Delivery despite spam (confirmed)
-
Hello,
A SPAM message was delivered, although it was clearly identified as SPAM (see yellow marking in the screenshot).
I have the following settings under Security -> Anti-Spam -> Outbreak Protection.
-
Matthew Staff
In this configuration, SecurityGateway is configured to add 5.5 points to a message that Outbreak Protection returns as confirmed spam. While the accuracy of Outbreak Protection is very good, there is always the possibility of a false positive.
On the Security | Anti-Spam | Message Scoring page you can change the score required for a message to be rejected.
If you would like to reject any message that Outbreak Protection returns as confirmed spam, just change the configuration setting. Think of this as a short circuit: the message will be rejected regardless of its final score.
-
Hello Matthew,
Unfortunately no points were added to the above mail.
What surprises me is the following:
- Outbreak Protection (Anti-Virus) is started
- the message is recognized as SPAM (see yellow marking in the first screenshot)
- Then Outbreak Protection (Anti-Virus) is terminated.
- Then Outbreak Protection (Spam) is started
- and shortly thereafter terminated without detection
Does Outbreak Protection (Anti-Virus) also have SPAM detection, which is not recognized by SecurityGateway?
Regards
Oliver
-
Matthew Staff
@Oliver the Outbreak Protection lookup returns both virus and spam results. The result is cached by SecurityGateway. The "Outbreak Protection (Spam)" Sieve script should have used this cached result and added points to the message score.
Is the message from a domain mail server, authenticated sender, or sender that is on the allow list which would cause it to be excluded? I need to review the full details/transcript for this message to investigate further.
-
@Matthew, I think I was able to find the problem.
I have two domains. domain1.tld and domain2.tld
The mails to domain1.tld go to SecurityGateway and after checking it sends the mails to mail.server.tld
The mails to domain2.tld go directly to mail.server.tld
There is a mail address info@domain2.tld, which is forwarded to meine@domain1.tld on server mail.server.tld.
The spammer has sent a message to info@domain2.tld. In SecurityGateway, the second line of the recording reads "Sender is mail server of a local domain (mail.server.tld)"
This is probably why the message went through.
I will now also run the message traffic for domain2.tld via SecurityGateway.
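An added example (not from the thread or from the SecurityGateway product) showing how an administrator could check for the two conditions Oliver found: a session that Outbreak Protection flagged as spam but that a trust rule excluded from scoring, and a domain whose mail reaches the shared backend without passing through the gateway. The transcript lines and the domain map are constructed for the example; only the "Sender is mail server of a local domain" phrase is taken from the thread, the rest of the line format is assumed.

```python
import re

# Constructed session lines; the format is assumed, not real product output.
CONSTRUCTED_TRANSCRIPT = [
    "Message received for info@domain2.tld from mail.server.tld",
    "Sender is mail server of a local domain (mail.server.tld)",
    "Outbreak Protection (Anti-Virus) started",
    "Outbreak Protection result: confirmed spam",
    "Outbreak Protection (Anti-Virus) terminated",
    "Outbreak Protection (Spam) started",
    "Outbreak Protection (Spam) terminated",
    "Final score: 0.0",
]

# Trust rules named in Matthew's reply that exclude a message from scoring.
EXCLUSION_MARKERS = (
    "Sender is mail server of a local domain",
    "Sender is authenticated",
    "Sender is on the allow list",
)


def audit_session(lines):
    """Report a scoring gap: Outbreak Protection confirmed spam, yet a trust
    rule excluded the session and no points reached the final score."""
    excluded_by, confirmed_spam, score = None, False, None
    for line in lines:
        if line.startswith(EXCLUSION_MARKERS):
            excluded_by = line
        if "Outbreak Protection result: confirmed spam" in line:
            confirmed_spam = True
        m = re.match(r"Final score: ([0-9.]+)$", line)
        if m:
            score = float(m.group(1))
    gap = confirmed_spam and excluded_by is not None and (score or 0.0) == 0.0
    return {"excluded_by": excluded_by, "confirmed_spam": confirmed_spam,
            "score": score, "gap": gap}


def forwarding_gaps(domains):
    """domains maps name -> {"via_gateway": bool, "backend": host}.
    Returns domains delivered straight to a backend that also serves a
    gateway-protected domain: mail forwarded from them arrives from a
    trusted local mail server and skips scoring, as in the thread."""
    protected = {d["backend"] for d in domains.values() if d["via_gateway"]}
    return sorted(n for n, d in domains.items()
                  if not d["via_gateway"] and d["backend"] in protected)
```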