User´s mails sometimes quarantined as SPAM

Hi,

 

one of our client´s user upon sending a mail with a PDF attachment (German Order Confirmation document) sometimes receives the below message:

 

"Your message to the following recipients was quarantined:

 

<xyz@xyz.info>, quarantine reason: Spam ()

 

Please contact your IT administrator for further assistance."

 

What could be the reason for this?

Where can I find further information in the UTM Controll Center on why a particular mail has been rejected as SPAM?

  • I would look in mail manager, although this may not give you the exact answer you are looking for.  If you have the SMTP Proxy enabled then the logs would be in the SMTP Proxy Logs.  As for Spam this is typically related to your spam score, this can get more in-depth as you go down the secure email rabbit hole as well.  Not to mention other settings that are just cut and dry like blocking any email with no subject.  

     

    Personally I like to use https://www.unlocktheinbox.com/spamscore/  and I am not trying to sell anything here just making a recommendation, I think it is 5 or 10 dollars and they will give you a complete remote on your email.

     

  • UTM uses a third party to score a message, and all that is logged is confirmed spam, probable spam or OK.

    Questions to investigate:

    • Was the quarantine action taken by UTM or by the Recipient system?  If UTM, does the recipient system accept the message after it is released from UTM?
    • Does the PDF include any Javascript code?
    • Have you scrubbed the sending PC for every possibility of a malware infection?   The warning might be true.
    • Does the outbound message have a subject and a body as well as an attachment?  Omitting these components can increase your spam score.
    • Does the outbound message have text and html sections, or text only?    HTML-only will also increase your spam score.
  • In reply to DouglasFoster:

    Thank you for the valuable input on this issue.

     

    @badrobot:

    In MailManager I found the mail which was marked as SPAM and it got deleted a day later by one of the Admins. Now I need to wait for the next incident to happen to analyze the mail further. When just taking the text of the mail and pasting it into the analysis of Unlocktheinbox it doesn´t make much sense I think, since it´s just the text of the mail itself without additional Header and Attachment information, etc. When the next mail gets trapped in UTM I would like to have a closer look as to what it looks like and see the SPAM score.

    Is there any further analysis that I can do in mail manager or with the mail score itself?

    Is there a breakdown of the factors that contribute to the mail score and what actually causes the mail to bounce back?

     

    @DouglasFoster:

    So far I only was able to analyze the mail that the user gave me from his Outlook Sent Items folder but not the actual one that quarantined in UTM to which additional content was perhaps added to or removed from after sending it from Outlook.

    Regarding your questions:

    • Was the quarantine action taken by UTM or by the Recipient system?  If UTM, does the recipient system accept the message after it is released from UTM?
      • It was quarantined by UTM
      • Yes, it is accepted by the other party´s Mail System after being released by UTM
    • Does the PDF include any Javascript code?
      • No, it´s a simple 1 page PDF document and is also send in the same format by other users that don´t have the SPAM mail issue
    • Have you scrubbed the sending PC for every possibility of a malware infection?   The warning might be true.
      • The user is running off a Terminal Server profile so I guess if he is infected the other´s would also be and the other peculiar thing is, that it is only happening ocassionally
    • Does the outbound message have a subject and a body as well as an attachment?  Omitting these components can increase your spam score.
      • Yes, it has all these parts and sometimes is also a reply or part of a longer mail thread
    • Does the outbound message have text and html sections, or text only?    HTML-only will also increase your spam score
      • It has both

     

    Additional general information:

    This issue is tied to only one user out of a department of four people that sends the same kind of mails and of which no-one else experiences this issue.

    The Exchange settings are the same for all four users.

    I told the user that we would like to do a test and send the next mail that bounces back for him from another user´s Outlook and see what happens. But I expect it not to bounce from the other user´s exchange account.

     

    Thank you for your help with this!

  • In reply to Julius Mensing:

    Just a couple quick thoughts on all the above,

    Does this user have a unique signature being auto filled in by outlook?  Something with LinkedIn or Facebook or some other link in it?

    Is there any foreign language in it? (This is considered)

    Ok now to mail manager-

    If using Outlook, go to the users computer, look in there sent folder, find the email, double click to open in new window, select actions, resend.

