Your answer doesn't quite make sense: IF your domain is on a global "bad list", not filtering outbound mail wouldn't help much anyway, since the receiving node/domain would likely block/refuse/dump your email if the SMG had let it pass.
I don't know what you did or didn't do, or what support told you, but if you perform the steps that I outlined and have all your evidence lined up, support should be able to help you AND if you are not satisfied, you (unless they changed it) always have the right to escalate. If you get your case into the level 2 support and/or engineering, I guarantee that things will be thoroughly investigated. I won't guarantee that you will get the answer you will like because, let's face it, a lot of people are just looking for vendors to "just make it work the way I think it should", rather than having things run "correctly".
Regarding global reputation, please keep a few things in mind:
1. Broadcom uses multiple sources, not just SMG as input to the reputation lists.
(If you are on somebody else's list, you are likely on ours and vice versa)
2. IP reputation is frequently reported in ranges, and is often added to DNSBL that way. So YOU could be perfectly "innocent" and get yourself removed, only to be "re-added". Net: patience is often required, as you may have to get "removed" multiple times.
3. Mistakes/bugs happen, and if you don't report it, then there is no opportunity to remedy them. Several weeks back I worked on an issue and it turned out that there was a bug in IP removal IF the IP was within one of the "ranges" I mentioned earlier.
That bug has since been resolved, but the point is that if/when these things are discovered to be valid, we do our utmost to rectify them.
4. If you are running a mass mailing campaign, be extra careful and test your application AND content thoroughly before going into production. Even then, even if your content is "squeaky clean", there are always going to be people who will report it as spam to reputation vendors. You can avoid 90% of that kind of thing if you include an "un-subscribe" AND you have SPF/DKIM/DMARC records AND you have a valid reverse DNS, etc.
Shouldn't have to go through all that on THIS forum, you people KNOW these things, but a lot of people don't do them, or are sloppy (usually not out of laziness, but due to budget and time constraints).
Regarding the subject of filtering outbound mail: obviously the choice is yours, but here are some things to consider:
- If you DON'T, then you risk someone leveraging your services for their own purposes.
- If you DO, then you end up spending a lot of resources, without a lot of evidence to back it to your managers (unless they are OK with something like "we spent X amount to ensure that our mail reputation is spotless")
My thought is to:
1. Absolutely filter your "normal" outbound mail. Keeping your reputation clean, as well as providing evidence that you may have been hacked is worth it.
2. Do NOT filter outbound mail that is generated as part of some mailing campaign: In those cases, the content (should?) be clean and consistent and it is completely under YOUR control. If you can get the people behind the project to realize that it is cleaner, safer, and cheaper to actually QA their project up front, you will save yourself a lot of grief and expense once it goes live.
(Perhaps this may have been the message support was trying to communicate?).
Anyway, just my personal opinion.
Have a great holiday season and let's start off the new year right! :)
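The range behaviour from item 2 and the SPF/DKIM/DMARC/reverse-DNS checklist from item 4 of the post above, as an added example that is not part of the original post and not Broadcom or SMG code. The DNS records, listed ranges, DKIM selector `sel1` and zone `dnsbl.example` are constructed and embedded so the check runs offline; the SPF evaluation is deliberately simplified to `ip4:` and `all`.

```python
import ipaddress

# Constructed sample data (documentation address space), not real listings.
LISTED_RANGES = ["203.0.113.0/24", "198.51.100.16/28"]
TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.25 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTED-KEY"],
}
PTR = {"203.0.113.25": "mail.example.com"}
A = {"mail.example.com": ["203.0.113.25"]}

def dnsbl_qname(ip, zone):
    """Name a DNSBL lookup asks for: IPv4 octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def covering_ranges(ip, ranges):
    """Listed ranges containing ip; delisting the single IP leaves these."""
    addr = ipaddress.ip_address(ip)
    return [r for r in ranges if addr in ipaddress.ip_network(r)]

def spf_result(ip, records):
    """Simplified SPF: unqualified ip4: mechanisms and the final 'all' only."""
    if len(records) != 1:
        return "permerror" if records else "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.lstrip("+-~?") == "all":
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def audit(ip, domain, selector):
    """Sender-hygiene summary for one sending IP and envelope domain."""
    spf = [t for t in TXT.get(domain, []) if t.startswith("v=spf1")]
    dmarc = [t for t in TXT.get("_dmarc." + domain, []) if t.startswith("v=DMARC1")]
    tags = dict(p.strip().split("=", 1) for p in dmarc[0].split(";") if "=" in p) if dmarc else {}
    ptr = PTR.get(ip)
    return {
        "spf": spf_result(ip, spf),
        "dkim_key_published": bool(TXT.get(f"{selector}._domainkey.{domain}")),
        "dmarc_policy": tags.get("p"),
        "fcrdns": ptr is not None and ip in A.get(ptr, []),  # PTR name resolves back
        "listed_ranges": covering_ranges(ip, LISTED_RANGES),
        "dnsbl_qname": dnsbl_qname(ip, "dnsbl.example"),
    }

if __name__ == "__main__":
    print(audit("203.0.113.25", "example.com", "sel1"))
```

A non-empty `listed_ranges` for an IP whose own entry was removed is the "re-added" situation the post describes: the covering range is still listed.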
Original Message:
Sent: Dec 21, 2021 05:56 AM
From: Francesco Bianchessi Barbieri
Subject: Outbound SPAM False Positive
@Deactivated User "If you still don't get the result you are happy with, open a support case" you say. Well, we contacted the support several weeks ago, almost one month of calls and trials... In the end the provided solution was: "please disable outbound check for spam, since there is no sense in sending spam from your internal colleagues". What a shame...
Oh, the problem was exactly the same as in this thread, outbound emails being quarantined due to global reputations and so on.
Regards,
Francesco
Original Message:
Sent: Aug 18, 2021 02:46 PM
From: Thomas Anderson
Subject: Outbound SPAM False Positive
The best way would be to first check in MAL for the record associated with that message.
This will show you the complete list of rules and policies that fired on the email, as well as the list of policies that were skipped/bypassed.
This will help you determine if it is getting caught by some local policy that has an action of "treat as spam".
(releasing a message from the spam quarantine will have no effect on any local policies or customer specific rules).
IF it is getting caught by a local policy, then you can adjust that policy.
IF it is getting caught by a Customer Specific Rule, then you can use the provided interface to kill the CSR.
IF it is getting caught by a global policy, and you release the message from Spam Quarantine, then an FP submission will be generated and sent. These submissions go into a pool and are evaluated, but there is no 100% guarantee that the global rule will be killed/deleted, since the lifecycle of global rules is dependent on global, not customer specific, feedback.
(If it did, then you could get the scenario where a spammer purchased a cheap license and proceeded to submit FPs against rules that were catching his/her spam messages)
Also note that even if a global rule is killed/removed there is a possibility that it will be re-activated, based on global statistics.
Final thing to take into account is latency: individual rulesets "generally" update every 5-7 minutes (some rulesets take longer). Assuming a rule WAS killed, it will take some time for the new ruleset to be propagated out to your installation.
Recap:
Check the Message Audit Log to get the bare truth.
Start "locally": local policies, local black/white lists, Customer Specific Rules, etc. and work "outward".
If it turns out to be a global rule, submit as an FP.
If you still don't get the result you are happy with, open a support case.
If it is business impacting, you might want to consider implementing a local policy to mitigate the impact while you are working with customer support.
Hope this was useful.
Original Message:
Sent: 08-18-2021 12:43 PM
From: sulman mushaq
Subject: Outbound SPAM False Positive
SMG is detecting a normal outbound email (without any attachments or links) as a SPAM and quarantining it. Within the SPAM Quarantine if we click on This is not SPAM button, we see the status being changed to This is not SPAM and under the submission status in Dashboard we see that the message is submitted and a rule being created. However if the email is sent again it's again detected as SPAM and being quarantined.
What is the best way to fix this outbound false positive detection by SMG?
SMG Version is 10.7.4. Thanks
------------------------------
Symantec Enthusiast
------------------------------