New release seems to duplicate messages
Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6205
Printed Date: 13 March 2025 at 5:39pm
Topic: New release seems to duplicate messages
Posted By: Terry
Subject: New release seems to duplicate messages
Date Posted: 20 August 2007 at 10:18am
|
I am on the 3.5.4.705 version of spamfilter to solve the whitelist problem we had earlier....it looks like we may be finding a bug in this version however in that some messages are delivered multiple times to a recipient. This log extract shows an example of a message that appears to fall into the category...
08/20/07 05:51:59:453 -- (1956) Connection from: 65.207.34.42 - Originating country : United States
08/20/07 05:51:59:906 -- (200) Resolving 66.109.30.42 - GLDN.GLDNTIKET.NET
08/20/07 05:52:00:031 -- (1956) Resolving 65.207.34.42 - usp570c.us.hanjin.com
08/20/07 05:52:00:437 -- (200) found SPF record for gldntiket.net: v=spf1 mx a -all
08/20/07 05:52:00:453 -- (200) SPF query result: pass
08/20/07 05:52:00:453 -- (200) - SPF analysis for gldntiket.net done: - pass
08/20/07 05:52:00:453 -- (200) Mail from: mailto:b-3fxqbz.hdmyp@gldntiket.net - b-3fxqbz.hdmyp@gldntiket.net
08/20/07 05:52:00:562 -- (1956) - SPF analysis for us.hanjin.com done: - none
08/20/07 05:52:00:562 -- (1956) Mail from: mailto:hunsaker@us.hanjin.com - hunsaker@us.hanjin.com
08/20/07 05:52:00:796 -- (200) - MAPS search done...
08/20/07 05:52:00:796 -- (200) RCPT TO: mailto:tawnya.krenz@portofportland.com - tawnya.krenz@portofportland.com accepted
08/20/07 05:52:00:968 -- (1956) - MAPS search done...
08/20/07 05:52:00:968 -- (1956) RCPT TO: mailto:Louise.Stukey@portofportland.com - Louise.Stukey@portofportland.com accepted
08/20/07 05:52:01:078 -- (1956) Mail from: mailto:hunsaker@us.hanjin.com - hunsaker@us.hanjin.com
08/20/07 05:52:01:078 -- (1956) RCPT TO: mailto:T6BerthAgents@portofportland.com - T6BerthAgents@portofportland.com accepted
08/20/07 05:52:01:078 -- (1956) Bypassed all rules for: mailto:T6BerthAgents@portofportland.com - T6BerthAgents@portofportland.com from mailto:hunsaker@us.hanjin.com - hunsaker@us.hanjin.com ( Whitelisted EmailTO)
08/20/07 05:52:01:218 -- (200) Checking SURBL
08/20/07 05:52:01:234 -- (1956) Mail from: mailto:hunsaker@us.hanjin.com - hunsaker@us.hanjin.com
08/20/07 05:52:01:234 -- (1956) RCPT TO: mailto:Todd.Trost@portofportland.com - Todd.Trost@portofportland.com accepted
08/20/07 05:52:01:234 -- (1956) Bypassed all rules for: mailto:Todd.Trost@portofportland.com - Todd.Trost@portofportland.com from mailto:hunsaker@us.hanjin.com - hunsaker@us.hanjin.com ( Whitelisted EmailTO)
08/20/07 05:52:01:265 -- (200) Start virus scan
08/20/07 05:52:01:265 -- (200) Starting queueing procedures
08/20/07 05:52:01:265 -- (200) EMail from mailto:b-3fxqbz.hdmyp@gldntiket.net - b-3fxqbz.hdmyp@gldntiket.net to mailto:tawnya.krenz@portofportland.com - tawnya.krenz@portofportland.com was queued. Size: 4 KB, 4096 bytes
08/20/07 05:52:01:265 -- (200) Starting bayesian procedures
08/20/07 05:52:01:265 -- (2408) Sending email from mailto:b-3fxqbz.hdmyp@gldntiket.net - b-3fxqbz.hdmyp@gldntiket.net to mailto:tawnya.krenz@portofportland.com - tawnya.krenz@portofportland.com --
08/20/07 05:52:01:437 -- (2408) EMail from mailto:b-3fxqbz.hdmyp@gldntiket.net - b-3fxqbz.hdmyp@gldntiket.net to mailto:tawnya.krenz@portofportland.com - tawnya.krenz@portofportland.com -- was forwarded to portexfe.pop.portptld.com:25
08/20/07 05:52:01:437 -- (1956) Mail from: mailto:hunsaker@us.hanjin.com - hunsaker@us.hanjin.com
