False Positives on Meeting notices from Exchange 2010?

Jason Meyer
Level 1

I have outgoing e-mails scanned for SPAM at the highest thresholds to prevent compromised accounts from sending phishing attempts out from my environment.

In the last week or two I have seen a huge increase in the number of false positives on meeting notices going out to external recipients.  Am trying to find a way to write a content filter to exclude meeting notices but thus far have not been able to.

I have the thresholds set to Suspected 89 and Positive Identified set to 100.

Any advice on fixing the false positives or writing a content filter to exclude meeting notices?  

4 Replies

Paul Cardelli
Level 1

Bypassing the Spam filters is a bit of a trick, and I'm not sure how to do it within a filter; mainly this is done at the level of the policy or HAT table. I'm guessing there are real phishing messages currently being reported that pretend to be notifications. You may need to adjust your Spam thresholds a bit and do some testing until you find that happy medium.

Bypassing the SPAM filters is easy: just set the action on the SPAM to deliver and add a custom header to the message, then use content filters to trigger on that header and do what you want to the message.  I was quarantining the messages, but because of all the false positives I was having to release I've changed it to deliver the e-mails, which now also lets all of the real SPAM out when an internal account becomes compromised.

My thresholds are as high as they can go, so I'm not sure how I can adjust them to make this better.

In my mind it just boils down to the Cisco/IronPort SPAM filter definitions becoming more and more inaccurate over time.  

I'm currently looking for a header that meeting invites have and no other e-mails have, which I can exclude on; I haven't found it yet.

Yes, I was going to suggest finding the header to filter on for the notification. There is probably something in the header that is used to identify the object type in outlook and other clients. I find Quarantines a good place to start. I usually duplicate the target messages in the quarantine and look at the headers in the captured messages.

I believe you're on the right track. Really interested in what you find out as far as the header on the notifications.

I did not find a usable header that I could exclude on so I opened a TAC support call for this.  They had me submit some of the false positives and they are analyzing them now.
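The header hunt discussed above (pulling false positives from the quarantine and looking for something only meeting invites carry), as an added example that is not from this thread or from Cisco: a Python triage helper that parses a quarantined message and reports the attributes marking it as a calendar invite, so a content-filter condition can be chosen as narrowly as possible. The sample messages are constructed, and the `Content-Class` value is an assumption about what Exchange sets that should be checked against your own false positives before you filter on it.

```python
# Added triage helper (not from the thread or from Cisco): report which
# attributes of a quarantined message mark it as a meeting invite.
import email
from email import policy

# Constructed sample of an iTIP meeting request. The Content-Class value is an
# assumption about what Exchange sets; verify it against your own quarantine.
SAMPLE_INVITE = b"""\
From: alice@example.test
Subject: Project sync
Content-Class: urn:content-classes:calendarmessage
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/calendar; charset="us-ascii"; method=REQUEST

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
SUMMARY:Project sync
END:VEVENT
END:VCALENDAR
--b1--
"""
# Constructed ordinary mail that must not match.
SAMPLE_PLAIN = b"From: a@example.test\nSubject: Hi\nContent-Type: text/plain\n\nHello\n"

def invite_signals(raw: bytes) -> dict:
    """Collect every attribute that could serve as a content-filter condition."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sig = {"content_class": msg.get("Content-Class"), "calendar_part": False,
           "method_param": None, "itip_method": None}
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        sig["calendar_part"] = True
        sig["method_param"] = part.get_param("method")
        for line in part.get_content().splitlines():
            if line.upper().startswith("METHOD:"):
                sig["itip_method"] = line.split(":", 1)[1].strip().upper()
    return sig

def is_meeting_invite(raw: bytes) -> bool:
    """Match on the calendar part plus its iTIP method, not on a header alone:
    any sender can add a header, so a header-only spam bypass is too wide."""
    sig = invite_signals(raw)
    return sig["calendar_part"] and sig["itip_method"] in {"REQUEST", "CANCEL"}
```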