7bit
    X-Brightmail-Tracker: AAAABAEWYfYSuTijErk4tBK9jmw=
    MIME-Version: 1.0
    Return-Path: noreply@message.myspace.com


    Thanks!



  • 2.  RE: SBG 8.0.3-11 Letting Spam Through

    Posted Feb 08, 2010 01:43 PM
    Hi,

    From the X-Brightmail-Tracker, we can tell this message actually had a filter in place to give the message a spam verdict at the time it passed through the Symantec Brightmail Gateway.

    Have you whitelisted any senders or IPs that might have allowed this message to pass? What does the Message Audit Log say for the verdict of this message?

    Thanks,
    Amanda


  • 3.  RE: SBG 8.0.3-11 Letting Spam Through

    Posted Feb 08, 2010 02:51 PM
    Hi Mike,

    As Amanda pointed out, this message should have triggered a spam verdict on your appliance, but if this spam message got through, then it is most likely due to whitelisted senders.  To find out exactly why it got through, we should start by taking a look at the message audit log for this message.  Can you please provide a screenshot or the details from the Message Audit Logs for this message?

    Regards,

    Adnan


  • 4.  RE: SBG 8.0.3-11 Letting Spam Through

    Posted Feb 08, 2010 05:26 PM
    @Amanda:

    I have the following configuration under the reputation section of the appliance:

    Local Good Sender Domains - none configured
    Local Good Sender IPs - One entry configured - 207.102.122.196 - this does not match the source of the spam
    Third Party Good Senders - none configured
    Symantec Global Good Senders - enabled, default configuration
    Fastpass - enabled, default configuration

    I myself personally have no whitelist configured on the appliance for my email address.  I have one entry in my personal blacklist.

    Message Audit Log Entry:

    Message Data
      ID: c0a8cc06-b7c27ae000002466-43-4b704e517172
      Message-ID: <2010185854.098545a09b@host108-25-static.231-95-b.business.telecomitalia.it>
      Tracker: AAAABAEWYfYSuTijErk4tBK9jmw=
      Accepted From: 95.231.25.108
      Scanners: Symantec Brightmail Gateway
      Time accepted: Monday, Feb 08, 2010 09:48:01 AM PST
      Direction: Inbound
      Sender: noreply@message.myspace.com
      Original recipients: firstname.lastname@domain.com
      Original Subject: __percocet-adderall-vicodin.es-brand ritalin__
      Full attachment list: None
      Suspect attachments: None
    Recipient Data
      Intended recipient: firstname.lastname@domain.com

      Verdict:
        Verdict  Filter Policy  Group                           Details
        Spam     default        firstname.lastname@company.com  None

      Actions taken: Deliver message normally

      Delivery:
        Delivered To  Delivery Time
        10.x.x.x      Monday, Feb 08, 2010 09:48:03 AM PST

      Untested verdicts:  Suspected spam, Message was sent from a suspect spammer, Locally identified suspected virus, Suspected virus, Content Compliance violation: Delete Executable Files Violations, Content Compliance violation: Delete Email Policy Violations, Content Compliance violation: Legal Disclaimer, Content Compliance violation: Delete True Type Executable Files Violations, Unknown recipient, Connection Class, Default Connection Class, Connection Class 1, Connection Class 2, Connection Class 3, Connection Class 4, Connection Class 5, Connection Class 6, Connection Class 7, Connection Class 8, Connection Class 9, Bounce attack signature present, Known language

      Other recipients:


    Upon reviewing these results, I realized that I myself am set up with a different set of spam policies than the rest of the organization.  Under the administration tab > groups, I personally have the following spam actions configured:

    Email
      Inbound email antispam policy:
      Inbound email suspected spam policy:

    The rest of the organization has the inbound email antispam policy configured as "delete message".

    What I find interesting is why the message was delivered normally to my mailbox, instead of quarantined.
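    The checks Amanda and Adnan walk through above (which IP the gateway accepted the message from, whether that IP matches a Good Sender entry, and whether the audit-log verdict and action agree) can be scripted. The block below is an added example for this thread, not code from the original posts or from Symantec; the Received chain is the one posted above with the masked internal addresses kept as posted, `AUDIT_ENTRY` is a constructed summary of the posted Message Audit Log fields, and the gateway hostname `sbg.domain.com` is taken from those headers.

```python
import ipaddress
import re

# Received chain exactly as posted in the thread (internal addresses masked as posted).
RAW_HEADERS = """Received: from sbg.domain.com (192.168.xxx.x) by exchangeserver.domain.com
 (10.xxx.xx.xx) with Microsoft SMTP Server (TLS) id 8.1.393.1; Mon, 8 Feb 2010
 09:48:03 -0800
X-AuditID: c0a8cc06-b7c27ae000002466-43-4b704e517172
Received: from host108-25-static.231-95-b.business.telecomitalia.it
 (host108-25-static.231-95-b.business.telecomitalia.it [95.231.25.108]) by
 sbg.domain.com (Symantec Brightmail Gateway) with SMTP id
 E5.E5.09318.25E407B4; Mon,  8 Feb 2010 09:48:03 -0800 (PST)
Received: by host108-25-static.231-95-b.business.telecomitalia.it (Postfix,
 from userid 33) id 098545A09B; Mon, 8 Feb 2010 18:58:54 +0100
From: <noreply@message.myspace.com>
Return-Path: noreply@message.myspace.com
"""

# Constructed summary of the Message Audit Log entry posted in the thread.
AUDIT_ENTRY = {
    "accepted_from": "95.231.25.108",
    "verdict": "Spam",
    "policy": "default",
    "actions_taken": "Deliver message normally",
}

# Local Good Sender IPs as listed in the thread (single IPs or CIDR blocks).
LOCAL_GOOD_SENDER_IPS = ["207.102.122.196"]


def unfold_headers(raw):
    """Return (name, value) pairs, joining RFC 5322 folded continuation lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:          # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def gateway_accepted_from(raw, gateway_host):
    """IP of the host that connected to gateway_host, read from the Received
    header that gateway_host itself stamped (the only trustworthy hop for us).
    Returns None if no such header carries a bracketed IPv4 address."""
    ipv4_in_brackets = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
    for name, value in unfold_headers(raw):
        if name.lower() != "received" or f"by {gateway_host}" not in value:
            continue
        match = ipv4_in_brackets.search(value)
        if match:
            return match.group(1)
    return None


def matches_good_sender(ip, good_senders):
    """True if ip falls inside any Good Sender entry (single IP or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in good_senders)


def audit_findings(entry, good_senders):
    """Explain why a message with a spam verdict was still delivered.

    Returns a list of findings; an empty list means the entry is consistent."""
    findings = []
    ip = entry["accepted_from"]
    if matches_good_sender(ip, good_senders):
        findings.append(f"{ip} matches a Good Sender entry: reputation whitelist bypassed filtering")
    spam_verdict = entry["verdict"].lower() == "spam"
    delivered = entry["actions_taken"].lower().startswith("deliver")
    if spam_verdict and delivered:
        findings.append(
            f"spam verdict but action was '{entry['actions_taken']}' under policy "
            f"'{entry['policy']}': the group's spam policy is not enforcing (check it is enabled)"
        )
    return findings


if __name__ == "__main__":
    ip = gateway_accepted_from(RAW_HEADERS, "sbg.domain.com")
    print("gateway accepted message from:", ip)
    for finding in audit_findings(AUDIT_ENTRY, LOCAL_GOOD_SENDER_IPS):
        print("finding:", finding)
```

    Only the Received header stamped by the gateway itself is used for the connecting IP; the hops recorded by the sender's own Postfix are under the sender's control and are ignored. On the thread's data the script reports no whitelist match and exactly one finding: a spam verdict paired with a "Deliver message normally" action, which is the disabled-policy condition identified in the answer below.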



  • 5.  RE: SBG 8.0.3-11 Letting Spam Through
    Best Answer

    Posted Feb 08, 2010 05:58 PM
    Thanks for providing the detailed info.

    The Email Spam Policy that applies to your specific group (firstname.lastname@company.com) is disabled (indicated by a hyphen, instead of the check mark, next to the policy name under the Enabled column).  Please check the Email Spam Policies page (Spam > Email).  Here is a screenshot to show what I mean:


    [Screenshot: DisabledSpamPolicy.png]

    Hope this helps to solve the mystery of missed spam :)

    Regards,

    Adnan



  • 6.  RE: SBG 8.0.3-11 Letting Spam Through

    Broadcom Employee
    Posted Feb 08, 2010 06:13 PM
    You might also try tightening down your suspected spam by lowering your threshold. This can be accessed under Spam->Scan Settings. The lower the number, the more items it will identify as suspected spam.

    But only getting 2 pieces of missed spam should normally not be a big deal; we won't catch everything.


  • 7.  RE: SBG 8.0.3-11 Letting Spam Through

    Posted Feb 08, 2010 06:34 PM
    Bingo!  Thanks AdnanH!


  • 8.  RE: SBG 8.0.3-11 Letting Spam Through

    Posted Feb 09, 2010 05:43 AM

    Hi J,

    Just to clarify here, adjusting the Suspected Spam threshold here isn't going to help, as we know these messages received a spam verdict and were actually caught as spam.  2 missed spam shouldn't be that big a deal, but in this case these weren't missed spam and we did actually catch them.