08/20/07 05:52:01:437 -- (1956) RCPT TO: mailto:T6Planners@portofportland.com - T6Planners@portofportland.com accepted
08/20/07 05:52:01:437 -- (1956) Bypassed all rules for: mailto:T6Planners@portofportland.com - T6Planners@portofportland.com from mailto:hunsaker@us.hanjin.com - hunsaker@us.hanjin.com ( AutoWhiteList Force Delivery)
08/20/07 05:52:01:468 -- (200) Disconnect
08/20/07 05:52:01:859 -- (3660) Connection from: 189.13.110.46 - Originating country : Brazil
08/20/07 05:52:02:015 -- (2312) Connection from: 222.168.180.154 - Originating country : China
08/20/07 05:52:02:421 -- (2460) Start virus scan
08/20/07 05:52:02:437 -- (2460) Starting quarantine procedures
08/20/07 05:52:02:453 -- (2460) Created thread (3708) to add email to quarantine
08/20/07 05:52:02:453 -- (2460) Starting bayesian procedures
08/20/07 05:52:02:500 -- (3708) EMail from mailto:paoluzzicignitti.com@wauf.com - paoluzzicignitti.com@wauf.com to mailto:mark.daniel@portofportland.com - mark.daniel@portofportland.com was received and quarantined. Size: 19 KB, 19456 bytes
08/20/07 05:52:02:656 -- (1956) Found Keywords: [love,angel,this]
08/20/07 05:52:02:656 -- (1956) EMail from mailto:hunsaker@us.hanjin.com - hunsaker@us.hanjin.com to mailto:Louise.Stukey@portofportland.com - Louise.Stukey@portofportland.com , mailto:T6BerthAgents@portofportland.com - T6BerthAgents@portofportland.com , mailto:Todd.Trost@portofportland.com - Todd.Trost@portofportland.com , mailto:T6Planners@portofportland.com - T6Planners@portofportland.com matches content filter rules - rejected.
08/20/07 05:52:02:656 -- (1956) Start virus scan
08/20/07 05:52:02:718 -- (1956) Starting queueing procedures
08/20/07 05:52:02:718 -- (1956) Info - some recipients were in the WhitelistedEmailsTO list. Email will be split so they receive it while the others will not
08/20/07 05:52:02:718 -- (1956) EMail from mailto:hunsaker@us.hanjin.com - hunsaker@us.hanjin.com to " mailto:T6BerthAgents@portofportland.com - T6BerthAgents@portofportland.com , mailto:T6Planners@portofportland.com - T6Planners@portofportland.com " was queued. Size: 87 KB, 89088 bytes
08/20/07 05:52:02:734 -- (1956) Starting quarantine procedures
08/20/07 05:52:02:734 -- (3864) Sending email from mailto:hunsaker@us.hanjin.com - hunsaker@us.hanjin.com to mailto:T6BerthAgents@portofportland.com - T6BerthAgents@portofportland.com , mailto:T6Planners@portofportland.com - T6Planners@portofportland.com --
08/20/07 05:52:02:750 -- (1956) Created thread (3136) to add email to quarantine
08/20/07 05:52:02:859 -- (3136) EMail from mailto:hunsaker@us.hanjin.com - hunsaker@us.hanjin.com to mailto:Louise.Stukey@portofportland.com - Louise.Stukey@portofportland.com , mailto:T6BerthAgents@portofportland.com - T6BerthAgents@portofportland.com , mailto:Todd.Trost@portofportland.com - Todd.Trost@portofportland.com , mailto:T6Planners@portofportland.com - T6Planners@portofportland.com was received and quarantined. Size: 88 KB, 90112 bytes
08/20/07 05:52:02:890 -- (3864) EMail from mailto:hunsaker@us.hanjin.com - hunsaker@us.hanjin.com to mailto:T6BerthAgents@portofportland.com - T6BerthAgents@portofportland.com , mailto:T6Planners@portofportland.com - T6Planners@portofportland.com -- was forwarded to portexfe.pop.portptld.com:25
The same person gets the message and has it quarantined...plus it appears that the sender may not be getting a delivered message as often get another repeat of the message in a few minutes....very confusing for our staff at this time...
