New release seems to duplicate messages |
Post Reply 
|
| Author | |
Terry 
Senior Member 
Joined: 06 February 2005 Status: Offline Points: 155 |
 Post Options
 Thanks(0)
 Quote Reply
 Topic: New release seems to duplicate messagesPosted: 20 August 2007 at 10:18am |
|
I am on the 3.5.4.705 version of spamfilter to solve the whitelist problem we had earlier....it looks like we may be finding a bug in this version however in that some messages are delivered multiple times to a recipient. This log extract shows an example of a message that appears to fall into the category... 08/20/07 05:51:59:453 -- (1956) Connection from: 65.207.34.42 - Originating country : United States
08/20/07 05:51:59:906 -- (200) Resolving 66.109.30.42 - GLDN.GLDNTIKET.NET 08/20/07 05:52:00:031 -- (1956) Resolving 65.207.34.42 - usp570c.us.hanjin.com 08/20/07 05:52:00:437 -- (200) found SPF record for gldntiket.net: v=spf1 mx a -all 08/20/07 05:52:00:453 -- (200) SPF query result: pass 08/20/07 05:52:00:453 -- (200) - SPF analysis for gldntiket.net done: - pass 08/20/07 05:52:00:453 -- (200) Mail from: b-3fxqbz.hdmyp@gldntiket.net 08/20/07 05:52:00:562 -- (1956) - SPF analysis for us.hanjin.com done: - none 08/20/07 05:52:00:562 -- (1956) Mail from: hunsaker@us.hanjin.com 08/20/07 05:52:00:796 -- (200) - MAPS search done... 08/20/07 05:52:00:796 -- (200) RCPT TO: tawnya.krenz@portofportland.com accepted 08/20/07 05:52:00:968 -- (1956) - MAPS search done... 08/20/07 05:52:00:968 -- (1956) RCPT TO: Louise.Stukey@portofportland.com accepted 08/20/07 05:52:01:078 -- (1956) Mail from: hunsaker@us.hanjin.com 08/20/07 05:52:01:078 -- (1956) RCPT TO: T6BerthAgents@portofportland.com accepted 08/20/07 05:52:01:078 -- (1956) Bypassed all rules for: T6BerthAgents@portofportland.com from hunsaker@us.hanjin.com ( Whitelisted EmailTO) 08/20/07 05:52:01:218 -- (200) Checking SURBL 08/20/07 05:52:01:234 -- (1956) Mail from: hunsaker@us.hanjin.com 08/20/07 05:52:01:234 -- (1956) RCPT TO: Todd.Trost@portofportland.com accepted 08/20/07 05:52:01:234 -- (1956) Bypassed all rules for: Todd.Trost@portofportland.com from hunsaker@us.hanjin.com ( Whitelisted EmailTO) 08/20/07 05:52:01:265 -- (200) Start virus scan 08/20/07 05:52:01:265 -- (200) Starting queueing procedures 08/20/07 05:52:01:265 -- (200) EMail from b-3fxqbz.hdmyp@gldntiket.net to tawnya.krenz@portofportland.com was queued. Size: 4 KB, 4096 bytes 08/20/07 05:52:01:265 -- (200) Starting bayesian procedures 08/20/07 05:52:01:265 -- (2408) Sending email from b-3fxqbz.hdmyp@gldntiket.net to tawnya.krenz@portofportland.com -- 08/20/07 05:52:01:437 -- (2408) EMail from b-3fxqbz.hdmyp@gldntiket.net to tawnya.krenz@portofportland.com -- was forwarded to portexfe.pop.portptld.com:25 08/20/07 05:52:01:437 -- (1956) Mail from: hunsaker@us.hanjin.com 08/20/07 05:52:01:437 -- (1956) RCPT TO: T6Planners@portofportland.com accepted 08/20/07 05:52:01:437 -- (1956) Bypassed all rules for: T6Planners@portofportland.com from hunsaker@us.hanjin.com ( AutoWhiteList Force Delivery) 08/20/07 05:52:01:468 -- (200) Disconnect 08/20/07 05:52:01:859 -- (3660) Connection from: 189.13.110.46 - Originating country : Brazil 08/20/07 05:52:02:015 -- (2312) Connection from: 222.168.180.154 - Originating country : China 08/20/07 05:52:02:421 -- (2460) Start virus scan 08/20/07 05:52:02:437 -- (2460) Starting quarantine procedures 08/20/07 05:52:02:453 -- (2460) Created thread (3708) to add email to quarantine 08/20/07 05:52:02:453 -- (2460) Starting bayesian procedures 08/20/07 05:52:02:500 -- (3708) EMail from paoluzzicignitti.com@wauf.com to mark.daniel@portofportland.com was received and quarantined. Size: 19 KB, 19456 bytes 08/20/07 05:52:02:656 -- (1956) Found Keywords: [love,angel,this] 08/20/07 05:52:02:656 -- (1956) EMail from hunsaker@us.hanjin.com to Louise.Stukey@portofportland.com, T6BerthAgents@portofportland.com, Todd.Trost@portofportland.com, T6Planners@portofportland.com matches content filter rules - rejected. 