Overview
The Anti-Phishing filter is producing an increasing number of false positives and regularly blocks legitimate emails, even when the sender has been added to the whitelist, which has a higher priority than the Anti-Phishing filter. If tracing is enabled, the ase_purbl.gfi_log.txt file in \GFI\MailEssentials\Antispam\DebugLogs reports the following errors:
2020-09-23,11:08:00,625,1,"#00007e54","#00006b18","info ","ase_purbl",">> spammy: [<linkedin url>]"
2020-09-23,11:08:00,625,1,"#00007e54","#00006b18","info ","ase_purbl","PurblCheck::ScanEntity() <<"
2020-09-23,11:08:00,625,1,"#00007e54","#00006b18","info ","ase_purbl","Spam detection result: [AP Keywords: not detected] [AP Blocklist: detected]"
2020-09-23,11:08:00,625,1,"#00007e54","#00006b18","info ","ase_purbl","Setting actions data ..."
2020-09-23,11:08:00,625,1,"#00007e54","#00006b18","info ","ase_purbl","Informing ASE [2]..."
2020-09-23,11:08:00,625,1,"#00007e54","#00006b18","info ","ase_purbl","Setting block report to: 'Message is a scam email phishing'"
Solution
The filter queries a third-party database from NetCraft, which contains the LinkedIn URL; this is why the messages are getting blocked. This third-party database cannot be modified.
This was a known issue with the Anti-Phishing filter reported to our Engineering team. The fix for this defect has been deployed for MailEssentials 21.6 in Patch 6. In that regard, please apply all the available patches to your MailEssentials installation. If you are running an older version of MailEssentials, please note that you will need to update to MailEssentials 21.6 before applying Patch 6.
If the patch did not solve the issue, or you cannot update to MailEssentials 21.6, the best way to allow these messages would be to whitelist the sender either by IP or domain if you have a common criterion for the affected emails. The "Determining why the Anti-Phishing Filter blocked or allowed a message" support article may present additional details.
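To find a common criterion among the affected emails, the debug log entries shown in the Overview can be tallied by the URL that triggered a blocklist-only detection. The Python script below is an added example, not part of GFI MailEssentials or of the original article; it assumes that the fifth and sixth fields of each line identify the scan that wrote it, and its sample log is constructed.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the layout of the ase_purbl.gfi_log.txt lines shown in
# the Overview; the URLs and ids are placeholders, not values from a real log.
SAMPLE_LOG = '''\
2020-09-23,11:08:00,625,1,"#00007e54","#00006b18","info ","ase_purbl",">> spammy: [https://www.example.com/in/profile]"
2020-09-23,11:08:00,625,1,"#00007e54","#00006b18","info ","ase_purbl","Spam detection result: [AP Keywords: not detected] [AP Blocklist: detected]"
2020-09-23,11:08:00,625,1,"#00007e54","#00006b18","info ","ase_purbl","Setting block report to: 'Message is a scam email phishing'"
2020-09-23,11:09:12,101,1,"#00007e54","#00006c20","info ","ase_purbl","Spam detection result: [AP Keywords: not detected] [AP Blocklist: not detected]"
2020-09-23,11:10:30,410,1,"#00007e54","#00006b18","info ","ase_purbl",">> spammy: [https://www.example.com/in/profile]"
2020-09-23,11:10:30,410,1,"#00007e54","#00006b18","info ","ase_purbl","Spam detection result: [AP Keywords: not detected] [AP Blocklist: detected]"
'''

# Message patterns taken from the log lines quoted in the article.
SPAMMY = re.compile(r">> spammy: \[(.*)\]")
RESULT = re.compile(r"\[AP Keywords: ([^\]]+)\] \[AP Blocklist: ([^\]]+)\]")

def blocklist_hits(lines):
    """Return (timestamp, url, keywords, blocklist) for each blocklist detection."""
    pending = {}  # (field 5, field 6) -> URLs seen since the last result (assumed scan key)
    hits = []
    for row in csv.reader(lines):
        if len(row) < 9 or row[7] != "ase_purbl":
            continue
        key, msg = (row[4], row[5]), row[8]
        m = SPAMMY.search(msg)
        if m:
            pending.setdefault(key, []).append(m.group(1))
            continue
        m = RESULT.search(msg)
        if m:
            urls = pending.pop(key, [])
            if m.group(2) == "detected":
                for url in urls or ["<no URL logged>"]:
                    hits.append((f"{row[0]} {row[1]}", url, m.group(1), m.group(2)))
    return hits

def tally_blocklist_only(lines):
    """Count URLs blocked by the blocklist alone (keyword check found nothing)."""
    return Counter(u for _, u, kw, _ in blocklist_hits(lines) if kw == "not detected")

if __name__ == "__main__":
    for url, n in tally_blocklist_only(io.StringIO(SAMPLE_LOG)).most_common():
        print(n, url)
```

To run it against a real log, pass an open file handle for ase_purbl.gfi_log.txt instead of the sample; URLs that dominate the tally are the ones to compare against the senders you expect to whitelist.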
If the Anti-Phishing filter is reporting too many false positives, you may attempt to disable the Anti-Phishing filter and enable the IP DNS Blocklist as well as the URI DNS Blocklist:
IP DNS Blocklist:
In the MailEssentials Configuration UI, navigate to Anti-Spam > Anti-Spam Filters > IP DNS Blocklist. Ensure that bl.spamcop.net and dul.dnsbl.sorbs.net are enabled. In addition, you should add the following extra lists to make sure the filter is configured for optimal coverage:
- Type zen.spamhaus.org in the Domain box and click Add IP DNS Blocklist.
- Type b.barracudacentral.org in the Domain box and click Add IP DNS Blocklist.
- Type dnsrbl.org in the Domain box and click Add IP DNS Blocklist.
- Type dnsbl.sorbs.net in the Domain box and click Add IP DNS Blocklist.
- Ensure the new lists are enabled and click Apply.
Open a browser and go to barracudacentral.org. Click the Request access link on the left. Fill out the form providing your external IP address in order to access the Barracuda Central blocklist.
URI DNS Blocklist:
Follow the steps in the How to configure the URI DNS Blocklist article, and add up to two more lists to the URI DNS Blocklist.
This filter may increase email processing time. If you are experiencing long processing times, please disable all other URI DNS Blocklists when enabling multi.surbl.org.
Testing
After applying the steps above, legitimate emails should not be blocked anymore.
If the issue still persists, please generate the troubleshooting logs as follows:
- Make sure that you have tracing enabled.
- Wait for at least 30 minutes to gather enough information and for the issue to be reproduced.
- Run the troubleshooter: Start > Programs > GFI MailEssentials > Troubleshooter
- Follow the Log Generation Wizard for collecting the required and pertinent information.
- Select New Case when completing the log generation to attach the logs to a new case that will be automatically created, or open a support ticket manually and attach the logs to that ticket, so that the Support team can investigate the problem.