|
Replies:
Posted By: LogSat
Date Posted: 20 August 2007 at 5:55pm
Terry,
Emails with multiple recipients, where some of the recipients are whitelisted are a great cause of confusion, for both you admins and ourselves here at LogSat, as they are rather complex to handle.
If an email arrived matching the above scenario, SpamFilter was storing in the quarantine the email for all recipients, even the whitelisted ones. This has been brought to our attention a couple of weeks ago, and as it was confusing indeed, starting from version 3.5.4.707 this was fixed:
// New to VersionNumber = '3.5.4.707';
{TODO -cFix : If a spam email is split so that it is delivered for whitelisted recipients but blocked for the rest, it was still being stored in the quarantine database for all receipients, including the whitelisted ones}
As far as the email being delivered multiple times, we do not see that happening in the log you provided. Is it happening during the same SMTP session (meaning the duplicates are delivered all at the same time), or spread over time?
-------------
Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
|
Posted By: Terry
Date Posted: 20 August 2007 at 8:47pm
|
Based on what I see in the quarantine and logs I am thinking that the sender may be getting back a return code that makes them retry to send the message. They are coming in 5 minutes or so apart. I will download the newer release tonight and try to fix the issue you addressed there...
|
Posted By: Terry
Date Posted: 27 August 2007 at 4:37pm
|
I have applied version 707 and we still have a problem...when the user received this message...he got 169 copies of it in his inbox....
I know this is a message that is split for some that whitelist and I think that is what is driving this problem...
08/24/07 12:41:52:932 -- (7160) Resolving 199.236.181.164 - mail.anchorenv.commail1.anchorenv.comducati.anchorenv.comblade03.anchorenv.com
08/24/07 12:41:53:073 -- (7640) Start virus scan
08/24/07 12:41:53:166 -- (7640) Starting quarantine procedures
08/24/07 12:41:53:166 -- (7640) Created thread (7784) to add email to quarantine
08/24/07 12:41:53:166 -- (7640) Starting bayesian procedures
08/24/07 12:41:53:198 -- (7784) EMail from mailto:uotwila@herspace.com - uotwila@herspace.com to mailto:griffd@portptld.com - griffd@portptld.com was received and quarantined. Size: 4 KB, 4096 bytes
08/24/07 12:41:53:291 -- (7160) - SPF analysis for anchorenv.com done: - none
08/24/07 12:41:53:291 -- (7160) Mail from: mailto:jpisano@anchorenv.com - jpisano@anchorenv.com
08/24/07 12:41:53:385 -- (7160) - MAPS search done...
