Overview
Users report problems with legitimate emails being incorrectly blocked or rejected by Bitdefender as phishing, malware, or spam. Users may find that attaching certain PDFs to emails results in those messages being marked as spam. You have reviewed the emails being marked as spam, confirmed that they are legitimate, and require guidance on preventing these false positives.
The Spam log shows output similar to the following (this example refers to a malware/phishing spam false positive, but the same entry appears for other false positives): "Message rejected as malware/phishing spam, From: johndoe@external.com, To: username@kerio_domain.com, Sender IP: ###.###.###.###, Subject: Demo Subject, Message size: 1506"
Please remember that custom spam rules have no effect on these messages, as the malware/phishing detection takes precedence.
Solution
The Kerio Connect Advanced Anti-spam feature leverages the Bitdefender scanning engine. In some cases (an email with an attachment, non-English language, a suspicious subject, etc.), the Bitdefender engine incorrectly categorizes legitimate emails as malware or phishing spam. Such false-positive emails can be reported by the Kerio Connect Support team to the Bitdefender team, who can whitelist them in their virus/spam databases.
Option 1 (less invasive)
By configuring a quarantine email address, email messages detected as malware/phishing can be captured and provided to the support team:
- Configure a quarantine email address in Kerio Connect (point 4.2 from Setting Spam Score Limits in Kerio Connect)
- Request the mail from the sender again. This time it will be delivered to the quarantine email address
- Access the quarantine email account and search for the email in question; the original email will be attached
- Click on the breadcrumb > Download to obtain the .eml sample for the support team (this path is for the webmail client; it can be done similarly from Outlook if the quarantine address is synced in Outlook)
- Send the source .eml file (or the complete email headers) to Kerio Connect Support for further investigation, either in your existing support ticket or, if no ticket has been submitted yet, in a new one.
Option 2
Depending on the message reported in the Spam log, disable the BlockMalware or BlockPhishing parameter in mailserver.cfg to capture the .eml file. The steps below require administrator/root access to the Kerio Connect server:
- Make sure that BitDefender is enabled and updated.
- Stop Kerio Connect.
- Navigate to the Kerio installation folder. Default locations for the different operating systems (OS) are:
  - Windows: C:\Program Files\Kerio\MailServer
  - macOS: /usr/local/kerio/mailserver
  - Linux: /opt/kerio/mailserver
- Open the mailserver.cfg file.
- Go to the table:
<table name="Kerio Anti-spam">
- Set the BlockMalware or BlockPhishing variable to 0 (zero) and save the changes.
- Start Kerio Connect.
- Request the mail from the sender again. This time the mail will not be blocked.
- Retrieve the .eml source file from the Webmail.
- Note: If you experience issues retrieving the .eml file directly, you can instead share the complete email headers containing the spam detection stamps. Partial headers will prevent or delay the analysis.
- Stop Kerio Connect again.
- Reverse the change you made earlier in mailserver.cfg by setting the BlockMalware or BlockPhishing variable back to 1 (one). Save the changes.
- Start Kerio Connect. Your email is protected again, and you've retrieved the email file.
- Send the source .eml file (or the complete email headers) to Kerio Connect Support for further investigation, either in your existing support ticket or, if no ticket has been submitted yet, in a new one.
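The edit-and-revert steps above are easy to get half done, leaving a server with malware or phishing blocking switched off. The following helper is an added example, not Kerio's own tooling; it assumes mailserver.cfg is XML in which the "Kerio Anti-spam" table holds <variable name="..."> entries (as the excerpt above suggests) and runs against a constructed sample fragment rather than a real server's file.

```python
"""Toggle and verify BlockMalware / BlockPhishing in a Kerio Connect
mailserver.cfg.  Assumption: the table contains
<variable name="BlockMalware">1</variable> style entries."""
import xml.etree.ElementTree as ET

TABLE = "Kerio Anti-spam"
PROTECTIONS = ("BlockMalware", "BlockPhishing")

# Constructed sample of the relevant fragment; not taken from a live server.
SAMPLE_CFG = """<config>
  <table name="Kerio Anti-spam">
    <variable name="BlockMalware">1</variable>
    <variable name="BlockPhishing">1</variable>
  </table>
</config>
"""


def _antispam_table(root):
    """Locate the anti-spam table; fail loudly rather than editing nothing."""
    for table in root.iter("table"):
        if table.get("name") == TABLE:
            return table
    raise ValueError(f'table "{TABLE}" not found in configuration')


def set_block(cfg_text, name, enabled):
    """Return cfg_text with the named protection set to 1 (on) or 0 (off)."""
    if name not in PROTECTIONS:
        raise ValueError(f"unknown protection variable {name!r}")
    root = ET.fromstring(cfg_text)
    for var in _antispam_table(root).findall("variable"):
        if var.get("name") == name:
            var.text = "1" if enabled else "0"
            break
    else:
        raise ValueError(f"{name} is not present in the {TABLE} table")
    return ET.tostring(root, encoding="unicode")


def protection_status(cfg_text):
    """Map each protection variable to True (blocking on) or False (off)."""
    table = _antispam_table(ET.fromstring(cfg_text))
    return {v.get("name"): (v.text or "").strip() == "1"
            for v in table.findall("variable") if v.get("name") in PROTECTIONS}


def disabled_protections(cfg_text):
    """Names of protections currently off; must be empty once the revert is done."""
    return [n for n, on in protection_status(cfg_text).items() if not on]
```

Run disabled_protections() over the saved file after the revert step; a non-empty list means the server is still running without that protection.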
Once Kerio Connect Support confirms that the Bitdefender team has whitelisted the email, it will no longer be detected as malware or phishing spam.