08/20/07 05:52:02:656 -- (1956) Start virus scan 08/20/07 05:52:02:718 -- (1956) Starting queueing procedures 08/20/07 05:52:02:718 -- (1956) Info - some recipients were in the WhitelistedEmailsTO list. Email will be split so they receive it while the others will not 08/20/07 05:52:02:718 -- (1956) EMail from hunsaker@us.hanjin.com to "T6BerthAgents@portofportland.com, T6Planners@portofportland.com" was queued. Size: 87 KB, 89088 bytes 08/20/07 05:52:02:734 -- (1956) Starting quarantine procedures 08/20/07 05:52:02:734 -- (3864) Sending email from hunsaker@us.hanjin.com to T6BerthAgents@portofportland.com, T6Planners@portofportland.com -- 08/20/07 05:52:02:750 -- (1956) Created thread (3136) to add email to quarantine 08/20/07 05:52:02:859 -- (3136) EMail from hunsaker@us.hanjin.com to Louise.Stukey@portofportland.com, T6BerthAgents@portofportland.com, Todd.Trost@portofportland.com, T6Planners@portofportland.com was received and quarantined. Size: 88 KB, 90112 bytes 08/20/07 05:52:02:890 -- (3864) EMail from hunsaker@us.hanjin.com to T6BerthAgents@portofportland.com, T6Planners@portofportland.com -- was forwarded to portexfe.pop.portptld.com:25 The same person gets the message and has it quarantined...plus it appears that the sender may not be getting a delivered message as often get another repeat of the message in a few minutes....very confusing for our staff at this time...
|
|
 |
|
|
LogSat
Admin Group 
Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
Quote Reply
Posted: 20 August 2007 at 5:55pm |
|
Terry,
Emails with multiple recipients, where some of the recipients are whitelisted are a great cause of confusion, for both you admins and ourselves here at LogSat, as they are rather complex to handle. If an email arrived matching the above scenario, SpamFilter was storing in the quarantine the email for all recipients, even the whitelisted ones. This has been brought to our attention a couple of weeks ago, and as it was confusing indeed, starting from version 3.5.4.707 this was fixed: // New to VersionNumber = '3.5.4.707'; {TODO -cFix : If a spam email is split so that it is delivered for whitelisted recipients but blocked for the rest, it was still being stored in the quarantine database for all receipients, including the whitelisted ones} As far as the email being delivered multiple times, we do not see that happening in the log you provided. Is it happening during the same SMTP session (meaning the duplicates are delivered all at the same time), or spread over time? |
|
|
|
|
Terry
Senior Member
Joined: 06 February 2005 Status: Offline Points: 155 |
Post Options
Thanks(0)
Quote Reply
Posted: 20 August 2007 at 8:47pm |
|
Based on what I see in the quarantine and logs I am thinking that the sender may be getting back a return code that makes them retry to send the message. They are coming in 5 minutes or so apart. I will download the newer release tonight and try to fix the issue you addressed there... |
|
|
|
|
Terry
Senior Member
Joined: 06 February 2005 Status: Offline Points: 155 |
Post Options
Thanks(0)
Quote Reply
Posted: 27 August 2007 at 4:37pm |
|
I have applied version 707 and we still have a problem...when the user received this message...he got 169 copies of it in his inbox....
I know this is a message that is split for some that whitelist and I think that is what is driving this problem...
