Kerio Antispam - Scoring 10.0 all of a sudden [message #145355]
Tue, 26 March 2019 12:41
Howard
Over the last week we've seen multiple Connect servers incorrectly scoring perfectly legitimate mail with a score of 10.0.
I've seen masses of genuine mail (historically over years allowed through with low scores, all good domain config with SPF, rDNS, DKIM etc) that has since approx Tue 19th March 2019 been rejected by Kerio Antispam (Bit Defender). We maintain around 60+ Connect servers for our customers and this is a widespread issue and also 2 large SaaS Connect instances exhibiting the same behaviour.
Has anyone else seen this behaviour? As a workaround, turn off Kerio Antispam (BitDefender) and enable the Bayes (Spam Assassin) instead. All the other anti spam filters will still be active so it doesn't appear to have increased visible spam in the Inboxes of our customers.
GFI support I don't believe will deal or escalate this in a timely manner, so I'm hoping one of the Dev team is in this forum to allow for this to be flagged as an issue (most likely) with the Bit Defender service or the GFI API to it.
Hope this helps someone.
Re: Kerio Antispam - Scoring 10.0 all of a sudden [message #145366 is a reply to message #145355]
Wed, 27 March 2019 13:15
Maerad
First of all, Kerio's bitdefender does NOT increase the spam score to 10. The added score is defined by the slider in the antispam settings. Maybe someone changed it?
I tuned my settings in a way that bitdefender adds 5 to the spam score. Needs 6.5 points to be blocked, so even IF it would generate a false positive, if everything else checks out, it still should be marked as spam but not blocked.
So I would suggest someone changed the spam rules / scores. Also it could be that the domain or IP address ranges of the previously rightful mails were compromised and blocked in an open blacklist.
I also checked my logs and even the debug log (running antispam there for over a month, because of tuning) - I could not see any false positive, at least one week +- from your suggested date. Personally I would check the Security log for the blocked mails (gives you more insight what the mail scored for) and would also check the mail header itself.
Also not a bad idea to check the domain of the mails against some blacklists etc. with historic entries.
Re: Kerio Antispam - Scoring 10.0 all of a sudden [message #145369 is a reply to message #145366]
Wed, 27 March 2019 13:42
Howard
Thank you for your reply Maerad, although I'm not sure you read my post fully. I didn't say Bitdefender made the score 10. I'm saying genuine mail is being scored at 10 and as a workaround turning off Bit Defender solved it, so whatever Bit Defender adds (default being 5) it's taking it over the threshold to reject it.
On most mail systems we've configured, both the tag and block scores are lowered from the default installation, and for very good reason.
We've found in years of working with Connect installation, to get the perfect level we use the highlighting feature in spam log for keywords "detected" and "rejected" and set them to orange and green respectively. You probably already know you can right-click any log and use the highlighting feature. This gives a traffic light system for spam scoring and enables us to bed in a customer with exactly the right slider scores. This is massively better than using the installation defaults (our server for example tags at 3.5 and rejects at 4.4).
This observation of mine was across multiple servers, and I of course checked the domains - which is why in my post I deliberately stressed the "genuine mail (historically over years allowed through with low scores, all good domain config with SPF, rDNS, DKIM etc)".
If this was happening on a single instance I would not have posted this thread. The fact it's happening on a few servers then I suspect the scoring of BitDefender is not working correctly or there is an issue in how Kerio interacts with the BitDefender service.
Of course your mileage may vary but in my experience and the troubleshooting I took the time to do, I don't believe someone played with the sliders (or "maybe someone changed it" to quote you properly).
Re: Kerio Antispam - Scoring 10.0 all of a sudden [message #145372 is a reply to message #145355]
Wed, 27 March 2019 15:08
freakinvibe
Can you check the header of such a false positive and paste the Spam-related parts here? It should look like this:
X-Spam-Status: Yes, hits=9.2 required=5.0
tests=DNSBL_DNSBL.SORBS.NET: 2.00, BAYES_95: 3.514, HTML_MESSAGE: 0.001,
LOTS_OF_MONEY: 0.001, MILLION_USD: 3.247, MIME_HTML_MOSTLY: 0.428,
T_FILL_THIS_FORM_SHORT: 0.01, TOTAL_SCORE: 9.201,autolearn=no
X-Spam-Flag: YES
X-Spam-Level: *********
With that, you should see what contributed to the Spam score (in your case more than 10).
In Debug log, you should also enable "Spam Filter", so you see what exactly scored how much. It should look like:
[27/Mar/2019 04:52:04][2836] {spam} Spam Filter: calculating spam rating for message 5c9af363-00000293 from <fu@magiplanet.com> to <support<_at_>example.com>...
[27/Mar/2019 04:52:04][2836] {spam} Spam Filter: SPF check failed, adding score 5.00
[27/Mar/2019 04:52:04][2836] {spam} Spam Filter: Sender IP is on blacklists, adding score 9.00 (DNSBL_DNSBL.SORBS.NET: 2.00,DNSBL_DNSBL-1.UCEPROTECT.NET: 3.00,DNSBL_B.BARRACUDACENTRAL.ORG: 2.00,DNSBL_SPAMRBL.IMP.CH: 2.00)
[27/Mar/2019 04:52:04][2836] {spam} SpamAssassin result string for message file C:\Program Files\Kerio\MailServer\store/queue/33/5c9af363-00000293.eml, intrinsic time 0.41s, total time 0.41s: Yes, 23.37,5,ADVANCE_FEE_3_NEW_MONEY: 3.599,AXB_XMAILER_MIMEOLE_OL_024C2: 0.001,BAYES_99: 4.07,BAYES_999: 0.2,FORGED_MUA_OUTLOOK: 1.927,FORM_FRAUD_3: 1.846,FROM_MISSPACED: 0.001,FROM_MISSP_MSFT: 0.001,FROM_MISSP_REPLYTO: 0.001,FROM_MISSP_USER: 0.001,FROM_MISSP_XPRIO: 0.001,FSL_CTYPE_WIN1251: 0.001,FSL_NEW_HELO_USER: 0.631,LOTS_OF_MONEY: 0.001,MISSING_HEADERS: 1.021,MISSING_MID: 0.497,MONEY_ATM_CARD: 1.476,MONEY_FORM_SHORT: 1.26,MONEY_FROM_MISSP: 0.001,NSL_RCVD_FROM_USER: 0.02,REPLYTO_WITHOUT_TO_CC: 1.552,TO_NO_BRKTS_FROM_MSSP: 0.699,TO_NO_BRKTS_MSFT: 2.5,T_FILL_THIS_FORM_SHORT: 0.01,US_DOLLARS_3: 1.754,XPRIO: 0.299,autolearn=no
[27/Mar/2019 04:52:04][2836] {spam} Spam Filter: SpamAssassin check finished, adding score 23.37
[27/Mar/2019 04:52:04][2836] {spam} Spam Filter: Custom spam rules check finished, adding score 0.00
[27/Mar/2019 04:52:04][2836] {spam} Spam Filter: Message 5c9af363-00000293 from <fu@magiplanet.com> to <support<_at_>example.com> got 10.00 hits, total spam score is 37.370
[27/Mar/2019 04:52:04][2836] {spam} Message rejected as spam with score: 10.00, threshold 9.90, From: fu@magiplanet.com, To: support<_at_>example.com, Sender IP: 219.99.220.103, Subject: XXXX, Message size: 2130
Dexion Services AG - IT Support Services in Basel, Switzerland
https://dexionag.ch
[Updated on: Wed, 27 March 2019 15:11]
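The per-check breakdown described in the post above can be extracted from the debug log mechanically. The following is an added example, not part of the original posts and not Kerio's code: it parses "Spam Filter" debug lines of the shape quoted above and, for each rejected message, lists the checks without which the message would have stayed under the reject threshold. The sample log is constructed, and treating the bracketed number after the timestamp as an id for the worker handling one message at a time is an assumption.

```python
import re

# Constructed sample in the debug-log format quoted above; the addresses,
# message id, IP and scores are made up for this example.
SAMPLE_LOG = """\
[27/Mar/2019 09:10:01][2836] {spam} Spam Filter: calculating spam rating for message 5c9b0001-00000001 from <alice@example.org> to <support@example.com>...
[27/Mar/2019 09:10:01][2836] {spam} Spam Filter: SPF check failed, adding score 5.00
[27/Mar/2019 09:10:01][2836] {spam} Spam Filter: SpamAssassin check finished, adding score 1.20
[27/Mar/2019 09:10:01][2836] {spam} Spam Filter: Custom spam rules check finished, adding score 0.00
[27/Mar/2019 09:10:01][2836] {spam} Spam Filter: Message 5c9b0001-00000001 from <alice@example.org> to <support@example.com> got 6.20 hits, total spam score is 6.200
[27/Mar/2019 09:10:01][2836] {spam} Message rejected as spam with score: 6.20, threshold 4.40, From: alice@example.org, To: support@example.com, Sender IP: 192.0.2.10, Subject: XXXX, Message size: 2130
"""

LINE = re.compile(r"^\[[^\]]+\]\[(\d+)\] \{spam\} (.*)$")
START = re.compile(r"Spam Filter: calculating spam rating for message (\S+)")
ADD = re.compile(r"Spam Filter: (.+?), adding score (-?\d+(?:\.\d+)?)")
TOTAL = re.compile(r"Spam Filter: Message (\S+) .* got ([\d.]+) hits, total spam score is ([\d.]+)")
REJECT = re.compile(r"Message rejected as spam with score: ([\d.]+), threshold ([\d.]+)")


def rejected_messages(log_text):
    """Map message id -> score breakdown for every message rejected as spam."""
    pending, reports = {}, {}  # pending is keyed by the assumed worker id
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        worker, body = m.groups()
        if s := START.search(body):
            pending[worker] = {"id": s.group(1), "checks": {}}
        elif worker not in pending:
            continue
        elif a := ADD.search(body):
            pending[worker]["checks"][a.group(1)] = float(a.group(2))
        elif t := TOTAL.search(body):
            pending[worker].update(shown=float(t.group(2)), total=float(t.group(3)))
        elif r := REJECT.search(body):
            msg = pending.pop(worker)
            msg["threshold"] = limit = float(r.group(2))
            total = msg.get("total", sum(msg["checks"].values()))
            # Decisive: without this check the total stays under the threshold.
            msg["decisive"] = [c for c, v in msg["checks"].items() if total - v < limit]
            reports[msg.pop("id")] = msg
    return reports


if __name__ == "__main__":
    print(rejected_messages(SAMPLE_LOG))
```

An empty `decisive` list means no single check explains the rejection, which is the situation in the log quoted in the post (total 37.370 against a threshold of 9.90).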
Re: Kerio Antispam - Scoring 10.0 all of a sudden [message #145379 is a reply to message #145369]
Wed, 27 March 2019 16:44
Maerad
Howard wrote on Wed, 27 March 2019 13:42:
Thank you for your reply Maerad, although I'm not sure you read my post fully. I didn't say Bitdefender made the score 10. I'm saying genuine mail is being scored at 10 and as a workaround turning off Bit Defender solved it, so whatever Bit Defender adds (default being 5) it's taking it over the threshold to reject it.
First of all, please don't get me wrong. It's hard to judge the level of knowledge someone has from some parts of text over the internet. That's why I really can't avoid telling you or suggesting something that you already know.
I read that part right with the "that since approx Tue 19th March 2019 been rejected by Kerio Antispam (Bit Defender)" and that's why I said I don't believe that Bitdefender is the reason, but something else. If Bitdefender adds a score of 5 if positive, the mail would also need to trip almost any other Anti Spam Score in Kerio to reach 10 or more points (Kerio won't display more than 10).
That's why the problem is not a false positive from Bitdefender, but something else (with the sender) is going on like a blacklisting, wrong DNS config or whatever. Otherwise the other spam related parts like spam assassin or SPF check wouldn't also set a score of at least 5. Or someone changed the configs or tried something. I don't know your infrastructure, so I can only surmise what could be the reason or how much your customers can do by themselves in the admin settings.
Also I didn't find any false positive with Bitdefender in that time frame.
For my installation I run 4.5 mark, 6.5 reject for spam, Bitdefender positive adds a score of 5, SPF miss 5, blacklists 1-4 (depending on the list), caller ID 2 and some additional rules. Also all spam mails get redirected to a special mail address and I also checked those mails, if there was a false positive within the timeframe.
I would suggest that you please look up some mails in the security log in that timeframe, as you can check what spam detection was tripped and how the score of 10 was calculated for some of those messages. Also the header of the mail would be interesting. That way we could easily see what was the cause of the score of 10, because bitdefender didn't do that alone.