Phone Lines icon GFI Support Home

Articles in this section

See more

Legitimate Emails Rejected as Malware or Phishing Spam

Author: Gaurav Ojha Updated

Overview

Users report problems with legitimate emails being incorrectly blocked/rejected by Bitdefender as phishing emails, malware, or spam. Users may find that attaching certain PDFs to emails is resulting in them being marked as spam. You have reviewed the emails being marked as spam and confirmed that these are legitimate and require guidance on preventing these false positives. 

The Spam log shows a similar output to the following (this refers to a Malware/phishing spam false positive, but the error would appear for other false positives): "Message rejected as malware/phishing spam, From: johndoe@external.com, To: username@kerio_domain.com, Sender IP: ###.###.###.###, Subject: Demo Subject, Message size: 1506"

 

Solution

The Kerio Connect Advanced Anti-spam feature leverages the Bitdefender scanning engine. In some cases (email with an attachment, non-English language, suspicious subject, etc.), the Bitdefender engine categorizes legit emails incorrectly as malware or phishing spam. Such false-positive emails can be reported to the Bitdefender team to whitelist them in their virus-spam databases.

Depending on the reported message in Spam logs, disable the BlockMalware or BlockPhishing parameter in mailserver.cfg to capture .eml file. Below steps require administrator/root access to the Kerio Connect server:

  1. Make sure that BitDefender is enabled and updated.
  2. Stop Kerio Connect.
  3. Navigate to the Kerio installation folder. Default locations for different Operating Systems (OS)are below:
    • Windows: C:\Program Files\Kerio\MailServer
    • macOS: /usr/local/kerio/mailserver
    • Linux: /opt/kerio/mailserver
  4. Open the mailserver.cfg file.
  5. Go to the table:<table name="Kerio Anti-spam">
  6. Set BlockMalware or BlockPhishing variable to 0 (zero). Save the changes.
    malware_phishing.png
  7. Start Kerio Connect.
  8. Request the mail from the sender again. This time the mail will not be blocked.
  9. Retrieve the .eml source file from the Webmail.
    1. Note: If you experience issues retrieving the .eml file directly, you can share the complete email headers containing the Spam Detection stamps instead. Please note that partial headers will prevent and delay our analysis.
  10. Stop Kerio Connect again.
  11. Reverse the changes you made in step 5 to re-set the BlockMalware or BlockPhishing variable back to 1 (one). Save the changes.
  12. Start Kerio Connect. Your email is protected again, and you've retrieved the email file. 
  13. Send the source .eml file(or complete email headers) to Kerio Connect Support for further investigation in your existing or no tickets are already submitted, a new support ticket.

<supportagent>Agent runbook</supportagent>

Once Kerio Connect Support confirms the email was whitelisted by the Bitdefender team, the email will no longer be detected as Malware or Phishing spam.

 

 

Related Articles

Spam/Not Spam Buttons Are Missing in Webmail

Legit Emails Are Blocked by Spam Repellent

What to do when Bitdefender does not detect malware

 

 

Was this article helpful?
2 out of 6 found this helpful

Related articles