Incoming Email Final verdict using engine: CASE spam suspect

anil.gupta3
Level 1

Hi Guys,

I am facing an issue with IronPort anti-spam troubleshooting. The IronPort anti-spam CASE engine marked an email from a (xxxx@yahoo.com) user ID as suspected spam and delivered it to the alternate email ID, as per the incoming mail policy configuration.

I am not able to understand what condition or content marked that mail as suspected spam. Please help me understand why the anti-spam CASE engine marked the mail below as suspected spam.

Below is the log from the IronPort anti-spam device for the same mail.

Sat Jan 2 11:59:51 2016 Info: New SMTP ICID 880125 interface Data 1 (x.x.x.x) address 72.30.239.19 reverse dns host nm38-vm3.bullet.mail.bf1.yahoo.com verified yes
Sat Jan 2 11:59:51 2016 Info: ICID 880125 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 5.5
Sat Jan 2 11:59:51 2016 Info: Start MID 775241 ICID 880125
Sat Jan 2 11:59:51 2016 Info: MID 775241 ICID 880125 From: <xxxx@yahoo.com>
Sat Jan 2 11:59:51 2016 Info: MID 775241 ICID 880125 RID 0 To: <xxxx@domain.com>
Sat Jan 2 11:59:52 2016 Info: MID 775241 SPF: helo identity postmaster@nm38-vm3.bullet.mail.bf1.yahoo.com None
Sat Jan 2 11:59:52 2016 Info: MID 775241 SPF: mailfrom identity xxxx@yahoo.com Pass (v=spf1)
Sat Jan 2 11:59:52 2016 Info: MID 775241 Message-ID '<696945026.6123655.1451721575079.JavaMail.yahoo@mail.yahoo.com>'
Sat Jan 2 11:59:52 2016 Info: MID 775241 Subject 'Payment'
Sat Jan 2 11:59:52 2016 Info: MID 775241 ready 3232 bytes from <xxxx@yahoo.com>
Sat Jan 2 11:59:52 2016 Info: MID 775241 matched all recipients for per-recipient policy 20Mb incoming mail size for MD in the inbound table
Sat Jan 2 11:59:53 2016 Info: ICID 880125 close
Sat Jan 2 11:59:54 2016 Info: MID 775241 interim verdict using engine: CASE spam suspect
Sat Jan 2 11:59:54 2016 Info: MID 775241 using engine: CASE spam suspect
Sat Jan 2 11:59:54 2016 Info: MID 775241 rewritten to MID 775242 by antispam (alt-rcpt-to)
Sat Jan 2 11:59:54 2016 Info: MID 775242 ICID 0 From: <xxxx@yahoo.com>
Sat Jan 2 11:59:54 2016 Info: MID 775242 ICID 0 RID 0 To: <eadmin@domain.com>
Sat Jan 2 11:59:54 2016 Info: Message finished MID 775241 done
Sat Jan 2 11:59:54 2016 Info: MID 775242 interim AV verdict using Sophos CLEAN
Sat Jan 2 11:59:54 2016 Info: MID 775242 antivirus negative
Sat Jan 2 11:59:54 2016 Info: MID 775242 Outbreak Filters: verdict negative
Sat Jan 2 11:59:54 2016 Info: MID 775242 queued for delivery
Sat Jan 2 11:59:54 2016 Info: New SMTP DCID 404821 interface (x.x.x.x) address (x.x.x.x)port 25
Sat Jan 2 11:59:54 2016 Info: Delivery start DCID 404821 MID 775242 to RID [0]
Sat Jan 2 11:59:54 2016 Info: Message done DCID 404821 MID 775242 to RID [0]
Sat Jan 2 11:59:54 2016 Info: MID 775242 RID [0] Response 'Message accepted for delivery'
Sat Jan 2 11:59:54 2016 Info: Message finished MID 775242 done
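
One way to triage a verdict like this from mail_logs, as an added example that is not from the original post or from Cisco: it follows a MID through the antispam rewrite and pulls out the SBRS score, the SPF result, the final CASE verdict and where the message actually went, so a suspected false positive can be documented before the sample is sent to TAC. The log text is a constructed sample modelled on the excerpt above; the regexes are assumptions about the line formats shown there, not an official log schema.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the thread's excerpt (not a live capture); addresses are placeholders.
SAMPLE_LOG = """\
Sat Jan 2 11:59:51 2016 Info: ICID 880125 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 5.5
Sat Jan 2 11:59:51 2016 Info: Start MID 775241 ICID 880125
Sat Jan 2 11:59:51 2016 Info: MID 775241 ICID 880125 RID 0 To: <xxxx@domain.com>
Sat Jan 2 11:59:52 2016 Info: MID 775241 SPF: mailfrom identity xxxx@yahoo.com Pass (v=spf1)
Sat Jan 2 11:59:54 2016 Info: MID 775241 using engine: CASE spam suspect
Sat Jan 2 11:59:54 2016 Info: MID 775241 rewritten to MID 775242 by antispam (alt-rcpt-to)
Sat Jan 2 11:59:54 2016 Info: MID 775242 ICID 0 RID 0 To: <eadmin@domain.com>
Sat Jan 2 11:59:54 2016 Info: MID 775242 antivirus negative
Sat Jan 2 11:59:54 2016 Info: MID 775242 RID [0] Response 'Message accepted for delivery'
"""
# (regex on the text after "Info: ", field). 'id' is "MID n" or "ICID n", 'v' the value stored.
FIELDS = [
    (r"(?P<id>ICID \d+) ACCEPT .*SBRS (?P<v>\S+)", "sbrs"),
    (r"Start (?P<id>MID \d+) ICID (?P<v>\d+)", "icid"),
    (r"(?P<id>MID \d+) ICID \d+ RID \d+ To: <(?P<v>[^>]*)>", "to"),
    (r"(?P<id>MID \d+) SPF: mailfrom identity \S+ (?P<v>\w+)", "spf_mailfrom"),
    (r"(?P<id>MID \d+) using engine: (?P<v>.+)", "antispam"),  # final verdict; 'interim' lines skip
    (r"(?P<id>MID \d+) rewritten to (?P<v>MID \d+) by antispam", "rewritten_to"),
    (r"(?P<id>MID \d+) antivirus (?P<v>\w+)", "antivirus"),
    (r"(?P<id>MID \d+) RID \[\d+\] Response '(?P<v>.*)'", "response"),
]

def parse_mail_logs(text):
    """Index mail_logs lines by 'MID n' / 'ICID n'; recipients accumulate in a list."""
    by_id = defaultdict(lambda: {"to": []})
    for line in text.splitlines():
        msg = line.split(" Info: ", 1)[-1]
        for pattern, key in FIELDS:
            hit = re.match(pattern, msg)
            if hit and key == "to":
                by_id[hit["id"]]["to"].append(hit["v"])
            elif hit:
                by_id[hit["id"]][key] = hit["v"]
    return by_id

def summarize(text, mid):
    """Follow a MID through antispam rewrites; report reputation, SPF, CASE verdict and final delivery."""
    by_id, chain = parse_mail_logs(text), []
    while mid in by_id and mid not in chain:  # stop at an unknown MID or a rewrite loop
        chain.append(mid)
        mid = by_id[mid].get("rewritten_to")
    if not chain:
        return {}  # MID not present in this log
    first, last = by_id[chain[0]], by_id[chain[-1]]
    return {"mids": chain, "sbrs": by_id.get("ICID " + first.get("icid", ""), {}).get("sbrs"),
            "spf_mailfrom": first.get("spf_mailfrom"), "antispam": first.get("antispam"),
            "original_to": first["to"], "delivered_to": last["to"],
            "antivirus": last.get("antivirus"), "response": last.get("response")}
```

A summary whose original_to and delivered_to differ while SPF passed and SBRS is neutral-to-good is exactly the "aggressive rule" case the replies describe, and the returned fields are what to quote when submitting the sample.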

Accepted Solution

Doug Maxfield
Level 1

I would recommend opening a TAC case on the problem. You will need to be able to forward the email as an attachment to Cisco. That way, they can investigate and fix the issue. Normally this is caused by a spam rule that is a "little aggressive".

rolfwolff
Level 1

Hello,

We also have the problem, but only overnight. Any ideas?

Kind regards,

Rolf

zalali
Cisco Employee

Doug,

You're correct; you need to provide TAC with the original sample as an attachment, with the headers intact, to be reviewed and analyzed. The anti-spam team should publish new structural rules covering such messages in the future. Alternatively, you can submit the sample directly to our anti-spam team at the email addresses listed in the following KB: http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117822-qanda-esa-00.html

Of course, you need to ensure your appliance is running a supported version (the lowest supported version is 8.0.1), and you need to verify that the CASE structural rules are up to date (from the CLI, using the command "asstatus"). Also, you need to verify that the CASE thresholds on your policy are fine (the defaults are 50-90).

Regards,

Zaid

Hello Zaid,

I have opened a call. Thank you.

Hi, I know this is an old thread, but can you remember what the outcome of your TAC support case was?

We are experiencing the same issue. I've released the suspected spam message and instructed our CIO to forward it to the ham@access.ironport.com email address. Will that be enough, or should I also open a TAC case on it as well?

In our case it was from a very important person sending mail from a Gmail account which was connected via TLS; DMARC, DKIM and SPF all passed. So this was a weird one.

I do not see a TAC case number mentioned in the post, so it would be difficult to look that up.

Can you confirm what email address the false positive sample was submitted from?

I can try and confirm if the rules were updated for that.

Regards,
Libin Varghese