Multiple Spam/Virus emails are getting through with attachments

Overview

You are seeing that spoofed emails, or emails with attachments containing malware zip files, are reaching the users' mailboxes instead of being blocked by MailEssentials, even though the filtering rules are configured.

Solution

To prevent malware attachments from reaching the users' mailboxes, please ensure the following:

  1. Perform the maintenance procedure for these types of issues listed in Virus and Spam Emails not Getting Detected by MailEssentials.
  2. Make sure that the Anti-Virus Definitions are up to date:
    • Open the GFI MailEssentials Configuration UI.
    • Navigate to Dashboard > Updates.
    • Click on the Update all engines button.
  3. Make sure that the Trojan and Executable Scanner is enabled. 
  4. Make sure that the Decompression Engine is working; specifically, the "Check password protected archives" option should be enabled.
  5. To reduce the likelihood of malicious emails getting through, please make sure that the IP DNS blocklist is enabled.

    In MailEssentials, go to the IP DNS blocklist. Ensure that bl.spamcop.net and dul.dnsbl.sorbs.net are enabled. In addition, you should add the following extra lists to make sure the blocklist is configured for optimal coverage:

    • Type zen.spamhaus.org in the Domain box and click Add IP DNS Blocklist.
    • Type b.barracudacentral.org in the Domain box and click Add IP DNS Blocklist.
    • Type dnsrbl.org in the Domain box and click Add IP DNS Blocklist.
    • Type db.wpbl.info in the Domain box and click Add IP DNS Blocklist.
    • Type dnsbl.sorbs.net in the Domain box and click Add IP DNS Blocklist.
    • Ensure the new lists are enabled and click Apply.
    Important

    Open a browser and go to barracudacentral.org. Click the Request access link on the left. Fill out the form providing your external IP address in order to access the Barracuda Central blocklist.

  6. Make sure that Header Checking is enabled as well; specifically, the "Check if the email headers contain different SMTP FROM: and MIME FROM: fields" option should be enabled.
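
The comparison behind the header check in step 6, as an added example that is not GFI's code: it treats the Return-Path header as the recorded SMTP FROM and compares its domain with the domain of the From (MIME FROM) header. The domain-level comparison, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not taken from real traffic).
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
From: "Accounts Payable" <ceo@example.com>
Subject: Invoice attached

See attached.
"""

ALIGNED = """\
Return-Path: <alice@example.org>
From: Alice <alice@example.org>
Subject: Minutes

Hi.
"""

NULL_SENDER = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
Subject: Undelivered mail

Bounce.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def from_mismatch(raw_message):
    """Classify a message as 'match', 'mismatch' or 'no-envelope'.

    Assumption: Return-Path holds the SMTP MAIL FROM address recorded at
    delivery; From is the MIME FROM address shown to the user.
    """
    msg = message_from_string(raw_message)
    smtp_from = domain_of(msg.get("Return-Path"))
    mime_from = domain_of(msg.get("From"))
    if not smtp_from:
        return "no-envelope"  # bounce (<>) or header absent: nothing to compare
    return "match" if smtp_from == mime_from else "mismatch"
```

Legitimate bulk senders and mailing lists often use a separate bounce domain, so a mismatch is a signal to review alongside the other filters rather than proof of spoofing.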

Testing

After applying the steps above, malicious emails should not get through the filtering.

If the issue still persists, please generate the troubleshooting logs as follows:

  • Make sure that you have tracing enabled.
  • Wait for at least 30 minutes to gather enough information and for the issue to be reproduced.
  • Run the troubleshooter:
    1. Start > Programs > GFI MailEssentials > Troubleshooter
    2. Follow the Log Generation Wizard for collecting the required and pertinent information.
    3. Select New Case when completing the log generation to attach the logs to a new case that will be automatically created, or open a support ticket manually and attach the logs to that ticket, so that the Support team can investigate the problem.
  1. Priyanka Bhotika