
Spamfilter 2.5.1.441 "RCPT TO" freeze

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5215
Printed Date: 26 December 2024 at 6:25am


Topic: Spamfilter 2.5.1.441 "RCPT TO" freeze
Posted By: Guests
Subject: Spamfilter 2.5.1.441 "RCPT TO" freeze
Date Posted: 07 June 2005 at 2:01pm

Just FYI,

It appears that specific condition(s) cause Spam filter 2.5.1.441 to freeze and pause in the "RCPT TO" state. I have seen this case many times in the logfile. The program does not crash, however the incoming call never closes past the idle time limit or read timeout limit.

Log states % found in FROM, but there is no %.

Recipient exists in the Auth_TO list and no other recipient is listed in the TO statement of the incoming email.

The log says that the call will be disconnected, however it is not, and the incoming email is actually delivered to the recipient.

Local host is untrusted by using the untrust flag in ini file as well.

I don't have the specification for the incoming email, but will try to find it and report later.

Reducing the idle time or read timeout in the ini file does not change anything and the connection remains open past the idle time. The message body is very short, so delay in the Bayesian test is not the cause. No other checks such as keyword or MAPS or SPF are performed.

The condition usually occurs when receiving email from mailing lists. I don't know if this is because there are problems in the "Reply TO" statement?

In my configuration, email from "Empty From" is accepted as well.

log says:

06/07/05 11:37:28:874 -- (984) Resolving 127.0.0.1 - localhost
06/07/05 11:37:28:874 -- (984) Mail from:  To: mailto:weekly_news-request@fsmmag.com - weekly_news-request@fsmmag.com - rejected - no relay allowed or % found in FROM address
06/07/05 11:37:28:874 -- (984) 127.0.0.1 - Mail from:  To: mailto:weekly_news-request@fsmmag.com - weekly_news-request@fsmmag.com will be disconnected
06/07/05 11:37:28:874 -- (984) Disconnect

Thanks for attention

Regards,




Replies:
Posted By: LogSat
Date Posted: 07 June 2005 at 7:37pm
Samsung,

Thanks for all the info. Could you please also let us know:
1 - besides existing in the Auth_To list, is the domain fsmmag.com listed in the "Local Domains" whitelist?
2 - Can you describe a bit more in detail what the symptoms are when you say "cause spamfilter to freeze and pause in the RCPT TO state"?

As a side note, please note that from the log entry you posted the incoming connection is originating from 127.0.0.1, not from the real IP of the sender. This will prevent all of the dns-based filters from functioning correctly, as they must all act on the original source IP.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: Guests
Date Posted: 14 June 2005 at 5:20pm

Thanks for quick response.

 

fsmmag.com is NOT listed in the "Local Domains" white list

 

I am testing spamfilter and I am currently not interested in testing ALL DNS or IP-based tests (reverse-DNS, country, SPF, MAPS-RBL, IP blacklists, MX checks etc.)

I have installed two instances of spamfilter 2.5.2 on same server.

1) First spamfilter is bound to NIC’s IP and used to capture and quarantine sample data. I redirect SMTP traffic from firewall to capture test data. I release items from quarantine and feed it to second spamfilter (which is under test here)

2) Second spamfilter is bound to 127.0.0.1. That instance is under test.

I am only testing I/O and keyword tests… The 127.0.0.1 untrust flag is set up in the ini file as well. The log entries I posted are from the second filter.

 

I find many instances (almost all are related to emails generated by mailing lists) where I can make spamfilter freeze.

I find that the output SMTP conversation specifications of spamfilter are incompatible with its input. Perhaps the way the program treats the “RCPT TO” and “FROM” addresses is the hazard.

 

Here is an example of one scenario.

External email is received by the first spamfilter. The “RCPT TO” person is in the Auth_TO white list. The email is received correctly and then sent to the second spamfilter. In the conversation to the second spamfilter, “RCPT TO” is reported correctly again and the “rcpt to” person is listed in the AUTH-TO white list as well. The second spamfilter accepts the email, then halfway rejects it because it finds the “TO” field populated with the “Reply to” address of the list. I also see in the logs that “FROM” is reported empty. Obviously, since the second spamfilter finds items in “TO” that are not in the auth domain white list, it invokes that “rejected - no relay allowed or % found in FROM address” error. In the meantime, the connection status column in the activity log remains frozen, reporting “RCPT TO” status. The connection remains open past the defined timers in the ini file.

 

If you look at the log file items I posted, you see “From” is empty and “TO” is populated by the list’s email address instead of the targeted recipient. Is this correct behavior? I think there is something wrong…

 

 

You can reproduce this problem fairly easily.  Two instances can be on two different servers and result is same.

 

The scenario shows that spamfilter perhaps cannot be daisy chained in v2.5.2?

 

The first reason I was interested in running multiple instances in series is because spamfilter white list is so weak. If I white list one user to disable rev-DNS check I give up keyword file attachment tests and all other tests.  Spamfilter needs to be able to white list users and administrator have ability to check box filters to which a white listed person applies. 

Thanks

Mr Sam



Posted By: Guests
Date Posted: 14 June 2005 at 5:42pm

This also may explain or be related to:

http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5198&PN=1

where 100+ hung sessions all sitting at the RCPT TO status.

soon after they upgraded to v2.5.2x just a thought....

Sam

 



Posted By: LogSat
Date Posted: 14 June 2005 at 5:51pm
Samsung,

Your description is pretty accurate, but we're not able to reproduce the problem. Two SpamFilters, one listening on the NIC's IP, the other listening on 127.0.0.1. The first receives the email and forwards it to the one on 127.0.0.1, but on our tests, the from and to on the second SpamFilter are reported correctly, even if the "Reply-To" is different.

Could you please zip and email us the relevant section of the logs for *both* SpamFilters that show the entries for the email causing the problem on both servers, along with the full email's headers, so we can try to reproduce this?



-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: Guests
Date Posted: 16 June 2005 at 8:18pm

 

Thank you for looking at this problem:

NOTE: abcd@xyz.com is in AUTH_TO of both spamfilters.

NOTE: The conversation between spamfilter1 -> spamfilter2 freezes in RCPT-TO status. Killing the connection does not remove the status line.

Here are the logs from 2 spamfilters

Thanks

 

 


XXXXXXXXXXXX LOGS FROM spamfilter bounded to NIC IP XXXXXXXXXXXXXXXXXXXXXXXXXX

06/16/05 18:05:23:802 -- (1160) Connection from: 66.77.218.42  -  Originating country : United States
06/16/05 18:05:24:818 -- (1160) found SPF record for bounces.bluehornet.com: v=spf1 ip4:66.77.218.0/26 ip4:66.77.60.192/26 -  all
06/16/05 18:05:24:818 -- (1160) SPF query result: pass
06/16/05 18:05:24:818 -- (1160) - SPF analysis for bounces.bluehornet.com done: - pass
06/16/05 18:05:24:521 -- (1160) Resolving 66.77.218.42 - launch4.bluehornet.com
06/16/05 18:05:24:818 -- (1160) Mail from: mailto:bounce-use=H=100727725=blitz2@bounces.bluehornet.com - bounce-use=H=100727725=blitz2@bounces.bluehornet.com
06/16/05 18:05:25:693 -- (1160) - MAPS search done...
06/16/05 18:05:25:693 -- (1160) RCPT TO: mailto:abcd@xyz.com - abcd@xyz.com accepted
06/16/05 18:05:28:927 -- (1160) EMail from mailto:bounce-use=H=100727725=blitz2@bounces.bluehornet.com - bounce-use=H=100727725=blitz2@bounces.bluehornet.com to mailto:abcd@xyz.com - abcd@xyz.com passes Bayesian filter - 0% spam  (1749ms)
06/16/05 18:05:28:942 -- (1160) EMail from mailto:bounce-use=H=100727725=blitz2@bounces.bluehornet.com - bounce-use=H=100727725=blitz2@bounces.bluehornet.com to mailto:abcd@xyz.com - abcd@xyz.com was queued. Size: 42 KB, 43008 bytes
06/16/05 18:05:28:942 -- (628) Sending email from mailto:asma@hob.com - asma@hob.com to mailto:abcd@xyz.com - abcd@xyz.com
06/16/05 18:05:28:989 -- (1540) Time to add Msg to Bayes corpus:0
06/16/05 18:05:29:083 -- (1160) Disconnect
06/16/05 18:05:30:067 -- (628) Socket Error # 10061 Connection refused. - message queued - mailto:asma@hob.com - asma@hob.com
06/16/05 18:06:36:330 -- Starting to process queue directory...
06/16/05 18:06:36:393 -- (1716) Sending email from mailto:asma@hob.com - asma@hob.com to mailto:abcd@xyz.com - abcd@xyz.com
06/16/05 18:07:36:531 -- (1716) EMail from: mailto:asma@hob.com - asma@hob.com to: mailto:abcd@xyz.com - abcd@xyz.com   was returned to sender - server error - Read Timeout
06/16/05 18:07:36:687 -- (1716) Error-email from mailto:asma@hob.com - asma@hob.com to mailto:abcd@xyz.com - abcd@xyz.com   was forwarded to 127.0.0.1
06/16/05 18:07:36:687 -- (1716) server error - Read Timeout

 

XXXXXXXXXXXX LOGS from spamfilter bound to 127.0.0.1 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

06/16/05 18:06:36:408 -- (1548) Connection from: 127.0.0.1  -  Originating country : N/A
06/16/05 18:06:36:518 -- (1548) Resolving 127.0.0.1 - localhost
06/16/05 18:06:36:518 -- (1548) Mail from: mailto:bounce-use=H=100727725=blitz2@bounces.bluehornet.com - bounce-use=H=100727725=blitz2@bounces.bluehornet.com
06/16/05 18:06:36:518 -- (1548) - MAPS search done...
06/16/05 18:06:36:518 -- (1548) RCPT TO: mailto:abcd@xyz.com - abcd@xyz.com accepted
06/16/05 18:07:36:531 -- (1492) Connection from: 127.0.0.1  -  Originating country : N/A
06/16/05 18:07:36:687 -- (1492) Resolving 127.0.0.1 - localhost
06/16/05 18:07:36:687 -- (1492) Mail from:  To: mailto:bounce-use=H=100727725=blitz2@bounces.bluehornet.com - bounce-use=H=100727725=blitz2@bounces.bluehornet.com - rejected - no relay allowed or % found in FROM address
06/16/05 18:07:36:687 -- (1492) 127.0.0.1 - Mail from:  To: mailto:bounce-use=H=100727725=blitz2@bounces.bluehornet.com - bounce-use=H=100727725=blitz2@bounces.bluehornet.com will be disconnected
06/16/05 18:07:36:687 -- (1492) Disconnect
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX



Posted By: LogSat
Date Posted: 21 June 2005 at 6:54pm
Samsung,

The scenario is a bit more complex than you described. It *may* have to do with how you configured your firewall or SpamFilter.

From your logs, when sending the email from thread 628, the 1st SpamFilter experienced a "Connection Refused" error when forwarding the email to the destination SMTP server at 18:05:30:067 (from your logs on the 2nd SpamFilter, we can't tell if the error occurred because the 2nd SpamFilter rejected it, or the email was forwarded to a different SMTP server).

Later, in thread 1716 on the 1st SpamFilter, an NDR (non-delivery) error email is being sent to "abcd@xyz.com" because when SpamFilter attempted to deliver it to your forwarding SMTP server, an error occurred ("Read Timeout"). The NDR email is an email sent to the sender, using an empty MAIL FROM per RFC, which is then forwarded to your destination SMTP server for delivery. This NDR is probably the email you see on the 2nd SpamFilter's logs, with an empty "Mail From", not the original one with a valid "mail from". The NDR is apparently then rejected by the 2nd SpamFilter, probably because of one of the settings.

Without having the configurations for both SpamFilters, it's hard to pinpoint the problem. If you can email them to us we'll try to look into it even further.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
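
The two sessions discussed in this thread (one left open after "RCPT TO ... accepted", one arriving with an empty "Mail from") can be separated by grouping log lines on the thread id in parentheses. The following is an added example, not part of the original thread and not LogSat's code; the function names are hypothetical, the line format is inferred from the posted log lines, and the sample is adapted from the second SpamFilter's log with the mailto link residue trimmed.

```python
import re
from collections import defaultdict

# Constructed sample, adapted from the 127.0.0.1 SpamFilter log posted above.
SAMPLE_LOG = """\
06/16/05 18:06:36:408 -- (1548) Connection from: 127.0.0.1  -  Originating country : N/A
06/16/05 18:06:36:518 -- (1548) Resolving 127.0.0.1 - localhost
06/16/05 18:06:36:518 -- (1548) Mail from: bounce-use=H=100727725=blitz2@bounces.bluehornet.com
06/16/05 18:06:36:518 -- (1548) RCPT TO: abcd@xyz.com accepted
06/16/05 18:07:36:531 -- (1492) Connection from: 127.0.0.1  -  Originating country : N/A
06/16/05 18:07:36:687 -- (1492) Mail from:  To: bounce-use=H=100727725=blitz2@bounces.bluehornet.com - rejected - no relay allowed or % found in FROM address
06/16/05 18:07:36:687 -- (1492) Disconnect
"""

# Assumed line layout: "MM/DD/YY HH:MM:SS:mmm -- (thread) message"
LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3}) -- \((\d+)\) (.*)$")

def sessions(log_text):
    """Group (timestamp, message) pairs by thread id; lines without one are skipped."""
    by_thread = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            by_thread[m.group(2)].append((m.group(1), m.group(3).strip()))
    return by_thread

def report(log_text):
    """Return (threads open after RCPT TO accepted, threads with an empty Mail from)."""
    open_after_rcpt, null_sender = [], []
    for tid, events in sessions(log_text).items():
        msgs = [msg for _, msg in events]
        accepted = any(m.startswith("RCPT TO:") and m.endswith("accepted") for m in msgs)
        closed = "Disconnect" in msgs
        # An empty envelope sender shows up as "Mail from:" followed directly by "To:".
        empty_from = any(re.search(r"Mail from:\s+To:", m) for m in msgs)
        if accepted and not closed:
            open_after_rcpt.append(tid)
        if empty_from:
            null_sender.append(tid)
    return open_after_rcpt, null_sender

if __name__ == "__main__":
    hung, ndr_like = report(SAMPLE_LOG)
    print("open after RCPT TO accepted:", hung)
    print("empty Mail from (possible NDR):", ndr_like)
```

A thread reported as open only means no "Disconnect" line appears in the excerpt examined, so run it over a window that extends past the configured timeouts before treating the session as hung.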


