When Spam Gets Through

From Roaring Penguin

Handling False Negatives

Sometimes, despite our best efforts, spam will get through. If this happens, please do not contact Roaring Penguin support until you have performed all the diagnostic steps listed below.


Original Message and Headers

NOTE that many diagnostic steps require the original spam message, complete with the original headers. Make sure your users don't delete the original message until you have a copy of this important information.

To be clear, many of the headers in a forwarded / re-sent / bounced / re-directed message are altered or deleted. This is why we require original headers. If a user forwards (or re-directs, re-sends, or bounces) a copy of a spam to you, this copy is not useful for diagnostics.

There are many ways to make a good copy of the original message and/or headers. We have specific information on how to get the Internet Headers From Outlook if your user has it as their client. In general, most mail clients make the original headers available via the menu system (often by right-clicking on the message to find its Properties and then finding the headers), from where you can copy-paste them to a text file. Another way is to save the complete original message in EML format; again, the right-click context menu usually offers an option to save as a file. Another option that may work is to drag and drop the original message into another email as an attachment. Whichever option you choose, please ensure all original data is preserved before deleting the original.

Did CanIt Process the Message?

Open the complete headers of the spam message. There should be a header similar to this:

X-Scanned-By: CanIt (www . roaringpenguin . com) on ip.of.scanning.machine

If this header is not present, then the message did not pass through CanIt. You can figure out how it got in using the Received: headers in the original message.

If this is the case, you should ensure that the mail server is only willing to accept mail from CanIt. We have information on this for Office 365 and Google Apps. On-site Exchange can be restricted within the Exchange admin console, similar to Office 365, by creating "Connector" restrictions, or by blocking port 25 at the firewall for other sources. The acceptable sources for Hosted CanIt are listed as "Relay Addresses" from the My Domains->My Domains page.

Was the Message Whitelisted?

Next, check for a header that starts with X-Spam-Score:. It should contain a numeric score and a list of tests that fired. If, however, it looks something like this:

X-Spam-Score: undef - something is whitelisted.

then there was an always-allow rule for something and that is why the message got through. This rule might exist in a number of places depending on your inheritance structure. As of version 10.1.6, CanIt shows rules that are inherited from further up the chain if you click the "Show Inherited Rules" link at the top of the relevant Rules page. It is therefore easiest to look for the rule in the recipient's stream first and, if it is not seen there, to use that link to locate it. If the something above is an email address, you will find the rule under Rules->Senders; if it is a domain, you will find it under Rules->Domains.

Please don't contact support unless you are unable to find and remove the rule on your own, or unless you need to discuss options with our team.

Are the Spam Thresholds too High?

If the X-Spam-Score: header does have a score, there should also be a tag that looks like this:

[Hold at threshold]

where threshold is a number. If threshold is greater than 5, then CanIt's normal spam threshold has been relaxed; if the score is 5 or more, CanIt would have caught it with the default threshold.

Please do not contact Roaring Penguin. Relaxing the filtering allows more to pass through the filter. Accept this or restore the default threshold. Contact support only if you need assistance finding a more specific solution to the issue that led to relaxing the threshold originally.


Is there a negative-scoring Custom Rule?

In the X-Spam-Score: header is a list of tests, something like this:

HTML_IMAGE_ONLY_28:0.726,HTML_MESSAGE:0.001,SPF(pass:0),DKIM(none:0),C71(0.3)

The interesting tests are the ones that look like Cnnn(score). If a custom rule with a large negative score is hit, then it may inappropriately be allowing spam through. Find the custom rule with ID nnn and adjust it. If the rule does not exist on the Rules->Custom Rules page for the recipient's stream, you can use the "Show Inherited Rules" link at the top (in version 10.1.6 and later) to find out where it is defined.
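
The header checks above, run in the same order by one script; this is an added example, not Roaring Penguin's code. It assumes the numeric score is the first token of X-Spam-Score: and that the [Hold at threshold] tag and the test list sit in that same header; the function name and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

DEFAULT_THRESHOLD = 5.0  # default hold threshold named on the page
NUM = r"-?\d+(?:\.\d+)?"

def triage(raw_message):
    """Run the page's header checks in order; return a list of findings."""
    msg = message_from_string(raw_message)
    if not any("CanIt" in v for v in msg.get_all("X-Scanned-By", [])):
        return ["not-scanned: no CanIt X-Scanned-By header, check Received:"]
    # Unfold the header; a long test list may wrap over several lines.
    hdr = " ".join((msg.get("X-Spam-Score") or "").split())
    if not hdr:
        return ["no-score: X-Spam-Score header is missing"]
    if hdr.startswith("undef"):
        return ["whitelisted: " + hdr]
    findings = []
    score = re.match(NUM, hdr)  # assumption: the score is the first token
    hold = re.search(r"\[Hold at (%s)\]" % NUM, hdr)
    if hold and float(hold.group(1)) > DEFAULT_THRESHOLD:
        note = "threshold-relaxed: hold at %g" % float(hold.group(1))
        if score and float(score.group()) >= DEFAULT_THRESHOLD:
            note += ", score %g would be held at the default" % float(score.group())
        findings.append(note)
    # Custom rules appear as Cnnn(score); only negative ones are suspicious.
    for rule_id, value in re.findall(r"\bC(\d+)\((%s)\)" % NUM, hdr):
        if float(value) < 0:
            findings.append("negative-custom-rule: C%s scored %s" % (rule_id, value))
    return findings or ["ok: no whitelist, relaxed threshold or negative rule"]

# Constructed sample headers (not from a real message).
SCANNED = "X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.0.2.10\n"
RELAXED = (SCANNED +
    "X-Spam-Score: 6.2 [Hold at 8.00] HTML_MESSAGE:0.001,SPF(pass:0),\n"
    " DKIM(none:0),C71(-4.5)\n"
    "Subject: constructed sample\n\nbody\n")
WHITELISTED = (SCANNED +
    "X-Spam-Score: undef - sender@example.org is whitelisted.\n\nbody\n")
BYPASSED = "Received: from host.example.net by mail.example.com\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("relaxed", RELAXED), ("whitelisted", WHITELISTED),
                      ("bypassed", BYPASSED)]:
        print(name, triage(raw))
```

Feed it the saved EML file's text rather than a forwarded copy, since forwarding alters or removes the headers it reads.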

Occasional Incidents

Reporting false negatives to Roaring Penguin is rarely helpful unless you receive a large number of similar mails. For single / occasional incidents, after you have confirmed that nothing is awry using the above basic diagnostics, the best course of action is to vote the message as spam (or as a phish if you think it's malicious) using the Voting Links added to the message body. If you have not configured CanIt to add voting links to the body, check the complete headers for headers that look something like this:

X-Antispam-Training-Phish: https://canit.example.com/canit/b.php?c=p&i=01og4aVuQ&m=e762bd72b378&t=20151001
X-Antispam-Training-Spam: https://canit.example.com/canit/b.php?c=s&i=01og4aVuQ&m=e762bd72b378&t=20151001

If you think the email is a phish, copy and paste the X-Antispam-Training-Phish: URL into the browser. If you think it's spam, copy and paste the X-Antispam-Training-Spam: URL into the browser.

Reporting Spam to Roaring Penguin

Please do not report occasional spams to Roaring Penguin. It won't be helpful. Please do report spams if they are part of a large spam run of similar messages, or if they contain highly-malicious attachments or links to highly-malicious URLs.

If you do report spam to Roaring Penguin, we need the original, unmodified spam complete with original headers. A forwarded message will not do. A message imported into Microsoft Word or sent as PDF is no good. Please send the original message as an attachment.