Reports of Spam at multiple clients

I have had some reports recently from different clients of mine that they have seen an increase in the number of messages that are getting through the Ironport filter. I have been researching the issue to see if we have a misconfiguration somewhere that is allowing the increase to happen.  Granted they still have about 90% of their spam blocked but some messages that are getting through are causing a tiny bit of concern for me.

What I have checked:

  • Increased the Maximum Message Size to Scan to 262144 bytes in the Anti-spam settings
  • Verified MX records only point to the Ironport's outside IP
  • Verified firewall only has port 25 open on the outside for the Ironport and not anything else
  • Verified the Ironport is scanning the messages getting through by looking for the "X-IronPort-Anti-Spam-Filtered: true" line in the message headers
  • Installed the latest OS software 7.1.5

Any ideas of other things to try would be great.  I have considered increasing the max message size to 512MB as these devices are not really using too much of their memory/processor power. And I have looked over the Answer ID article 493 "IronPort Anti-Spam Efficacy Checklist".  Has anyone else noticed an uptick of spam that is trickling through? As I mentioned it is not an obscene amount, but it is enough for clients to have taken notice.

All of the devices we are using are Ironport c150s

And for good measure here's an example of one that has snuck through:

Sending mail server: mta-inap6.bluestatedigital.com [69.25.74.172]

Message Header:

Received: from OutsideClientMX (x.x.x.x) by Ironport_c150
 (x.x.x.x) with Microsoft SMTP Server id 8.1.436.0; Tue, 24 May 2011 11:02:21 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhEMAPPU201FGUqseWdsb2JhbAAmgkCDdG2edgEBCwsLBwUNBSLJQ4MOIoJrBJAfiFSGLQ
Received: from mta-inap6.bluestatedigital.com ([69.25.74.172])  by
 OutsideClientMX with SMTP; 24 May 2011 11:12:29 -0500
Received: by mta-inap6.bluestatedigital.com (Postfix, from userid 506) id
 2FBB7744AFE4D; Tue, 24 May 2011 12:02:20 -0400 (EDT)
Received: from maillist-a  by bounce.bluestatedigital.com with local
 (PHPMailer); Tue, 24 May 2011 16:02:20 +0000
Date: Tue, 24 May 2011 16:02:20 +0000
To: <client-email@something.com>
From: "Robby Mook, DCCC Executive Director" <dccc@dccc.org>
Reply-To: dccc@dccc.org
Subject: Friend, can you call today?
Message-ID: <24499ec8d6b9842f68415aa4cb1a7c93@bounce.bluestatedigital.com>
X-Priority: 3
X-Mailer: PHPMailer [version 1.71-blue_mailer]
X-maillist-id: 719ac85d6f7ef883
X-maillist-guid: AQZVVmpTVw0EUAgAVVNVVgZfCAoH
List-Unsubscribe: <http://www.dccc.org/page/unsubscribe/?email=client-email@something.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="b1_24499ec8d6b9842f68415aa4cb1a7c93"
Return-Path: AQZVVmpTVw0EUAgAVVNVVgZfCAoH@bounce.bluestatedigital.com

Blacklist check of the offending domain is attached.


Hi Justin,

Sorry to hear about your frustration with missed spam. It sounds like you have done a bit of diagnosis on your own but I wanted to provide a few extra details here that I think you may find helpful in resolving this issue.

First the basics.

Are your feature keys up to date? If the IPAS feature key expires you will still scan messages for spam but the rule sets will not be up to date. To check the feature keys you can issue the command featurekey from the CLI.

smurf.run> featurekey

Module                              Quantity   Remaining   Expiration Date
Bounce Verification                 1          Perpetual   N/A
IronPort Email Encryption           0          expired     Sat Jun  4 13:55:51 2011
IronPort Anti-Spam                  1          8 days      Wed Jun 22 19:27:12 2011
Incoming Mail Handling              1          Perpetual   N/A
Virus Outbreak Filters              1          16 days     Fri Jul  1 14:31:12 2011
Sophos Anti-Virus                   1          1 day       Thu Jun 16 15:32:28 2011
McAfee                              1          30 days     Thu Jul 14 17:14:37 2011

Choose the operation you want to perform:
- ACTIVATE - Activate a (pending) key.
- CHECKNOW - Check now for new feature keys.
[]>

The next question is: does IPAS have issues updating? You can check this by issuing the command asstatus or antispamstatus from the CLI. You should see something in the list updated in the last half hour.

murf.run> asstatus

  Component              Last Update                  Version
  CASE Core Files        23 May 2011 19:39 (GMT)      3.1.0-014
  Structural Rules       14 Jun 2011 16:40 (GMT)      3.1.0-014-20110614_051407
  Content Rules          14 Jun 2011 17:00 (GMT)      20110614_165620
  Content Rules Update   14 Jun 2011 17:10 (GMT)      20110614_170905
  CASE Utilities         23 May 2011 19:34 (GMT)      3.1.0-014
  Web Reputation DB      13 Jun 2011 20:56 (GMT)      20110613_205102
  Web Reputation Rules   14 Jun 2011 17:05 (GMT)      20110613_205102-20110614_170206

Last download attempt made on 14 Jun 2011 17:10 (GMT)

smurf.run>

*Case core files and utilities don't typically get updated as often as the other components.

If the system is not updating you can try to verify connectivity to the update server using telnet by attempting a connection to downloads.ironport.com on port 80.

smurf.run> telnet

Please select which interface you want to telnet from.
1. Auto
2. Management (10.92.152.67/24: smurf.run)
[1]>

Enter the remote hostname or IP address.
[]> downloads.ironport.com

Enter the remote port.
[25]> 80

Trying 10.92.144.24...
Connected to downloads.ironport.com.
Escape character is '^]'.

If all of this is OK, we then need to look at why the messages are missed. This data can be found in the mail logs.

If you grep for one of these messages, what do we see for the MID, and then if you grep for the ICID, what do we see?

The MID will provide us with details such as: was it scanned by CASE? Was it too large to be scanned? Was there a scanning error? Was it marked clean?

The ICID will tell us what sendergroup and mail flow policy the messages came in on. This can help us further analyze the message to see if it's routed through a sendergroup/mail policy that has spam scanning turned off.

Finally, if you provide the full header data we can analyze the messages in more detail to determine what the spam score was and why it was missed.

I am providing detailed instructions on the submissions process below. This would be the next logical step in this process. There is no feedback from this system and if you want specific details you will need to open a ticket with support so we can in turn open a ticket with the COG team (Case Operations Group) who manages the rule sets.

How do I report IronPort Anti-Spam false positives or missed spam?

To send a missed spam or message incorrectly marked as "not-spam" email to IronPort Systems for examination, there are a number of ways to submit messages.

  • Preferred: Use the Outlook plug-in or Lotus plug-in, found on the Cisco IronPort Email Security Page.
  • For customers using clients other than Microsoft Outlook, go to your email program and follow the instructions to attach the email as an RFC-822 MIME encoded attachment. See article 472.
  • (NOTE: All submitted messages must be in the RFC 822 format and ONLY that format. Any other formats (such as S/MIME) are currently not compatible with the submission tool.)

Note: Unless submitted through a plug-in (MS Outlook, not MS Outlook Express), messages forwarded must be RFC-822 compliant attachments. Forwards of previously forwarded messages cannot be processed at this time.

Each message is reviewed by a team of human analysts and used to enhance the accuracy and effectiveness of the product.

Once we receive submissions from a customer or from other sources, these messages are passed through automated classification systems that make use of our latest rule set. If these messages are tagged by the new rule-set as spam, they are classified as such. Due to a delay in receiving samples and generating rules, many of the missed-spam messages usually have rules published between the time they are received by our customers and reported to us.

There are some messages that are part of new spam trends or new variants that are sufficiently different or new spam strains that are not classified by automated systems. Basically, any messages that are held for classification due to some mitigating factors are held for human review. We attempt to get to these messages within 2-3 hours of them being ingested into the corpus.

Note: Although every report sent as an RFC-822 attachment to this address will be reviewed, most submissions will not receive an actual physical reply from IronPort.

Customers using IronPort Anti-Spam or Symantec Brightmail Anti-Spam will want to submit both 'missed spam' (False Negatives) and messages which are incorrectly classified as SPAM (False Positives). In either case, the submission must be attached to an email as an RFC-822 MIME encoded attachment. This ensures that the submission can be processed quickly and efficiently. The actual steps to follow are different for each mail program (Mail User Agent).

Report undetected spam to: spam@access.ironport.com
Report false-positives to: ham@access.ironport.com

Microsoft Outlook

  1. The most effective way to submit using Outlook is to use the plug-in, found here: Cisco IronPort Email Security Page.
  2. Click the submission buttons located in the tool bar.
  3. To cause all forwarded messages to be an RFC-822 MIME encoded attachment:
    1. Click Tools > Options.
    2. Click Preferences > E-mail Options.
    3. In the drop-down section "When forwarding a message," choose "Attach original message."
    4. Click OK.
    5. Click OK.
    6. In the drop-down section "When replying to a message," choose "Attach original message."
    7. Click OK.
    8. Click OK.
  4. If you prefer "in-line" style forwarding generally, you can force Outlook to use RFC-822 for a given message(s).
    1. Navigate to the folder that contains the submission.
      1. For example, your Inbox.
    2. Hold down the control key (Ctrl) and highlight at least two messages.
    3. Right-click on the highlighted messages, choose Forward.
    4. This "forces" Outlook to use RFC-822; however, Brightmail does not accept multiple submissions in this format.
    5. Brightmail users:
      1. Delete all but one "attachment".
      2. Repeat for each message.
    6. IronPort Anti-Spam accepts multiple attachments:
      1. Click Send.
    7. If you have only one example, delete the additional message.
Lotus Notes

Tested with Notes versions 6.5.x and 7.0.x

  1. From your Lotus Notes inbox:
    1. The most effective way to submit using Notes is to use the plug-in, found here: Cisco IronPort Email Security Page.
    2. Open the false negative (missed spam) or false positive message.
    3. Click View > Show > Page Source.
    4. Copy all the data into a text file and save the file with a .eml extension. Repeat for each message.
    5. Create a new message.
    6. Attach the .eml file(s) and send the new message.
  2. Brightmail Domino Agent - Download from the Cisco IronPort Email Security Page.

Outlook Express 6

  1. Open Outlook Express 6.
  2. Right-click the message that you want to submit, choose Forward As Attachment.

Entourage (Apple Mac)

  1. Open Entourage.
  2. Right-click the message to submit, choose Forward As Attachment.

Apple Mail.app

  1. Open Apple Mail.app
  2. File -> Save As, Format - Raw Message Source, Repeat for each spam message
  3. Create a new message
  4. Attach raw source file(s) to the new message

Mozilla Thunderbird

  1. Open Thunderbird.
  2. Select message (message is highlighted)
  3. Then click Message -> Forward As -> "Attachment"
    1. "Message" is at the top, next to "File Edit View Go"

Netscape Messenger

  1. Open Netscape Messenger.
  2. Right-click the message to submit, choose Forward as an attachment.

I hope this helps. If you need further assistance let us know.

Christopher C Smith

CSE
Cisco IronPort Customer Support 
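The submission rules above (one original message per RFC-822 attachment, S/MIME not accepted, several attachments allowed) can be met from any mail client by building the submission programmatically. This is an added illustration, not a Cisco tool or plug-in; the saved .eml below is a constructed sample modelled on the header in the first post, and the sender address is a placeholder.

```python
import email
from email import policy
from email.message import EmailMessage

SPAM_ADDR = "spam@access.ironport.com"  # missed spam; false positives go to ham@access.ironport.com

# Constructed sample of a saved .eml, modelled on the header quoted in the first post.
SAMPLE_EML = b"""\
From: "Robby Mook, DCCC Executive Director" <dccc@dccc.org>
To: <client-email@something.com>
Subject: Friend, can you call today?
Date: Tue, 24 May 2011 16:02:20 +0000
Message-ID: <24499ec8d6b9842f68415aa4cb1a7c93@bounce.bluestatedigital.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

(body of the missed spam)
"""

def is_submittable(raw):
    """Only plain RFC 822 is accepted by the submission tool; S/MIME wrapping is not."""
    m = email.message_from_bytes(raw, policy=policy.default)
    ctype = m.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return False
    return not (ctype == "multipart/signed" and "pkcs7" in (m.get_param("protocol") or ""))

def build_submission(raw_messages, sender, to_addr=SPAM_ADDR):
    """Attach each saved message as its own message/rfc822 part (IPAS accepts several)."""
    sub = EmailMessage()
    sub["From"] = sender
    sub["To"] = to_addr
    sub["Subject"] = "Missed spam submission (%d message(s))" % len(raw_messages)
    sub.set_content("Each attachment is one original message in RFC 822 format.")
    for raw in raw_messages:
        if not is_submittable(raw):
            raise ValueError("only plain RFC 822 messages can be submitted")
        inner = email.message_from_bytes(raw, policy=policy.default)
        sub.add_attachment(inner)  # EmailMessage serialises a Message object as message/rfc822
    return sub

def attached_subjects(sub):
    """Self-check: Subject of every message/rfc822 attachment, as the analysts will see it."""
    return [p.get_content()["Subject"] for p in sub.iter_attachments()
            if p.get_content_type() == "message/rfc822"]

def roundtrip_subjects(sub):
    """Serialise and re-parse, proving the attachments survive the wire as RFC 822."""
    return attached_subjects(email.message_from_bytes(sub.as_bytes(), policy=policy.default))
```

Hand the result of build_submission to smtplib (or save it with as_bytes() and send it from the mail client); the roundtrip check is what a forward-of-a-forward would fail.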

Hi Chris

Thanks for the information.  I have the Outlook Ironport add-in to report some of the messages that have made it through so I will do that.

I checked the Feature Keys and the CASE updates and everything seems to be running fine and up to date (It attempted to download updates today and the updates were recent).

I need to get you info from the Mail Logs, let me get a recent spam message.  There were a few this morning, but the CASE system was down (we recently lost power and had a reboot at this site but it is all working fine now).

I will get you logging on a message as soon as I get a new one in.

thanks!

Chris,

Since you broke down all of the different ways to submit Spam, I thought that I would let you know another way for T-Bird users. In looking for something similar to the Outlook plug-in, we found a T-Bird plug-in called mailsentry_ironport_spam_reporter-1.1-tb.xpi. It has a couple of options to either "Report Spam" or "Report Ham". It has worked very well for our users.

If you send me a PM, I will get a copy of it to you. That way, maybe it could become an official plug-in to use for Ironport T-Bird users.

Doug

Here's one:

Message Headers:

Received: from smtp2.childdevinc.org (x.x.x.x) by mail.childdevinc.org
 (x.x.x.x) with Microsoft SMTP Server id 8.1.436.0; Thu, 16 Jun 2011
 06:25:00 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AkYCAGrn+U0/+800kWdsb2JhbAAyChaCUZwRAYYgeGYUAQEBAQkJDQcSJ7tkjXcBBIMtgnqHIYo8kBY
Received: from smtp52.mail.mylife.com ([63.251.205.52])  by
 smtp2.childdevinc.org with ESMTP; 16 Jun 2011 06:35:40 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=ir; d=mail.mylife.com;
 h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type; i=mylife@mail.mylife.com;
 bh=LoEu9jyoM6TRYVufjT/LYtf9CxI=;
 b=PPVcgiwUsSoqM6dnbmv3nSe6UD0k4Eyas1GipV5Ik7WAlAvQwmv4YZ4vSf5vpyAYupD9aS+Salyf
   BNTfcZcKZQ==
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=ir; d=mail.mylife.com;
 b=V3xlBemB9asnG50FKCGiMl5opqxBxCsifIw3ZODPZfDNFuE0QXjz2cuLh1QsxgRcZtGirDBp6x/O
   3gSslc34Lg==;
Received: by smtp52.mail.mylife.com (PowerMTA(TM) v3.5r16) id hv7k0m10a1kl for
 <user@childdevinc.org>; Thu, 16 Jun 2011 04:24:58 -0700 (envelope-from
 <mylife@mail.mylife.com>)
Date: Thu, 16 Jun 2011 04:24:57 -0700
From: MyLife Updates <mylife@mail.mylife.com>
Reply-To: noreply-mi@mail.mylife.com
To: User <user@childdevinc.org>
Message-ID: <1900443531.3075371.1308223497778.JavaMail.mailadmin@mail5.reunion.com>
Subject: See our latest results for Christopher Thornton
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_Part_3075369_1703718179.1308223497778"
X-Un: sQU1SkYiLCbLM01w_feIfw**
X-JOB: 3337_06-16-2011
X-reuniontype: 3337
X-au-recp-type: 1
x-virtual-mta: mi

smtp2.childdevinc.org> grep -i "MID 964172" mail_logs

Thu Jun 16 06:35:40 2011 Info: Start MID 964172 ICID 14413195
Thu Jun 16 06:35:40 2011 Info: MID 964172 ICID 14413195 From: <mylife@mail.mylife.com>
Thu Jun 16 06:35:40 2011 Info: MID 964172 ICID 14413195 RID 0 To: <user@childdevinc.org>
Thu Jun 16 06:35:40 2011 Info: MID 964172 Message-ID '<1900443531.3075371.1308223497778.JavaMail.mailadmin@mail5.reunion.com>'
Thu Jun 16 06:35:40 2011 Info: MID 964172 Subject 'See our latest results for Christopher Thornton'
Thu Jun 16 06:35:40 2011 Info: MID 964172 ready 18152 bytes from <mylife@mail.mylife.com>
Thu Jun 16 06:35:40 2011 Info: MID 964172 matched all recipients for per-recipient policy DEFAULT in the inbound table
Thu Jun 16 06:35:41 2011 Info: MID 964172 interim verdict using engine: CASE spam negative
Thu Jun 16 06:35:41 2011 Info: MID 964172 using engine: CASE spam negative
Thu Jun 16 06:35:41 2011 Info: MID 964172 queued for delivery
Thu Jun 16 06:35:41 2011 Info: Delivery start DCID 584828 MID 964172 to RID [0]
Thu Jun 16 06:35:41 2011 Info: Message done DCID 584828 MID 964172 to RID [0]
Thu Jun 16 06:35:41 2011 Info: MID 964172 RID [0] Response '2.6.0 <1900443531.3075371.1308223497778.JavaMail.mailadmin@mail5.reunion.com> Queued mail for delivery
Thu Jun 16 06:35:41 2011 Info: Message finished MID 964172 done
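The two greps Chris asked for (follow the MID, then the ICID it came in on) answer the questions he lists: was CASE run, what size was the message, which policy and sender group handled it. Added script, not from Cisco or anyone in the thread; the sample log is constructed from the lines above, and the two ICID-only lines at the top follow the AsyncOS connection-log format as I remember it and are an assumption.

```python
import re

# Constructed sample modelled on the mail_logs lines quoted in the post above.
# The two ICID-only lines (connection accepted, sender group matched) follow the
# AsyncOS log format as I recall it; they are an assumption, not from the thread.
SAMPLE_LOG = """\
Thu Jun 16 06:35:39 2011 Info: New SMTP ICID 14413195 interface Data1 (x.x.x.x) address 63.251.205.52 reverse dns host smtp52.mail.mylife.com verified yes
Thu Jun 16 06:35:39 2011 Info: ICID 14413195 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Thu Jun 16 06:35:40 2011 Info: Start MID 964172 ICID 14413195
Thu Jun 16 06:35:40 2011 Info: MID 964172 ICID 14413195 From: <mylife@mail.mylife.com>
Thu Jun 16 06:35:40 2011 Info: MID 964172 ICID 14413195 RID 0 To: <user@childdevinc.org>
Thu Jun 16 06:35:40 2011 Info: MID 964172 ready 18152 bytes from <mylife@mail.mylife.com>
Thu Jun 16 06:35:40 2011 Info: MID 964172 matched all recipients for per-recipient policy DEFAULT in the inbound table
Thu Jun 16 06:35:41 2011 Info: MID 964172 interim verdict using engine: CASE spam negative
Thu Jun 16 06:35:41 2011 Info: MID 964172 using engine: CASE spam negative
Thu Jun 16 06:35:41 2011 Info: MID 964172 queued for delivery
"""

def triage(log_text, mid):
    """Follow one MID through mail_logs, then its ICID: the two greps Chris describes.
    Returns None when the MID does not appear at all."""
    lines = log_text.splitlines()
    mid_lines = [l for l in lines if re.search(rf"\bMID {mid}\b", l)]
    if not mid_lines:
        return None
    r = {"mid": mid, "icid": None, "size_bytes": None, "policy": None,
         "verdicts": [], "sendergroup": None, "warnings": []}
    for l in mid_lines:
        if (m := re.search(r"\bICID (\d+)", l)):
            r["icid"] = m.group(1)
        if (m := re.search(r"ready (\d+) bytes", l)):
            r["size_bytes"] = int(m.group(1))
        if (m := re.search(r"per-recipient policy (\S+)", l)):
            r["policy"] = m.group(1)
        # Final engine verdict; the "interim verdict" line is deliberately skipped.
        if "interim" not in l and (m := re.search(r"using engine: (\S+) (spam \S+)", l)):
            r["verdicts"].append((m.group(1), m.group(2)))
        if re.search(r"too (big|large)|scan(ning)? error", l, re.I):
            r["warnings"].append(l)
    if not r["verdicts"]:
        r["warnings"].append("no anti-spam verdict logged: check the size limit and the mail flow policy")
    # Connection-level lines carry the ICID but no MID: that is where the sender group match is.
    for l in lines:
        if r["icid"] and re.search(rf"\bICID {r['icid']}\b", l) and not re.search(r"\bMID \d+", l):
            if (m := re.search(r"\b(ACCEPT|RELAY|REJECT|TCPREFUSE) SG (\S+)", l)):
                r["sendergroup"] = m.group(2)
    return r
```

For the message above, triage(SAMPLE_LOG, "964172") reports a CASE "spam negative" verdict on an 18152-byte message under the DEFAULT policy, which is exactly the "scanned but not caught" case that needs a sample submission rather than a configuration change.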

Greetings Justin,

From the message headers and log snippet you have sent, it appears that the message has been scanned by IronPort AntiSpam but has not been identified as a spam message. As Chris mentioned above, please send us the original message as an attachment to spam@access.ironport.com and provide us the email address or method you used to submit the message.

You can send multiple messages at once by saving each missed spam in rfc822 format and then attaching them to an email to spam@access.ironport.com.

Thanks,

Jyothi Gandla

Customer Support Engineer