cancel
Showing results for 
Search instead for 
Did you mean: 

Disappearing spam

rosma
Newbie
Posts: 2
Registered: 07-12-2008

Disappearing spam

We have recently been moved to IronPort. Since then it appears that while messages directed to the catch-all account and identified as spam have been placed in the catch-all account's Spam folder, the other accounts' Spam folders have remained empty. Since there is no more than the odd false negative in the other accounts' respective Inbox folders, we assume that either:

  • We aren't getting any spam that IronPort can identify as such - unlikely, since we usually get more spam than the few found in the inbox... or...

  • IronPort is simply disposing of correctly (and incorrectly) identified spam


Any ideas why IronPort might not be putting spam in the Spam folder? We have "Move to the Spam Folder" set in the spam configuration.
Thanks
18 REPLIES
ChrisL
Grafter
Posts: 733
Thanks: 2
Registered: 13-12-2007

Re: Disappearing spam

This is a quote (my emphasis) from Bob Pullen's post "Ironport & plans for the email platform" on this board:
Quote
Spam scoring is based on Ironport's 'reputation based filter' and will be set to a conservative level. Messages with scores between -10 and -7 will be blocked, -7 to -2 will be throttled, -2 to +7 will be scanned for spams, and greater than +7 will be allowed, and assumed clean. These settings will allow us to continue offering the controls that are available in the Manage My Mail tool. A separate thread has been set up here for discussions surrounding spam scoring.

Unfortunately (?), the switch to Ironport has coincided with a global reduction in spam due to the McColo takedown, so it's difficult to judge just how successful is the blocking by Ironport's reputation filters. From what I can tell, it is pretty spectacular, with hardly any nasty spam getting through and no genuine messages being bounced.
Chris
rosma
Newbie
Posts: 2
Registered: 07-12-2008

Re: Disappearing spam

Hi Chris,
Thanks for the quick reply. It seems to make sense.
We'll just have to monitor whether any expected messages go missing. I tend to feel nervous when spam filters throw away messages rather than separating them for later human filtering.
Thanks
Simon
ChrisL
Grafter
Posts: 733
Thanks: 2
Registered: 13-12-2007

Re: Disappearing spam

I'm with you on that, but it has always been the case that huge numbers of totally spammy messages have been refused access to ISPs' servers. The consolation is that they do generate a 'bounce' message, so at least a genuine sender knows something has gone wrong.
Chris
Capvermell
Grafter
Posts: 417
Registered: 16-12-2007

Re: Disappearing spam

Quote from: ChrisL
Unfortunately (?), the switch to Ironport has coincided with a global reduction in spam due to the McColo takedown, so it's difficult to judge just how successful is the blocking by Ironport's reputation filters. From what I can tell, it is pretty spectacular, with hardly any nasty spam getting through and no genuine messages being bounced.

So why does this nasty spam still not start to appear in my Spam folder even after I have turned off Edge Filtering then? Huh Sad
Superuser
Superuser
Posts: 8,876
Thanks: 411
Fixes: 36
Registered: 06-04-2007

Re: Disappearing spam

Quote from: Capvermell
So why does this nasty spam still not start to appear in my Spam folder even after I have turned off Edge Filtering then? Huh Sad

With IronPort the Edge Protection setting has no effect on the behaviour of IronPort's sender-reputation based boundary filters. Messages failing that check will be refused leaving it to the sending mail server to deal with. The sender of any genuine messages affected by this should be informed.
Turning off Edge Protection now means that messages that pass the boundary filter but are later found to be blatant spam will be delivered (to the Spam folder if that is the user choice) rather than silently dropped.
David
Capvermell
Grafter
Posts: 417
Registered: 16-12-2007

Re: Disappearing spam

Quote from: spraxyt
Turning off Edge Protection now means that messages that pass the boundary filter but are later found to be blatant spam will be delivered (to the Spam folder if that is the user choice) rather than silently dropped.

So turning Edge Protection and seeing if there is any upswing in spam messages put in my Spam folder or reaching my Inbox or not seems the way to go for now.  I would much rather see any email that is not actually rejected at source based on its Reputation arrive in my Spam folder rather than the sender thinking they have managed to send it and my then not receiving it silently.
Of course if I never see any legitimate emails in the Spam folder and/or there is a major upsurge in total spamming activity in a few months time then I may consider re-enabling Edge Protection.
Community Veteran
Posts: 3,364
Thanks: 15
Registered: 06-04-2007

Re: Disappearing spam

So, from this thread can I be confident that the reason I see no messages at all in the SPAM folder called Inbox.Spam is because Ironport is working as expected?
SW.
--
3Mb FTTC
https://portal.plus.net/my.html?action=data_transfer_speed
Community Gaffer
Community Gaffer
Posts: 12,801
Thanks: 634
Fixes: 62
Registered: 04-04-2007

Re: Disappearing spam

That's the likely conclusion. If you PM me the address you're referring to then I can purposely send a spam message to it if you'd like so we can see where that ends up?

