ESET Mail Security blocking GMail??


A company I do occasional ad-hoc consulting for has raised a serious issue concerning emails not being delivered to them, and they have asked me to take a look.

I discovered they are running ESET Mail Security on their Exchange 2016 server; I have zero experience with this software.

When checking the mail quarantine list, I found what appears to be some examples of missing emails according to the sender and timeframes given to me. 

Strange thing is the emails originate from Gmail. Not exactly a blacklisted domain, is it?

Here is the error on one of those quarantined emails:

Reason: "Rule system classified mail as SPAM, IP (209.85.208.175) isn't found on cloud black list"

Well if it isn't found on the blacklist, why quarantine it?

This company is suspecting a high volume of missing emails from customers, but of course they cannot tell the extent of it. I am also suspicious it is blocking other good emails.

Any ideas why this software is blocking trusted email? I cannot see anything in the Filtering and Verification list.

Does this software not send a quarantine report to end users? It will be hell to administer if not.

There is a serious routing issue going on in South Africa due to an undersea fiber break, for what it is worth - not sure if this could be causing such issues though. But the company seems to agree that these missing emails started before the fiber break. I suppose SPF records and IPs could be affected by massive re-routing issues.

Any help will be appreciated.

Thanks.


  • ESET Staff

Hi,

From your description it seems that the email has been marked as spam because of its content ("Rule system classified mail as SPAM"), despite the fact that it came from a trusted source ("IP (209.85.208.175) isn't found on cloud black list").

Ad. "Any ideas why this software is blocking trusted email?":

In order to answer this, please open a ticket with our support and provide them with sample(s) of mis-classified email(s).

Ad. "Does this software not send a quarantine report to end users?":

Yes it can, please refer here (https://help.eset.com/emsx/7.1/en-US/idh_scheduler_task_qreports.html).

Matej


Thanks for the response M.K.

I have gone through the article and enabled the quarantine report. Hope it works as intended. Will trial this for a few days and warn them to expect the first report later today.

As for the blocked email: all I've been able to discern about the content via the report is that it had a PDF attachment and a few JPGs - likely a signature or something of the sort created the JPGs. It was a quotation an internal employee forwarded via their private Gmail to some users in the company. I haven't seen the email itself though, so I'm not sure what caused the block, but it's the only tangible example they have to confirm the suspicion of missing emails.

I don't want to spend too much time on it as my work is billable by the hour, so I'm not going to go through the ticket and extensive troubleshooting process just yet and especially as this isn't software I'm familiar with, but I'm hoping that enabling the quarantine report works and is useful for them.

Edited by JPVG