Spam message has passed through F-Secure Messaging Security Gateway (MSG) to a recipient

Issue:

Recipients receive spam messages. Why did F-Secure Messaging Security Gateway (MSG) not block these spam messages?

Resolution:

If recipients receive spam messages, one of the following root causes may apply:

1. Low spam score (False Negative)
Check spam scores from message headers. Look for "X-Proofpoint" headers and check the scores.

Example:
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-03-08_12:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=39 malwarescore=0
 phishscore=0 bulkscore=12 spamscore=0 mlxscore=0 mlxlogscore=518
 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.0.1-1711220000 definitions=main-1803080233

If you encounter messages that should have been classified as spam, you can report them through a support ticket. You can either save the message and attach the eml or msg file to the ticket or, if the message has been caught in MSG (for example, in an audit quarantine), report it from the relevant quarantine folder.

After you report the false positive or false negative from the F-Secure Messaging Security Gateway (MSG) management portal, a message appears at the very top of the main MSG screen with the reference ID that you need to provide in the support ticket.

2. Safe listed
This needs to be investigated more closely through the MSG Web UI.

  1. Get the Session ID, or SID, for the message by looking it up in Smart Search (System->Smart Search->Search; expand the message details by clicking the + sign to the left of the timestamp).
  2. Search the filter log for that message SID to find out more about the filtering done on the message (Logs and Reports->Log Viewer). If you don't find any results, make sure the Log File Type is set to Filter.
     Note: You might also need to switch between servers using the Server drop-down menu, or check the box labelled Include Old Log Files.

In the example below, the spam score is modified (set to zero) because the sender address is in the organizational or personal safe list of the recipient.

Filter log:

[2018-03-06 18:43:55.695094 +0100] rprt s=2gfjcgns0q m=1 x=2gfjcgns0q-1 mod=access cmd=run rule=spamsafe duration=0.000
[2018-03-06 18:43:55.695113 +0100] rprt s=2gfjcgns0q m=1 x=2gfjcgns0q-1 mod=session cmd=judge module=access rule=spamsafe
[2018-03-06 18:43:55.695348 +0100] rprt s=2gfjcgns0q m=1 x=2gfjcgns0q-1 mod=session cmd=dispose module=access rule=spamsafe action=execute value="svar('SpamScore', 0)"

To check organizational safe lists, navigate to Email Protection->Spam Detection->Settings->Organizational Safe List in the MSG Web UI.

To check the personal safe list of the recipient, navigate to System->User Management->Users, locate the recipient and click on them to open the details. You will find the personal safe list under the Filtering tab in the popup window.
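
The two checks above can be scripted once the message has been saved as an eml file and the filter log lines have been copied out of Log Viewer as text. The following is an added example, not part of the original article or an F-Secure tool; the function names are hypothetical, and the sample data is constructed by pairing the article's header example with its separate filter log example.

```python
import re
from email import message_from_string

# Constructed sample: the header and log lines are the article's two separate
# examples, paired here only so the script has something to run on.
RAW_MESSAGE = (
    "X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=39 malwarescore=0\n"
    " phishscore=0 bulkscore=12 spamscore=0 mlxscore=0 mlxlogscore=518\n"
    " adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1\n"
    " engine=8.0.1-1711220000 definitions=main-1803080233\n"
    "\n"
    "body\n"
)
FILTER_LOG = (
    "[2018-03-06 18:43:55.695094 +0100] rprt s=2gfjcgns0q m=1 x=2gfjcgns0q-1 mod=access cmd=run rule=spamsafe duration=0.000\n"
    "[2018-03-06 18:43:55.695113 +0100] rprt s=2gfjcgns0q m=1 x=2gfjcgns0q-1 mod=session cmd=judge module=access rule=spamsafe\n"
    "[2018-03-06 18:43:55.695348 +0100] rprt s=2gfjcgns0q m=1 x=2gfjcgns0q-1 mod=session cmd=dispose module=access rule=spamsafe action=execute value=\"svar('SpamScore', 0)\"\n"
)

# key=value tokens; a value is either a double-quoted string or a run of non-spaces
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Return every key=value token in `text` as a dict, with quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(text)}

def spam_details(raw_message):
    """Parse the (possibly folded) X-Proofpoint-Spam-Details header into a dict."""
    msg = message_from_string(raw_message)
    return fields(msg.get("X-Proofpoint-Spam-Details", ""))

def safelist_actions(log_text, sid):
    """Actions executed for session `sid` by the spamsafe rule (cmd=dispose lines)."""
    rows = (fields(line) for line in log_text.splitlines())
    return [r.get("value", "") for r in rows
            if r.get("s") == sid and r.get("cmd") == "dispose" and r.get("rule") == "spamsafe"]

def triage(raw_message, log_text, sid):
    """Map a delivered spam message to one of the two root causes in this article."""
    actions = safelist_actions(log_text, sid)
    if actions:
        return "safe listed: " + actions[0]
    details = spam_details(raw_message)
    if details.get("rule") == "notspam":
        return "low spam score: spamscore=" + details.get("spamscore", "?")
    return "rule=" + details.get("rule", "unknown")

if __name__ == "__main__":
    print(triage(RAW_MESSAGE, FILTER_LOG, "2gfjcgns0q"))
```

A "safe listed" result points to the organizational or personal safe list checks above; a "low spam score" result is a candidate for a false negative report.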

Article no: 000003889
