Overview
Users report problems with legitimate emails being incorrectly blocked or rejected by Bitdefender as phishing emails, malware, or spam. Users may find that attaching certain PDFs to emails results in those emails being marked as spam. You have reviewed the emails being marked as spam, confirmed that they are legitimate, and require guidance on preventing these false positives.
The Spam log shows output similar to the following (this example refers to a malware/phishing spam false positive, but a similar entry appears for other false positives): "Message rejected as malware/phishing spam, From: johndoe@external.com, To: username@kerio_domain.com, Sender IP: ###.###.###.###, Subject: Demo Subject, Message size: 1506"
Solution
The Kerio Connect Advanced Anti-spam feature leverages the Bitdefender scanning engine. In some cases (email with an attachment, non-English language, suspicious subject, etc.), the Bitdefender engine incorrectly categorizes legitimate emails as malware or phishing spam. Such false-positive emails can be reported to the Bitdefender team so that they can be whitelisted in Bitdefender's virus and spam databases.
Depending on the message reported in the Spam log, disable the BlockMalware or BlockPhishing parameter in mailserver.cfg to capture the .eml file. The steps below require administrator/root access to the Kerio Connect server:
- Make sure that BitDefender is enabled and updated.
- Stop Kerio Connect.
- Navigate to the Kerio installation folder. Default locations for the different Operating Systems (OS) are below:
- Windows:
C:\Program Files\Kerio\MailServer
- macOS:
/usr/local/kerio/mailserver
- Linux:
/opt/kerio/mailserver
- Open the mailserver.cfg file.
- Go to the table:
<table name="Kerio Anti-spam">
- Set BlockMalware or BlockPhishing variable to 0 (zero). Save the changes.
- Start Kerio Connect.
- Request the mail from the sender again. This time the mail will not be blocked.
- Retrieve the .eml source file from the Webmail.
- Note: If you experience issues retrieving the .eml file directly, you can share the complete email headers containing the Spam Detection stamps instead. Please note that partial headers will delay or prevent our analysis.
- Stop Kerio Connect again.
- Reverse the change you made earlier and set the BlockMalware or BlockPhishing variable back to 1 (one). Save the changes.
- Start Kerio Connect. Your email is protected again, and you've retrieved the email file.
- Send the source .eml file (or the complete email headers) to Kerio Connect Support for further investigation in your existing support ticket or, if no ticket has been submitted yet, in a new one.
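As an added example (not code from the article or from Kerio), a small Python helper that performs the mailserver.cfg edit from the steps above and refuses any variable or value outside them. Only the table name "Kerio Anti-spam" and the two variable names come from the article; the `<table>`/`<variable>` element layout of the sample config is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed mailserver.cfg fragment. The <table>/<variable> element layout is an
# assumption built around the table name the article quotes, not a real config file.
SAMPLE_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
 <table name="Kerio Anti-spam">
  <variable name="Enabled">1</variable>
  <variable name="BlockMalware">1</variable>
  <variable name="BlockPhishing">1</variable>
 </table>
</config>
"""
TABLE = "./table[@name='Kerio Anti-spam']"
ALLOWED = {"BlockMalware", "BlockPhishing"}   # the only two flags the procedure touches

def _find_var(root, name):
    """Locate one <variable> inside the Kerio Anti-spam table (no XPath string building)."""
    table = root.find(TABLE)
    for var in (table.iterfind("variable") if table is not None else ()):
        if var.get("name") == name:
            return var
    raise KeyError(f"{name} not found in table 'Kerio Anti-spam'")

def get_flag(cfg_text, name):
    """Return the current value of a variable, e.g. '1' or '0'."""
    return (_find_var(ET.fromstring(cfg_text.encode()), name).text or "").strip()

def set_flag(cfg_text, name, value):
    """Return new config text with `name` set to '0' or '1'. Any other variable or
    value is refused so the edit cannot drift beyond the documented procedure.
    Stop Kerio Connect before writing the result back, as the steps above require."""
    if name not in ALLOWED or value not in ("0", "1"):
        raise ValueError(f"refusing to set {name}={value}")
    root = ET.fromstring(cfg_text.encode())
    _find_var(root, name).text = value
    return ET.tostring(root, encoding="unicode")   # XML declaration is not re-emitted
```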
<supportagent>
Once the customer sends the .eml file, perform the following steps:
Step 1: Paste the email headers into a text editor, or open the .eml file with one.
Step 2: Check the BitDefender (BD) AS stamp.
Below are a few examples where the Hit score is "No." A "No" Hit score indicates that BitDefender did not detect the sample as SPAM.
X-Kerio-Anti-Spam: Build: [Engines: 2.16.2.1410, Stamp: 3],
Multi: [Enabled, t: (0.000009,0.005079)], BW: [Enabled, t: (0.000023,0.000001)],
RTDA: [Enabled, t: (0.030893), Hit: No, Details: v2.27.0;
Id: 12.52019a.1fu9ojnfq.8u8c; mclb], total: 0(700)
X-Kerio-Anti-Spam: Build: [Engines: 2.16.2.1410, Stamp: 3],
Multi: [Enabled, t: (0.000012,0.029654)], BW: [Enabled, t: (0.000025)],
RTDA: [Enabled, t: (0.043030), Hit: No, Details: v2.27.0; Id: 12.5204ab.1fubtr7hv.60d; mclb],
total: 0(700)
Step 3: Check the Kerio Anti-Spam score. Search for the KERIO_ANTI_SPAM hits value and compare it with the required value. Below are a few examples where the score is above the required value. If the score is above the required value, Kerio marks the email as spam.
X-Spam-Status: Yes, hits=6.6 required=2.8
tests=KERIO_ANTI_SPAM: 6.667, HTML_MESSAGE: 0.001, TOTAL_SCORE: 6.668,autolearn=disabled
X-Spam-Status: Yes, hits=6.6 required=5.0
tests=KERIO_ANTI_SPAM: 6.667, HTML_MESSAGE: 0.001,
In the example below, the hits value is again above the required value, but the tests are different: the sending IP address is listed at SPAMHAUS (contributing a score of 5) and at SORBS (also contributing a score of 5), which triggered the detection. Such emails are marked as spam by the internet blacklist checks.
X-Spam-Status: Yes, hits=10.0 required=5.5
tests=DNSBL_ZEN.SPAMHAUS.ORG: 5.00, DNSBL_DNSBL.SORBS.NET: 5.00, KERIO_ANTI_SPAM: -0.000,
HTML_MESSAGE: 0.001, TOTAL_SCORE: 10.001,autolearn=disabled
See the Setting Spam Score Limits in Kerio Connect article and set the block score according to the customer's requirements. Review the Mailserver Blacklisted by External Email Provider and Email Spam Protection using Blacklists and Whitelists articles to see how external blacklists work. You may configure those blacklists to assign a score lower than 5 so that emails are not blocked after detection.
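As an added example (not from the article), a Python triage helper that applies Steps 2 and 3 to a pasted header block: it unfolds the headers, reads the BitDefender stamp's Hit verdict, reads the X-Spam-Status hits/required and per-test scores, and names which mechanism marked the message. The sample header blocks are constructed from the examples above.

```python
import re
# Constructed sample header blocks modelled on this article's examples (folded like a real .eml).
SAMPLE_KERIO_SCORE = """\
X-Kerio-Anti-Spam: Build: [Engines: 2.16.2.1410, Stamp: 3],
 RTDA: [Enabled, t: (0.030893), Hit: No, Details: v2.27.0; Id: 12.52019a.1fu9ojnfq.8u8c; mclb],
 total: 0(700)
X-Spam-Status: Yes, hits=6.6 required=2.8
 tests=KERIO_ANTI_SPAM: 6.667, HTML_MESSAGE: 0.001, TOTAL_SCORE: 6.668,autolearn=disabled
"""
SAMPLE_DNSBL = """\
X-Spam-Status: Yes, hits=10.0 required=5.5
 tests=DNSBL_ZEN.SPAMHAUS.ORG: 5.00, DNSBL_DNSBL.SORBS.NET: 5.00, KERIO_ANTI_SPAM: -0.000,
 HTML_MESSAGE: 0.001, TOTAL_SCORE: 10.001,autolearn=disabled
"""

def unfold(block):  # join folded continuation lines -> {lower-case name: value}
    headers, name = {}, None
    for line in block.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name = line.partition(":")[0].strip().lower()
            headers[name] = line.partition(":")[2].strip()
    return headers

def parse_bd_stamp(value):  # Step 2: RTDA Hit verdict and total score from the BD stamp
    hit = re.search(r"Hit:\s*(Yes|No)", value)
    tot = re.search(r"total:\s*(-?\d+)\((\d+)\)", value)
    return {"hit": hit and hit.group(1), "total": tot and int(tot.group(1))}

def parse_spam_status(value):  # Step 3: verdict, hits, required and per-test scores
    m = re.match(r"(Yes|No),\s*hits=(-?[\d.]+)\s+required=([\d.]+)", value)
    tests = re.findall(r"([A-Za-z0-9_.]+):\s*(-?\d+(?:\.\d+)?)", value.partition("tests=")[2])
    return {"spam": m.group(1) == "Yes", "hits": float(m.group(2)),
            "required": float(m.group(3)), "tests": {n: float(s) for n, s in tests}}

def triage(block):  # name the mechanism that marked the message, following Steps 2 and 3
    h = unfold(block)
    stamp = parse_bd_stamp(h["x-kerio-anti-spam"]) if "x-kerio-anti-spam" in h else None
    status = parse_spam_status(h["x-spam-status"]) if "x-spam-status" in h else None
    if stamp and stamp["hit"] == "Yes":
        return "bitdefender"            # BitDefender hit: a sample to report (Step 4)
    if not (status and status["spam"]):
        return "not_marked"             # no verdict in the headers: see Step 3.5
    tests, required = status["tests"], status["required"]
    if tests.get("KERIO_ANTI_SPAM", 0.0) >= required:
        return "kerio_anti_spam_score"  # review the block score limits
    if sum(v for n, v in tests.items() if n.startswith("DNSBL_")) >= required:
        return "dnsbl"                  # sender IP listed on an external blacklist
    return "other_tests"
```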
Step 3.5: If the sample headers don't contain the Kerio Anti-Spam score and the BitDefender (BD) AS stamp, test the sample by forwarding it to your own Kerio Connect test/internal account (as it may still be a valid sample!).
Step 4: If the scores are found in bulk, proceed with the following:
- Contact BitDefender Support Center via side conversation.
- Attach the email headers or .eml files and all relevant information.
- Bitdefender Support may request the following information that you will need to provide:
- Sample emails: Wrap the emails inside a password-protected archive and attach them to your reply to Bitdefender's support.
Note:
1. Always use the proper FN/FP tags (for reporting false negatives and false positives) in the email's Subject: [FN] or [FP] - the square brackets are mandatory.
2. Always put the samples you want BitDefender to analyze in a password-protected archive named samples.zip, use the password infected and attach the archive to your email.
- Detection Stamp: Provide the detection stamp that the Bitdefender SDK adds to the header when scanning the emails. This is useful when Bitdefender cannot reproduce the detection.
- Once the BitDefender team confirms that they have fixed the issue, inform the customer that the problem has been resolved.
</supportagent>
Once Kerio Connect Support confirms the email was whitelisted by the Bitdefender team, the email will no longer be detected as Malware or Phishing spam.
Related Articles
Spam/Not Spam Buttons Are Missing in Webmail