Versions / Builds Affected
20.3
Status
Resolved
Problem Summary
There are Antiphishing false positives and the customer is not willing to use the Whitelist as a workaround.
TT / JIRA ID
GFIME-2704
How to Identify
Customer informs there are false positives for Antiphishing, such as Amazon:
2017-05-31,11:31:56,154,1,"#0000267c","#00008ef4","info ","ase_purbl","Checking URL [https://s3.amazonaws.com/flashissue/gHd2XoyiQbKBqljm7bzg]"
2017-05-31,11:31:56,154,1,"#0000267c","#00008ef4","info ","ase_purbl","[https://s3.amazonaws.com/flashissue/gHd2XoyiQbKBqljm7bzg] [209874] hpts: 3 pats: 53"
2017-05-31,11:31:56,154,1,"#0000267c","#00008ef4","info ","ase_purbl",">> spammy: [https://s3.amazonaws.com/flashissue/gHd2XoyiQbKBqljm7bzg]"
Workaround / Fix Details
The following patch and procedure should resolve this issue:
1. Download the following files:
http://psg.gfi.com/ME/Temp/PURBL.DLL
http://cdnupdate.gfi.com/ap/current_revision.zip
2. Right-click the zip file and choose Properties. From the General tab, click Unblock and then Apply.
3. Uncompress current_revision.zip to retrieve the file inside (current_revision)
4. Stop Microsoft Exchange Transport and GFI MailEssentials AS Scan Engine services.
5. Back up \GFI\MailEssentials\Antispam\purbl.dll to purbl.dll.old and replace it with the attached DLL.
6. Back up \GFI\MailEssentials\Antispam\Data\blocklist.db to blocklist.db.old and move current_revision from step 2 to this location.
7. Rename the file moved to blocklist.db (at the end, you should have blocklist.db.old (old blocklist.db) and blocklist.db (old current_revision) in \GFI\MailEssentials\Antispam\Data).
8. Start GFI MailEssentials AS Scan Engine and Microsoft Exchange Transport.
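Steps 2 to 8 as a PowerShell script (an added example, not GFI's own tooling), which also records SHA-256 hashes and the DLL's Authenticode status because both files are fetched over plain HTTP. $InstallRoot and $Staging are assumed parameters for the install location and the download folder, and the services are assumed to carry exactly the display names used in steps 4 and 8.

```powershell
# Added example, not part of the original KB. Run from an elevated PowerShell 5+ prompt.
# Assumptions: $InstallRoot (the folder that contains GFI\MailEssentials),
# $Staging (where the two files from step 1 were saved), and that the services
# are registered under the display names given in steps 4 and 8.
param(
    [Parameter(Mandatory)] [string] $InstallRoot,
    [Parameter(Mandatory)] [string] $Staging
)
$ErrorActionPreference = 'Stop'

$antispam = Join-Path $InstallRoot 'GFI\MailEssentials\Antispam'
$newDll   = Join-Path $Staging 'PURBL.DLL'
$zip      = Join-Path $Staging 'current_revision.zip'
$services = 'Microsoft Exchange Transport', 'GFI MailEssentials AS Scan Engine'

# Both downloads arrive over plain HTTP: record their hashes and the DLL's
# signature status so they can be compared with values obtained from support.
Get-FileHash -Algorithm SHA256 -Path $newDll, $zip | Format-List Path, Hash
$sig = Get-AuthenticodeSignature -FilePath $newDll
if ($sig.Status -ne 'Valid') {
    Write-Warning "PURBL.DLL signature status: $($sig.Status)"
}

# Steps 2-3: unblock the archive and extract current_revision.
Unblock-File -Path $zip
Expand-Archive -Path $zip -DestinationPath $Staging -Force
$newDb = Join-Path $Staging 'current_revision'
if (-not (Test-Path $newDb)) { throw "current_revision not found in $zip" }

# Step 4: stop Exchange Transport, then the AS Scan Engine.
foreach ($name in $services) { Stop-Service -DisplayName $name -Force }
try {
    # Steps 5-7: keep the originals as *.old, then put the new files in place.
    # Move-Item refuses to overwrite, so an earlier *.old backup is never lost.
    $dll = Join-Path $antispam 'purbl.dll'
    $db  = Join-Path $antispam 'Data\blocklist.db'
    Move-Item -Path $dll -Destination "$dll.old"
    Copy-Item -Path $newDll -Destination $dll
    Move-Item -Path $db -Destination "$db.old"
    Move-Item -Path $newDb -Destination $db
}
finally {
    # Step 8: start in reverse order, even if a file operation failed.
    foreach ($name in $services[1], $services[0]) { Start-Service -DisplayName $name }
}
```

If a file operation fails partway, restore from the .old copies before relying on the restarted services.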
Note: is usually C:\Program Files (x86)\
Required Actions
The procedure above downloads a fresh set of updates for the Antiphishing database.
Alternatively, please provide the Level 3 engineers with the False Positive email sample and logs to submit to the vendor (Netcraft).