09-17-2019 10:01 AM - edited 09-17-2019 10:02 AM
THIS IS A BIT OF AN EMERGENCY: I installed two new virtual Ironports, C100V. I copied the config from our old Ironports. Now, for some reason, most of the incoming email is falsely being marked as [P-Suspected Spam]. From the logs it looks like everything is being queued for delivery directly to the offbox Quarantine.
One example:
Tue Sep 17 18:17:59 2019 Info: Start MID 1274 ICID 14339
Tue Sep 17 18:17:59 2019 Info: MID 1274 ICID 14339 From: <xxx@xxx.xx>
Tue Sep 17 18:17:59 2019 Info: MID 1274 ICID 14339 RID 0 To: <xxx@xxx.xx>
Tue Sep 17 18:18:00 2019 Info: MID 1274 SPF: helo identity postmaster@EUR03-AM5-obe.outbound.protection.outlook.com Pass (v=spf1)
Tue Sep 17 18:18:00 2019 Info: MID 1274 SPF: mailfrom identity <xxx@xxx.xx> Pass (v=spf1)
Tue Sep 17 18:18:00 2019 Info: MID 1274 DMARC: Message from domain xxxx.com, DMARC pass (SPF aligned True, DKIM aligned True)
Tue Sep 17 18:18:00 2019 Info: MID 1274 DMARC: Verification passed
Tue Sep 17 18:18:00 2019 Info: MID 1274 Message-ID '<61cd825976e04ed78c5837bdc388aded@fxxx.com>'
Tue Sep 17 18:18:00 2019 Info: MID 1274 Subject 'Some subject '
Tue Sep 17 18:18:00 2019 Info: MID 1274 SDR: Domains for which SDR is requested: reverse DNS host: mail-eopbgr30105.outbound.protection.outlook.com, helo: EUR03-AM5-obe.outbound.protection.outlook.com, env-from: xxx.com, header-from: Not Present, reply-to: Not Present
Tue Sep 17 18:18:01 2019 Info: MID 1274 SDR: Consolidated Sender Reputation: Neutral, Threat Category: N/A. Youngest Domain Age: 5 years 3 months 21 days for domain: xxxx.com
Tue Sep 17 18:18:01 2019 Info: MID 1274 SDR: Tracker Header : sY3eaBOXop21Gk5+83C2qdeMmyI69B+IgFwHp0plRjqhYRbfE/KqJgH6Fx1cc2K1iR5ZYHbTI8w6o6i+DSWCB/0EMY/ZiipsZg/h8ZC8UKM7LYv5ZcPFXloOnmZ5ZdFEYSEL1yBRQD95CfLWIFpu92tRhB57nWMCDIl2TNH74r2BX7MRAy0cE9Ydqt7XJN+5UBSRJ/Jhj6Iwx7PSOH4avu6YrB3IYM99+EJ6W9DeBP0l60eG06tUOuay43bnCvTP7fg2faF6NsPv3KqASgwW+X8whQquJlR9mofT3L5Fgrq9m0SWII9Yt4xfJUPMh7iw
Tue Sep 17 18:18:01 2019 Info: MID 1274 ready 10257 bytes from <xxxx.com>
Tue Sep 17 18:18:01 2019 Info: MID 1274 matched all recipients for per-recipient policy DEFAULT in the inbound table
Tue Sep 17 18:18:04 2019 Info: MID 1274 interim verdict using engine: CASE spam negative
Tue Sep 17 18:18:04 2019 Info: MID 1274 using engine: CASE spam negative
Tue Sep 17 18:18:04 2019 Info: MID 1274 interim AV verdict using Sophos CLEAN
Tue Sep 17 18:18:04 2019 Info: MID 1274 antivirus negative
Tue Sep 17 18:18:04 2019 Info: MID 1274 using engine: GRAYMAIL negative
Tue Sep 17 18:18:04 2019 Info: MID 1274 Outbreak Filters: verdict negative
Tue Sep 17 18:18:04 2019 Info: ISQ: Tagging MID 1274 for quarantine (X-Ironport-Quarantine)
Tue Sep 17 18:18:04 2019 Info: MID 1274 queued for delivery
Tue Sep 17 18:18:04 2019 Info: Delivery start DCID 1801 MID 1274 to RID [0] to offbox IronPort Spam Quarantine
Tue Sep 17 18:18:04 2019 Info: Message done DCID 1801 MID 1274 to RID [0] (external quarantine)
Tue Sep 17 18:18:04 2019 Info: MID 1274 RID [0] Response 'ok: Message 81016
My anti-spam settings on the inbound mail policy are the default.
09-17-2019 11:18 AM
Hey,
The emails are landing in the Offbox Spam Quarantine as per the Mail Logs, but that isn't being done by the Antispam engine. As per the logs you shared, the verdict for CASE is Negative, which means the AS isn't tagging this email as positive/suspect spam.
Tue Sep 17 18:18:04 2019 Info: MID 1274 interim verdict using engine: CASE spam negative
Tue Sep 17 18:18:04 2019 Info: MID 1274 using engine: CASE spam negative
Now, emails landing in the Spam Quarantine is possibly happening due to a header X-Ironport-Quarantine being inserted in the email by one of the configured Content Filters or Message Filters. Please check the existing filters in the appliance; any filter having an action to Add/Edit Header --> X-Ironport-Quarantine needs to be checked.
Best Regards,
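A way to confirm the diagnosis above across a whole mail_logs file rather than one message: the script below (added here as an example, not part of the reply or of the ESA product) pairs each "ISQ: Tagging MID" line with that MID's final CASE verdict, and reports MIDs that were quarantined although the anti-spam engine said negative. The log lines are constructed, modelled on the excerpt in the question.

```python
import re

# Constructed sample, modelled on the mail_logs excerpt posted in the question.
SAMPLE_LOG = """\
Tue Sep 17 18:18:04 2019 Info: MID 1274 interim verdict using engine: CASE spam negative
Tue Sep 17 18:18:04 2019 Info: MID 1274 using engine: CASE spam negative
Tue Sep 17 18:18:04 2019 Info: ISQ: Tagging MID 1274 for quarantine (X-Ironport-Quarantine)
Tue Sep 17 18:18:04 2019 Info: Delivery start DCID 1801 MID 1274 to RID [0] to offbox IronPort Spam Quarantine
Tue Sep 17 18:19:10 2019 Info: MID 1275 using engine: CASE spam suspect
Tue Sep 17 18:19:10 2019 Info: ISQ: Tagging MID 1275 for quarantine (X-Ironport-Quarantine)
Tue Sep 17 18:20:30 2019 Info: MID 1276 using engine: CASE spam negative
Tue Sep 17 18:20:30 2019 Info: MID 1276 queued for delivery
"""

# Final (non-interim) CASE verdict line; "interim verdict using engine" does not match.
VERDICT_RE = re.compile(r"MID (\d+) using engine: CASE spam (\w+)")
# Spam Quarantine tagging line written when X-Ironport-Quarantine is acted on.
ISQ_RE = re.compile(r"ISQ: Tagging MID (\d+) for quarantine")


def classify_quarantines(lines):
    """Return {mid: case_verdict} for every MID tagged for the Spam Quarantine.

    A verdict of 'negative' means the anti-spam engine did not send it there,
    so a content or message filter adding X-Ironport-Quarantine is the likely cause.
    """
    verdicts = {}
    tagged = []
    for line in lines:
        m = VERDICT_RE.search(line)
        if m:
            verdicts[m.group(1)] = m.group(2)
            continue
        m = ISQ_RE.search(line)
        if m:
            tagged.append(m.group(1))
    return {mid: verdicts.get(mid, "unknown") for mid in tagged}


def suspicious_quarantines(lines):
    """MIDs quarantined despite a negative CASE verdict, sorted."""
    return sorted(mid for mid, v in classify_quarantines(lines).items() if v == "negative")


if __name__ == "__main__":
    for mid in suspicious_quarantines(SAMPLE_LOG.splitlines()):
        print(f"MID {mid}: quarantined by a filter header, not by the anti-spam verdict")
```

Run it against a real mail_logs export with `suspicious_quarantines(open("mail_logs").read().splitlines())`; a long list of hits with a default anti-spam policy points at a filter, as in this thread.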
09-18-2019 01:28 AM
That is correct. It was the content filter below that erroneously marked everything as spam. Although I can't understand why. The filter says that if both recipient and receiver are company.com, then mark it as spam. It worked fine in my old C170, running 10.0.0-203. But in the new virtual appliance, C100V, 12.5.0-059, the filter is behaving differently and was marking almost all email as spam.
09-18-2019 01:42 AM
Thanks for sharing the filter snapshot.
As we can see in the conditions, it says "If One or more conditions match" in the top right hand side in the filter. With the current condition, if the sender OR the recipient is company.com then the filter will trigger. That is the expected behavior of the filter.
If you want the filter to trigger only if both Sender AND Recipient are company.com, you will have to select "Only if all Conditions match" from the dropdown.
Best Regards,
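The two match modes described above, modelled as an added example (constructed code, not the filter engine itself): the same two domain conditions are evaluated under "If one or more conditions match" (OR) and "Only if all conditions match" (AND) over a constructed set of sender/recipient pairs, which shows why the OR form tags every inbound message addressed to company.com.

```python
COMPANY = "company.com"  # the domain used in the thread's filter

# Constructed sample traffic: (envelope sender, recipient).
SAMPLE_MESSAGES = [
    ("alice@company.com", "bob@company.com"),          # internal to internal
    ("news@external.example", "bob@company.com"),      # inbound from outside
    ("alice@company.com", "partner@external.example"), # outbound
    ("x@other.example", "y@third.example"),            # neither side is the company
]


def domain_of(address):
    """Domain part of an e-mail address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def filter_matches(sender, recipient, mode):
    """Evaluate the thread's two conditions under the chosen match mode.

    mode 'any' = 'If one or more conditions match' (OR),
    mode 'all' = 'Only if all conditions match'   (AND).
    """
    conditions = [domain_of(sender) == COMPANY, domain_of(recipient) == COMPANY]
    if mode == "any":
        return any(conditions)
    if mode == "all":
        return all(conditions)
    raise ValueError(f"unknown match mode: {mode}")


def count_marked(mode, messages=SAMPLE_MESSAGES):
    """How many of the sample messages the filter would tag in this mode."""
    return sum(1 for s, r in messages if filter_matches(s, r, mode))


if __name__ == "__main__":
    for mode in ("any", "all"):
        print(f"mode={mode}: {count_marked(mode)} of {len(SAMPLE_MESSAGES)} messages tagged")
```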
09-18-2019 05:05 AM
Perfect, that explains it. In my old environment it was set correctly, but I missed it when transferring the config to the new VM.