Suspected Spam Rating

Mar 13th, 2012

We are getting a lot of phishing email and email with malicious links. We are bringing down our suspected spam level to 30 to see if that will help.

It would be nice if, like the SBRS, we could get a spam rating on the email so that we could gauge our efforts. CLEAN just doesn't cut it...

Viruses - We would rather Drop or at least Quarantine so-called Repaired messages rather than Deliver. Any way to do that? For example, we stripped the infected attachment from this email but it still gets delivered and confuses the recipient.

 

From: FedEx Express Services [mailto:customer-shipments@fedex.com]
Sent: Wednesday, March 07, 2012 1:03 PM
To:
Subject: Track your parcel ID5631

FedEx notice,

The delivery service couldn’t deliver your package.
The package weight exceeds the allowable free-delivery limit.

You have to receive your packagen personally.
Print out the "Invoice Copy" attached and collect the package at our office.

Please read carefully the attached information before receiving your package.

Thank you for attention. FedEx Customer Services.

doug.l.maxfield Thu, 03/15/2012 - 07:24

Starla,

All of that can be changed under Incoming Mail Policies, Anti-Virus. We have our default policy set to Scan for Viruses and if a virus is found, drop the message.

As for the Spam score, not going to be able to get that.  I've tried...no luck.

Doug

andmuell Fri, 03/16/2012 - 01:23

Hi Starla,

I second Doug's recommendation about the anti-virus settings. In the mail policies you will find that you can set the behavior of antivirus to either "Scan for viruses only" or "Scan and Repair". If you select the latter, it makes good sense that there is no option to drop a repaired message, because you'd drop it just as being infected without the effort to repair it first. Quarantining such a repaired message is possible if you add a header (the option can be found under "Advanced" in the repaired Message section), and then use a content filter matching on that header and redirecting the message to a local quarantine. BTW, you could use that filter as well to drop the message, but like I said before, there is an easier way for that.

Regarding the antispam score not being directly visible in the headers, two notes about that. First one from my personal experience: when it comes to IPAS and positive spam, the scores are either very high (above 90), or very low (false positives, that is), below 10. Rates between 80 and 30 are relatively rare (compared to the amount of messages getting scanned, I mean), which means that some customers may have to lower their threshold for positive spam from 90 to 80, but that's all the fine-tuning usually needed. So in other words, lowering the suspected spam level won't get you any better result - actually, by IronPort definitions, suspected spam is not considered spam at all; it's more messages we consider legitimate, but which also come with patterns that relate to the usual spam nobody wants. That's why this option is here.

BTW, what version of AsyncOS are you using, Starla? Because the Virus Outbreak Filters in the newer AsyncOS versions are better at detecting malicious links in emails.

Second note about the spam score not being visible in the message - it is to prevent reverse engineering of the antispam engine and algorithms. It's as simple as that, just think about how easy it would be for some people to adjust their messages not to be caught by antispam.

Hope that helps,

Andreas

StarInSD1189 Fri, 03/16/2012 - 09:06

I'm still running 7.1.5-017 and had already planned to upgrade during our March downtime. Good thing, since I got the security vulnerability warning today. And I'm looking forward to the better detection of malicious links.

Anything I should know about when I go to upgrade directly from 7.1.5-017 to 7.5.1-102?

I do have my settings at "Scan for viruses only" (with the radio button selected to strip infected attachments) and then Drop Virus Infected Messages. Is the selection of stripping the attachments confusing IronPort so that the messages aren't getting dropped?

Thanks

Starla

Posted March 13, 2012 at 1:52 PM