08/24/07 12:41:52:932 -- (7160) Resolving 199.236.181.164 - mail.anchorenv.commail1.anchorenv.comducati.anchorenv.comblade03.anchorenv.com
08/24/07 12:41:53:073 -- (7640) Start virus scan 08/24/07 12:41:53:166 -- (7640) Starting quarantine procedures 08/24/07 12:41:53:166 -- (7640) Created thread (7784) to add email to quarantine 08/24/07 12:41:53:166 -- (7640) Starting bayesian procedures 08/24/07 12:41:53:198 -- (7784) EMail from uotwila@herspace.com to griffd@portptld.com was received and quarantined. Size: 4 KB, 4096 bytes 08/24/07 12:41:53:291 -- (7160) - SPF analysis for anchorenv.com done: - none 08/24/07 12:41:53:291 -- (7160) Mail from: jpisano@anchorenv.com 08/24/07 12:41:53:385 -- (7160) - MAPS search done... 08/24/07 12:41:53:385 -- (7160) RCPT TO: andrea.seger@portofportland.com accepted 08/24/07 12:41:53:385 -- (7160) Bypassed all rules for: andrea.seger@portofportland.com from jpisano@anchorenv.com ( AutoWhiteList Force Delivery) 08/24/07 12:41:53:557 -- (476) Connection from: 190.51.169.232 - Originating country : Argentina 08/24/07 12:41:53:698 -- (7640) Blacklist cache - Added 83.152.217.35 to limbo 08/24/07 12:41:53:698 -- (7640) Disconnect 08/24/07 12:41:53:713 -- (7160) Mail from: jpisano@anchorenv.com 08/24/07 12:41:53:713 -- (7160) RCPT TO: david.ashton@portofportland.com accepted 08/24/07 12:41:53:713 -- (7160) Bypassed all rules for: david.ashton@portofportland.com from jpisano@anchorenv.com ( AutoWhiteList Force Delivery) 08/24/07 12:41:53:807 -- (476) No Data Received 08/24/07 12:41:53:807 -- (476) Disconnect 08/24/07 12:41:54:151 -- (7160) Mail from: jpisano@anchorenv.com 08/24/07 12:41:54:151 -- (7160) RCPT TO: jim.mckenna@portofportland.com accepted 08/24/07 12:41:54:151 -- (7160) Bypassed all rules for: jim.mckenna@portofportland.com from jpisano@anchorenv.com ( AutoWhiteList Force Delivery) 08/24/07 12:41:54:385 -- (7160) Mail from: jpisano@anchorenv.com 08/24/07 12:41:54:385 -- (7160) RCPT TO: krista.koehl@portofportland.com accepted 08/24/07 12:41:54:385 -- (7160) Bypassed all rules for: krista.koehl@portofportland.com from jpisano@anchorenv.com ( AutoWhiteList Force Delivery) 08/24/07 12:41:54:666 -- (4252) Start virus scan 08/24/07 12:41:54:666 -- (4252) Starting bayesian procedures 08/24/07 12:41:54:776 -- (7160) Mail from: jpisano@anchorenv.com 08/24/07 12:41:54:776 -- (7160) RCPT TO: sheila.david@portofportland.com accepted 08/24/07 12:41:54:776 -- (7160) Bypassed all rules for: sheila.david@portofportland.com from jpisano@anchorenv.com ( AutoWhiteList Force Delivery) 08/24/07 12:41:55:885 -- (7160) Found Keywords: [Subject:anal] 08/24/07 12:41:55:885 -- (7160) EMail from jpisano@anchorenv.com to andrea.seger@portofportland.com, david.ashton@portofportland.com, jim.mckenna@portofportland.com, krista.koehl@portofportland.com, sheila.david@portofportland.com matches content filter rules - rejected. 08/24/07 12:41:55:916 -- (7160) Start virus scan 08/24/07 12:41:55:948 -- (7160) Starting queueing procedures 08/24/07 12:41:55:948 -- (7160) Info - some recipients were in the WhitelistedEmailsTO list. Email will be split so they receive it while the others will not 08/24/07 12:41:55:948 -- (7160) EMail from jpisano@anchorenv.com to "andrea.seger@portofportland.com, david.ashton@portofportland.com, jim.mckenna@portofportland.com, sheila.david@portofportland.com" was queued. Size: 14 KB, 14336 bytes 08/24/07 12:41:55:948 -- (7160) Starting quarantine procedures 08/24/07 12:41:55:948 -- (6268) Sending email from jpisano@anchorenv.com to andrea.seger@portofportland.com, david.ashton@portofportland.com, jim.mckenna@portofportland.com, sheila.david@portofportland.com -- 08/24/07 12:41:55:963 -- (7160) Created thread (3240) to add email to quarantine 08/24/07 12:41:55:963 -- (7160) Starting bayesian procedures 08/24/07 12:41:56:041 -- (3240) EMail from jpisano@anchorenv.com to krista.koehl@portofportland.com was received and quarantined. Size: 17 KB, 17408 bytes 08/24/07 12:41:56:088 -- (6268) EMail from jpisano@anchorenv.com to andrea.seger@portofportland.com, david.ashton@portofportland.com, jim.mckenna@portofportland.com, sheila.david@portofportland.com -- was forwarded to portexfe.pop.portptld.com:25 |
