Spam got through

In most cases, the user receiving the message was not registered in the email security service. Follow these steps to determine what happened:

If too much spam is getting through to users’ inboxes, follow these steps to determine why:
  1. Has the user been added to the email security service?

    If not, and if Non-Account Bouncing is turned off for the user’s domain and no Catchall user is enabled for the domain, mail is delivered to the user without filtering. Search for the address on the User’s tab. If a user isn’t found, add the address to the service:

    • If the address is associated with another user that’s already been added, add the new address as a user alias. See Add User Aliases.

    • If the service could recognize the address via domain aliasing, create a domain alias for the user’s domain.

    To ensure that all valid users are added to the service, consider enabling SMTP Autocreate for the user’s domain, which adds users automatically. See Protect Domains Completely.

  2. Is the user’s spam filtering turned on?

    Go to Spam Filtering on the user’s Overview page and verify that the Filter Status is On. If it isn’t, turn it on. If the user has User Access permissions to turn their own filters on and off at the Message Center, and the filters have been turned off, instruct the user not to do this, and consider removing that particular permission. See Enable the Message Center.

  3. Is virus blocking turned on, and with a proper disposition?

    Go to Virus Blocking on the org’s Organization Management page and verify that Virus Blocking is On. Turn On.

    Also make sure the Virus Disposition is not set to Message Header Tagging, because if it is, all messages containing viruses will be delivered to your server.

  4. Are the user’s category filters set high enough to catch spam?

    Go to Spam Filtering on the user’s Overview page and verify that the Bulk Email and other category filters are set high enough. If they aren’t, adjust them accordingly. If they look OK, go to the next step.

  5. Was the message sent to a distribution list rather than an individual user?

    If a message is sent to a distribution or mailing list that hasn’t been added to the email protection service as a user alias (see Protect Distribution Lists), it will pass through to users without spam filtering. Review the message’s header to determine the TO address. Then search for that address on the Users tab. If the list isn’t found, add it as a user.

  6. Was the message sent directly to, and accepted by your mail server, bypassing the security service?

    • Sometimes users’ email is delivered to them from more than one mail server. Messages from another server that isn’t mapped to an email config in the service don’t go through the data center and therefore aren’t filtered. Many email clients put these messages in the same inbox as filtered messages, so users might believe they received spam from a your protected server. Review the message headers to make sure they include an email server registered with the service. If they don’t, inform the user.

    • Some spammers don’t follow DNS standards for selecting MX records. They send email to the highest numbered server, or randomly pick one from port scans. To determine if the message actually passed through the data center, review the message headers for the strings listed below (the # sign will be replaced by various numbers). If any of these strings exist in the header, the message did pass through the data center.

      exprod#mx#.postini.com
      chipmx#.postini.com
      chip#mx#.postini.com

    • If these strings don’t exist in the message header, the message was delivered directly to your email server, bypassing data center filters. To remedy this, set up your email server or firewall to only accept email from the data center’s IP ranges. See Secure Your Firewall.


  7. Did a user within your organization send the message?

    Unless you reconfigure your email server to send all email outside the server, rather than delivering to local users locally, messages exchanged among users on the same server aren’t processed by the data center, and therefore aren’t filtered for spam. Review the message headers to see if the email was sent from someone on the recipient’s same server.

  8. Was the sender's address in an Approved Senders list?

    If the sender or sender’s domain is on an Approved Senders list—either the user’s personal list, or a list defined for the user’s org—messages from those senders will be delivered, regardless of spam-like content. This is also the case if the spammer has spoofed the sender address so it matches an Approved sender. Review the user- and org-level lists and delete any large and well-known domains that are often spoofed by spammers.

    Remember that users don’t have visibility of their org’s Approved Senders list, so they might be confused as to why spam from a sender on this list would not be filtered.

  9. Has the user added their own address or domain as an Approved mailing list, at the Message Center?

    If so, all spam addressed to the user, regardless of any spam settings, will be delivered to their inbox. In the Administration Console, go to the user’s User Settings page and select Lists. If you have administrative privileges, remove the user’s address or domain from the Approved Recipients list. Then let the user know why adding their address or domain here is not a good idea.

  10. Does the email content have enough spam characteristics to trigger filtering?

    In general, if all prior steps have turned out to be false, the spam did not have sufficient spam characteristics to be filtered.

    If a large amount of spam is still slipping through the filters, evaluate the spam score in the message header using the Header Analyzer. If the score is above 2.0000 and it has been through the security service, and you are a direct Postini Customer, please contact Customer Care. If your purchased your services through a reseller, please contact your vendor.

    Note: You will be asked to enclose the message as an attachment to an email and send to Customer Care. By sending the spam as an attachment, analysis can be performed on copy of the original email with headers intact; otherwise, the message will be unusable. The security service engineers evaluate these messages to make improvements to the filtering engine. The messages are used for statistical analysis.

    For remaining spam questions, we recommend searching or browsing the help center or the Administration Guide.
Was this article helpful?