Can I stop Cloudmark scanning messages that pass SPF (or lower the detection weighting)?
Thursday, February 07, 2013 5:14 PM
Environment: Exchange Server 2007 Standard SP3 (Server 2008 R2) with Forefront for Exchange 2010.
We have a problem that seems to apply to a number of messages, but was recently highlighted when dealing with a specific 3rd party. Messages from them would pass SPF checks and be delivered with an SCL of -1. After a few replies in a given thread, Cloudmark arbitrarily decides that the message is spam and scores it with an SCL of 9, resulting (by default) in an immediate deletion. I've had to quarantine SCL 5-9 to avoid us losing messages.
Now, I've submitted samples and whitelisted the sender domain, but I think the behaviour is very odd. What's the point in having a granular scoring system if the only scores it uses are 9 or -1? We get a ton of actual spam, and I'd prefer to be able to destroy the stuff that's an absolute certainty and stamp and forward the remaining stuff to allow it to at least reach user junk mail folders.
Can anyone tell me if there's a way to:
- Lower the SCL given to Cloudmark detections (or make it use the other SCLs when it's less certain)
- Bypass Cloudmark scanning for domains that actively pass SPF? (How much spam does anyone get that passes SPF checks?)
- Otherwise address this problem in a generalised way, to save me having to whitelist every domain we want to receive mail from?
For reference, I'm including the headers from a Cloudmark detected spam (Anonymised):
X-Receiver: Name.Surname@ourdomain.com
X-Sender: username@theirdomain.com
X-CreatedBy: MSExchange12
Received: from mail-ie0-f180.google.com (209.85.223.180) by
mail1.ourdomain.com (192.168.113.33) with Microsoft SMTP Server (TLS) id
8.3.279.5; Wed, 30 Jan 2013 14:40:51 +0000
Received: by mail-ie0-f180.google.com with SMTP id bn7so333180ieb.25
for <Name.Surname@ourdomain.com>; Wed, 30 Jan 2013 06:40:50 -0800
(PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=theirdomain.com; s=google;
h=mime-version:x-received:in-reply-to:references:date:message-id
:subject:from:to:content-type;
bh=DH9FQKNPSool35AkJT9XvbEiw/jaQIpk6f2DcpXPpm8=;
b=hRYkGmGqUji2aEj4IRn0cjP85iyoyClWiitDlPgG8uuSVstpAB1jx9rFVSBtBarmbU
pVdybGmrv/XC7pBgG6o5rNI0a7mgu6QNIhL8rKCRsu59mjYLdUMui4b2bKTbJbrkcBQW
TsqmUn4ISq84ZbV0qDMs1/i/xUQoOKtzzeosU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20120113;
h=mime-version:x-received:in-reply-to:references:date:message-id
:subject:from:to:content-type:x-gm-message-state;
bh=DH9FQKNPSool35AkJT9XvbEiw/jaQIpk6f2DcpXPpm8=;
b=JDvSYiej6mYf4lzrLd3qUVa2dhOm+4vi5vQp685TFavJEzTWw62X6jX9oyXKJn3LP9
iz9sXjHshLNeNHS7dyQ+BgYksA3JNJw+o4lN8n0nwo14kWnXWR4mvekIH3lW4Qtj1cLZ
tqj6TO3FPfR7F8y+NHqbauhco3XjWb2kBerICfQz8dchyrf7yUO8TqCi+FZ4Dx6ekayW
GmM1n9xzBmYoBGLo9dUSGydiJgvNo/5s0ZU/0lBwCO0eq2VL37sHvq7ua9+bXraXeOQj
Rk+p4SwFuEO+nPoTXCfP8TqYgSN62NGLEWh3COgx7vOnf196yTZs3W8/bwAzNunFxdXu
FfFQ==
MIME-Version: 1.0
X-Received: by 10.50.181.138 with SMTP id dw10mr3871379igc.55.1359556849873;
Wed, 30 Jan 2013 06:40:49 -0800 (PST)
Received: by 10.50.83.104 with HTTP; Wed, 30 Jan 2013 06:40:49 -0800 (PST)
In-Reply-To: <CAOG6zs2dOoprKjZNkobtU4K-DYLsPUyuLZrbABumUrmmcDSkqQ@mail.gmail.com>
References: <CAAgWZWHA41edM9EQD7X-1p4YbeZdvwLVc6_=tkZd6nxiaGFidQ@mail.gmail.com>
<1CE1BECC0915A6448EAE5D7080EDA9050441EC0C73@exchange.internal.domain>
<CAAgWZWH6o45VzzH91Ymd1HLUYiMBDFXms0JjwZj9mp_X-GYmfA@mail.gmail.com>
<1CE1BECC0915A6448EAE5D7080EDA9050441FCB2AD@exchange.internal.domain>
<CAAgWZWGdkzb=BHm_tQ2yswK_TrMyKYaHuWpvD5Pj6u6UiH0rUQ@mail.gmail.com>
<1CE1BECC0915A6448EAE5D7080EDA9050441FCB2B0@exchange.internal.domain>
<CAAgWZWGXpe6=cbePKwwLPrrMvM7Qr2cQruY=w=A=31FJcYgD0Q@mail.gmail.com>
<1CE1BECC0915A6448EAE5D7080EDA905044257730E@exchange.internal.domain>
<CAAgWZWGJSP3C+s96TVu=Fjmed5bLgSC5ztz80SmHrU78HJjCQw@mail.gmail.com>
<1CE1BECC0915A6448EAE5D7080EDA90504426472ED@exchange.internal.domain>
<1CE1BECC0915A6448EAE5D7080EDA905044264733B@exchange.internal.domain>
<CAAgWZWH+nu0shNZ257mQ8_fBGwnnPacJoAxyxUYkfaV-5tPsSQ@mail.gmail.com>
<1CE1BECC0915A6448EAE5D7080EDA90504426473E4@exchange.internal.domain>
<CAAgWZWGNYSNkNDVx+Xg6aGJNKBgK2YfE_ZRTrpVSeU6KGmcbzg@mail.gmail.com>
<1CE1BECC0915A6448EAE5D7080EDA90504426C7560@exchange.internal.domain>
<CAAgWZWF=k-nz9BHC=MZ8a2KgekD=ZVwTgVRsuN=MnX_pD7K8pA@mail.gmail.com>
<1CE1BECC0915A6448EAE5D7080EDA905051FE7E212@exchange>
<CAOG6zs0LL=mbiu-iAcvzF1YjjZ61SNAxrRVT9M21HLz=pBNxrA@mail.gmail.com>
<1CE1BECC0915A6448EAE5D7080EDA90505202E6BFE@exchange>
<1CE1BECC0915A6448EAE5D7080EDA90505202E6C35@exchange>
<CAOG6zs2dOoprKjZNkobtU4K-DYLsPUyuLZrbABumUrmmcDSkqQ@mail.gmail.com>
Date: Wed, 30 Jan 2013 14:40:49 +0000
Subject: Re: xxx
From: xxx <username@theirdomain.com>
To: xxx <user2@theirdomain.com>, xxx
<Name.Surname@ourdomain.com>, xxx
<xxx@ourdomain.com>, <xxx@ourdomain.com>, xxx <xxx@theirdomain.com>
Content-Type: multipart/related; boundary="14dae934037116b2c304d4827f07"
X-Gm-Message-State: ALoCoQlvv/79pz9DjGx9bGp0sgTRpE4N0UxQscagf5bujp5wGoL/77+jgZj2Kt4zuj75fQhI80J9
Return-Path: username@theirdomain.com
X-MS-Exchange-Organization-OriginalArrivalTime: 30 Jan 2013 14:40:51.2208
(UTC)
X-MS-Exchange-Organization-AuthSource: exchange.internal.domain
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: theirdomain.com
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (exchange.internal.domain: domain of xxx@theirdomain.com designates
209.85.223.180 as permitted sender) receiver=exchange.internal.domain;
client-ip=209.85.223.180; helo=mail-ie0-f180.google.com;
X-MS-Exchange-Organization-SCL: 9
X-MS-Exchange-Organization-Antispam-Report: v=1.1
cv=A8FCQJtbfM320kNZIx0lNW3zpIlgGt1Av0FnOtsoaxY= c=0 sm=1 p=zU-4cM12AAAA:8
a=uqZ8QTIxKaUA:10 a=dOnoqYrCn27l/2q2rXz4xw==:117;OrigIP:209.85.223.180;SCL:9
X-MS-Exchange-Forefront-Filters:
And then the headers of another message from the same sender, which didn't hit Cloudmark:
Received: from mail-ia0-f172.google.com (209.85.210.172) by
mail1.ourdomain.com (192.168.x.x) with Microsoft SMTP Server (TLS) id
8.3.279.5; Thu, 31 Jan 2013 14:47:49 +0000
Received: by mail-ia0-f172.google.com with SMTP id u8so3992575iag.3 for
<xxx@ourdomain.com>; Thu, 31 Jan 2013 06:47:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=theirdomain.com; s=google;
h=mime-version:x-received:in-reply-to:references:date:message-id
:subject:from:to:content-type;
bh=+aNgdLl+DMAxRIfEQHwvUx93+hvWPsvuW8fWrAlNjX0=;
b=bKVKUlnisx9JsQ1yXwn0kg0pxk+RYGoipk3PPRsbs/49uEGhpe7EdD6ORxFpcHxwfJ
hfy/g5pH6gjOpWaWh7OkWYaVfkG3zp7bthFFGUNq4kqcnhY595z8RCXP44PCKuUOE0J+
VIJIYHyOoGDMszlyPzbcZ/DOBRbGP6L1G5FT0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=20120113;
h=mime-version:x-received:in-reply-to:references:date:message-id
:subject:from:to:content-type:x-gm-message-state;
bh=+aNgdLl+DMAxRIfEQHwvUx93+hvWPsvuW8fWrAlNjX0=;
b=l/9RyizWXLd39SoM3LN/s7+wVRpi7oGLjpzcOMaxkyIO7p7la1hEJXxefV/fYEh4RY
+tM6x98uDyhAfrV1n0CWLPxcDWb/08sFl/l3BVSRqkTOM6k59dSyDd+pHwt6+6KGOUvx
VE7LV17qBoT/zhN0jldg/X3wUZL5AxEuFzyEUlLa8nuxrFKu7Bieiuz5XJrMUF3kmHiB
GWwcQkElIj20KqZ3zLmSNrhZnSLiWf88xNYNWU7WuAOYx0NpkltGCyY0VlG0ERUx1Lcb
q57k8BoLlLuOmHmmZMy8Gcqq4EV+xGTSuvCsKwEd/hRbHtBg/dXDNM0VnVqhBCauOt3x
C1gQ==
MIME-Version: 1.0
X-Received: by 10.50.181.138 with SMTP id dw10mr1342060igc.55.1359643668013;
Thu, 31 Jan 2013 06:47:48 -0800 (PST)
Received: by 10.50.83.104 with HTTP; Thu, 31 Jan 2013 06:47:47 -0800 (PST)
In-Reply-To: <1CE1BECC0915A6448EAE5D7080EDA90505203FFE4C@exchange>
References: <1CE1BECC0915A6448EAE5D7080EDA90505203FFE4C@exchange>
Date: Thu, 31 Jan 2013 14:47:47 +0000
Message-ID: <CAAgWZWHDTsxiZJ010ynwray+n2AZSR2T2xgax-zwfkeedc8JWw@mail.gmail.com>
Subject: Re: Test email
From: username <username@theirdomain.com>
To: xxx <xxx@ourdomain.com>
Content-Type: multipart/alternative; boundary="14dae9340371da621404d496b5ae"
X-Gm-Message-State: ALoCoQlXNOUtrZupkJ2EF2rB0Ten4RjHjgkH7YUbDiwnWtqeplyFbqA8dvaEDgSfviVGxNLgWvNb
Return-Path: username@theirdomain.com
X-MS-Exchange-Organization-PRD: theirdomain.com
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (exchange.internal.domain: domain of username@theirdomain.com designates
209.85.210.172 as permitted sender) receiver=exchange.internal.domain;
client-ip=209.85.210.172; helo=mail-ia0-f172.google.com;
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-Antispam-Report: v=1.1
cv=A8FCQJtbfM320kNZIx0lNW3zpIlgGt1Av0FnOtsoaxY= c=1 sm=1 a=uqZ8QTIxKaUA:10
a=VzS_oTH0AAAA:8 a=AAS33iIXpJr4hvhPEYcA:9 a=pILNOxqGKmIA:10
a=7WByD-WJInsA:10 a=zoFHQW0wrx_a7dmp:21 a=6Ly2ADodRVYmKpDf:21
a=A-Ay9Xv3AAAA:8 a=ZnMBcekgAnvehBjgQJUA:9 a=tXsnliwV7b4A:10
a=5lbBPRrtekzUz0de:21
a=kdGfU+lv7xr5jxdcg3m1Bw==:117;OrigIP:209.85.210.172;SCL:-1
All Replies
Thursday, February 07, 2013 8:49 PM
Hi,
- Lower the SCL given to Cloudmark detections (or make it use the other SCLs when it's less certain)
- Bypass Cloudmark scanning for domains that actively pass SPF? (How much spam does anyone get that passes SPF checks?)
- Otherwise address this problem in a generalised way, to save me having to whitelist every domain we want to receive mail from?
This is not possible because the SCL is given by Cloudmark. FPE isn't involved in calculating the SCL value; it only receives the results from Cloudmark. Bypassing Cloudmark for domains that pass the SPF check is also not possible because you can't configure this in FPE.
There is no other way other than to submit samples to Cloudmark so they can adjust their filters. You can only put the sender domain into a whitelist until Cloudmark has fixed the issue.
Greetings
Christian
Christian Groebner MVP Forefront
- Marked As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Thursday, February 14, 2013 3:24 AM
Thursday, February 14, 2013 10:03 AM
Hi Christian,
Thanks for the response. What you've said is precisely my issue. Cloudmark only ever seems to give an SCL of 9 to everything it decides might be spam. I could understand something in a mail thread tipping a message over the 4/5 threshold, but for an SPF-checked message to suddenly leap from -1 to 9 seems senseless.
Is this expected behaviour for Cloudmark, or does this suggest I have a configuration problem? (There doesn't appear to be any level of control of Cloudmark's behaviour through Forefront, so I'm not sure what I could have configured incorrectly)
Thanks,
Terry.
Thursday, February 14, 2013 11:01 AM
Hi,
You can't configure Cloudmark in FPE because it's an online service. You can only configure which SCL values are rejected or quarantined.
The only way is to submit samples and/or to generate whitelists.
Greetings
Christian
Christian Groebner MVP Forefront
Friday, February 15, 2013 10:32 AM
Thanks, Christian.
If I could trouble you with one final question: since Cloudmark applies the SCL header itself before the message reaches the rest of FPE, would you say it was normal for it to only ever set an SCL of 9 on messages it decides are spam, or should I be seeing a spread of scores in my quarantined messages?
Thanks,
Terry.
Friday, February 15, 2013 2:33 PM
Hi,
Cloudmark uses the SCL values from 5 to 9 to mark messages; all other values are marked as 0 or -1.
http://technet.microsoft.com/en-us/library/dd639396.aspx
It depends on how you set the SCL values for possible spam that should be quarantined. E.g. if the setting is 5-8, then you should see values from 5 to 8 in your quarantine, because the SCL value of 9 is rejected.
I've never really had a look at the scl values in my quarantine :-)
Greetings
Christian
Christian Groebner MVP Forefront
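The two header blocks quoted in the original post and Christian's description of the scoring scale (Cloudmark marks with 5 to 9, everything else is 0 or -1; 9 is rejected by default while the poster quarantines 5-9) can be checked mechanically. The Python script below is an added example, not code from the thread, from Microsoft or from Cloudmark: it parses a header block, reads the SPF and Sender ID results next to the Cloudmark SCL, maps the SCL to the action a given threshold policy would take, and flags the exact pattern the thread describes, an authenticated sender scored as certain spam. The header samples are constructed, abbreviated copies of the anonymised headers in the post (folding restored, signatures and Gmail headers dropped); the threshold defaults, the action names and the flag names are assumptions taken from the replies, not Forefront settings.

```python
"""Header triage for the Exchange/Forefront case in the thread: read the SPF and
Sender ID results next to the Cloudmark SCL, map the SCL to the action a threshold
policy would take, and flag messages worth a defender's review. Added example."""
import re
from email import message_from_string

# Constructed samples modelled on the anonymised headers posted in the thread
# (folding restored; Received lines, DKIM signature bodies and Gmail headers dropped).
SAMPLE_SCL9 = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=theirdomain.com; s=google;
X-MS-Exchange-Organization-PRD: theirdomain.com
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (exchange.internal.domain: domain of xxx@theirdomain.com
 designates 209.85.223.180 as permitted sender)
 receiver=exchange.internal.domain; client-ip=209.85.223.180;
 helo=mail-ie0-f180.google.com;
X-MS-Exchange-Organization-SCL: 9
X-MS-Exchange-Organization-Antispam-Report: v=1.1
 cv=A8FCQJtbfM320kNZIx0lNW3zpIlgGt1Av0FnOtsoaxY= c=0 sm=1 p=zU-4cM12AAAA:8
 a=uqZ8QTIxKaUA:10 a=dOnoqYrCn27l/2q2rXz4xw==:117;OrigIP:209.85.223.180;SCL:9

"""
SAMPLE_SCL_MINUS1 = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=theirdomain.com; s=google;
X-MS-Exchange-Organization-PRD: theirdomain.com
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (exchange.internal.domain: domain of username@theirdomain.com
 designates 209.85.210.172 as permitted sender)
 receiver=exchange.internal.domain; client-ip=209.85.210.172;
 helo=mail-ia0-f172.google.com;
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-Antispam-Report: v=1.1
 cv=A8FCQJtbfM320kNZIx0lNW3zpIlgGt1Av0FnOtsoaxY= c=1 sm=1 a=uqZ8QTIxKaUA:10
 a=kdGfU+lv7xr5jxdcg3m1Bw==:117;OrigIP:209.85.210.172;SCL:-1

"""

def _header(msg, name):
    """Header value with RFC 5322 folding collapsed to single spaces ('' if absent)."""
    value = msg.get(name)
    return " ".join(value.split()) if value else ""

def parse_headers(raw):
    """Pull the authentication and scoring fields out of a raw header block."""
    msg = message_from_string(raw)
    spf = _header(msg, "Received-SPF")
    report = _header(msg, "X-MS-Exchange-Organization-Antispam-Report")
    scl = _header(msg, "X-MS-Exchange-Organization-SCL")
    ip = re.search(r"client-ip=([\d.]+)", spf)
    report_scl = re.search(r"SCL:(-?\d+)", report)  # trailing ';SCL:n' token
    dkim_d = re.search(r"\bd=([^;\s]+)", _header(msg, "DKIM-Signature"))
    return {
        "spf_result": spf.split()[0] if spf else "none",  # first token: Pass/Fail/...
        "sender_id": _header(msg, "X-MS-Exchange-Organization-SenderIdResult") or "none",
        "prd": _header(msg, "X-MS-Exchange-Organization-PRD"),
        "client_ip": ip.group(1) if ip else None,
        "dkim_domain": dkim_d.group(1) if dkim_d else None,
        "scl": int(scl) if scl else None,
        "report_scl": int(report_scl.group(1)) if report_scl else None,
    }

def scl_action(scl, reject_at=9, quarantine_from=5):
    """Map an SCL to the content-filter action (assumed names). Defaults follow the
    thread: SCL 9 is deleted out of the box and 5-8 lands in quarantine;
    reject_at=None reproduces the poster's workaround of quarantining 5-9."""
    if scl is None or scl < quarantine_from:
        return "deliver"
    if reject_at is not None and scl >= reject_at:
        return "delete"
    return "quarantine"

def review_flags(info):
    """Checks that single out the false-positive pattern described in the thread."""
    flags = []
    if info["spf_result"].lower() == "pass" and (info["scl"] or 0) >= 5:
        flags.append("spf-pass-high-scl")  # authenticated sender scored as spam
    if info["report_scl"] is not None and info["report_scl"] != info["scl"]:
        flags.append("scl-header-mismatch")  # report token and SCL header disagree
    if info["dkim_domain"] and info["prd"] and info["dkim_domain"].lower() != info["prd"].lower():
        flags.append("dkim-prd-mismatch")  # signing domain differs from the PRD
    return flags

def triage(raw, reject_at=9, quarantine_from=5):
    """Parse one header block and return its fields, policy action and review flags."""
    info = parse_headers(raw)
    info["action"] = scl_action(info["scl"], reject_at, quarantine_from)
    info["flags"] = review_flags(info)
    return info

if __name__ == "__main__":
    for label, raw in (("SCL 9", SAMPLE_SCL9), ("SCL -1", SAMPLE_SCL_MINUS1)):
        default, workaround = triage(raw), triage(raw, reject_at=None)
        print(f"{label}: SPF={default['spf_result']} SCL={default['scl']} "
              f"default={default['action']} quarantine-5-9={workaround['action']} "
              f"flags={default['flags']}")
```

Run against a directory of quarantined messages, the `spf-pass-high-scl` flag gives the list of senders worth whitelisting or submitting to Cloudmark as samples, and the `scl_action` mapping shows why the poster's quarantine-5-9 setting keeps the SCL 9 message while the default deletes it.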