A Symantec Brightmail or Symantec Mail Security product is installed and the spam effectiveness seems to have dropped. More spam is reaching end users in the network.
There are several reasons for spam to be getting through. Use these troubleshooting steps and the spam reporting information to help determine where the spam effectiveness issue is.
Basic troubleshooting steps to make sure that Symantec Brightmail or Symantec Mail Security is running properly: · Confirm that the rulesets are current at the time the missed spam messages came through. Check to see that the rulesets are updating across the board. · Assure that the spam messages are not by-passing the Symantec servers. Check the IP addresses on the "Received from:" headers and the sender on the "From" header - ensure the IP or domain were not whitelisted (on the Allowed Senders List / Safe Senders List / Good Senders list) · Verify that you are running the latest version of the product to avail of the latest technologies · Verify that you are using all features in the product to block spam. For Symantec Brightmail Gateway this includes Global Bad Senders list, Connection Classfication, Stop DHA feature, Bounce Attack Prevention, SPF, Probe Participation etc. For more complete information on this topic check this article: 'Symantec Brightmail Gateway (SBG) - Best Practices: Spam Control' · Verify that none of the Symantec Brightmail services (Server, Client, or Conduit) were down when these messages came through. Verify that the various components and modules are functioning with no errors reported in the logs. Some troubleshooting steps may require you to temporarily change the log levels to INFO or DEBUG in order to see sufficient data in the logs. Be sure to reset the log levels to lower levels once you have completed troubleshooting to avoid incurring unnecessary overhead from verbose logging. · Verify that you are running the Full or Enterprise ruleset and not the Express ruleset
Useful information to provide to Technical Support: · Note the time period that the suspected spike in missed spam occurred · Note the type of spam being received and have 2-5 sample email attachments with full internet headers available for reference. · How are you tracking the increase in spam? Are these end user inbox complaints, management complaints or statistical in nature? · What is the average percentage of spam or total threat messages from the Brightmail Control Centre and has it decreased since the missed spam began? · Have you made any other changes to your environment that might have contributed to effectiveness issues? This includes server, OS, or datacenter changes. It also includes changes made to Symantec or other products in the mail stream that might negatively impact effectiveness.