Troubleshooting Missed Spam

Overview

You may notice, occasionally, that spam has been missed or has not been quarantined by the SpammerTrap.  There are several common causes, and this Guide will assist local administrators in identifying the specific cause and remedying it as applicable.

Where to Start

The first thing you will always need in order to analyze an email sample is the original message headers. Unless you are using some form of email archiving, you will need to retrieve these headers from the desktop of the user who originally received the email.

If you need help in retrieving message headers, this link provides instructions for most popular email clients: http://www.spamcop.net/fom-serve/cache/19.html

If your email client is not listed at this link, a Google search for your mail client's name plus "get headers" will often lead to the applicable instructions, or you may contact SpammerTrap support.


Once You Have The Message Headers

Ask and try to answer the following questions.

  • Was the email received through the SpammerTrap?

The first section of the message headers is the Received trace. It is a log of every mailserver that handled that particular message, in chronological order with the most recent on top. You should see one line beginning with "Received:" for each mailserver along the path. The lines associated with your SpammerTrap will look something like this:

X-Virus-Scanned: SpammerTrap®VPS-1500 2.10 at mx1.secnap.com.ionspam.net
Received: from mx1.sender.com (mx1.sender.com [IP address])
    (Using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mx1.secnap.com.ionspam.net (Postfix) with ESMTPS id CA65C2B7C07
    for: Mon, 11 Jan 2010 17:49:36 -0500 (EST)

The important line to look for is the first one above, beginning with "X-Virus-Scanned:". Your own model number (VPS-1500), version number (2.10) and hostname (mx1.secnap.com.ionspam.net) will differ from what is shown in the example.

If you DO NOT see this line, the email was never received or processed by the SpammerTrap, and your problem is with email routing, not with SpammerTrap accuracy and tuning. Consult your DNS administrator and/or firewall administrator to troubleshoot.

If you DO see this line, your email was processed by the SpammerTrap. Continue reading this troubleshooting Guide to determine why it was not quarantined.

  • Was the sender whitelisted?

Now that you know the email was processed by the SpammerTrap, look further down the message headers at the Score and Tests section.

They will look something like this:

x-spam-flag:NO
x-spam-score:0
x-spam-status:No, score=x tag=-999 tag2=5 kill=5 WHITELISTED tests=[] autolearn=unavailable

The x-spam-status line indicates whether the sender was whitelisted. The relevant token is the word WHITELISTED in the example above; in this case the message sender was whitelisted, which explains why the email passed the spam filter and was not quarantined. It is important to understand that spammers frequently forge their sender address (since, for obvious reasons, they do not want to use their own). Therefore, it is wise to use the whitelisting function sparingly. The trusted sender address that a user whitelists today could conceivably be used by a spammer in the future.

If you DO NOT see the WHITELISTED token shown in the example above, continue reading this troubleshooting Guide.

  • What was the spam score?

The spam flag and spam score are determined by the SpammerTrap and by the filtering policy in use. By default, any email with a spam score greater than 5.0 is considered spam by the SpammerTrap. The header values will look something like this:

x-spam-flag:NO
x-spam-score:2.568

The first value, "x-spam-flag:", is a Boolean. It will read either "YES" or "NO", indicating whether or not the message was categorized as spam by the filtering policy in use. Look at the spam flag together with the overall spam score to see whether a custom policy may have caused the missed spam. (More on this later.)

The second value, "x-spam-score:", is a numeric score indicating how "spammy" the SpammerTrap judged the message to be. Again, values above 5.0 are considered spam by default.

If the spam score is 5.0 or higher, the SpammerTrap correctly scored that email as spam. If it was nevertheless delivered to your user's inbox, check whether that user, or their domain, has created a custom policy that permitted the message to be received. SECNAP recommends using either the "Normal" site policy or the "Drop Junk" site policy. For details on what each policy does, read the product documentation at this link:

http://www.secnap.com/support/manuals/

If the spam score is 4.9 or lower, the SpammerTrap legitimately missed this email. With a spam filtering accuracy rating of 99.9% demonstrated on a consistent basis, very little spam slips by the SpammerTrap, but some does from time to time (or your accuracy rating would be 100% all the time). If you only notice a few missed spam emails, simply move them to the appropriate SpammerTrap Public Folder (if configured) so the system can learn from them. For guidance in selecting the appropriate Public Folder, see this FAQ:

http://www.secnap.com/support/faqs/deciding-which-folder.html

If you feel you are experiencing a larger than normal volume of missed spam, and that you're experiencing less than 99.9% filtering accuracy, please contact SpammerTrap Support.  Before doing so, review the "Still Need Help?" section below for important information on how to submit spam samples to SpammerTrap Support.

  • Does the subject line contain the word "[SPAM]"?

If the email Subject line carries the "[SPAM]" prefix, the SpammerTrap correctly scored and categorized that message as spam. If your user did not want it in their inbox, the filtering policy should be changed to "Drop Junk". Review the SpammerTrap Administrators Manual for details about the "split-quarantine" and the difference between the "Normal" and "Drop Junk" policies:

http://www.secnap.com/support/manuals/
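
The four questions above form one decision procedure, and it is easy to apply them mechanically to a saved header file. The script below is an added example written for this guide; it is not SpammerTrap's own tooling. It assumes the headers were saved to a text file exactly as retrieved from the user's mail client, that the default 5.0 threshold is in force, and that the X-Virus-Scanned line contains the word "SpammerTrap" as in the sample above. The hostnames, message ids and scores in the built-in samples are constructed, and the "no-score" outcome (scanned, but no usable x-spam-score header) is an assumed edge case the guide does not cover.

```python
"""Triage a missed-spam header sample by asking the guide's questions in order.

Added example, not SpammerTrap's own tooling. Assumes the headers were saved
exactly as retrieved from the user's mail client and the default 5.0 threshold.
"""
import re
import sys
from email.parser import HeaderParser

SPAM_THRESHOLD = 5.0  # default threshold stated in the guide


def _constructed_headers(scanned, flag, score, status, subject):
    """Build a constructed header block (sample data, not a real message)."""
    relay = "mx1.example.ionspam.net" if scanned else "mail.internal.example"
    scan_line = f"X-Virus-Scanned: SpammerTrap VPS-1500 2.10 at {relay}\n" if scanned else ""
    spam_lines = "" if status is None else (
        f"x-spam-flag:{flag}\nx-spam-score:{score}\nx-spam-status:{status}\n")
    return (
        scan_line
        + "Received: from mx1.sender.example (mx1.sender.example [192.0.2.10])\n"
        + f"\tby {relay} (Postfix) with ESMTPS id 0123456789AB;\n"
        + "\tMon, 11 Jan 2010 17:49:36 -0500 (EST)\n"
        + spam_lines
        + f"Subject: {subject}\n"
    )


# One constructed sample per branch of the guide.
SAMPLES = {
    "routing": _constructed_headers(False, None, None, None, "cheap watches"),
    "whitelisted": _constructed_headers(
        True, "NO", "0",
        "No, score=x tag=-999 tag2=5 kill=5 WHITELISTED tests=[] autolearn=unavailable",
        "cheap watches"),
    "policy": _constructed_headers(
        True, "YES", "12.7",
        "Yes, score=12.7 tag=-999 tag2=5 kill=5 tests=[] autolearn=spam",
        "[SPAM] cheap watches"),
    "legitimate-miss": _constructed_headers(
        True, "NO", "2.568",
        "No, score=2.568 tag=-999 tag2=5 kill=5 tests=[] autolearn=no",
        "cheap watches"),
}

# The guide's next step for each outcome.
NEXT_STEP = {
    "routing": "No X-Virus-Scanned line: never reached the SpammerTrap; check DNS/MX and firewall routing.",
    "whitelisted": "Sender was whitelisted: review that entry, since spammers forge sender addresses.",
    "policy": "Scored or flagged as spam but delivered: check the user/domain policy (Normal or Drop Junk).",
    "legitimate-miss": "Scored below threshold: move it to the appropriate Public Folder so the system learns.",
    "no-score": "Scanned but no usable x-spam-score (assumed edge case): gather full headers, contact support.",
}


def received_chain(raw_headers):
    """Return the 'by' host of each Received: line, in header order (most recent first)."""
    msg = HeaderParser().parsestr(raw_headers)
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.search(r"\bby\s+([A-Za-z0-9.-]+)", value)  # folded lines keep their whitespace
        hosts.append(m.group(1) if m else "?")
    return hosts


def triage(raw_headers, threshold=SPAM_THRESHOLD):
    """Classify a header block into one of the guide's outcomes."""
    msg = HeaderParser().parsestr(raw_headers)  # header names are case-insensitive
    # Question 1: did the SpammerTrap process the message at all?
    if not any("SpammerTrap" in v for v in msg.get_all("X-Virus-Scanned", [])):
        return "routing"
    # Question 2: was the sender whitelisted?
    if "WHITELISTED" in msg.get("X-Spam-Status", "").upper():
        return "whitelisted"
    # Question 3: what was the score, and did the policy flag it?
    try:
        score = float(msg.get("X-Spam-Score", "").strip())
    except ValueError:
        return "no-score"
    flagged = msg.get("X-Spam-Flag", "").strip().upper() == "YES"
    # Question 4: was the subject tagged [SPAM]?
    tagged = msg.get("Subject", "").lstrip().upper().startswith("[SPAM]")
    if score >= threshold or flagged or tagged:
        return "policy"
    return "legitimate-miss"


if __name__ == "__main__":
    # Usage: python triage_headers.py headers.txt   (no argument: run the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            raw = fh.read()
        verdict = triage(raw)
        print("path:", " <- ".join(received_chain(raw)))
        print(verdict, "-", NEXT_STEP[verdict])
    else:
        for name, raw in SAMPLES.items():
            print(f"{name:16} -> {triage(raw)}")
```

Run it against a saved header file to get the verdict and the relay path; run it with no argument to see each constructed sample land in its branch. A "policy" verdict is returned whenever any of the three signals (score at or above the threshold, flag YES, or a [SPAM] subject tag) is present, because each of them shows the SpammerTrap did classify the message and delivery was a policy decision rather than a miss.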


Still Need Help?

You will need to gather supporting documentation, such as the original message headers, so that the SpammerTrap Support team can analyze and research the situation.

Please be aware that any information you submit to SpammerTrap Support using the web form and link below will become public domain, so be sure it does not contain any sensitive or private information you want to protect.

ALSO NOTE: NEVER forward actual spam messages to SpammerTrap Support or to other parties! Doing so will degrade your accuracy, and could cause your mailservers to be listed in global blacklists (because they sent spam). Instead, follow these instructions:

  1. Once you have gathered a few (1-3) sample message headers, copy each set of complete message headers and paste them into the web form at this link: http://secnap.pastebin.com/ . Make sure you set the private flag. You can then enter your own email address for confirmation.
  2. Submit the form page, and you will be provided with a link. Include that link in your email to SpammerTrap Support. This will make it easier for our support engineers to assist you.
  3. In as much detail as possible, describe the problem(s) you are experiencing, including the user or users who are reporting the problem, the frequency at which they receive missed spam (for example, "10 per day"), and any other information you think could be important.
  4. It is also helpful to mention that you followed this troubleshooting Guide and still have questions. (This may cause us to add to or enhance the Guide.)

These steps will aid our support engineers in their research and enable them to provide prompt and accurate answers to your questions.

SpammerTrap Support can be reached at:

Email: [address obfuscated on the original page]

Phone: (561) 948-2254

VOIP: sip: [address obfuscated on the original page] ISN: 1254*1300
