Difference between revisions of "When Spam Gets Through"

From Roaring Penguin
(Original Message and Headers)
(Handling False Negatives)
Line 6:

=== Original Message and Headers ===

− NOTE that many diagnostic steps require the ''original'' spam message, complete with the ''original'' headers.  Make sure your users don't delete the original message until you have a copy of this important information. Here are instructions on how to get the [[Internet Headers From Outlook]], for example.
+ NOTE that many diagnostic steps require the ''original'' spam message, complete with the ''original'' headers.  Make sure your users don't delete the original message until you have a copy of this important information.

To be clear, many of the headers in a forwarded / re-sent / bounced / re-directed message are altered or deleted.  This is why we require ''original'' headers.  If a user forwards (or re-directs, re-sends, or bounces) a copy of a spam to you, this copy is not useful for diagnostics.

− There are many ways to make a good copy of the original message and/or headers. One way is to view the original headers (often by right-clicking on the message to find its Properties and then find the headers) and then copy-paste them to a text file.  Another way is to save the complete original message in EML format -- again, the right-click context menu usually offers an option to save as a file.  Another option that may work is to drag and drop the original message into another email as an attachment.  Whichever option you choose, please ensure all original data is preserved before deleting the original.
+ There are many ways to make a good copy of the original message and/or headers. We have a specific information on how to get the [[Internet Headers From Outlook]] if your user has it as their client. In general, most mail clients will make the original headers available via the menu system (often by right-clicking on the message to find its Properties and then find the headers) and then copy-paste them to a text file.  Another way is to save the complete original message in EML format -- again, the right-click context menu usually offers an option to save as a file.  Another option that may work is to drag and drop the original message into another email as an attachment.  Whichever option you choose, please ensure all original data is preserved before deleting the original.

=== Did CanIt Process the Message? ===

Revision as of 10:40, 27 October 2017

Handling False Negatives

Sometimes, despite our best efforts, spam will get through. If this happens, please do not contact Roaring Penguin support until you have performed all the diagnostic steps listed below.


Original Message and Headers

NOTE that many diagnostic steps require the original spam message, complete with the original headers. Make sure your users don't delete the original message until you have a copy of this important information.

To be clear, many of the headers in a forwarded / re-sent / bounced / re-directed message are altered or deleted. This is why we require original headers. If a user forwards (or re-directs, re-sends, or bounces) a copy of a spam to you, this copy is not useful for diagnostics.

There are many ways to make a good copy of the original message and/or headers. We have specific information on how to get the Internet Headers From Outlook if your user has it as their client. In general, most mail clients will make the original headers available via the menu system (often by right-clicking on the message to find its Properties and then find the headers) and then copy-paste them to a text file. Another way is to save the complete original message in EML format -- again, the right-click context menu usually offers an option to save as a file. Another option that may work is to drag and drop the original message into another email as an attachment. Whichever option you choose, please ensure all original data is preserved before deleting the original.

Did CanIt Process the Message?

Open the complete headers of the spam message. There should be a header similar to this:

X-Scanned-By: CanIt (www . roaringpenguin . com) on ip.of.scanning.machine

If this header is not present, then the message did not pass through CanIt. You can figure out how it got in using the Received: headers in the original message.


Was the Message Whitelisted?

Next, check for a header that starts with X-Spam-Score:. It should contain a numeric score and a list of tests that fired. If, however, it looks something like this:

X-Spam-Score: undef - something is whitelisted.

then there was an always-allow rule for something and that is why the message got through. Please don't contact support unless you are unable to find and remove the rule on your own, or unless you need to discuss options with our team.


Are the Spam Thresholds too High?

If the X-Spam-Score: header does have a score, there should also be a tag that looks like this:

[Hold at threshold]

where threshold is a number. If threshold is greater than 5, then CanIt's normal spam threshold has been relaxed; if the score is 5 or more, CanIt would have caught it with the default threshold.

Please do not contact Roaring Penguin. Relaxing the filtering allows more to pass through the filter. Accept this or restore the default threshold. Contact support only if you need assistance finding a more specific solution to the issue that led to relaxing the threshold originally.


Is there a negative-scoring Custom Rule?

In the X-Spam-Score: header is a list of tests, something like this:

HTML_IMAGE_ONLY_28:0.726,HTML_MESSAGE:0.001,SPF(pass:0),DKIM(none:0),C71(0.3)

The interesting tests are the ones that look like Cnnn(score). If a custom rule with a large negative score is hit, then it may inappropriately be allowing spam through. Find the custom rule with ID nnn and adjust.
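The four checks above (scanned by CanIt, whitelisted, relaxed hold threshold, negative custom rule) can be run over a saved original message in one pass. The script below is an added example, not Roaring Penguin code; the sample message, its addresses and the exact layout of the X-Spam-Score: value are constructed assumptions, so the parsing is order-insensitive.

```python
"""Walk the CanIt false-negative checklist over an original message's
headers. Added example, not CanIt's own tooling."""
import email
import re
from email import policy

# Constructed sample (not a real message): scanned by CanIt, held at a
# relaxed threshold of 8, with custom rule C71 scoring strongly negative.
SAMPLE = (
    "X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.0.2.10\n"
    "X-Spam-Score: 6.2 [Hold at 8] HTML_IMAGE_ONLY_28:0.726,"
    "HTML_MESSAGE:0.001,SPF(pass:0),DKIM(none:0),C71(-3.5)\n"
    "Subject: constructed sample\n"
    "\nbody\n"
)

DEFAULT_THRESHOLD = 5.0  # CanIt's default spam threshold per the page


def triage(raw):
    """Return findings in the order the page's checks are performed."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. No X-Scanned-By: CanIt header means the mail bypassed CanIt.
    if "CanIt" not in (msg.get("X-Scanned-By") or ""):
        findings.append("not scanned: trace the Received: headers")
        return findings
    score_hdr = str(msg.get("X-Spam-Score") or "")
    # 2. 'undef' means an always-allow rule matched.
    if score_hdr.startswith("undef"):
        findings.append("whitelisted: find and remove the always-allow rule")
        return findings
    # 3. A [Hold at N] tag above the default means the threshold was relaxed.
    m = re.match(r"\s*(-?\d+(?:\.\d+)?)", score_hdr)
    score = float(m.group(1)) if m else None
    hold = re.search(r"\[Hold at (\d+(?:\.\d+)?)\]", score_hdr)
    if hold and float(hold.group(1)) > DEFAULT_THRESHOLD:
        note = f"threshold relaxed to {hold.group(1)}"
        if score is not None and score >= DEFAULT_THRESHOLD:
            note += f"; score {score:g} would have been held at the default {DEFAULT_THRESHOLD:g}"
        findings.append(note)
    # 4. Custom rules appear as Cnnn(score); negative ones may let spam through.
    for rule_id, rule_score in re.findall(r"\bC(\d+)\(([-+]?\d+(?:\.\d+)?)\)", score_hdr):
        if float(rule_score) < 0:
            findings.append(f"custom rule C{rule_id} scored {rule_score}; review it")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```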


Occasional Incidents

Reporting false negatives to Roaring Penguin is rarely helpful unless you receive a large number of similar mails. For single / occasional incidents, after you have confirmed that nothing is awry using the above basic diagnostics, the best course of action is to vote the message as spam (or as a phish if you think it's malicious) using the Voting Links added to the message body. If you have not configured CanIt to add voting links to the body, check the complete headers for headers that look something like this:

X-Antispam-Training-Phish: https://canit.example.com/canit/b.php?c=p&i=01og4aVuQ&m=e762bd72b378&t=20151001
X-Antispam-Training-Spam: https://canit.example.com/canit/b.php?c=s&i=01og4aVuQ&m=e762bd72b378&t=20151001

If you think the email is a phish, copy and paste the X-Antispam-Training-Phish: URL into the browser. If you think it's spam, copy and paste the X-Antispam-Training-Spam: URL into the browser.

Reporting Spam to Roaring Penguin

Please do not report occasional spams to Roaring Penguin. It won't be helpful. Please do report spams if they are part of a large spam run of similar messages, or if they contain highly-malicious attachments or links to highly-malicious URLs.

If you do report spam to Roaring Penguin, we need the original, unmodified spam complete with original headers. A forwarded message will not do. A message imported into Microsoft Word or sent as PDF is no good. Please send the original message as an attachment.