Mail Security 6.0 Premium Antispam is blocking valid emails to one particular user

Posted on 2011-04-27
Last Modified: 2016-10-15
Running a small network on Windows Server 2003 hosting email via Exchange 2003, and using Symantec Mail Security 6.0 with Premium Antispam and with all the latest updates.

No problems with email communications since this was set up in 2007.  But just since Monday one user is not receiving some specific external emails, and the people trying to email this person were getting bouncebacks with this data:
550 5.7.1 Requested action not taken: message refused
I have determined from the Mail Security Event Logs that at least some (hopefully all) affected emails are getting blocked by Mail Security's antispam filter.  But I can't figure out why that would be.  Some of the senders are people we've been in constant touch with for some time and some of their emails are going through to the affected user, and all emails seem to be going through to all other users.  There is nothing onerous in the blocked emails - no attachments, no suspect message titles or text.  A couple of the emails are from government domains.  Although it wouldn't even make sense I checked to make sure our domain is not blacklisted, and it is not.  Also, one of the emails was sent from a gmail account.  I have sent a multitude of test emails from another gmail account to see if I can replicate the issue without success.

Am looking for any help in further troubleshooting this issue.  Appreciate any and all input!
Question by:tcbrd

    Expert Comment

    Can you check that the PTR records for your Exchange server are configured properly on public DNS?
    Please check in>More>Reverse DNS lookup

    Author Comment

    Reverse DNS lookup on successfully returned our external IP address.  I went through the other tests and they all checked out except for which returned 'no records found'.  That doesn't seem right and I will double-check those records on the DNS server shortly.

    If it does turn out that incorrect DNS settings are causing this issue - why would it result in event logs in Mail Security appearing to treat those incoming messages as spam?


    Author Comment

    Update - I used a different tool - - and the mx records do show up there.  I found a somewhat old forum thread where it was noted that mxtoolbox doesn't always return the correct results for an mx lookup.  Anyways, I think that my DNS records do check out - unless there's something further I should be testing.

    Would greatly appreciate any help in how to approach this further.  I would restate how odd it is to have only certain emails rejected and always when emailing the same user.

    Author Comment

    As an update, I have changed the settings on Mail Security so that instead of rejecting spam, it reroutes it to an AD mailbox set up for this purpose.  I then put a message forwarding rule for the affected user's account.  Now that user gets all of her email, of course she gets spam too.  Fortunately there's not too much of it and it's a temporary solution.  

    Still looking for any ideas or an explanation on how valid emails going to one particular user in a domain are intermittently getting tagged as spam with a rating of 90+ which Symantec claims is only mistaken 1 out of a million times.  Thanks for any help.  Also if I need to be wording this in any way that is more helpful I would be grateful for any direction.

    Accepted Solution

    Even though I didn't get a response I did start a case with Symantec and got the issue resolved.  In interest of netiquette here's how it went: Initially we thought updating to 6.5 would solve the issue but it did not.  What did work was:

    1. navigate to this folder path:   C:\Program Files\Symantec\SMSMSE\6.5\Server  
    2. Delete all the subfolders whose names start with 'bm_ruleset'
    3. Wait 5-10 minutes for the rules to update and you start to see those subfolders reappear.

    Basically, the spam rules are updating all the time.  In my case one of the rules got 'stuck' and had to be manually cleared out.  Once that was done the issue disappeared.

    Perhaps I will award myself points.

    Author Closing Comment

    I'm accepting my own comment since nobody else provided a solution and I did fix the issue and logged the notes for future reference.
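
The three steps from the accepted solution, as an added PowerShell example that is not part of the original thread or Symantec's own tooling. It assumes PowerShell 2.0 is installed on the server, and it moves the `bm_ruleset*` folders to a hypothetical holding directory (`C:\Temp\bm_ruleset_old`) instead of deleting them, so the old rulesets can be inspected or restored; the parameter names and the 30-second polling interval are also assumptions.

```powershell
# Added example: report on, then clear, the bm_ruleset* folders and watch for
# Mail Security to re-create them. Written for PowerShell 2.0.
param(
    [string]$ServerDir     = 'C:\Program Files\Symantec\SMSMSE\6.5\Server', # path from the thread
    [string]$QuarantineDir = 'C:\Temp\bm_ruleset_old',                      # hypothetical holding area
    [int]$WaitMinutes      = 10,                                            # upper end of "5-10 minutes"
    [switch]$Apply                                                          # without -Apply: report only
)

function Get-RulesetFolders([string]$Path) {
    # PSIsContainer is used because -Directory does not exist in PowerShell 2.0.
    Get-ChildItem -Path $Path |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'bm_ruleset*' }
}

$before = @(Get-RulesetFolders $ServerDir)
if ($before.Count -eq 0) { Write-Warning "No bm_ruleset* folders under $ServerDir"; return }

# An old LastWriteTime next to fresh ones hints at a ruleset that stopped updating.
$before | Sort-Object LastWriteTime |
    Select-Object Name, LastWriteTime,
        @{ Name = 'AgeHours'; Expression = { [int](((Get-Date) - $_.LastWriteTime).TotalHours) } } |
    Format-Table -AutoSize | Out-Host

if (-not $Apply) { Write-Host 'Report only. Re-run with -Apply to move the folders.'; return }

# Move rather than delete: same effect for the product, but reversible.
$target = Join-Path $QuarantineDir (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $target -Force | Out-Null
foreach ($dir in $before) {
    Move-Item -LiteralPath $dir.FullName -Destination $target -ErrorAction Stop
}

# Poll until the rule updater re-creates at least one folder or the wait expires.
$deadline = (Get-Date).AddMinutes($WaitMinutes)
do {
    Start-Sleep -Seconds 30
    $after = @(Get-RulesetFolders $ServerDir)
} while ($after.Count -eq 0 -and (Get-Date) -lt $deadline)

if ($after.Count -gt 0) {
    Write-Host "Rulesets re-created: $($after | ForEach-Object { $_.Name })"
} else {
    Write-Warning "No bm_ruleset* folders after $WaitMinutes minutes; old copies are in $target"
}
```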
