Difference between revisions of "When Spam Gets Through"

From Roaring Penguin
Revision as of 10:49, 27 October 2017

Handling False Negatives

Sometimes, despite our best efforts, spam will get through. If this happens, please do not contact Roaring Penguin support until you have performed all the diagnostic steps listed below. Note that many diagnostic steps require the original spam message complete with the original headers, so make sure your users don't delete the message if they want you to diagnose the problem.

Did CanIt Even See the Message?

Open the complete headers of the spam message. There should be a header similar to this:

X-Scanned-By: CanIt (www . roaringpenguin . com) on ip.of.scanning.machine

If this header is not present, then the message did not pass through CanIt and you need to figure out how it got in using the Received: headers in the original message.

Was the Message Whitelisted?

Next, check for a header that starts with X-Spam-Score:. It should contain a numeric score and a list of tests that fired. If, however, it looks something like this:

X-Spam-Score: undef - something is whitelisted.

then there was an always-allow rule for something and that is why the message got through.

Is the Spam Threshold too High?

If the X-Spam-Score: header does have a score, there should also be a tag that looks like this:

[Hold at threshold]

where threshold is a number. If threshold is greater than 5, then CanIt's normal spam threshold has been relaxed. In that case, if the message's score is 5 or more, CanIt would have caught it with the default threshold and you should not contact Roaring Penguin.

Is there a negative-scoring Custom Rule?

In the X-Spam-Score: header is a list of tests, something like this:

HTML_IMAGE_ONLY_28:0.726,HTML_MESSAGE:0.001,SPF(pass:0),DKIM(none:0),C71(0.3)

The interesting tests are the ones that look like Cnnn(score). If a custom rule with a large negative score is hit, it may be inappropriately allowing spam through. Check the custom rules for the rule with ID nnn and adjust it.

If All Else Fails

Reporting false negatives to Roaring Penguin is rarely helpful unless you receive a large number of similar mails. The best course of action is to vote the message as spam (or as a phish if you think it's malicious) using the voting links added to the message body. If you have not configured CanIt to add voting links to the body, check the complete headers for headers that look something like this:

X-Antispam-Training-Phish: https://canit.example.com/canit/b.php?c=p&i=01og4aVuQ&m=e762bd72b378&t=20151001
X-Antispam-Training-Spam: https://canit.example.com/canit/b.php?c=s&i=01og4aVuQ&m=e762bd72b378&t=20151001

If you think the email is a phish, copy and paste the X-Antispam-Training-Phish: URL into your browser. If you think it's spam, copy and paste the X-Antispam-Training-Spam: URL into your browser.
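The diagnostic steps above can be run in one pass over a saved original message. This is an added example, not Roaring Penguin code: the function name triage is hypothetical, the sample headers are constructed, and it assumes the X-Spam-Score: value starts with the numeric score followed by the [Hold at threshold] tag and the test list.

```python
import re
from email import message_from_string

DEFAULT_THRESHOLD = 5.0  # CanIt's default hold threshold, per the page
NUM = r"-?\d+(?:\.\d+)?"

def triage(raw):
    """Walk the page's checks over one raw message; return a dict of findings."""
    msg = message_from_string(raw)
    out = {"scanned": "CanIt" in (msg["X-Scanned-By"] or ""), "verdict": None,
           "negative_rules": {}, "vote_urls": {}}
    for kind in ("Spam", "Phish"):
        url = msg["X-Antispam-Training-" + kind]
        if url:
            out["vote_urls"][kind.lower()] = url.strip()
    if not out["scanned"]:
        out["verdict"] = "not scanned by CanIt: trace the Received: headers"
        return out
    hdr = " ".join((msg["X-Spam-Score"] or "").split())  # unfold continuation lines
    if hdr.startswith("undef"):
        out["verdict"] = "whitelisted by an always-allow rule"
        return out
    score = re.match(NUM, hdr)  # assumption: the score is the leading number
    hold = re.search(r"\[Hold at (%s)\]" % NUM, hdr)
    if not score or not hold:
        out["verdict"] = "X-Spam-Score: header missing or not in the assumed layout"
        return out
    score, threshold = float(score.group()), float(hold.group(1))
    # Custom rules appear as Cnnn(score); collect the ones that lower the score.
    for rule_id, val in re.findall(r"\bC(\d+)\((%s)\)" % NUM, hdr):
        if float(val) < 0:
            out["negative_rules"][int(rule_id)] = float(val)
    if threshold > DEFAULT_THRESHOLD and score >= DEFAULT_THRESHOLD:
        out["verdict"] = "threshold relaxed to %g; default would have held it" % threshold
    elif out["negative_rules"]:
        out["verdict"] = "negative custom rule(s) hit: review them"
    else:
        out["verdict"] = "no local cause found: vote using the training links"
    return out

# Constructed sample headers (not a real message).
SAMPLE = (
    "X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.0.2.10\n"
    "X-Spam-Score: 3.1 [Hold at 5.00] HTML_MESSAGE:0.001,SPF(pass:0),\n"
    "\tDKIM(none:0),C71(-4.5),C12(0.3)\n"
    "X-Antispam-Training-Spam: https://canit.example.com/canit/b.php?c=s&i=01og4aVuQ&m=e762bd72b378&t=20151001\n"
    "\nbody\n"
)
```

Call triage() on the full text of the original message; a forwarded copy will have lost the headers it reads.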

Reporting Spam to Roaring Penguin

Please do not report occasional spams to Roaring Penguin. It won't be helpful. Please do report spams if they are part of a large spam run of similar messages, or if they contain highly-malicious attachments or links to highly-malicious URLs.

If you do report spam to Roaring Penguin, we need the original, unmodified spam complete with original headers. A forwarded message will not do. A message imported into Microsoft Word or sent as PDF is no good. Please send the original message as an attachment.