Starting around 5:30AM this morning a lot of our outbound e-mail began testing as positively identified SPAM. In our environment I have positively identified outbound SPAM setup to go to a quarantine.
In looking at the e-mails they are legitimate e-mails.
My first attempt was to lower the positively identified SPAM threshold from 75 to 50, had no effect.
My second attempt was to exclude our internal domains so that e-mail hitting our IronPort appliances for internal recipients would be allowed through, positively identified SPAM or not.
EDIT: Reviewing some of the e-mails, some are a simple e-mail with text only and a single .pdf attachment. Tested as positively identified SPAM. Some have multiple hyper links but are to legitimate URLs.
What changed this morning that is causing all of these false positives?
What can I do differently to not let this occur again?
I've seen an uptick in incoming mail that is being identified as Suspect Spam and is being redirected to my local spam quarantine. A lot of the messages caught are legitimate messages from our clients we email every day. I am wondering if a new CASE update is causing issues?
I've also noticed legitimate messages getting identified as both spam and suspected spam. Some of these false positives are internal e-mail messages, so I'm performing some emergency maintenance to disable spam scanning on our internally generated messages, even though we purposely set it up to scan internal mail for other reasons.
If your outbound mail is coming from public IP addresses, then you should turn off SBRS in the listener. In the GUI it's
Network -> Listeners -> Advanced. If your outbound mail is all coming from private IP space then SBRS is not an issue but for public IP addresses you don't want to use the reputation since that has a noticeable effect on the overall spam/ham decision.
The SBRS score is listed in Message Tracking. It should say "not enabled" for the outbound listener and most messages should have a valid score for the inbound stuff.
Really appreciate the replies...
Bob, SBRS is disabled on my outbound mail and it also comes from private/internal IP addresses, does show "not enabled" in message tracking...
After my post this morning our appliances (two C660s) were still false positiving a lot of outbound mail that was for external recipients (my filter was excluding internal domains).. but after 1:00PM central or so they started declining and since 3:00PM there hasn't been a single one.. Could be the volume of e-mail is starting to go down a little but I'm guessing there was a CASE rules update...
Now I just need to decide if I'm going to set the SPAM threshold back to what it was or just leave it alone.. We have had a problem with internal users getting their mail accounts compromised and send out a lot of phishing e-mails that I have been trying to block.
We're seeing the same problem. Our outbound mail goes through a private listener with SBRS turned off. We scan for outbound spam to detect cracked accounts, and route spam positive messages to a quarantine. We've seen lots of false positives today. My first thought was that an update to the CASE rules did it.
just a quick update on this, the antispam team has found a misbehaving rule in place during January 1st and 2nd, this has been corrected by now, so false positive rate should have dropped by now. However, anybody still seing false positives at a high number is encouraged to contact customer support with samples, so we can check the rules for these cases.
And of course, sorry for the trouble caused by this.