08/24/07 12:41:53:385 -- (7160) RCPT TO: mailto:andrea.seger@portofportland.com - andrea.seger@portofportland.com accepted
08/24/07 12:41:53:385 -- (7160) Bypassed all rules for: mailto:andrea.seger@portofportland.com - andrea.seger@portofportland.com from mailto:jpisano@anchorenv.com - jpisano@anchorenv.com ( AutoWhiteList Force Delivery)
08/24/07 12:41:53:557 -- (476) Connection from: 190.51.169.232 - Originating country : Argentina
08/24/07 12:41:53:698 -- (7640) Blacklist cache - Added 83.152.217.35 to limbo
08/24/07 12:41:53:698 -- (7640) Disconnect
08/24/07 12:41:53:713 -- (7160) Mail from: mailto:jpisano@anchorenv.com - jpisano@anchorenv.com
08/24/07 12:41:53:713 -- (7160) RCPT TO: mailto:david.ashton@portofportland.com - david.ashton@portofportland.com accepted
08/24/07 12:41:53:713 -- (7160) Bypassed all rules for: mailto:david.ashton@portofportland.com - david.ashton@portofportland.com from mailto:jpisano@anchorenv.com - jpisano@anchorenv.com ( AutoWhiteList Force Delivery)
08/24/07 12:41:53:807 -- (476) No Data Received
08/24/07 12:41:53:807 -- (476) Disconnect
08/24/07 12:41:54:151 -- (7160) Mail from: mailto:jpisano@anchorenv.com - jpisano@anchorenv.com
08/24/07 12:41:54:151 -- (7160) RCPT TO: mailto:jim.mckenna@portofportland.com - jim.mckenna@portofportland.com accepted
08/24/07 12:41:54:151 -- (7160) Bypassed all rules for: mailto:jim.mckenna@portofportland.com - jim.mckenna@portofportland.com from mailto:jpisano@anchorenv.com - jpisano@anchorenv.com ( AutoWhiteList Force Delivery)
08/24/07 12:41:54:385 -- (7160) Mail from: mailto:jpisano@anchorenv.com - jpisano@anchorenv.com
08/24/07 12:41:54:385 -- (7160) RCPT TO: mailto:krista.koehl@portofportland.com - krista.koehl@portofportland.com accepted
08/24/07 12:41:54:385 -- (7160) Bypassed all rules for: mailto:krista.koehl@portofportland.com - krista.koehl@portofportland.com from mailto:jpisano@anchorenv.com - jpisano@anchorenv.com ( AutoWhiteList Force Delivery)
08/24/07 12:41:54:666 -- (4252) Start virus scan
08/24/07 12:41:54:666 -- (4252) Starting bayesian procedures
08/24/07 12:41:54:776 -- (7160) Mail from: mailto:jpisano@anchorenv.com - jpisano@anchorenv.com
08/24/07 12:41:54:776 -- (7160) RCPT TO: mailto:sheila.david@portofportland.com - sheila.david@portofportland.com accepted
08/24/07 12:41:54:776 -- (7160) Bypassed all rules for: mailto:sheila.david@portofportland.com - sheila.david@portofportland.com from mailto:jpisano@anchorenv.com - jpisano@anchorenv.com ( AutoWhiteList Force Delivery)
08/24/07 12:41:55:885 -- (7160) Found Keywords: [Subject:anal]
08/24/07 12:41:55:885 -- (7160) EMail from mailto:jpisano@anchorenv.com - jpisano@anchorenv.com to mailto:andrea.seger@portofportland.com - andrea.seger@portofportland.com , mailto:david.ashton@portofportland.com - david.ashton@portofportland.com , mailto:jim.mckenna@portofportland.com - jim.mckenna@portofportland.com , mailto:krista.koehl@portofportland.com - krista.koehl@portofportland.com , mailto:sheila.david@portofportland.com - sheila.david@portofportland.com matches content filter rules - rejected.
