cancel
Showing results for 
Search instead for 
Did you mean: 

My first ironport false positive

cjags
Grafter
Posts: 390
Thanks: 3
Registered: 31-08-2007

My first ironport false positive

Ironport decided this was SPAM but it isn't really.
Have updated whitelist to prevent future hiccups.
Return-path: <news@mail.moneysupermarketmail.com>
Envelope-to: xxxl@yyyyyy
Delivery-date: Mon, 19 Jan 2009 10:31:29 +0000
Received: from [212.159.7.34] (helo=mx.ptn-ipin02.plus.net)
    by fhw-sunmxcore05.plus.net with esmtp (PlusNet MXCore v2.00) id 1LOrPl-0002hP-8U
    for xxx@yyyyy; Mon, 19 Jan 2009 10:31:29 +0000
Authentication-Results: mx.ptn-ipin02.plus.net; dkim=neutral (message not signed) header.i=none
Received-SPF: None identity=pra; client-ip=91.102.184.210;
    receiver=mx.ptn-ipin02.plus.net;
    envelope-from="news@mail.moneysupermarketmail.com";
    x-sender="news@mail.moneysupermarketmail.com";
    x-conformance=sidf_compatible
Received-SPF: Pass identity=mailfrom; client-ip=91.102.184.210;
    receiver=mx.ptn-ipin02.plus.net;
    envelope-from="news@mail.moneysupermarketmail.com";
    x-sender="news@mail.moneysupermarketmail.com";
    x-conformance=sidf_compatible
Received-SPF: None identity=helo; client-ip=91.102.184.210;
    receiver=mx.ptn-ipin02.plus.net;
    envelope-from="news@mail.moneysupermarketmail.com";
    x-sender="postmaster@mail2.moneysupermarketmail.com";
    x-conformance=sidf_compatible
X-SBRS: 2.3
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Al39AEjlc0lbZrjSe2dsb2JhbAAAgUKBAxIYigZ6eQGBW4IcgSUBAQsLIgQqsAUIi1WENQYIgTA
X-IPAS: Level1
X-IronPort-AV: E=McAfee;i="5300,2777,5499"; a="21726658"
X-IronPort-AV: E=Sophos;i="4.37,288,1231113600";
    d="scan'208,217";a="21726658"
Received: from mail2.moneysupermarketmail.com ([91.102.184.210])
    by mx.ptn-ipin02.plus.net with ESMTP; 19 Jan 2009 10:30:54 +0000
Received: from mail pickup service by mail2.moneysupermarketmail.com with Microsoft SMTPSVC;
    Mon, 19 Jan 2009 10:30:53 +0000
Message-ID: <236385510-220091119103053624@mail.moneysupermarketmail.com>
X-EMR-ID: HNT0D1
X-EMR-BOOTH: MON001
X-EMR-PP: CKSY1I
From: "moneysupermarket.com" <news@mail.moneysupermarketmail.com>
To: "xxx@yyyyy" <xxx@yyyyy>
Date: Mon, 19 Jan 2009 10:30:53 -0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_236381337551921162103053624"
X-OriginalArrivalTime: 19 Jan 2009 10:30:53.0702 (UTC) FILETIME=[01A74A60:01C97A21]
X-pn-pstn: Spam 1
X-PN-Virus-Filtered: by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v4.00)
Subject: Rate Alert: Clear Christmas debts; best credit cards; make money from your old mobile & 2 for 1 at Bella Italia
       
4 REPLIES
Community Gaffer
Community Gaffer
Posts: 12,809
Thanks: 636
Fixes: 62
Registered: 04-04-2007

Re: My first ironport false positive

The senderbase score is neutral for this IP (91.102.184.210) so my guess would be that it's the content IronPort doesn't like. It hasn't been sent to a catch-all address has it? If it has then the whitelisting won't work.
I was discussing the reporting of false positives/negatives with a few people the other day and we came to the conclusion that we're going to look at forwarding email sent to our spam training addresses to the IronPort spam training addresses referenced here. If you're interested in downloading a copy of the Outlook plugin that's mentioned on that page then you shouldn't have too many difficulties finding a copy with a bit of Googling.

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

cjags
Grafter
Posts: 390
Thanks: 3
Registered: 31-08-2007

Re: My first ironport false positive

The email was not sent to a catch all address so whitelisting should be OK for future emails.
I did wonder if reporting the email as NOT SPAM would reach the Ironport trainer.
All my spam ends up in a junk email account which I access via plusnet webmail.
Guess I can just 'forward as attachment' from there to the ironport trainer?
ChrisL
Grafter
Posts: 733
Thanks: 2
Registered: 13-12-2007

Re: My first ironport false positive

And Outlook Express has a menu option to 'Forward as Attachment' -- just select the message and right-click for the menu. Easy.
Bob, are you saying these forwarding addresses are available to us now?  (Academic question since I've never had a falsie from Ironport!)
Chris
Community Gaffer
Community Gaffer
Posts: 12,809
Thanks: 636
Fixes: 62
Registered: 04-04-2007

Re: My first ironport false positive

Quote from: ChrisL
Bob, are you saying these forwarding addresses are available to us now?  (Academic question since I've never had a falsie from Ironport!)

Sort of Wink
If you forward to the IronPort address directly then yes. If you forward to our training addresses then partially. It's reliant on this work and only half of it has been done.
If your forwarded message hits one of the inmx servers then it is sent onto IronPort automatically.

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