Getting more spam since switch from SpamCure to Cloudmark
- Don't know if just coincidence, but ever since I switched from SpamCure to Cloudmark spam engine in Antigen, my personal mailbox is getting much much more spam (not being caught by Antigen on the server, being delivered to Junk folder in Outlook 2007). I haven't heard many complaints from users, and Cloudmark is catching a lot of spam, and I'm also using sbl.xbl.spamhaus.org for my RBL. But just wondering if anyone else experienced that, or if there is anything I should look into to make sure Cloudmark is working as best as possible? I do forward all spam not caught to forefront-spam@submit.cloudmark.com.
Thanks.
All Replies
- Hi,
Do you see in the incidents or quarantine any emails filtered by the Cloudmark engine?
I could imagine that your server doesn't have access to the cloudmark servers.
See http://support.microsoft.com/kb/972173/en-us
Greetings
Christian
Christian Groebner MVP Forefront
- Yes, Cloudmark is filtering about 8 to 10 spam emails a minute. SpamCure was doing maybe a little more, but that difference could be many things.
I believe my server has access to cloudmark servers. Those ports are open. Is there a good way to verify? Can I check file date and time on certain files or something?
- Also, most if not all email in my Outlook 2007 Junk E-mail folder say "This message was marked as spam using a junk filter other than the Outlook Junk E-mail filter." So is it possible cloudmark is seeing it as spam, but delivering anyway? Is there some setting in Antigen I need to change to stop it from getting to my mailbox at all (even the Junk folder)? Those spams are not in the filtered list in Antigen, and there are others in the filter list that are not getting delivered to my mailbox.
- I have "Enable SCL Rating" checked in General Options in Antigen Administrator. Could that be causing some spam detected to get delivered to my mailbox anyway?
- Hi,
What action do you have for the Cloudmark engine? If you set it to "Identify: tag objects", the emails will be delivered with the modified subject. When you set it to "Purge: eliminate message", the message will be deleted. Optionally you can put the email into quarantine.
Greetings
Christian
Christian Groebner MVP Forefront
- Set to "Purge: eliminate message." Also, "Quarantine" is checked. And that seems to be working correctly. Cloudmark is filtering about 45 spam emails a day for this one mailbox. But about 10 spam emails are ending up in the Outlook 2007 Junk folder with the "This message was marked as spam using a junk filter other than the Outlook Junk E-mail filter" message. Those emails are not listed in the filtered list. Never had that many when using SpamCure, and never noticed that message on any email before using Cloudmark. I am also using IMF built into Exchange 2003 SP2.
- Hi,
Is Antigen installed on the Exchange or do you have an SMTP gateway? I could imagine that Cloudmark isn't really detecting these emails as spam and IMF does. That's why they are moved into junk mail.
Greetings
Christian
Christian Groebner MVP Forefront
- Antigen is installed on Exchange. So when an email in my Junk mail folder says "This message was marked as spam using a junk filter other than the Outlook Junk E-mail filter," that means IMF detected it as spam, Cloudmark did not think it was spam, Cloudmark let it through to my mailbox, and IMF moved it to my Junk E-mail folder? So why isn't Cloudmark seeing them as spam? They are pretty obvious spam emails, ones SpamCure would detect as spam.
This started about 4 weeks ago, and I forward all these spams to forefront-spam@submit.cloudmark.com but am continuing to see the same type spams show up in Junk folder. I want them caught by Cloudmark and purged/quarantined.
- Hi,
As long as these emails aren't detected by Cloudmark as spam, you can solve this by creating a filter list that contains special words out of these emails. Configure keyword filtering with this list to purge emails containing the keywords in the list.
I think that's the only way to do it until cloudmark will detect these emails as spam.
Greetings
Christian
Christian Groebner MVP Forefront
- Hmmm, not exactly the answer I was hoping for. Any way to go back to SpamCure? I wonder how others are faring with Cloudmark.
- Ryan,
I would like to also suggest that we dig deeper into the concern and determine if updates are successfully being accomplished or if there is another inherent concern. Can I suggest that you open a CSS Security Support Case to move your concerns forward?
http://support.microsoft.com/ph/11194
Select on the right hand side: Get Help Now
Thank you,
Thomas Roughley
Escalation Manager - CSS Security
Microsoft Corporation
Email: throughl@microsoft.com
Office Phone: 1 (631) 630-8523
Mobile Phone: 1 (631) 816-8523
troughl@microsoft.com
- Trying to open support case now, though it's telling me my Software Assurance Access ID is not active, even though under Status on my Benefits Admin page it says.... Active. But I guess that's a different issue I need to work out.
Any way to tell if Cloudmark is getting updated? Can I look at file dates in the Engines folder on my server or anything?
- Hi,
Can you please give feedback about the result of this case? I'm very interested in this :-)
In comparison to other engines, the Cloudmark engine doesn't download any kind of signatures; the emails are validated against fingerprints online. That's why I was asking if the server could access the Cloudmark servers via HTTP and HTTPS. With the scheduled update of Forefront only the engine gets updates. These files you will find in the data directory of your installation under the according directory of the engine.
Greetings
Christian
Christian Groebner MVP Forefront
- Well, as of right now the status is they are trying to determine why I can't submit a case via the web even though I have unlimited web support for Forefront for another year still.
Until something happens, I continue to get bombarded with emails about Viagra, buying watches online, and getting the degree I deserve! These are all emails Cloudmark is letting through!!! I know that because I can see it catching other emails.
- Hi,
I've just had contact with an SE and he answered me the following:
--------------------
They can look in this folder and see if has updated within the past few minutes:
%install path%\engines\x86\cloudmark\bin\data\micro_updates
If not, then they can test the connection using the steps below, the connection may be blocked by their firewall/proxy.
(http://technet.microsoft.com/en-us/library/bb914015.aspx)
Configuring Cloudmark updates
In the Antigen Administrator, click SETTINGS, and then click Scanner Updates. Use the Scanner Update Settings pane to schedule updates for the Cloudmark engine. It is also recommended that you click the Update Now button before scanning, and that you disable SpamCure engine updates. Additionally, after disabling SpamCure engine updates, you should delete the following entry from Scheduled Tasks (accessible from Control Panel): Antigen-SpamCure OnLoad
Cloudmark distributes signature updates directly to the Antigen server. This differs from the other scan engines, which receive updates directly from Microsoft. Cloudmark signature updates are not configurable in the Antigen Administrator.
Note:
An engine update refers to updating to a new version of a scan engine (which replaces the old version), whereas a signature update refers to new signatures being added to an existing scan engine.
The Cloudmark engine utilizes HTTPS (port 443) to verify the user license while signatures are updated via HTTP (port 80). This requires that the Antigen server has the ability to connect to the Internet and that both port 80 and port 443 are open on any firewall through which the Antigen server connects. Administrators can verify the connection to the Cloudmark servers by running the following commands on the Antigen server:
- telnet cdn-microupdates.cloudmark.com 80
- telnet lvc.cloudmark.com 443
If you are not connecting to the required ports, you must configure your firewall to allow these connections.
Note:
Cloudmark uses the FSEContentScanner.exe process to receive signature updates. This uses approximately 80 MB initially, after which it uses an average of between 80 MB to 150 MB per 24-hour period, so that only a small amount of bandwidth is used every minute.
Caution:
The Cloudmark anti-spam signature updates may fail when passing through a proxy server if NTLM Authentication is enabled. As a workaround, configure the proxy server to allow the Antigen server through anonymously.
---------------
Thanks Faron for your help :-)
Greetings
Christian
Christian Groebner MVP Forefront
- Yes, I had already been through all that. And yes, files in that folder are getting updated, some within the past few minutes.
I'm getting about 10 spams a day, all in Junk E-mail folder of Outlook 2007. They all say they were marked as spam using a junk filter other than Outlook Junk E-mail filter. Which tells me it's IMF detecting those as spam. I have IMF set to anything rated 4 or higher to go to Junk folder, anything 9 or higher delete. So those ones IMF is ranking 4-8, cloudmark then scans, determines to be not spam, and they end up in my Junk E-mail folder. These are pretty obvious spam emails. Cloudmark is correctly detecting about 50 spams a day to this mailbox.
And the status of my support case is they are trying to determine why I can't submit a support case via the web using my SA ID.
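The two checks quoted earlier in the thread (a recently written file under micro_updates, and reachability of the Cloudmark hosts on ports 80 and 443) can be run together as one script on the Antigen server. This is an added example, not part of the thread or of Microsoft's documentation; the install path placeholder and the 15-minute freshness threshold are assumptions.

```powershell
# Added example: Cloudmark update health check for an Antigen server.
param(
    [string]$InstallPath = 'C:\PLACEHOLDER\Antigen',  # assumption: set to your install path
    [int]$MaxAgeMinutes = 15                          # assumption: stands in for "past few minutes"
)

# Age in minutes of the most recently written file under $Folder, or $null if none.
function Get-NewestFileAgeMinutes {
    param([string]$Folder)
    if (-not (Test-Path -LiteralPath $Folder)) { return $null }
    $newest = Get-ChildItem -LiteralPath $Folder -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($null -eq $newest) { return $null }
    return [math]::Round(((Get-Date) - $newest.LastWriteTime).TotalMinutes, 1)
}

# Same question the telnet commands answer: can a TCP connection be opened?
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws on refusal or DNS failure
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$updates = Join-Path $InstallPath 'engines\x86\cloudmark\bin\data\micro_updates'
$age = Get-NewestFileAgeMinutes $updates
if ($null -eq $age) {
    "FAIL  no files under $updates"
} elseif ($age -gt $MaxAgeMinutes) {
    "WARN  newest micro-update is $age min old"
} else {
    "OK    newest micro-update is $age min old"
}

# Hosts and ports exactly as given in the quoted documentation.
$endpoints = @(
    @{ Name = 'cdn-microupdates.cloudmark.com'; Port = 80;  Use = 'signature updates' },
    @{ Name = 'lvc.cloudmark.com';              Port = 443; Use = 'license check' }
)
foreach ($e in $endpoints) {
    $state = if (Test-TcpPort $e.Name $e.Port) { 'OK  ' } else { 'FAIL' }
    "$state  $($e.Name):$($e.Port) ($($e.Use))"
}
```

A direct TCP test does not exercise a proxy, so where the server goes out through one (see the NTLM caution quoted earlier), the folder age is the more reliable signal. Passing both checks confirms only that updates are arriving, not that a given message will be detected.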
- Got about 40 spams delivered to my mailbox over the weekend. Cloudmark caught about 200. So Cloudmark is catching about 80% of spam sent to my org. Pretty poor performance.

