Jump to content

Unexpectedly high false negative SPAM occurrence


Recommended Posts

Servus Community,

For a week now we have been flooded by a spam tsunami and we don't know why. The spam filter on our Exchange servers filters out spam, as we can see from the logs, but there is still a lot of spam arriving in the users' mailboxes. We have already sent over a hundred samples to ESET, but the storm continues. There are mails that should be clearly identified as spam, but the filter lets them through.

At first we thought that this would fix by itself in a few days, when ESET reacts with new patterns, but now it takes so long that we have to assume that the problem is in our setup. What actions can we take to get the problem under control? The matter is getting more and more serious, we have users who get over a hundred spam mails per day and there might be serious threats among them.

Thank you in advance for your attention

Bye Tom

 

Link to comment
Share on other sites

  • Administrators

Please raise a support ticket with your local ESET distributor. For antispam to work the server must be able to communicate with ESET's servers on UDP port 53535. Couldn't this be the reason that the communication is blocked?

Please carry on as follows:

- enable diagnostic logging
- receive a spam email that is not recognized
- disable diagnostic logging
- collect logs with ESET Log Collector and supply the generated archive to technical support along with the unrecogized spam in the eml or msg format.

Link to comment
Share on other sites

1 hour ago, Marcos said:

Please raise a support ticket with your local ESET distributor. For antispam to work the server must be able to communicate with ESET's servers on UDP port 53535. Couldn't this be the reason that the communication is blocked?

If you haven't changed anything on the network layout, I don't think that's the reason. We haven't changed anything and it was working fine until a week ago. I'm on vacation right now but I'll pass this on to my colleague to check.

Thx & Bye Tom

Link to comment
Share on other sites

I've taken a closer look at the this issue with my colleague now and we have some answers but also a few questions.

We have two Exchange servers (MTA-1 and MTA-2) and only one (MTA-1) accepts mails from external. While analyzing the ESET logfiles we noticed that the second server (MTA-2) has had an empty logfile for over a week. Obviously, nothing was filtered here, which didn't worry us at first, because everything has to pass through the filter of the first server (MTA-1).

Furthermore, we took a closer look at the spam mails that were passed through and noticed that there are no ESET X-tags in the headers of these e-mails. This worried us, because it is obvious that some mails did not pass the filter at all.

Days ago we restarted the ESET services on both servers and today we restarted both servers. Now the filters on both servers are working again and since then no spam mail has arrived at least in my mailbox. However, since this time, five to ten unrecognized spam mails would be expected. This is a good sign.

This would also answer the question why some spam mails were filtered and others not because the filter on only one server was working. But the question that arises now is, why is the filter on the second server necessary at all, if everything should go through the filter of the other server first? Is there any documentation on how the ESET filters work in an Exchange DAG, or a short explanation that does not go beyond the scope of this post? After all, this final question is on the edge of beeing off topic but the answer would help us at least to understand the issue...

Thx & Bye Tom

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...