The new Kerio anti-spam system generating many false positives (what is the best practice in this situation?)
  •  
lodewijk

Let me start by saying we are very happy with the new Bitdefender anti-spam system Kerio recently launched. We use it on about 10 Kerio Connect servers now and it's working very well!

Except for one server :)

Many good emails get tagged as spam, and I'm not sure what the best course of action is when this happens...
(For now I lowered the Kerio Anti-spam configuration setting "Contribution to spam rating" to "Moderate", down from "Normal".)


Here are some of the headers of the good emails being moved to the spam folder:

X-Spam-Flag: YES
X-Spam-Status: Yes, hits=6.9 required=5.0 tests=KERIO_ANTI_SPAM: 6.667, HTML_FONT_LOW_CONTRAST: 0.227, HTML_MESSAGE: 0.001, T_REMOTE_IMAGE: 0.01, TOTAL_SCORE: 6.905,autolearn=disabled
References: <CO2PR0501MB88830226D49238A1B58A5AA884A0@CO2PR0501MB888.namprd05.prod.outlook.com> <C91923E4-8A26-4DE9-8B43-E86FB191B27F@studiodoen.nl> <CO2PR0501MB888D40F3B78D002B932B606884E0@CO2PR0501MB888.namprd05.prod.outlook.com> <16B34ED5-3B43-44EA-9F48-BECAB3C623B5@studiodoen.nl> <SN2PR0501MB896A30E335FFB30CDDABD9D88400@SN2PR0501MB896.namprd05.prod.outlook.com> <CB94C57F-5282-4D46-8903-DDD3C3F5B67A@studiodoen.nl> <SN2PR0501MB8965983C4B7DC12A58791C288400@SN2PR0501MB896.namprd05.prod.outlook.com> <2AB3865B-441A-4690-8280-25DA73B147E2@studiodoen.nl> <CO2PR0501MB8880025BA313C74C2F6B40D88420@CO2PR0501MB888.namprd05.prod.outlook.com> <83C71E1B-ECF5-41C6-9A80-62B9455FDAAF@studiodoen.nl> <CO2PR0501MB8886DB08DE72A7D1B43D5D188420@CO2PR0501MB888.namprd05.prod.outlook.com> <SN1PR05MB2301CCF038A7CA2EBF30193293420<_at_>SN1PR05MB2301.namprd05.prod.outlook.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_971498E4-3839-4ADD-90E9-897A2CF40CA1"
X-Kerio-Anti-Spam: Build: [Engines: 2.15.7.1024, Stamp: 3], Multi: [Enabled, t: (0.000034,0.041069)], BW: [Enabled, t: (0.000007)], RTDA: [Enabled, t: (0.073482), Hit: Yes, Details: v2.4.0; Id: 2m1gj0t.1ajmnok4n.23m2p; ip(1)], total: 843(700)



X-Spam-Status: Yes, hits=7.1 required=5.0 tests=KERIO_ANTI_SPAM: 6.000, HTML_IMAGE_ONLY_16: 1.188, HTML_MESSAGE: 0.001, TOTAL_SCORE: 7.189,autolearn=disabled
X-Spam-Flag: YES
X-Kerio-Anti-Spam: Build: [Engines: 2.15.7.1024, Stamp: 3], Multi: [Enabled, t: (0.000008,0.003011)], BW: [Enabled, t: (0.000008)], RTDA: [Enabled, t: (0.099949), Hit: Yes, Details: v2.4.0; Id: 2m1gj30.1ajjro70g.bfcjm; 


X-Spam-Flag: YES
X-Spam-Status: Yes, hits=6.6 required=5.0 tests=KERIO_ANTI_SPAM: 6.667, HTML_MESSAGE: 0.001, TOTAL_SCORE: 6.668,autolearn=disabled
References: <D759CA8AD397FC41AAD931C08C6AD9DD29186651<_at_>C2F-MX-01.C2F.local>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4A26E41A-6AB2-4A75-887B-F5ABB62AFCD2"
X-Kerio-Anti-Spam: Build: [Engines: 2.15.7.1024, Stamp: 3], Multi: [Enabled, t: (0.000009,0.006148)], BW: [Enabled, t: (0.000007)], RTDA: [Enabled, t: (0.098512), Hit: Yes, Details: v2.4.0; Id: 2m1gj1c.1aj6jo3m9.gc5e2; ip(1)], total: 843(700)
  •  
Pavel Dobry (Kerio)

It is very hard to give a correct answer if we do not see the full email body and headers.

My guess (based on the information in this post) is that some IP address of the SMTP relaying servers is on an internal Bitdefender blacklist.

Knowledge Base: http://kb.kerio.com/.
Technical support: http://www.kerio.com/support
  •  
lodewijk

Here is a full header (I did x out a few details of the client).

And I guess, being an "internal" blacklist, there is no delisting option at Bitdefender, right?

What would be the best way to "white-list" these in Kerio? Add the sending IPs to the IP white-list?
Or make a custom rule and add the sending domain to not mark as spam?

X-Spam-Level: ******
X-Original-Subject: Re: Feedbackbestand PowerDeals
In-Reply-To: <D759CA8AD397FC41AAD931C08C6AD9DD29186651<_at_>C2F-MX-01.C2F.local>
Return-Path: <cees<_at_>xxx.xx>
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Message-Id: <D459F8BA-14CD-4FEE-9C58-D64528D4CF41<_at_>xxx.xx>
X-Mailer: Apple Mail (2.3112)
X-Footer: c3R1ZGlvZG9lbi5ubA==
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=6.6 required=5.0 tests=KERIO_ANTI_SPAM: 6.667, HTML_MESSAGE: 0.001, TOTAL_SCORE: 6.668,autolearn=disabled
References: <D759CA8AD397FC41AAD931C08C6AD9DD29186651<_at_>C2F-MX-01.C2F.local>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4A26E41A-6AB2-4A75-887B-F5ABB62AFCD2"
X-Kerio-Anti-Spam: Build: [Engines: 2.15.7.1024, Stamp: 3], Multi: [Enabled, t: (0.000009,0.006148)], BW: [Enabled, t: (0.000007)], RTDA: [Enabled, t: (0.098512), Hit: Yes, Details: v2.4.0; Id: 2m1gj1c.1aj6jo3m9.gc5e2; ip(1)], total: 843(700)
Received: from [192.168.3.78] ([87.213.53.42]) (authenticated user cees<_at_>xxx.xx) by mail.xxx.xx (Kerio Connect 9.0.4) with ESMTPSA (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256 bits)); Fri, 27 May 2016 13:25:00 +0200
**SPAM**  Re: Feedbackbestand PowerDeals
  •  
EdRoxter

I'm running BitDefender Anti-Spam for Unices on a setup together with Postfix, and I'm having the same issue.

The RTDA test is the BitDefender Cloud Scanner (something along the lines of "Real Time Data Analysis"), and whenever I turn it on, nearly all legitimate mails get flagged as spam by this filter. As soon as I turn it off, no false positives anymore, but quite a bunch of false negatives.

Range of false positives with cloud scanning enabled was from Cron e-mails from different servers to legitimate business mails and test mails sent from another server - even when I sent a test mail via GMX, one of Germany's biggest e-mail providers, it would get flagged as spam by BitDefender (but, as mentioned, only with cloud scanning enabled).

This is not good. On the other hand, without the cloud scanning, BitDefender is more or less equally as useful as SpamAssassin in terms of false negatives.

If I get any answer from BitDefender, I'll post it here!
  •  
EdRoxter

I contacted them about several e-mails under

http://www.bitdefender.com/support/contact-us.html?last_page=BusinessCategory

(Product: Kerio Antispam for Mail Servers)

I attached some of the mails including headers for examination. Their response was quick and helpful, and they adjusted their Cloud Rating systems according to the "Ham" mail I submitted.

I also lowered the filter's aggressivity, which may be equal to the "Contribution to spam rating: moderate" setting in Kerio Connect. And they appear to have made some general adjustments to their spam rating service recently.

So overall, everything works way better for me than it did a few weeks ago - no false positives anymore, and hundreds and thousands of correct positives. Can you confirm that for now?
  •  
lodewijk

At most of our installs it's working well... except for one client...
But after a few custom rules and setting the Bitdefender to "Moderate", all seems well...
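
The header reading done by hand in this thread can be scripted when triaging suspected false positives. The following is an added example, not part of any post above and not Kerio or Bitdefender code: it splits the `X-Spam-Status` test scores to show whether the `KERIO_ANTI_SPAM` contribution alone crosses the threshold, and checks the RTDA section of `X-Kerio-Anti-Spam` for `Hit: Yes`. The header layout is inferred only from the samples posted here, and the function names are hypothetical.

```python
import re

# Header values copied from the full-header post in this thread.
STATUS = ("Yes, hits=6.6 required=5.0 tests=KERIO_ANTI_SPAM: 6.667, "
          "HTML_MESSAGE: 0.001, TOTAL_SCORE: 6.668,autolearn=disabled")
ENGINE = ("Build: [Engines: 2.15.7.1024, Stamp: 3], "
          "Multi: [Enabled, t: (0.000009,0.006148)], BW: [Enabled, t: (0.000007)], "
          "RTDA: [Enabled, t: (0.098512), Hit: Yes, Details: v2.4.0; "
          "Id: 2m1gj1c.1aj6jo3m9.gc5e2; ip(1)], total: 843(700)")

NUM = r"-?\d+(?:\.\d+)?"

def parse_status(value):
    """Return (required threshold, {test name: score}) from X-Spam-Status."""
    m = re.search(r"required=(" + NUM + ")", value)
    if m is None or "tests=" not in value:
        raise ValueError("not a scored X-Spam-Status value")
    tests = value.split("tests=", 1)[1]
    pairs = re.findall(r"([A-Z0-9_]+):\s*(" + NUM + ")", tests)
    scores = {name: float(score) for name, score in pairs}
    scores.pop("TOTAL_SCORE", None)  # the sum, not an individual test
    return float(m.group(1)), scores

def rtda_hit(value):
    """True if the RTDA section of X-Kerio-Anti-Spam reports 'Hit: Yes'."""
    m = re.search(r"RTDA:\s*\[[^\]]*?Hit:\s*(\w+)", value)
    return bool(m) and m.group(1).lower() == "yes"

def triage(status, engine, engine_test="KERIO_ANTI_SPAM"):
    """Separate the anti-spam engine's contribution from the other tests."""
    required, scores = parse_status(status)
    engine_score = scores.get(engine_test, 0.0)
    rest = round(sum(v for k, v in scores.items() if k != engine_test), 3)
    return {
        "required": required,
        "engine_score": engine_score,
        "rest_score": rest,
        # Engine alone is enough to tag the message as spam.
        "engine_alone_flags": engine_score >= required,
        # Would the message still be tagged if the engine scored 0?
        "flagged_without_engine": rest >= required,
        "rtda_hit": rtda_hit(engine),
    }

if __name__ == "__main__":
    for key, val in triage(STATUS, ENGINE).items():
        print(f"{key}: {val}")
```

A result with `engine_alone_flags` true, `flagged_without_engine` false and `rtda_hit` true matches the pattern discussed in the thread: the content tests contribute almost nothing and the cloud lookup decides the verdict, which is the kind of message worth submitting to the vendor as ham.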
Current Time: Fri Dec 02 20:51:05 CET 2016