
Spamfilter doesn't forward some email

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6967
Printed Date: 27 December 2024 at 8:46am


Topic: Spamfilter doesn't forward some email
Posted By: vbourbeau
Subject: Spamfilter doesn't forward some email
Date Posted: 06 July 2011 at 10:56am
Spamfilter doesn't forward some email to my SMTP server. As you can see in the log, the email is accepted but never sent to the server. There are no more entries after that. The email in question seems to have an image attachment. But it's not all the emails with images, just some of them.
 
07/06/11 10:27:21:129 -- (3376) Received MAIL FROM: <mfaucher@xxx.com>
07/06/11 10:27:21:160 -- (3376) Received RCPT TO: dgrenier@ddd.com
07/06/11 10:27:21:535 -- (3376) - SPF analysis for mbiplastic.com done: - none
07/06/11 10:27:21:535 -- (3376) Mail from: mfaucher@xxx.com
07/06/11 10:27:21:848 -- (3376) - MAPS search done...
07/06/11 10:27:21:848 -- (3376) RCPT TO: dgrenier@ddd.com accepted
07/06/11 10:27:21:848 -- (3376) Bypassed all rules for: dgrenier@ddd.com from mfaucher@xxx.com ( Whitelisted EmailTO)



Replies:
Posted By: vbourbeau
Date Posted: 06 July 2011 at 11:02am
Another one
 
 
07/06/11 10:19:16:889 -- (35768) Detected TCP Connection: 69.70.131.114
07/06/11 10:19:16:889 -- (35768) Connection from: 69.70.131.114  -  Originating country : Canada
07/06/11 10:19:16:920 -- (35768) Received MAIL FROM: <benoit.charpentier@fff.com>
07/06/11 10:19:17:045 -- (35768) Received RCPT TO: mtheberge@ddd.com
07/06/11 10:19:17:639 -- (35768) found SPF record for polyalto.com: v=spf1 a mx ptr include:videotron.com ~all
07/06/11 10:19:17:889 -- (35768) SPF query result: pass
07/06/11 10:19:17:889 -- (35768) - SPF analysis for polyalto.com done: - pass
07/06/11 10:19:17:889 -- (35768) Mail from: benoit.charpentier@fff.com
07/06/11 10:19:17:889 -- (35768) SPF query result: pass
07/06/11 10:19:17:889 -- (35768) - SPF analysis for polyalto.com done: - pass
07/06/11 10:19:17:889 -- (35768) Mail from: benoit.charpentier@fff.com
07/06/11 10:19:18:218 -- (35768) - MAPS search done...
07/06/11 10:19:18:218 -- (35768) RCPT TO: mtheberge@ddd.com accepted


Posted By: dotme
Date Posted: 06 July 2011 at 1:41pm
The forwarding happens under a different ID number, so search your logs for the next instance of the recipient email address and you should see what's going on with forwarding.


Posted By: vbourbeau
Date Posted: 06 July 2011 at 1:47pm
I'm posting ID 2792 and a few other lines... I don't find anything after that.


07/06/11 11:02:54:104 -- (2792) Detected TCP Connection: 69.70.131.114
07/06/11 11:02:54:104 -- (2792) Connection from: 69.70.131.114  -  Originating country : Canada
07/06/11 11:02:54:135 -- (2792) Received MAIL FROM: <benoit.charpentier@polyalto.com>
07/06/11 11:02:54:182 -- (2792) Received RCPT TO: mtheberge@bainultra.com
07/06/11 11:02:55:745 -- (2792) found SPF record for polyalto.com: v=spf1 a mx ptr include:videotron.com ~all
07/06/11 11:02:55:823 -- (2792) SPF query result: pass
07/06/11 11:02:55:823 -- (2792) - SPF analysis for polyalto.com done: - pass
07/06/11 11:02:55:823 -- (2792) Mail from: benoit.charpentier@polyalto.com
07/06/11 11:02:56:104 -- (2792) - MAPS search done...
07/06/11 11:02:56:104 -- (2792) RCPT TO: mtheberge@bainultra.com accepted
07/06/11 11:03:18:196 -- (2276) Detected TCP Connection: 89.122.118.72
07/06/11 11:03:18:212 -- (2276) Connection from: 89.122.118.72  -  Originating country : Romania
07/06/11 11:03:18:540 -- (2276) Received MAIL FROM: <palmer@bainsultra.com>
07/06/11 11:03:18:712 -- (2276) Received RCPT TO: palmer@bainsultra.com
07/06/11 11:03:18:712 -- (2276) - IP address is from a blacklisted country...
07/06/11 11:03:18:712 -- (2276) 89.122.118.72 - Mail from: palmer@bainsultra.com To: palmer@bainsultra.com will be rejected
07/06/11 11:03:19:290 -- (2276) Starting quarantine procedures
07/06/11 11:03:19:337 -- (2276) Created thread (832) to add email to quarantine
07/06/11 11:03:19:337 -- (832) Adding to Quarantine file:Qrtn30C5675B-8C9E-4914-A21A-75A0F3A425C0.tmp
07/06/11 11:03:19:368 -- (832) EMail from palmer@bainsultra.com to palmer@bainsultra.com was received and quarantined. Size: 2 KB, 2048 bytes
07/06/11 11:03:19:509 -- (2276) Blacklist cache - Added 89.122.118.72 to limbo
07/06/11 11:03:19:681 -- (2276) SFDB - Added 89.122.118.72 - Response: Error=0
07/06/11 11:03:19:681 -- (2276) Disconnect
07/06/11 11:03:34:852 -- (1496) Starting to process queue directory...
07/06/11 11:03:34:867 -- (760) Running TTerminateIdleThreads - SFTC=4 - SFFC=4
07/06/11 11:03:34:867 -- (760) Running TTerminateIdleThreads SSL - SFTC=0 - SFFC=4
07/06/11 11:03:34:899 -- (4008) Saved GreyListAllowed.txt
07/06/11 11:03:34:899 -- (3700) Blacklist cache - starting cleanup
07/06/11 11:03:34:899 -- (2244) Starting to process quarantine directory...
07/06/11 11:03:35:008 -- (3700) IPcache Limbo - removed 6 entries during cleanup
07/06/11 11:03:54:960 -- (424) No Data Received
07/06/11 11:03:54:960 -- (424) Disconnect
07/06/11 11:03:57:475 -- (3516) Detected TCP Connection: 85.101.21.154
07/06/11 11:03:57:475 -- (3516) Connection from: 85.101.21.154  -  Originating country : Turkey
07/06/11 11:04:00:194 -- (2264) Detected TCP Connection: 220.232.206.9
07/06/11 11:04:00:194 -- (2264) Connection from: 220.232.206.9  -  Originating country : Hong Kong



Posted By: LogSat
Date Posted: 06 July 2011 at 5:40pm
vbourbeau,

The three log snippets are all for 3 different times and different connections. The first recipient in the first snippet - dgrenier@ddd.com - does not appear in the other two. We can't follow what happens unless you have the full log entries relative to an email attempt. 

FYI a typical email sequence will begin with a line similar to the following (all sharing the same thread id - 2792 in this case):

07/06/11 11:02:54:104 -- (2792) Detected TCP Connection: 69.70.131.114
and will finish with:
07/06/11 11:04:51:204 -- (2792) Disconnect

After that, if the email is accepted, there will be more entries showing the email being delivered:

07/06/11 11:04:50:044 -- (796) Sending email from ...userA... to ..userB... -- 
07/06/11 11:04:51:14 -- (796) EMail from ..userA... to ..userB... --  was forwarded to mail2.netwide.net:587




-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
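
The tracing procedure described in the replies above (follow one thread id from "Detected TCP Connection" to "Disconnect", then look for the forwarding entry under a different id), as an added example that is not part of the original posts and is not LogSat's code. It assumes the line formats quoted in this thread; the function name `untraced_deliveries` is hypothetical and the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in this thread; addresses/IPs are made up.
SAMPLE_LOG = """\
07/06/11 11:02:54:104 -- (2792) Detected TCP Connection: 192.0.2.10
07/06/11 11:02:56:104 -- (2792) RCPT TO: bob@example.com accepted
07/06/11 11:03:18:196 -- (2276) Detected TCP Connection: 198.51.100.7
07/06/11 11:03:18:712 -- (2276) RCPT TO: carol@example.com accepted
07/06/11 11:03:19:681 -- (2276) Disconnect
07/06/11 11:03:21:014 -- (796) EMail from dave@example.org to carol@example.com --  was forwarded to mail.example.com:25
07/06/11 11:03:30:100 -- (3100) Detected TCP Connection: 203.0.113.5
07/06/11 11:03:31:200 -- (3100) RCPT TO: erin@example.com accepted
07/06/11 11:03:32:300 -- (3100) Disconnect
"""

LINE = re.compile(r"^\S+ \S+ -- \((\d+)\) (.*)$")
ACCEPTED = re.compile(r"^RCPT TO: (\S+) accepted")
FORWARDED = re.compile(r"^EMail from \S+ to (\S+) .*was forwarded to \S+")

def untraced_deliveries(log_text):
    """Return (thread_id, recipient, reason) for accepted mail with no delivery trail."""
    sessions, open_by_tid, forwarded = [], {}, Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        tid, msg = m.group(1), m.group(2).strip()
        if msg.startswith("Detected TCP Connection"):
            # Assumption: thread ids may be reused, so each connection opens a new session.
            open_by_tid[tid] = {"tid": tid, "rcpts": [], "closed": False}
            sessions.append(open_by_tid[tid])
        elif fwd := FORWARDED.match(msg):
            forwarded[fwd.group(1).lower()] += 1   # logged under a different thread id
        elif tid in open_by_tid:
            if acc := ACCEPTED.match(msg):
                open_by_tid[tid]["rcpts"].append(acc.group(1).lower())
            elif msg == "Disconnect":
                open_by_tid.pop(tid)["closed"] = True
    findings = []
    for s in sessions:
        for rcpt in s["rcpts"]:
            if not s["closed"]:
                findings.append((s["tid"], rcpt, "no Disconnect logged"))
            elif forwarded[rcpt] > 0:
                forwarded[rcpt] -= 1               # pair one forward with one accept
            else:
                findings.append((s["tid"], rcpt, "closed but never forwarded"))
    return findings
```

A session flagged "no Disconnect logged" is one where the log trail simply stops after the recipient was accepted, so the next place to look is the network path in front of the filter rather than the filter rules.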


Posted By: vbourbeau
Date Posted: 07 July 2011 at 8:17am
If you give me your email I can send you the log file. 


Posted By: vbourbeau
Date Posted: 07 July 2011 at 11:01am
I found the problem... It was an IDS firewall policy that was closing the connection. I don't know why, because I found nothing in the firewall log. But deactivating this policy lets the email in.


