Cloudmark even valid anymore? Tons of spam

Up until this past year, Forefront for Exchange anti-spam with Cloudmark was rather reliable. However, for the past year, spam has been hitting my environment pretty hard. All engines are up to date, Forefront is properly integrated, and it does catch a good bit of spam based off Connection, SMTP, and Content filtering. However, content filtering and SCL/PCL tagging is just the absolute worst. It is only marking e-mails SCL 0 or SCL 9, no in between, and more and more employees are complaining of blatant spam being marked SCL 0 (only because I changed the configuration to stop marking them as SCL -1 so IMF can at least try to do its job).

Is it just me or has Forefront met its match? I don't even think Cloudmark is keeping up with this anymore... Time to start looking for a better solution?

And no...No...rules, hard IP blocks, DNS RBLs...and submitting messages to an identity that's probably not even monitoring submissions is not going to be a good fix...

SIGH


May 22nd, 2014 10:32pm

Hi,

Thanks for posting.

FPE content filter uses the Cloudmark antispam engine to analyze an e-mail message and stamp it with an SCL. Sorry to say that FPE doesn't assign SCL ratings between SCL 1 to SCL 4, and messages that fall into this category are assigned SCL ratings of SCL -1 or SCL 0. For more detailed information, please refer to the link below:

Configuring content filtering

Best regards,

Susie

May 26th, 2014 4:03am


I am seeing the same thing!  Very annoying, and we have a lot of frustrated end users dealing with SPAM and we have to deal with them forwarding them to us.

The 'Answer' below is BS.  Everything is configured correctly, but now lots of messages are coming through with SCL of -1 or 0.

June 12th, 2014 6:43pm

Experiencing the same issue and getting worse...Messages that are CLEARLY spam are being marked with SCL -1 and therefore being accepted.  Are the CLOUDMARK updates actually being updated?  How do we know?  When you check the engine summary the definition version has the current date on it yeah but how can we verify if that's actually the latest version?  Is CLOUDMARK actually making changes to these definitions? And if so, why are soooo many SPAM messages being accepted as being OK by the CLOUDMARK filters? 

An answer other than what Susan stated would be wonderful... saying that forefront marks everything that's below a 4 or 5 as acceptable is eh... because the SPAM messages coming into our environment are CLEARLY unacceptable.  

Message-ID: <773c579598ef2de8e3523a6426fb4194.19011823.10168171@drive154.todaychildsafety.us>
From: 2015 Home Rate Reduction
    <2015HomeRateReduction@drive154.todaychildsafety.us>
MIME-Version: 1.0
Subject: Save Hundreds on Home Rates. Lock in at 2.84% before 01.26.2015
Out-Speed: 1901182310168171
Out-Write: 773c579598ef2de8e3523a6426fb419410168171
Non-Comic: 19011823773c579598ef2de8e3523a6426fb4194
Content-Type: multipart/alternative; boundary="10168171"
To: <xxxxxxxxxxx@xxxxxxxxx.com>
Un-Smoked: 773c579598ef2de8e3523a6426fb4194
Return-Path: 2015HomeRateReduction@drive154.todaychildsafety.us
X-MS-Exchange-Organization-AuthSource: XXXXXXXXXXXXXX
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: drive154.todaychildsafety.us
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (xxxxxxxxxxxx.xx.NET:
 2015HomeRateReduction@drive154.todaychildsafety.us does not designate
 permitted sender hosts)
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-Antispam-Report: v=2.1 cv=fvnlOjIf c=1 sm=1 tr=0
 a=hw5KUrv1JRuclZ1pCZHUlg==:117 a=hw5KUrv1JRuclZ1pCZHUlg==:17
 a=weX4h_RZAAAA:8 a=YNv0rlydsVwA:10 a=PPftQudlAAAA:8 a=AyrEseFg-l2GyXMj3GUA:9
 a=12o2mCpYiAAA:10 a=MKwpbFfDr1EA:10 a=6cp0dEFNzF4A:10 a=QsZ4Ih8LG34A:10
 a=eKBYgNDTAAAA:8 a=bP3Bg3F84vSmwdF3G14A:9 a=8gYhLdsROUQWO3mN:21
 a=QEXdDO2ut3YA:10 a=_W_S_7VecoQA:10 a=SeQkQGTCDukA:10 a=YhvQydfnd9oA:10
 a=NWVoK91CQyQA:10;OrigIP:38.113.189.221;SCL:-1
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0

January 26th, 2015 9:54pm
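
Added example, not part of the original thread: a header triage an administrator could run over user-reported messages to count how many arrived from anonymous senders with an SCL of -1 or 0, as in the headers posted above. The sample is a trimmed copy of those headers; the function name, flag wording and SPF result set are assumptions of this example.

```python
import re
from email import message_from_string

# Constructed sample: trimmed from the headers quoted in the post above.
SAMPLE = """\
From: 2015 Home Rate Reduction
    <2015HomeRateReduction@drive154.todaychildsafety.us>
Subject: Save Hundreds on Home Rates. Lock in at 2.84% before 01.26.2015
X-MS-Exchange-Organization-AuthAs: Anonymous
Received-SPF: None (xxxxxxxxxxxx.xx.NET:
 2015HomeRateReduction@drive154.todaychildsafety.us does not designate
 permitted sender hosts)
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-Antispam-Report: v=2.1 cv=fvnlOjIf c=1 sm=1 tr=0
 a=NWVoK91CQyQA:10;OrigIP:38.113.189.221;SCL:-1

body
"""

PREFIX = "X-MS-Exchange-Organization-"

def triage(raw):
    """Return the SCL stamp, origin IP and a list of review flags."""
    msg = message_from_string(raw)
    # Folded headers keep their line breaks; collapse them to one line.
    get = lambda name: " ".join((msg.get(name) or "").split())
    scl_text = get(PREFIX + "SCL")
    scl = int(scl_text) if re.fullmatch(r"-?\d+", scl_text) else None
    report = get(PREFIX + "Antispam-Report")
    rep_scl = re.search(r";SCL:(-?\d+)", report)
    orig_ip = re.search(r";OrigIP:([^;\s]+)", report)
    anonymous = get(PREFIX + "AuthAs").lower() == "anonymous"
    spf = get("Received-SPF").split(" ", 1)[0].lower()
    flags = []
    if scl is None:
        flags.append("no SCL stamp")
    elif anonymous and scl == -1:
        flags.append("anonymous sender stamped SCL -1")
    # Assumed rule: a low SCL deserves review when SPF did not pass.
    if scl is not None and scl <= 0 and spf in ("", "none", "fail", "softfail"):
        flags.append("SCL <= 0 without an SPF pass")
    if rep_scl and scl is not None and int(rep_scl.group(1)) != scl:
        flags.append("SCL header disagrees with Antispam-Report")
    return {"subject": get("Subject"), "scl": scl,
            "orig_ip": orig_ip.group(1) if orig_ip else None, "flags": flags}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Running this over a folder of reported messages gives a count per flag, which shows whether the SCL -1 stamps are concentrated on unauthenticated external mail.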

Hi James and Mia, apparently no one at MS gives a sh*t about this. Probably because the product is EOL at the end of year anyways.

Here's another thread, same problem:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/8509211d-6385-4b5c-bce6-b95b6859db4f/forefront-protection-2010-for-exchange-server-marking-most-spam-scl-1-and-letting-it-pass?forum=FSENext&prof=required

Have you tried this?

https://support.microsoft.com/en-us/kb/2276432

I'm going to try this and updating to FPE Hotfix Rollup 4 tonight (currently on Rollup 3).

March 18th, 2015 12:45pm

This topic is archived. No further replies will be accepted.
