false positives message sniffer
Question asked by Richard Frank - November 11, 2015 at 4:41 AM
Unanswered
I have Message Sniffer as an add-on.
I have a lot of FPs for perfectly legit mail.
Sending server not blacklisted, rDNS passed, etc.
 
This is just one of the many messages being weighted too much.
 
Where/how can I report false positives?
 
[2015.11.11] 12:12:03 [01064] Delivery started for b at 12:12:03
[2015.11.11] 12:12:13 [01064] Spam check results: [_SPF: None], [FIVE-TEN: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - WHITELIST: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SMTP: passed], [SORBS - SOCKS: passed], [SPAMCOP: passed], [SPAMHAUS- ZEN: passed], [SPAMRATS: passed], [SPAMRATS DYNA: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: passed], [_MESSAGESNIFFER: 20,code:20], [_DK: None], [_DKIM: None], [BARRACUDA: passed], [PSBL: passed], [WPBL: passed]
[2015.11.11] 12:12:18 [01064] Sending remote mail for bssec -at-ecn.nl
[2015.11.11] 12:12:18 [01064] This message is not being delivered to destination-adres due to an incoming gateway's spam settings. Weight: 20
[2015.11.11] 12:12:18 [01064] This message is being rerouted from destination-address to destination--alternative-address due to incoming gateway spam settings. Weight: 20

7 Replies

0
I have opened a ticket for this.
 
0
Hi Richard. I will be happy to help you with this issue. Code 20 means the source IP has a bad reputation. A quick way to safely clear a GBUdb false positive is to use the -drop command, causing GBUdb to forget what it knows about the IP and to start learning from scratch. Please check out the following article for instructions on how to do that: http://know.mailsbestfriend.com/how_to_drop_an_ip_from_the_gbudbtruncate_list--1143817730.shtml Also, please report the urgent false-positive to Arm Research using the procedure at the following link: http://know.mailsbestfriend.com/how_to_handle_urgent_message_sniffer_falsepositives-1858720502.shtml As for why this is happening... can you please provide a bit more information for me? Do you have an upstream server that might be seen as the source for all messages and, since most are spam, that would force the IP into bad reputation status?
Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com
Authorized SmarterTools Reseller
Authorized Message Sniffer Reseller
 
0
I did a check with SNFClient on an IP number that received spam weight from Message Sniffer.
C:\Program Files (x86)\SmarterTools\SmarterMail\Service\SNF>SNFClient.exe -test 145.255.128.10
GBUdb Record for 145.255.128.10
  Type Flag: ugly
  Bad Count: 25
 Good Count: 11
Probability: 0.388889
 Confidence: 0.369283
      Range: normal
       Code: 0
 
0
Hi Richard. These results show that Sniffer sees that IP as a spamming IP. Since it is not, please remove it from your GBUDB Truncate list using the procedure that is outlined at the first link I gave you above and then report the false-positive to Arm Research using the procedure outlined in the 2nd link above. Thanks.
Linda Pagillo
 
0
Message Sniffer is flagging outlook.com servers, though it seems fine at the moment of testing.
C:\Program Files (x86)\SmarterTools\SmarterMail\Service\SNF>SNFClient.exe -test 157.56.112.104
GBUdb Record for 157.56.112.104
  Type Flag: ugly
  Bad Count: 11
 Good Count: 11
Probability: 0
 Confidence: 0.318533
      Range: normal
       Code: 0
 
But the delivery log had it flagged, so probably at that time it was flagged. Isn't that strange?

[2015.11.30] 09:04:31 [35142] Delivery started for breg@industrielinqs.nl at 9:04:31
[2015.11.30] 09:04:37 [35142] Spam check results: [_SPF: PermError], [FIVE-TEN: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - WHITELIST: passed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SMTP: passed], [SORBS - SOCKS: passed], [SPAMCOP: passed], [SPAMHAUS- ZEN: passed], [SPAMRATS: passed], [SPAMRATS DYNA: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: passed], [_MESSAGESNIFFER: 19,code:57], [_DK: None], [_DKIM: None], [BARRACUDA: passed], [PSBL: passed], [WPBL: passed]
[2015.11.30] 09:04:41 [35142] Sending remote mail for breg@industrielinqs.nl
[2015.11.30] 09:04:41 [35142] This message is not being delivered to wouter@bondis.nl due to an incoming gateway's spam settings. Weight: 20
[2015.11.30] 09:04:41 [35142] This message is being rerouted from wouter@bondis.nl to spambox@bondis.nl due to incoming gateway spam settings. Weight: 20
 
0
Received: from MAIL4.bondis.local (10.10.100.8) by MAIL4.bondis.local
(10.10.100.8) with Microsoft SMTP Server (TLS) id 15.0.1076.9 via Mailbox
Transport; Mon, 30 Nov 2015 09:04:42 +0100
Received: from MAIL4.bondis.local (10.10.100.8) by MAIL4.bondis.local
(10.10.100.8) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Mon, 30 Nov
2015 09:04:42 +0100
Received: from mail.soko.nl (80.242.238.152) by MAIL4.bondis.local
(10.10.100.8) with Microsoft SMTP Server (TLS) id 15.0.1076.9 via Frontend
Transport; Mon, 30 Nov 2015 09:04:42 +0100
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0104.outbound.protection.outlook.com [157.56.112.104]) by mail.soko.nl with SMTP
0
Hi Richard. At what time did you run the test? I'm asking because it is very possible that at the time you ran the test, the IP was ok, but when this message arrived, the IP may have been considered bad.
Linda Pagillo
 
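Putting the two delivery-log excerpts and the two SNFClient records from this thread to use: the following is an added example, not code from the thread, from SmarterTools or from ARM Research. It parses the "Spam check results" and "Weight:" lines of the delivery log to list held messages whose weight comes almost entirely from Message Sniffer (the ones worth checking against GBUdb first, with their timestamp for the timing question raised above), and parses one SNFClient -test record. The log text, the 192.0.2.10 address, the 0.9 share threshold and the Probability formula are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the SmarterMail delivery log quoted in the thread:
# message 35142 is held on Message Sniffer alone, 35143 mainly on RBL listings.
LOG = """\
[2015.11.30] 09:04:37 [35142] Spam check results: [_SPF: PermError], [SPAMCOP: passed], [_MESSAGESNIFFER: 19,code:57], [BARRACUDA: passed]
[2015.11.30] 09:04:41 [35142] This message is not being delivered to user@example.invalid due to an incoming gateway's spam settings. Weight: 20
[2015.11.30] 09:05:02 [35143] Spam check results: [_SPF: None], [SPAMCOP: failed], [_MESSAGESNIFFER: 0,code:0], [BARRACUDA: failed]
[2015.11.30] 09:05:05 [35143] This message is not being delivered to user@example.invalid due to an incoming gateway's spam settings. Weight: 30
"""
LINE_RE = re.compile(r"^\[(\d{4}\.\d{2}\.\d{2})\] (\d{2}:\d{2}:\d{2}) \[(\d+)\] (.*)$")
CHECK_RE = re.compile(r"\[([^\]:]+): ([^\]]+)\]")

def parse_delivery_log(text):
    """Group log lines by message id: timestamp, Sniffer weight/code, other hits, total weight."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day, clock, msg_id, body = m.groups()
        rec = msgs.setdefault(msg_id, {"when": datetime.strptime(f"{day} {clock}", "%Y.%m.%d %H:%M:%S")})
        if body.startswith("Spam check results:"):
            checks = dict(CHECK_RE.findall(body))
            snf = re.fullmatch(r"(\d+),code:(\d+)", checks.pop("_MESSAGESNIFFER", ""))
            rec["snf_weight"], rec["snf_code"] = (int(snf[1]), int(snf[2])) if snf else (0, 0)
            # any other check that reported something besides passed/None also contributed
            rec["others"] = sorted(k for k, v in checks.items() if v not in ("passed", "None"))
        elif "Weight:" in body:
            rec["weight"] = int(body.rsplit("Weight:", 1)[1])
    return msgs

def suspected_sniffer_fps(msgs, share=0.9):
    """Ids of held messages whose weight is (almost) entirely Message Sniffer's: review these first."""
    return sorted(i for i, r in msgs.items()
                  if r.get("weight") and r.get("snf_weight", 0) >= share * r["weight"])

# Constructed SNFClient -test output in the format shown in the thread (documentation IP).
GBUDB = "GBUdb Record for 192.0.2.10\n  Type Flag: ugly\n  Bad Count: 25\n Good Count: 11\n" \
        "Probability: 0.388889\n Confidence: 0.369283\n      Range: normal\n       Code: 0\n"

def parse_gbudb(text):
    """Parse one GBUdb record; flag whether Probability matches the bad/good counts."""
    f = dict(re.findall(r"^\s*([A-Za-z ]+):\s*(\S+)\s*$", text, re.M))
    bad, good, prob = int(f["Bad Count"]), int(f["Good Count"]), float(f["Probability"])
    # Assumption (not stated on the page): Probability = (bad - good) / (bad + good); it matches both records quoted in the thread.
    expected = (bad - good) / (bad + good) if bad + good else 0.0
    return {"flag": f["Type Flag"], "bad": bad, "good": good, "probability": prob,
            "confidence": float(f["Confidence"]), "consistent": abs(expected - prob) < 1e-5}
```

Run it over a real delivery log and compare each suspected message's timestamp with the time you ran SNFClient -test; a record that is clean now but was "ugly" at delivery time is exactly the mismatch discussed above.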