    Also drag the email from the sent folder into a new email so it is added as an attachment and send that to yourself so you have a real copy of the email with attachments, headers and body.

    Once you have an exact copy of the email try running tests from your account and another co-workers, eliminate certain parts of the email until it goes through to determine what is flagging the higher score.

    Although this could also be a situation were many different aspects are simply adding up to create a higher score.  I would also check your basics to see if your email domain is properly configured as well.  This would require access to your Domain DNS records, if you do not have it, you can still check and point out it is not helping anyone to not have the security aspects setup.

    In regards to SPAM scores and overall general email security there are more things to consider than just the subject, body and attachments.  Please note that this is more a general description,  each part will contribute to overall security and specific parts will lower your spam score.  There is SPF, DMARC & DKIM to consider and more, I would suggest purchasing an unlock the inbox report, this would give you a great starter report to go off of, however if you do not want to go that route you can learn much of this manually through various sites for free.  

    http://www.openspf.org/

    https://dmarc.org/

    https://www.sparkpost.com/blog/understanding-spf-and-dkim/

    https://www.epinionated.net/stop-email-spam-spf-dkim/

     

     

  • In reply to Dane Seelen:

    Thank you for the further input.

     

    Regarding the questions:

    Does this user have a unique signature being auto filled in by outlook?  Something with LinkedIn or Facebook or some other link in it?

    • No, there is no autofill done by Outlook, the user has the same signature as the other colleagues just with a few minor differences (Name, Mail, Telephone...)

    Is there any foreign language in it? (This is considered)

    • The siganture is kept in German but that is also the same for all the other colleagues

     

    On mail manager I am wondering if it actually is enough to just look at the Outlook Mail in the Sent folder and analyze that further, send to the guys from UnlockTheInbox, etc. or whether it´s not better to take the mail that arrived in UTM and is quarantined there. I guess that some changes can happen also in-between Outlook and UTM, isn´t it?

    So at the moment I guess I have to wait for a new mail to be quarantined for this user and then make a further analysis on it.

  • In reply to Julius Mensing:

    Just resend from their sent folder, the utm should catch it again, then take the one from the sent folder and compare them!

  • In reply to Dane Seelen:

    I just did a resend of the mail that got quarantined on the 17th of January and this time it went through without any issues.

    Next time the user has the issue I will have to do the comparison then.

  • In reply to Julius Mensing:

    Hallo Julius - welcome to the UTM Community!

    As others said above, UTM uses a third-party product.  CommTouch was acquired by McAfee and the tool in the UTM is still ctasd (CommTouch anti spam daemon) which calculates a signature for each email accepted by the SMTP Proxy and then queries the McAfee cloud service to determine if the signature is close/identical to others that are confirmed spam, bulk/spam or not spam.  Their algorithms keep changing based on feedback provided by customers.

    Instead of simply deleting the emails from the Quarantine, the admin should have selected 'Release and report as false positive'.  In that way, you can "train" their tool to handle your mail correctly.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob and Others,

     

    over three months have passed now with "training" Sophos to release the mails from this particular user and tell it that it is not spam.

    However his mails still constantly get marked as spam and it´s quite frustrating for him and us Admins since we always need to go to the Mail Manager and release the mail.

    Is there any way to find out why especially his mails are always marked as spam?

    For example today we already had three mails that were marked falsely as spam.

    Whereas all the mails of his colleagues in the same department with similar content and attachments don´t get marked as spam.

     

    Thank you for your further thoughts!!!

  • In reply to Julius Mensing:

    Hi Julus,

    You could create an Exception for Antispam for just that individual's email address.  I'd want to be certain that the domain had an SPF record in its authoritative name server though.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

     

    thank you for the further thoughts.

     

    When checking on various websites for a SPF record for our domain I can´t find any record.

     

    E.g. https://mxtoolbox.com:

     

     

    What would be the implications if I had the exception without an SPF record?

     

    I have now set up an SMTP exception with the employees address (as Sender Address Patterns) skipping "Antispam checking"and will see how it works.

  • In reply to Julius Mensing:

    I wasn't sure if this was inbound or outbound.  Since it's outbound, your solution looks good to me.

    You could create an SPF record for your organization in your authoritative name server.

    Cheers - Bob