1
false positives message sniffer
Question asked by Richard Frank - 11/11/2015 at 4:41 AM
Unanswered
I have Message Sniffer as an add-on.
I have a lot of FPs for perfectly legit mail.
Sending server not blacklisted, rDNS passed, etc.
 
This is just one of the many messages being weighted too much.
 
Where/how can I report false positives?
 
[2015.11.11] 12:12:03 [01064] Delivery started for b at 12:12:03
[2015.11.11] 12:12:13 [01064] Spam check results: [_SPF: None], [FIVE-TEN: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - WHITELIST: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SMTP: passed], [SORBS - SOCKS: passed], [SPAMCOP: passed], [SPAMHAUS- ZEN: passed], [SPAMRATS: passed], [SPAMRATS DYNA: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: passed], [_MESSAGESNIFFER: 20,code:20], [_DK: None], [_DKIM: None], [BARRACUDA: passed], [PSBL: passed], [WPBL: passed]
[2015.11.11] 12:12:18 [01064] Sending remote mail for bssec -at-ecn.nl
[2015.11.11] 12:12:18 [01064] This message is not being delivered to destination-adres due to an incoming gateway's spam settings. Weight: 20
[2015.11.11] 12:12:18 [01064] This message is being rerouted from destination-address to destination--alternative-address due to incoming gateway spam settings. Weight: 20
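The log lines above list every spam check and its result in one line, which makes it hard to see at a glance that a single check (here `_MESSAGESNIFFER` at 20) is producing the whole weight. The following parser is an added example, not code from the original post or from SmarterMail/Message Sniffer; it splits a "Spam check results" line into per-check results, pulls out the numeric weight and the `code:` value, and reports whether one check on its own reaches the reroute threshold. The threshold of 20 is an assumption taken from the "Weight: 20" lines in this thread, and the sample lines are shortened copies of the two log lines posted here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two "Spam check results" lines posted in this thread,
# shortened to the checks that matter for the illustration (SmarterMail log format).
SAMPLE_LINES = [
    "[2015.11.11] 12:12:13 [01064] Spam check results: [_SPF: None], [FIVE-TEN: passed], "
    "[SPAMHAUS- ZEN: passed], [_MESSAGESNIFFER: 20,code:20], [_DKIM: None], [BARRACUDA: passed]",
    "[2015.11.30] 09:04:37 [35142] Spam check results: [_SPF: PermError], [FIVE-TEN: passed], "
    "[SPAMHAUS- ZEN: passed], [_MESSAGESNIFFER: 19,code:57], [_DKIM: None], [BARRACUDA: passed]",
]

# One "[NAME: value]" pair; the name may contain spaces and dashes (e.g. "SPAMHAUS- ZEN").
RESULT_RE = re.compile(r"\[([^\[\]:]+):\s*([^\[\]]*)\]")
# A numeric weight, optionally followed by Message Sniffer's ",code:NN" suffix.
WEIGHT_RE = re.compile(r"^(-?\d+)(?:,code:(\d+))?$")


@dataclass
class CheckResult:
    name: str
    raw: str
    weight: Optional[int]  # numeric weight when the check reported one, else None
    code: Optional[int]    # Message Sniffer result code, if present


def parse_spam_checks(line: str) -> List[CheckResult]:
    """Parse every [NAME: value] pair that follows 'Spam check results:' in one log line."""
    marker = "Spam check results:"
    if marker not in line:
        return []
    tail = line.split(marker, 1)[1]
    results = []
    for name, raw in RESULT_RE.findall(tail):
        m = WEIGHT_RE.match(raw.strip())
        weight = int(m.group(1)) if m else None
        code = int(m.group(2)) if m and m.group(2) else None
        results.append(CheckResult(name.strip(), raw.strip(), weight, code))
    return results


def explain_weight(line: str, threshold: int = 20) -> Dict[str, object]:
    """Summarise which checks produced weight and whether one check alone reaches the threshold.

    The default threshold of 20 is an assumption taken from the 'Weight: 20' reroute lines
    quoted in this thread; set it to the gateway's real value.
    """
    checks = parse_spam_checks(line)
    weighted = [c for c in checks if c.weight]
    # Checks that returned neither passed/None nor a number (e.g. SPF PermError) are flagged
    # in the log, but their weight is configured server-side and cannot be read from the line.
    flagged = [c.name for c in checks if c.weight is None and c.raw not in ("passed", "None")]
    return {
        "weighted": {c.name: c.weight for c in weighted},
        "codes": {c.name: c.code for c in weighted if c.code is not None},
        "flagged_unweighted": flagged,
        "known_weight": sum(c.weight for c in weighted),
        "single_check_over_threshold": [c.name for c in weighted if c.weight >= threshold],
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        summary = explain_weight(line)
        print(line[:30], "...")
        for key, value in summary.items():
            print(f"  {key}: {value}")
```

Running it over the first line shows `_MESSAGESNIFFER` as the only weighted check and the only one at or above 20, so a GBUdb reputation hit alone is enough to reroute the message; on the second line Sniffer contributes 19 and `_SPF: PermError` is flagged with a weight that is only visible in the gateway's configuration.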

7 Replies

0
Richard Frank Replied
I have opened a ticket for this.
 
0
Linda Pagillo Replied
Hi Richard. I will be happy to help you with this issue. Code 20 means the source IP has a bad reputation. A quick way to safely clear a GBUdb false positive is to use the -drop command, causing GBUdb to forget what it knows about the IP and to start learning from scratch. Please check out the following article for instructions on how to do that: http://know.mailsbestfriend.com/how_to_drop_an_ip_from_the_gbudbtruncate_list--1143817730.shtml. Also, please report the urgent false positive to Arm Research using the procedure at the following link: http://know.mailsbestfriend.com/how_to_handle_urgent_message_sniffer_falsepositives-1858720502.shtml. As for why this is happening... can you please provide a bit more information for me? Do you have an upstream server that might be seen as the source for all messages and, since most are spam, that would force the IP into bad reputation status?
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Richard Frank Replied
I did a check with SNFClient on an IP number that received spam weight from Message Sniffer:
C:\Program Files (x86)\SmarterTools\SmarterMail\Service\SNF>SNFClient.exe -test 145.255.128.10
GBUdb Record for 145.255.128.10
  Type Flag: ugly
  Bad Count: 25
 Good Count: 11
Probability: 0.388889
 Confidence: 0.369283
      Range: normal
       Code: 0
 
 
 
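The SNFClient record above is easier to reason about once the counters are parsed out: the Type Flag is driven by the bad/good counts, and the two derived fields can be recomputed from them. The following is an added example, not code from the original post or from Message Sniffer/GBUdb; it parses a `-test` record, recomputes Probability as (bad - good)/(bad + good) and Confidence as ln(bad + good)/ln(16384), and checks that the recomputed values agree with the posted ones. Both formulas are assumptions fitted to the records posted in this thread rather than GBUdb's documented definitions; the sample records are the ones Richard posted.

```python
import math
import re
from typing import Dict, Optional

# Sample input: the SNFClient -test record posted above (copied as text, not re-queried).
RECORD_145 = """GBUdb Record for 145.255.128.10
  Type Flag: ugly
  Bad Count: 25
 Good Count: 11
Probability: 0.388889
 Confidence: 0.369283
      Range: normal
       Code: 0
"""

IP_RE = re.compile(r"GBUdb Record for (\S+)")
# Assumed scale for the confidence fit: ln(16384) reproduces both records in this thread.
CONFIDENCE_SCALE = math.log(16384)


def parse_gbudb_record(text: str) -> Dict[str, object]:
    """Turn the key/value lines of an SNFClient -test record into a dict."""
    rec: Dict[str, object] = {}
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m:
            rec["ip"] = m.group(1)
            continue
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        rec[key.strip()] = value.strip()
    for key in ("Bad Count", "Good Count", "Code"):
        if key in rec:
            rec[key] = int(rec[key])
    for key in ("Probability", "Confidence"):
        if key in rec:
            rec[key] = float(rec[key])
    return rec


def probability(bad: int, good: int) -> float:
    """Assumed fit: (bad - good) / (bad + good); 0.0 when nothing has been observed."""
    total = bad + good
    return (bad - good) / total if total else 0.0


def confidence(bad: int, good: int) -> float:
    """Assumed fit: ln(total) / ln(16384), i.e. confidence grows with the number of observations."""
    total = bad + good
    return math.log(total) / CONFIDENCE_SCALE if total > 0 else 0.0


def reputation_summary(text: str, tolerance: float = 1e-4) -> Dict[str, object]:
    """Parse a record, recompute the derived fields and flag whether they match the posted ones."""
    rec = parse_gbudb_record(text)
    bad, good = rec["Bad Count"], rec["Good Count"]
    p, c = probability(bad, good), confidence(bad, good)
    return {
        "ip": rec.get("ip"),
        "flag": rec.get("Type Flag"),
        "bad": bad,
        "good": good,
        "probability": p,
        "confidence": c,
        "matches_posted": abs(p - rec["Probability"]) < tolerance
        and abs(c - rec["Confidence"]) < tolerance,
    }


if __name__ == "__main__":
    s = reputation_summary(RECORD_145)
    print(f"{s['ip']}: flag={s['flag']} bad={s['bad']} good={s['good']}")
    print(f"  probability={s['probability']:.6f} confidence={s['confidence']:.6f}")
    print(f"  recomputed values match posted record: {s['matches_posted']}")
```

For the posted record the summary reproduces 0.388889 and 0.369283 from 25 bad and 11 good observations. Seen this way, the "ugly" flag rests on only 36 samples at a confidence of about 0.37, which is why the thread's advice to `-drop` the IP (so GBUdb relearns from scratch) is a cheap and safe reset, and why an upstream relay that makes many senders look like one IP would skew these counters quickly.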
0
Linda Pagillo Replied
Hi Richard. These results show that Sniffer sees that IP as a spamming IP. Since it is not, please remove it from your GBUDB Truncate list using the procedure that is outlined at the first link I gave you above and then report the false-positive to Arm Research using the procedure outlined in the 2nd link above. Thanks.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Richard Frank Replied
Message Sniffer is flagging outlook.com servers, though it seems fine at the moment of testing.
C:\Program Files (x86)\SmarterTools\SmarterMail\Service\SNF>SNFClient.exe -test 157.56.112.104
GBUdb Record for 157.56.112.104
  Type Flag: ugly
  Bad Count: 11
 Good Count: 11
Probability: 0
 Confidence: 0.318533
      Range: normal
       Code: 0
 
But the delivery log had it flagged, so probably at that time it was flagged. Isn't that strange?

[2015.11.30] 09:04:31 [35142] Delivery started for breg@industrielinqs.nl at 9:04:31
[2015.11.30] 09:04:37 [35142] Spam check results: [_SPF: PermError], [FIVE-TEN: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - WHITELIST: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SMTP: passed], [SORBS - SOCKS: passed], [SPAMCOP: passed], [SPAMHAUS- ZEN: passed], [SPAMRATS: passed], [SPAMRATS DYNA: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: passed], [_MESSAGESNIFFER: 19,code:57], [_DK: None], [_DKIM: None], [BARRACUDA: passed], [PSBL: passed], [WPBL: passed]
[2015.11.30] 09:04:41 [35142] Sending remote mail for breg@industrielinqs.nl
[2015.11.30] 09:04:41 [35142] This message is not being delivered to wouter@bondis.nl due to an incoming gateway's spam settings. Weight: 20
[2015.11.30] 09:04:41 [35142] This message is being rerouted from wouter@bondis.nl to spambox@bondis.nl due to incoming gateway spam settings. Weight: 20
 
0
Richard Frank Replied
Received: from MAIL4.bondis.local (10.10.100.8) by MAIL4.bondis.local
(10.10.100.8) with Microsoft SMTP Server (TLS) id 15.0.1076.9 via Mailbox
Transport; Mon, 30 Nov 2015 09:04:42 +0100
Received: from MAIL4.bondis.local (10.10.100.8) by MAIL4.bondis.local
(10.10.100.8) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Mon, 30 Nov
2015 09:04:42 +0100
Received: from mail.soko.nl (80.242.238.152) by MAIL4.bondis.local
(10.10.100.8) with Microsoft SMTP Server (TLS) id 15.0.1076.9 via Frontend
Transport; Mon, 30 Nov 2015 09:04:42 +0100
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0104.outbound.protection.outlook.com [157.56.112.104]) by mail.soko.nl with SMTP
0
Linda Pagillo Replied
Hi Richard. At what time did you run the test? I'm asking because it is very possible that at the time you ran the test, the IP was ok, but when this message arrived, the IP may have been considered bad.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