08/24/07 12:41:55:916 -- (7160) Start virus scan
08/24/07 12:41:55:948 -- (7160) Starting queueing procedures
08/24/07 12:41:55:948 -- (7160) Info - some recipients were in the WhitelistedEmailsTO list. Email will be split so they receive it while the others will not
08/24/07 12:41:55:948 -- (7160) EMail from mailto:jpisano@anchorenv.com - jpisano@anchorenv.com to " mailto:andrea.seger@portofportland.com - andrea.seger@portofportland.com , mailto:david.ashton@portofportland.com - david.ashton@portofportland.com , mailto:jim.mckenna@portofportland.com - jim.mckenna@portofportland.com , mailto:sheila.david@portofportland.com - sheila.david@portofportland.com " was queued. Size: 14 KB, 14336 bytes
08/24/07 12:41:55:948 -- (7160) Starting quarantine procedures
08/24/07 12:41:55:948 -- (6268) Sending email from mailto:jpisano@anchorenv.com - jpisano@anchorenv.com to mailto:andrea.seger@portofportland.com - andrea.seger@portofportland.com , mailto:david.ashton@portofportland.com - david.ashton@portofportland.com , mailto:jim.mckenna@portofportland.com - jim.mckenna@portofportland.com , mailto:sheila.david@portofportland.com - sheila.david@portofportland.com --
08/24/07 12:41:55:963 -- (7160) Created thread (3240) to add email to quarantine
08/24/07 12:41:55:963 -- (7160) Starting bayesian procedures
08/24/07 12:41:56:041 -- (3240) EMail from mailto:jpisano@anchorenv.com - jpisano@anchorenv.com to mailto:krista.koehl@portofportland.com - krista.koehl@portofportland.com was received and quarantined. Size: 17 KB, 17408 bytes
08/24/07 12:41:56:088 -- (6268) EMail from mailto:jpisano@anchorenv.com - jpisano@anchorenv.com to mailto:andrea.seger@portofportland.com - andrea.seger@portofportland.com , mailto:david.ashton@portofportland.com - david.ashton@portofportland.com , mailto:jim.mckenna@portofportland.com - jim.mckenna@portofportland.com , mailto:sheila.david@portofportland.com - sheila.david@portofportland.com -- was forwarded to portexfe.pop.portptld.com:25
|
Posted By: LogSat
Date Posted: 27 August 2007 at 7:07pm
Terry,
From this post it is not clear which ones are the emails that were sent in duplicates. To make matter more confusing, in build 707 there is a minor bug in the logging, which causes some entries to be logged as being whitelisted, while in reality the emails are being correctly stopped. The best way to proceed is for you to zip and place on our ftp site the entire logfile for the day, so we can see what happened. Please also indicate which one was the email that was being duplicated.
-------------
Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
|
Posted By: jerbo128
Date Posted: 27 August 2007 at 7:42pm
|
Roberto,
I am also getting reports of this problem. We are working on locating it in the logs.
Running SFE 707.
Users deliver an email from the quarantine, and then get a second copy a few minutes later.
Jerbo128
|
Posted By: Terry
Date Posted: 28 August 2007 at 10:45am
|
you are going to have to email me the userid and password for the ftp site....
|
Posted By: Terry
Date Posted: 29 August 2007 at 9:28am
|
having problems with the upload ...I hope to get it to you today but the ftp site keeps dropping me...
|
Posted By: sevo
Date Posted: 29 August 2007 at 5:15pm
|
hi, i also experience similar behaviour (the same message being delivered multiple times). However - when looking at the log-files i see that the remote mail servers "reconnect" every other hour.
Has anything changed in the way logsat commicates to the remote server about multi-recipient messages?
|
Posted By: LogSat
Date Posted: 29 August 2007 at 10:01pm
Sevo,
We have still not received Terry's files, so were not able to yet determine what the problem is, or if the duplicates were sent immediately or hourly.
In regards to your question, there are no changes we are aware of in the way
emails are being forwarded. If you can zip and email us a few hours worth of SpamFilter's logfile, along with the to/from email addresses involved, we'll be happy to take a look.
-------------
Roberto Franceschetti
http://www.logsat.com" rel="nofollow - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP
|
Posted By: Terry
Date Posted: 04 September 2007 at 4:41pm
|
I started a new post since I think we are seeing a better example of the behavior...if you want to close this one I am okay with that
|
Posted By: Terry
Date Posted: 05 September 2007 at 1:11pm
|
finally got a good upload to the ftp site...the file starting with 20070903 is the complete and good one
|
|