Answer
PROBLEM
After installing GFI MailEssentials, SPAM emails are still delivered to the users’ mailboxes. On most installations, GFI MailEssentials is designed to start filtering most spam emails immediately after it has been installed. However, its efficiency can depend on the environment in which it is installed. You may also need to configure specific Anti-Spam modules.
ENVIRONMENT
- GFI MailEssentials
- All supported environments
SOLUTION
This article provides a checklist of possible reasons and explains how to improve the spam blocking rate for GFI MailEssentials. Before taking any other steps, upgrade to the latest build.
- Modules not enabled from configuration:
- As of recent builds, when installing a fresh copy of GFI MailEssentials, most modules are already enabled. Please confirm this by going to the GFI MailEssentials configuration > 'Anti-Spam Settings' and going through the configuration for the modules you would like to use to filter spam. For some brief information on each module, please check the 'Configuring anti-spam' section in the GFI MailEssentials user manual.
- Examples:
- Go to GFI MailEssentials configuration > 'Anti-Spam Settings' > 'Properties' of the 'DNS Blacklist' module. On the 'General' tab, please ensure that the check box 'Check whether the sending mail server is on one of the following DNS Blacklists:' is checked and at least 2 DNS Blacklists are enabled from the list.
- Go to GFI MailEssentials configuration > 'Anti-Spam Settings' > 'Properties' of the 'Directory Harvesting' module. On the 'General' tab, please ensure that the check box 'Enable directory harvesting protection' is checked. To ensure that this module is checking your directory correctly, use the Test button and enter one correct and one incorrect address into the dialog box. Ensure that you get the appropriate result for each email address.
- Local Domains not configured correctly:
- Immediately upon installing or after upgrading GFI MailEssentials, no emails are blocked as spam.
- More information: If the local domain is not configured correctly in GFI MailEssentials, no emails for the particular domain will be checked for spam.
- Solution: Ensure that all your email domains are listed in the GFI MailEssentials configuration. This can be found in 'General Settings'.
- Note: This issue may also occur for new domains which are not configured within the GFI MailEssentials configuration.
- Emails not passing through GFI MailEssentials:
- No spam emails are being blocked. No email information is visible in the GFI MailEssentials Dashboard, accessible from the GFI MailEssentials program group ('Start' > 'Programs' > 'GFI MailEssentials' > 'GFI Dashboard').
- More Information: This issue may occur if emails are not passing through the GFI MailEssentials machine or if GFI MailEssentials is not bound to the correct IIS SMTP Virtual Server
- Solutions:
- Ensure that the MX record of your domain is pointing to the machine on which GFI MailEssentials is installed. If emails are received by a perimeter server, and GFI MailEssentials is installed on a machine separate from the mail server, ensure that the perimeter server is configured to forward the emails to the GFI MailEssentials machine.
- Ensure that GFI MailEssentials is bound to the correct IIS SMTP virtual server. This can be checked from the GFI MailEssentials configuration > Right click on 'General' > 'Properties' > 'Bindings'. Emails that should be processed by GFI MailEssentials should pass through the IIS SMTP virtual server configured.
- If emails are meant to be processed by the GFI MailEssentials POP2Exchange, ensure that no other POP3 downloading software is configured to download the emails from the same mailbox. This also includes a user using a normal email client to download emails directly from the POP3 mailbox. If you are downloading emails from a POP3 mailbox, only emails downloaded by the GFI MailEssentials POP2Exchange will be processed by GFI MailEssentials. The only exception to this is when emails are downloaded by the POP3 downloading feature in Microsoft Small Business Server (SBS).
- If emails need to be downloaded from a POP3 mailbox, you need to ensure that you have configured an entry in the GFI MailEssentials POP2Exchange configuration for the particular mailbox.
- Some spam emails are not being blocked. The GFI MailEssentials Dashboard shows all emails except the ones which are not being blocked.
- More Information: If some inbound emails are not passing through GFI MailEssentials, it is possible that the emails are being sent directly to the email server when GFI MailEssentials is installed on a Gateway. This also occurs when spammers target the mail server configured for the secondary MX record, which may not be running any Anti-Spam software. Alternatively, the emails may be passing through a Virtual SMTP server which is not bound to GFI MailEssentials.
- Solution:
- Ensure that the mail server only accepts emails from the GFI MailEssentials machine. Alternatively, you can configure your firewall to allow SMTP connections only to the machine running GFI MailEssentials.
- If you are running another server with the secondary MX record, you can either configure this server to route emails to the machine running GFI MailEssentials or install GFI MailEssentials on all the machines configured in the MX record for your domain.
- If you have more than one Virtual IIS SMTP server on the GFI MailEssentials machine, you need to ensure that all incoming emails are configured to pass through the Virtual IIS SMTP server GFI MailEssentials is bound with. The Virtual IIS SMTP server GFI MailEssentials is bound to can be checked from the GFI MailEssentials configuration > Right click on 'General' > 'Properties' > 'Bindings'.
- GFI MailEssentials fails to process emails:
- Some or all spam emails are not being blocked. The GFI MailEssentials Dashboard shows processing errors for some or all emails. The GFI MailEssentials Dashboard is accessible from the GFI MailEssentials program group ('Start' > 'Programs' > 'GFI MailEssentials' > 'GFI Dashboard'). The Dashboard shows the following error: 'Item Processed Unsuccessful'.
- More Information: GFI MailEssentials may fail to process some or all of the emails. This may occur for various reasons. If processing of a spam email fails, the email will not be blocked.
- Solution: Should you encounter the error mentioned above, please contact support
- Services are not started:
- No spam emails are being blocked by GFI MailEssentials. This issue may occur suddenly.
- More information: This issue may occur if the GFI MailEssentials Attendant service is not running
- Solution: From the services panel, ensure that the GFI MailEssentials Attendant service is enabled and started
- Licensing issues:
- More Information: This issue may occur if the number of users using GFI MailEssentials exceeds the number of purchased licenses. You can check the number of users counted by GFI MailEssentials from the GFI MailEssentials Configuration > 'General' > 'Licensing'.
- Solution:
- If the number of users using GFI MailEssentials has increased after purchasing the GFI MailEssentials license key, you may need to purchase additional users.
- If GFI MailEssentials is still counting users who no longer exist, remove them from Active Directory as valid SMTP accounts.
- Note: GFI MailEssentials will send notifications to the Administrator when the user limit is reached. The Administrator’s email address can be configured from the GFI MailEssentials configuration > 'General Properties' > 'General' tab.
- Whitelist not configured correctly:
- More Information: Emails may be whitelisted in GFI MailEssentials by one of the following methods:
- Sender or recipient whitelist
- IP Whitelist
- Keyword Whitelist
- If an email is whitelisted by one of the methods mentioned above, the email will normally not be scanned by GFI MailEssentials for anti-spam. This issue may occur if a user replies back to spam emails. In such cases, the spammer’s email address may end up in the auto-whitelist. This issue may also occur if users move spam emails to the 'Add to Whitelist' Public Folder.
- Solution:
- Ensure that the sender or recipient of the email does not match any of the entries in the whitelist or the auto-whitelist. You can check the whitelist and auto-whitelist entries from the GFI MailEssentials Configuration > expand 'Anti-spam' > 'Whitelist' > 'Properties' > 'Whitelist' tab.
- You may have a lot of entries in the Auto Whitelist which you may need to check. You can easily do this from the Auto Whitelist database directly. This can be found in '...\Program Files\GFI\MailEssentials\autowhitelist.mdb'. Ensure you back up the database before making any manual changes to it.
- Confirm that the IP addresses from where the emails are originating are not listed in the IP whitelist
- The contents of the IP Whitelist can be viewed from the GFI MailEssentials Configuration > expand 'Anti-Spam' > 'Whitelist' > 'Properties' > 'IP Whitelist' tab
- The IP addresses from where the emails are originating can be viewed in the headers of the email
- Check that the contents of the subject and body of the email do not match any of the entries in the 'Keyword Whitelist'. The contents of the Keyword Whitelists can be viewed from the GFI MailEssentials Configuration > expand 'Anti-Spam' > 'Whitelist' > 'Properties' > 'Keyword Whitelist (Subject)' and 'Keyword Whitelist (body)' tabs.
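The IP whitelist check above, and the earlier check that mail really passed through the GFI MailEssentials machine rather than a secondary MX, can both be run against the headers of a spam message that reached a mailbox. The Python sketch below is an added example, not part of the original article or of GFI MailEssentials; the whitelist entries, the gateway host name and the sample message are constructed assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Constructed values (assumptions): copy the real entries from the 'IP Whitelist' tab.
IP_WHITELIST = ["203.0.113.0/24", "198.51.100.7"]
GATEWAY_HOST = "mesgw.example.com"  # hypothetical name of the GFI MailEssentials machine

# Constructed sample headers of a delivered spam message (newest hop first).
SAMPLE = """\
Received: from mail.example.com (mail.example.com [10.0.0.5])
\tby mbx.example.com with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mx2.example.com (mx2.example.com [10.0.0.9])
\tby mail.example.com with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from bulk.sender.test (unknown [203.0.113.45])
\tby mx2.example.com with SMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: offers@sender.test
To: user@example.com
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")  # address literal in a Received line
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)    # host that accepted the hop


def analyse(raw, whitelist=IP_WHITELIST, gateway=GATEWAY_HOST):
    """Return hop IPs, hops matching the IP whitelist, and whether the gateway handled the mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    nets = [ipaddress.ip_network(entry, strict=False) for entry in whitelist]
    hops, whitelisted, via_gateway = [], [], False
    for header in msg.get_all("Received", []):
        text = " ".join(str(header).split())  # collapse folded whitespace
        by = BY_RE.search(text)
        if by and by.group(1).lower() == gateway.lower():
            via_gateway = True
        for literal in IP_RE.findall(text):
            try:
                ip = ipaddress.ip_address(literal)
            except ValueError:
                continue  # bracketed text that is not an IP address
            hops.append(str(ip))
            if any(ip in net for net in nets if net.version == ip.version):
                whitelisted.append(str(ip))
    return {"hops": hops, "whitelisted": whitelisted, "via_gateway": via_gateway}


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Only the Received lines added by your own servers are trustworthy; lines below them are supplied by the sending side and can be forged, so treat a whitelist match on those as a prompt to review the entry rather than as proof of origin.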
- Actions not configured correctly:
- Some emails are not being blocked. The GFI MailEssentials log files show that the emails are detected as spam by GFI MailEssentials, but the email is still delivered to the users' mailbox.
- More Information: This issue may occur if GFI MailEssentials is configured to move the emails, blocked as spam, to the Junk email folder. This issue may also occur if GFI MailEssentials is configured to 'Move to sub-folder of the user’s mailbox', and the 'Inbox' is selected.
- Solution: Ensure that the option to move emails to the Junk mail folder is enabled from Outlook Web Access. More information can be found in the user manual.
- If you chose to 'Move to sub-folder of the user’s mailbox', ensure that you configure GFI MailEssentials to move the emails to a folder which indicates that the folder contains spam emails.
- Note: The GFI MailEssentials log files for each of the GFI MailEssentials spam filters can be found in the location specified in the GFI MailEssentials configuration > 'Anti-Spam' > Select the spam filter > 'Properties' > 'Other' tab > 'Log occurrence to this file:'.
- Bayesian filter not configured correctly:
- You will notice this when some obvious spam emails are not being blocked.
- More Information: The Bayesian filter is very efficient at blocking spam emails. However it needs to be trained to block the particular type of spam emails. For this to work, you will need to have public folders enabled, and will need to train your users on how to move spam and legitimate email to the correct public folders.
- The server is configured as an open relay:
- Click on 'Start' > 'Administrative Tools' > 'Internet Information Services (IIS) 6.0 Manager'
- Right click on 'SMTP Virtual Server #1' and choose 'Properties'
- Open the 'Access' tab and click on the 'Relay...' button
- Ensure that the setting 'Only the list below' is selected and that only trusted IPs are listed in the computers list below
- Save the settings
- Restart the 'Simple Mail Transfer Protocol (SMTP)' service
- Note: The steps above reflect the dialogs and buttons of a Windows Server 2008, but the phrasing is very similar on the other operating systems mentioned above.
- OLE32.dll not registered properly
- Open a command line ('Start' > 'Run' > 'CMD' > Enter)
- Go to 'C:\Windows\System32\'
- Ole32.dll is a library which contains core OLE functions and is needed for your Windows system to work properly. Type the following command and confirm with Enter: regsvr32 ole32.dll
- Open the MailEssentials dashboard and see if emails are being processed
- SpamRazer definitions have become corrupted
- Disable the GFI MailEssentials Scan service and stop it
- Stop all other GFI MailEssentials services
- Back up the SpamRazer data folder located at '...\SpamScore\Core'
- Delete the rule files (sc*.bin; for example sc1.bin, sc2aj5ac49e0.bin.tmp, etc.) from the SpamRazer data folder. These include all files except spamcatcher.conf, productid and rkd.
- Enable the Scan service again and start all GFI MailEssentials services
- Update the SpamRazer module
- Reporting queues are backed up and allowing spam to bypass filtering
- Open Microsoft Message Queuing Service
- Private Queues
- Right Click and purge all Reporting queues that are backed up
- Open MailEssentials configuration > Reporting > Settings and create a new reporting database
- Verify that the queues are not building up.
CDO files are out of registration
GFI MailEssentials uses the Exchange CDO files to interact with the user’s folders and route items destined for specific folders such as the Inbox\Spam. The most common error shows a lack of ability to perform a file check such as in this example below:
This can easily be corrected by re-registering the CDO files. To re-register the CDO DLL's, please run the following commands from a command prompt on the Exchange Server.
NOTE: If you have installed to another drive, such as D:\, you will need to modify the paths in the lines below.
regsvr32 /u "c:\program files\common files\microsoft shared\cdo\cdoex.dll"
regsvr32 /u "c:\program files\exchsrvr\bin\cdo.dll"
regsvr32 /u "c:\windows\system32\cdosys.dll"
regsvr32 "c:\windows\system32\cdosys.dll"
regsvr32 "c:\program files\exchsrvr\bin\cdo.dll"
regsvr32 "c:\program files\common files\microsoft shared\cdo\cdoex.dll"
Once all 3 registrations succeed, the Exchange Information Store will need to be restarted.
The Autodiscover service must be able to connect and test successfully
GFI MailEssentials takes advantage of the Autodiscover service in Exchange 2007/2010 to perform a lookup of user folders and move messages between the various roles of the Exchange Server configuration. This works similarly to how GFI MailEssentials uses CDO files to perform handling in Exchange 2003. If an email is destined for the Inbox\Spam folder, an Autodiscover lookup will take place, the user will be impersonated, and then the mail is routed into the folders. If the Autodiscover connection fails, GFI MailEssentials will not be able to quarantine spam.
- Open the Exchange Management Shell and type Test-OutlookWebServices | FL
- Ensure that all results state Information or Success. Errors related to Unified Messaging can be ignored.
- If the customer has AutoDiscover issues, send them the approved signature for resolution from the ERL system. AutoDiscover correction is outside the scope of our support. If the customer is unable to resolve the issues given the information provided, they must seek assistance from Microsoft.
Exchange must have a valid & properly configured SSL Certificate
When the Exchange SSL certificate expires, GFI MailEssentials is unable to perform Autodiscover lookups using trusted connections. An expired or improperly configured SSL certificate causes around 80% of reported customer Autodiscover issues and is also one of the quickest things to fix. If the certificate is expired, customers can obtain SSL certificates from an outside certification authority (CA) such as VeriSign or Digicert. Microsoft also allows customers to issue their own server certificates by using Microsoft Certificate Services. More information can be found on Microsoft TechNet here:
http://technet.microsoft.com/en-us/library/aa996680(EXCHG.65).aspx
If the certificate is improperly configured, such as a self-signed certificate for a domain that has a different internal and external face, the customer must make modifications to the SSL cert to account for this. One common example is a .local internal domain and a .com external domain. Microsoft has posted a guide to resolving this on their support KB here:
http://support.microsoft.com/kb/940726
Configuration or installation issues. GFI MailEssentials not filtering emails.