12-11-2014 07:23 AM
I have outgoing e-mails scanned for SPAM at the highest thresholds to prevent compromised accounts from sending phishing attempts out from my environment.
In the last week or two I have seen a huge increase in the number of false positives on meeting notices going out to external recipients. I am trying to find a way to write a content filter to exclude meeting notices but thus far have not been able to.
I have the thresholds set to Suspected 89 and Positive Identified set to 100.
Any advice on fixing the false positives or writing a content filter to exclude meeting notices?
12-11-2014 07:57 AM
Bypassing the Spam filters is a bit of a trick, and I'm not sure how to do it within a filter; mainly this is done at the level of the policy or the HAT table. I'm guessing there are real phishing messages currently being reported that pretend to be notifications. You may need to adjust your Spam thresholds a bit and do some testing until you find that happy medium.
12-11-2014 08:47 AM
Bypassing the SPAM filters is easy: just set the action on the SPAM to deliver and add a custom header to the message, then use content filters to trigger on that header and do what you want to the message. I was quarantining the messages, but because of all the false positives I was having to release, I've changed it to deliver the e-mails, which now also allows all of the real SPAM out when an internal account becomes compromised.
My thresholds are as high as they can go so not sure how I can adjust them to make this better.
In my mind it just boils down to the Cisco/IronPort SPAM filter definitions becoming more and more inaccurate over time.
Currently looking for a header that message invites have that no other e-mails have that I can exclude on, haven't found it yet.
12-11-2014 11:45 AM
Yes, I was going to suggest finding the header to filter on for the notification. There is probably something in the header that is used to identify the object type in outlook and other clients. I find Quarantines a good place to start. I usually duplicate the target messages in the quarantine and look at the headers in the captured messages.
I believe you're on the right track. Really interested in what you find out as far as the header on the notifications.
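The posts above describe a pattern: have the anti-spam engine deliver rather than quarantine, let it tag the message with a custom header, and make a content filter act on that header while exempting meeting invites. The script below is an added example written for this page, not code from the thread or from Cisco, and it models that filter decision in Python so the logic can be checked offline. Rather than hunting for a single distinctive header, it recognises an invite by the standard iTIP structure Outlook/Exchange produce: a `text/calendar` MIME part with `method=REQUEST`. The header name `X-Outbound-Spam-Verdict` is an assumption (whatever name the admin configures in the anti-spam action), and both sample messages are constructed for the example.

```python
"""Model of the 'deliver, tag, then content-filter' outbound policy from the
thread. Added example, not the thread's or the vendor's own code."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed name of the custom header the anti-spam engine adds on "deliver";
# the real name is whatever was configured in the anti-spam action.
VERDICT_HEADER = "X-Outbound-Spam-Verdict"

# Constructed sample: a meeting request as Outlook/Exchange send it, i.e. a
# multipart message carrying a text/calendar part with method=REQUEST.
INVITE = """\
From: Alice Example <alice@example.com>
To: bob@partner.example
Subject: Project sync
X-Outbound-Spam-Verdict: Suspected
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Project sync, Thursday 10:00 UTC.
--b1
Content-Type: text/calendar; charset="utf-8"; method=REQUEST
Content-Transfer-Encoding: 7bit

BEGIN:VCALENDAR
METHOD:REQUEST
PRODID:-//Example//Calendar//EN
VERSION:2.0
BEGIN:VEVENT
ORGANIZER;CN=Alice Example:mailto:alice@example.com
ATTENDEE;CN=Bob:mailto:bob@partner.example
SUMMARY:Project sync
DTSTART:20141218T100000Z
DTEND:20141218T110000Z
UID:20141211T070000Z-1234@example.com
END:VEVENT
END:VCALENDAR
--b1--
"""

# Constructed sample: ordinary text mail that the engine flagged as suspected.
FLAGGED_TEXT = """\
From: Alice Example <alice@example.com>
To: bob@partner.example
Subject: Please verify your account
X-Outbound-Spam-Verdict: Suspected
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Your mailbox is full, confirm your password at the link below.
"""

_ORGANIZER = re.compile(r"^ORGANIZER[^:\r\n]*:mailto:([^\r\n]+)", re.I | re.M)


def calendar_part(msg: Message):
    """Return the body of the first text/calendar part that is an iTIP REQUEST,
    or None when the message carries no such part."""
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        method = (part.get_param("method") or "").upper()
        if method == "REQUEST" or re.search(r"^METHOD:REQUEST", body, re.I | re.M):
            return body
    return None


def organizer_matches_sender(msg: Message, ics: str) -> bool:
    """Only exempt invites whose ORGANIZER is the From address, so a lure that
    merely carries a calendar part does not ride the exemption."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    m = _ORGANIZER.search(ics)
    return bool(sender) and m is not None and m.group(1).strip().lower() == sender


def outbound_action(raw: str) -> str:
    """Content-filter decision for one outbound message: 'deliver' or 'quarantine'."""
    msg = message_from_string(raw)
    verdict = (msg.get(VERDICT_HEADER) or "").strip().lower()
    if not verdict:                 # engine did not flag the message at all
        return "deliver"
    if verdict == "positive":       # positively identified: never exempt
        return "quarantine"
    ics = calendar_part(msg)
    if ics is not None and organizer_matches_sender(msg, ics):
        return "deliver"            # suspected-only verdict on a genuine invite
    return "quarantine"


if __name__ == "__main__":
    for name, sample in (("invite", INVITE), ("flagged text", FLAGGED_TEXT)):
        print(f"{name}: {outbound_action(sample)}")
```

The point of the two guards is that the exemption is itself a bypass: an attacker holding a compromised mailbox can wrap a lure in a calendar invite just as easily as in plain text. The script therefore never exempts a "Positive" verdict (the 100 threshold in the first post) and only exempts a "Suspected" one when the iCalendar ORGANIZER is the sending address. When translating this into an appliance content filter, the condition to key on is the presence of a `text/calendar` part with `method=REQUEST` plus the verdict header, and a spike in outbound invite volume from one account should still be alerted on separately, since the exemption removes quarantine for exactly that traffic.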
12-12-2014 08:31 AM
I did not find a usable header that I could exclude on so I opened a TAC support call for this. They had me submit some of the false positives and they are analyzing them now.