Difference between revisions of "When Spam Gets Through"

From Roaring Penguin
Revision as of 11:07, 27 October 2017

Handling False Negatives

Sometimes, despite our best efforts, spam will get through. If this happens, please do not contact Roaring Penguin support until you have performed all the diagnostic steps listed below.

NOTE that many diagnostic steps require the original spam message, complete with the original headers. Make sure your users don't delete the original message until you have a copy of this important information.

To be clear, many of the headers in a forwarded / re-sent / bounced / re-directed message are altered or deleted. This is why we require original headers. If a user forwards (or re-directs, re-sends, or bounces) a copy of a spam to you, this copy is not useful for diagnostics.


Did CanIt Process the Message?

Open the complete headers of the spam message. There should be a header similar to this:

X-Scanned-By: CanIt (www . roaringpenguin . com) on ip.of.scanning.machine

If this header is not present, then the message did not pass through CanIt. You can figure out how it got in using the Received: headers in the original message.

Was the Message Whitelisted?

Next, check for a header that starts with X-Spam-Score:. It should contain a numeric score and a list of tests that fired. If, however, it looks something like this:

X-Spam-Score: undef - something is whitelisted.

then there was an always-allow rule for something and that is why the message got through. Please don't contact support unless you are unable to find and remove the rule on your own, or unless you need to discuss options with our team.

Is the Spam Threshold too High?

If the X-Spam-Score: header does have a score, there should also be a tag that looks like this:

[Hold at threshold]

where threshold is a number. If threshold is greater than 5, then CanIt's normal spam threshold has been relaxed; if the score is 5 or more, CanIt would have caught it with the default threshold.

Please do not contact Roaring Penguin about this. Relaxing the threshold allows more mail to pass through the filter; either accept this or restore the default threshold. Contact support only if you need help finding a more specific solution to the issue that led to relaxing the threshold in the first place.

Is there a negative-scoring Custom Rule?

In the X-Spam-Score: header is a list of tests, something like this:

HTML_IMAGE_ONLY_28:0.726,HTML_MESSAGE:0.001,SPF(pass:0),DKIM(none:0),C71(0.3)

The interesting tests are the ones that look like Cnnn(score). If a custom rule with a large negative score is hit, then it may inappropriately be allowing spam through. Find the custom rule with ID nnn and adjust its score (or remove it).

If All Else Fails

Reporting false negatives to Roaring Penguin is rarely helpful unless you receive a large number of similar mails. The best course of action is to vote the message as spam (or as a phish if you think it's malicious) using the voting links added to the message body. If you have not configured CanIt to add voting links to the body, check the complete headers for headers that look something like this:

X-Antispam-Training-Phish: https://canit.example.com/canit/b.php?c=p&i=01og4aVuQ&m=e762bd72b378&t=20151001
X-Antispam-Training-Spam: https://canit.example.com/canit/b.php?c=s&i=01og4aVuQ&m=e762bd72b378&t=20151001

If you think the email is a phish, copy and paste the X-Antispam-Training-Phish: URL into the browser. If you think it's spam, copy and paste the X-Antispam-Training-Spam: URL into the browser.
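The checks above, from the X-Scanned-By test through the voting links, as one added example that is not part of this page or of CanIt itself: a Python script that reads a message, unwraps the original if it was sent as a message/rfc822 attachment (the form the page asks for, since forwarded copies lose headers), and reports which of the page's explanations applies. The exact layout of the X-Spam-Score value (a leading numeric score, the [Hold at N] tag, then the test list) and the sample report message are assumptions; the script only extracts the training URLs, it does not open them.

```python
"""Walk the checks on this page against an e-mail and report why it got through."""
import email
import re
from email import policy
from email.message import EmailMessage

DEFAULT_THRESHOLD = 5.0  # CanIt's normal hold threshold, per the page

# Assumed layout of the X-Spam-Score value: leading numeric score,
# a "[Hold at N]" tag, then the comma-separated test list shown on the page.
SCORE_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)")
HOLD_RE = re.compile(r"\[Hold at\s+(-?\d+(?:\.\d+)?)\]")
WHITELIST_RE = re.compile(r"^\s*undef\s*-\s*(.+?)\s+is whitelisted", re.I)
CUSTOM_RULE_RE = re.compile(r"\bC(\d+)\((-?\d+(?:\.\d+)?)\)")  # Cnnn(score)


def unwrap_original(msg: EmailMessage) -> EmailMessage:
    """Forwarded copies lose headers; a message/rfc822 attachment keeps them.
    If the report carries the original as an attachment, analyse that instead."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)  # the attached message object
    return msg


def parse_spam_score(value: str) -> dict:
    """Split X-Spam-Score into score, whitelist marker, hold threshold, custom-rule hits."""
    value = " ".join(value.split())  # unfold a wrapped header into one line
    info = {"whitelisted": None, "score": None, "threshold": None, "custom_rules": {}}
    if m := WHITELIST_RE.match(value):  # "undef - something is whitelisted."
        info["whitelisted"] = m.group(1)
        return info
    if m := SCORE_RE.match(value):
        info["score"] = float(m.group(1))
    if m := HOLD_RE.search(value):
        info["threshold"] = float(m.group(1))
    for rule_id, score in CUSTOM_RULE_RE.findall(value):
        info["custom_rules"][int(rule_id)] = float(score)
    return info


def triage(raw: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings in the order the page's checks are applied."""
    msg = unwrap_original(email.message_from_string(raw, policy=policy.default))
    findings = []
    if "CanIt" not in str(msg.get("X-Scanned-By", "")):
        hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
        findings.append(("NOT_SCANNED", "no CanIt X-Scanned-By header; trace these "
                         "Received: hops: " + " | ".join(hops)))
        return findings
    score_hdr = msg.get("X-Spam-Score")
    if score_hdr is None:
        findings.append(("NO_SCORE", "scanned by CanIt but no X-Spam-Score header"))
        return findings
    info = parse_spam_score(str(score_hdr))
    if info["whitelisted"]:
        findings.append(("WHITELISTED", f"always-allow rule for {info['whitelisted']}"))
        return findings
    score, threshold = info["score"], info["threshold"]
    if threshold is not None and threshold > DEFAULT_THRESHOLD:
        detail = f"hold threshold relaxed to {threshold}"
        if score is not None and score >= DEFAULT_THRESHOLD:
            detail += f"; score {score} would have been held at the default {DEFAULT_THRESHOLD}"
        findings.append(("THRESHOLD_RELAXED", detail))
    negative = {rid: s for rid, s in info["custom_rules"].items() if s < 0}
    if negative:
        detail = ", ".join(f"C{rid}({s})" for rid, s in sorted(negative.items()))
        if score is not None:  # added heuristic: the score without those rules
            detail += f"; score without them would be {round(score - sum(negative.values()), 3)}"
        findings.append(("NEGATIVE_CUSTOM_RULE", detail))
    for name in ("X-Antispam-Training-Phish", "X-Antispam-Training-Spam"):
        if msg.get(name):  # voting links to use when nothing above explains it
            findings.append(("VOTE_LINK", f"{name}: {str(msg[name]).strip()}"))
    return findings


# Constructed sample: a helpdesk report with the original spam attached as
# message/rfc822. Header values are invented; addresses use reserved example domains.
SAMPLE_REPORT = """\
From: helpdesk@example.com
To: postmaster@example.com
Subject: spam that got through (original attached)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="report-boundary"

--report-boundary
Content-Type: text/plain

Original message attached unmodified.

--report-boundary
Content-Type: message/rfc822

Received: from mx.example.net (mx.example.net [198.51.100.7])
  by canit.example.com with ESMTP; Tue, 3 Oct 2017 10:00:00 +0000
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.0.2.10
X-Spam-Score: 3.2 () [Hold at 8.0] HTML_IMAGE_ONLY_28:0.726,HTML_MESSAGE:0.001,SPF(pass:0),DKIM(none:0),C71(-4.5)
X-Antispam-Training-Spam: https://canit.example.com/canit/b.php?c=s&i=01og4aVuQ&m=e762bd72b378&t=20151001
From: promo@example.org
To: user@example.com
Subject: Limited time offer
Content-Type: text/plain

Click here.

--report-boundary--
"""

if __name__ == "__main__":
    for code, detail in triage(SAMPLE_REPORT):
        print(f"{code}: {detail}")
```

On the sample, the script reports that the hold threshold was relaxed to 8.0 and that custom rule C71 subtracted 4.5 points, without which the message would have scored 7.7 and been held at the default threshold; both are things to fix locally before contacting support. Feed it the raw source of the report (for example from a mailbox file), not a copy pasted from a mail client.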

Reporting Spam to Roaring Penguin

Please do not report occasional spams to Roaring Penguin. It won't be helpful. Please do report spams if they are part of a large spam run of similar messages, or if they contain highly-malicious attachments or links to highly-malicious URLs.

If you do report spam to Roaring Penguin, we need the original, unmodified spam complete with original headers. A forwarded message will not do. A message imported into Microsoft Word or sent as PDF is no good. Please send the original message as an attachment.