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

Superuser
Superuser
Posts: 8,876
Thanks: 411
Fixes: 36
Registered: 06-04-2007

Re: Disappearing spam

The much reduced volume of spam is unnerving but in my case I'm not aware of any genuine messages being lost. Last week I received just one spam message, 6 the week before compared with  around 10 a day with Postini. I've had no false positives, though this was a regular occurrence with Postini. I've turned "edge protection" off so that messages that pass the boundary filter but are later found to be blatant spam will be delivered (to the Spam folder in my case) rather than silently dropped.
David
David
Capvermell
Grafter
Posts: 417
Registered: 16-12-2007

Re: Disappearing spam

I had three Spam messages arrive in my Plusnet Spam online folder in just one day yesterday, even though I re-enabled Edge Protection two or three weeks ago.  So it seems the spammers are getting back down to work after xmas and looking hard for ways to circumvent Ironport's filtering. Wink
Community Veteran
Posts: 3,364
Thanks: 15
Registered: 06-04-2007

Re: Disappearing spam

Bob,
Did you send messages to both of the mailboxes I suggested?
If so, I am seeing nothing in inbox.spam on either of those accounts.
SW.
--
3Mb FTTC
https://portal.plus.net/my.html?action=data_transfer_speed
cjags
Grafter
Posts: 390
Thanks: 3
Registered: 31-08-2007

Re: Disappearing spam

I have edge protection off, spam filter on with all spam directed to a junk folder.  With Ironport, there are about 5 or 6 spam emails in the junk folder per day.  With the postini quarantine system it was well over 100 spam emails a day (500+ per day before the takedown).  So it looks like a thumbs up for ironport.
Superuser
Superuser
Posts: 8,876
Thanks: 411
Fixes: 36
Registered: 06-04-2007

Re: Disappearing spam

That's useful feedback and good news, thanks.
Do the spam messages that get through the boundary filter by any chance include the header "X-SBRS: None" (just above the "X-IronPort-Anti-Spam-Filtered: true" and "X-IronPort-Anti-Spam-Result:" lines)? I think that means the originating IP has yet to be assigned a rating in IronPort's SenderBase Reputation Score database.
David
David
pierre_pierre
Grafter
Posts: 19,757
Registered: 30-07-2007

Re: Disappearing spam

Getting a lot of gambling one, ones I have checked have the none except this one
Quote
eceived-SPF: SoftFail identity=helo; client-ip=116.227.187.54;
  receiver=mx.ptn-ipin04.plus.net;
  envelope-from="axberwpaosix@jojomail.com";
  x-sender="postmaster@jojomail.com";
  x-conformance=sidf_compatible
X-SBRS: -2.0
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Amz/AGIIXUl047s2UGdsb2JhbAAWkHuCXQEBLmmeVjWWSg
X-IPAS: Level1
X-IronPort-AV: E=McAfee;i="5300,2777,5481"; a="10843597"
X-IronPort-AV: E=Sophos;i="4.36,316,1228089600";
   d="scan'208,217";a="10843597"
Received: from unknown (HELO jojomail.com) ([116.227.187.54])
  by mx.ptn-ipin04.plus.net with SMTP; 02 Jan 2009 02:17:09 +0000
Message-ID: <1685957A.753F7815@jojomail.com>
Date: Fri, 02 Jan 2009 09:50:35 +0700
From: "Stars Casino" <axberwpaosix@jojomail.com>

or this charmer  - I am not on F9 either
Quote
  x-conformance=sidf_compatible
X-SBRS: 1.6
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AnD9APdQYkmj79GDdGdsb2JhbAAWAYQ/gleBawEDAYISBohLAZ9XgnY
X-IPAS: Level1
X-IronPort-AV: E=McAfee;i="5300,2777,5486"; a="16919561"
X-IronPort-AV: E=Sophos;i="4.36,334,1228089600";
  d="scan'208,217";a="16919561"
Received: from unknown (HELO XAPEMVBQLZ) ([163.239.209.131])
  by mx.pcl-ipin01.plus.net with ESMTP; 06 Jan 2009 02:31:52 +0000
Message-ID: <000d01c96fa6$dc386ef0$6400a8c0@agilityua5>
From: "Jodie Mckenzie" <agilityua5@aquamadera.com>
To: <mrpn@netsolution.f9.co.uk>
Date: Tue, 6 Jan 2009 11:31:20 +0900
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C96FA6.DC386EF0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-pn-pstn: Spam 1
X-PN-Virus-Filtered: by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v4.00)
Subject: [-SPAM-] You want to have your stick big and nice, long and thick?
This is a multi-part message in MIME format.