|
|
|
|
LogSat
Admin Group
Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
Quote Reply
Posted: 27 August 2007 at 7:07pm |
|
Terry,
From this post it is not clear which ones are the emails that were sent in duplicates. To make matter more confusing, in build 707 there is a minor bug in the logging, which causes some entries to be logged as being whitelisted, while in reality the emails are being correctly stopped. The best way to proceed is for you to zip and place on our ftp site the entire logfile for the day, so we can see what happened. Please also indicate which one was the email that was being duplicated. |
|
|
|
|
jerbo128
Senior Member
Joined: 06 March 2006 Status: Offline Points: 178 |
Post Options
Thanks(0)
Quote Reply
Posted: 27 August 2007 at 7:42pm |
|
Roberto,
I am also getting reports of this problem. We are working on locating it in the logs.
Running SFE 707.
Users deliver an email from the quarantine, and then get a second copy a few minutes later.
Jerbo128
|
|
|
|
|
Terry
Senior Member
Joined: 06 February 2005 Status: Offline Points: 155 |
Post Options
Thanks(0)
Quote Reply
Posted: 28 August 2007 at 10:45am |
|
you are going to have to email me the userid and password for the ftp site....
|
|
|
|
|
Terry
Senior Member
Joined: 06 February 2005 Status: Offline Points: 155 |
Post Options
Thanks(0)
Quote Reply
Posted: 29 August 2007 at 9:28am |
|
having problems with the upload ...I hope to get it to you today but the ftp site keeps dropping me...
|
|
|
|
|
sevo
Newbie 
Joined: 21 October 2006 Status: Offline Points: 7 |
Post Options
Thanks(0)
Quote Reply
Posted: 29 August 2007 at 5:15pm |
|
hi, i also experience similar behaviour (the same message being delivered multiple times). However - when looking at the log-files i see that the remote mail servers "reconnect" every other hour.
Has anything changed in the way logsat commicates to the remote server about multi-recipient messages?
|
|
|
|
|
LogSat
Admin Group
Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
Quote Reply
Posted: 29 August 2007 at 10:01pm |
|
Sevo,
We have still not received Terry's files, so were not able to yet determine what the problem is, or if the duplicates were sent immediately or hourly. In regards to your question, there are no changes we are aware of in the way emails are being forwarded. If you can zip and email us a few hours worth of SpamFilter's logfile, along with the to/from email addresses involved, we'll be happy to take a look. |
|
|
|
|
Terry
Senior Member
Joined: 06 February 2005 Status: Offline Points: 155 |
Post Options
Thanks(0)
Quote Reply
Posted: 04 September 2007 at 4:41pm |
|
I started a new post since I think we are seeing a better example of the behavior...if you want to close this one I am okay with that
|
|
|
|
|
Terry
Senior Member
Joined: 06 February 2005 Status: Offline Points: 155 |
Post Options
Thanks(0)
Quote Reply
Posted: 05 September 2007 at 1:11pm |
|
finally got a good upload to the ftp site...the file starting with 20070903 is the complete and good one
|
|
|
|
Topic Options|
Post Reply
|
|
Tweet
|
| Forum Jump | Forum Permissions You cannot post new topics in this forum You cannot reply to topics in this forum You cannot delete your posts in this forum You cannot edit your posts in this forum You cannot create polls in this forum You cannot vote in polls in this forum |
This page was generated in 0.082 seconds.