Quarantine and multiple recipient

lyndonje | Senior Member | Joined: 31 January 2006 | Location: United Kingdom | Status: Offline | Points: 192
Posted: 20 July 2006 at 6:59am

Hi all,
Today I've come across an email, and I'm not quite sure what would have happened to it. As you can see from the logs below, in one connection an email was sent to four users. The sender's domain just so happens to be the same as the recipient domain, but I'm not blocking against that - I am however blocking if the TO and FROM address match entirely.

As you can see, the SPF check failed because the source has not yet been added to the SPF record; in the logs you see the SPF check failed. My SF should therefore quarantine SPF failures as I do NOT have 'Do not quarantine' ticked in the SPF Filter settings.

You will also see that the sender's address (user@domain) matched entirely ONE of the recipient addresses, causing "Mail From and Mail To are equal". Note: My SF is set NOT to quarantine emails failing this test!

Another thing, the logs say that one sender/recipient combo is in the AutoWhiteList Force Delivery, and so the email is queued for delivery. But there is a further email that is also queued for delivery? This confused me because the second email that is queued says the email is from '' to james@recipient, when further up in the log it says the email is from noreply@sender, but also infers the sender email is from james@ due to the FROM and TO matching?

Ah I've just thought, would this be the postmaster message saying the email to the other three recipients failed? If so still leaves me with the two different sender addresses, noreply@sender and james@sender (causing the MAIL TO & FROM matching). Could one be the MAIL FROM, and the other just the From:?

Could anyone just clarify what would have happened? I've checked the quarantine and this email is not there, as the logs would suggest - as nothing was said to have been quarantined anyway.

```
07/20/06 09:38:21:448 -- (101404) Connection from: 81.201.129.240 - Originating country : United Kingdom
07/20/06 09:38:21:745 -- (101404) Resolving 81.201.129.240 - www.csimedia.net
07/20/06 09:38:22:120 -- (101404) found SPF record for sender.co.uk: v=spf1 mx ptr:btconnect.com include:spf.isp.net exists:%{l}.%{d}.%{i}.spf.isp.net -all
07/20/06 09:38:22:120 -- (101404) found SPF record for spf.isp.net: v=spf1 ip4:217.154.0.0/16 ip4:194.164.0.0/16 ip4:194.62.46.0/24 -all
07/20/06 09:38:22:120 -- (101404) SPF query result: fail
07/20/06 09:38:22:120 -- (101404) - SPF analysis for spf.isp.net done: - fail
07/20/06 09:38:22:120 -- (101404) SPF query result: fail
07/20/06 09:38:22:120 -- (101404) - SPF analysis for sender.co.uk done: - fail
07/20/06 09:38:22:120 -- (101404) failed SPF test (fail) - Disconnecting 81.201.129.240
07/20/06 09:38:22:135 -- (101404) 81.201.129.240 - Mail from: james@sender.co.uk To: sales@recipient.co.uk will be rejected
07/20/06 09:38:22:182 -- (101404) Mail from: james@sender.co.uk
07/20/06 09:38:22:182 -- (101404) 81.201.129.240 - Mail from: james@sender.co.uk To: kerry@recipient.co.uk will be rejected
07/20/06 09:38:22:213 -- (101404) Mail from: james@sender.co.uk
07/20/06 09:38:22:213 -- (101404) 81.201.129.240 - Mail from: james@sender.co.uk To: craig@recipient.co.uk will be rejected
07/20/06 09:38:22:260 -- (101404) - Mail From and Mail To are equal -
07/20/06 09:38:22:260 -- (101404) 81.201.129.240 - Mail from: james@sender.co.uk To: james@recipient.co.uk will be rejected
07/20/06 09:38:22:823 -- (101404) Bypassed all rules for: james@recipient.co.uk from noreply@sender.co.uk ( AutoWhiteList Force Delivery)
07/20/06 09:38:22:963 -- (101404) EMail from noreply@sender.co.uk to james@recipient.co.uk was queued. Size: 1 KB, 1024 bytes
07/20/06 09:38:23:120 -- (101404) Bypassed all rules for: james@recipient.co.uk from
07/20/06 09:38:23:370 -- (101404) EMail from to james@recipient.co.uk was queued. Size: 3 KB, 3072 bytes
07/20/06 09:38:23:448 -- (101404) Disconnect
```

WebGuyz | Senior Member | Joined: 09 May 2005 | Location: United States | Status: Offline | Points: 348

This happens to us a lot. A spam email comes in with 5 recipients, 1 of the 5 recipients is in Autowhitelist, SFI will let the spam through for all 5 recipients. In your case noreply@sender.co.uk is whitelisted. Functions as designed (if you have the Bayes enabled) according to Roberto. Something about how it is not possible to reject an email when some of the recipients actually do get it. There have been posts about this in the past but I can't remember details. I'm sure Roberto will refresh my memory.

http://www.webguyz.net

lyndonje | Senior Member | Joined: 31 January 2006 | Location: United Kingdom | Status: Offline | Points: 192

In which case how come the sender address receives a bounce back from <> ?

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104

lyndonje,
Everything is actually working as designed. The incoming email has multiple recipients, and it would have been rejected as both the SPF and "Mail from=Mail to" filters cause it to fail. However while processing the recipients, SpamFilter saw that james@recipient.co.uk has force-delivered an email from noreply@sender.co.uk. This means that any emails from noreply@sender.co.uk to james@recipient.co.uk will end up in the "AutoWhiteList Force Delivery" and will be whitelisted. SpamFilter will thus deliver the email, with the side-effect of all users receiving it.

This fact (all users receiving an email if one is whitelisted) has been discussed a lot in the past (and present...). It boils down to SpamFilter not being able to "split" an email and deliver it to some users yet not deliver it for others. The *only* way this could occur is for SpamFilter to stop the email for everyone, and then send non-delivery notification emails to inform the sender that some users didn't receive it. However, this would cause other huge problems, as most often such emails will be spam, so SpamFilter will send NDRs to senders of spam emails. These senders are most times unfortunate victims who had their email address spoofed. SpamFilter would thus send NDRs to innocent victims, and this would eventually result in your own IP address being blacklisted, as you'd be sending practically undesired emails to innocent people...

lyndonje | Senior Member | Joined: 31 January 2006 | Location: United Kingdom | Status: Offline | Points: 192

Hi Roberto,
I understand this, and am aware that SF can not split emails, but the logs still confused me. The logs don't actually say the email is being delivered to all recipients. I suppose you just have to assume this knowing SF can not split them? This is fine, but why does SF generate a bounce back knowing it can not split the email and is going to deliver it anyway?

Could you also clarify this for me:

"If so still leaves me with the two different sender addresses, noreply@sender and james@sender (causing the MAIL TO & FROM matching). Could one be the MAIL FROM, and the other just the From:?"

Am I correct in thinking one address is the MAIL FROM and the other the From:?

Regards,
Lyndon.

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104

Well... looking this over I admit I'm confused as well...

Logs are sequential, and are supposed to log what is happening at the moment. It is normal that first they say the email will be blocked, but then a whitelist is triggered, and thus the email will be delivered. What I do not understand myself right now is how you ended up with two deliveries in the same thread:

```
07/20/06 09:38:22:963 -- (101404) EMail from noreply@sender.co.uk to james@recipient.co.uk was queued. Size: 1 KB, 1024 bytes
07/20/06 09:38:23:120 -- (101404) Bypassed all rules for: james@recipient.co.uk from
07/20/06 09:38:23:370 -- (101404) EMail from to james@recipient.co.uk was queued. Size: 3 KB, 3072 bytes
```

That can happen, but there's usually more "stuff" being logged in between the queued events, which I don't see. Before I try to explain the NDR, is this the complete, accurate log for thread 101404?
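
Because the log is sequential, the final outcome of a connection has to be read from the whole thread rather than from its first "will be rejected" line. The following is an added example, not part of the original posts and not LogSat's code, that groups lines by thread id and derives that outcome; the regular expressions are inferred from the lines quoted in this thread and the outcome labels are made up for illustration.

```python
import re
from collections import defaultdict

# Subset of the thread-101404 lines quoted on this page.
SAMPLE_LOG = """\
07/20/06 09:38:22:135 -- (101404) 81.201.129.240 - Mail from: james@sender.co.uk To: sales@recipient.co.uk will be rejected
07/20/06 09:38:22:260 -- (101404) - Mail From and Mail To are equal -
07/20/06 09:38:22:260 -- (101404) 81.201.129.240 - Mail from: james@sender.co.uk To: james@recipient.co.uk will be rejected
07/20/06 09:38:22:823 -- (101404) Bypassed all rules for: james@recipient.co.uk from noreply@sender.co.uk ( AutoWhiteList Force Delivery)
07/20/06 09:38:22:963 -- (101404) EMail from noreply@sender.co.uk to james@recipient.co.uk was queued. Size: 1 KB, 1024 bytes
07/20/06 09:38:23:370 -- (101404) EMail from to james@recipient.co.uk was queued. Size: 3 KB, 3072 bytes
"""

# Patterns inferred from the lines above (assumption: other versions may word them differently).
LINE = re.compile(r"^\S+ \S+ -- \((\d+)\) (.*)$")
REJECT = re.compile(r"Mail from: (\S+) To: (\S+) will be rejected")   # (sender, rcpt)
BYPASS = re.compile(r"Bypassed all rules for: (\S+) from ?(\S*)")     # (rcpt, sender)
QUEUED = re.compile(r"EMail from (\S*) ?to (\S+) was queued")         # (sender, rcpt)

def summarize(log_text):
    """Group events by thread id and derive the final outcome of each thread."""
    threads = defaultdict(lambda: {"rejected": [], "bypass": [], "queued": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, msg = m.groups()
        for key, rx in (("rejected", REJECT), ("bypass", BYPASS), ("queued", QUEUED)):
            hit = rx.search(msg)
            if hit:
                threads[tid][key].append(hit.groups())
                break
    for t in threads.values():
        if t["queued"]:
            # A later "queued" line supersedes earlier "will be rejected" lines.
            overridden = t["bypass"] and t["rejected"]
            t["outcome"] = "delivered (whitelist override)" if overridden else "delivered"
        else:
            t["outcome"] = "rejected" if t["rejected"] else "unknown"
    return dict(threads)

if __name__ == "__main__":
    for tid, t in summarize(SAMPLE_LOG).items():
        print(tid, t["outcome"], "| queued:", t["queued"])
```

An empty sender in a "queued" tuple corresponds to the log line where nothing appears between "from" and "to".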

lyndonje | Senior Member | Joined: 31 January 2006 | Location: United Kingdom | Status: Offline | Points: 192

Hi Roberto,
Sorry for the delay! I've been off work. I've just checked the log again and there are no (101404) threads missing from the above.

Regards,
Lyndon.

StevenJohns | Senior Member | Joined: 03 August 2006 | Status: Offline | Points: 119

Just a quick question....
Why can't SF split the email and deliver it to a single recipient, whilst also rejecting it for other recipients?
I run my own filters here which I have written in vb.net that do exactly this and I haven't had any issues. This has been running for the last 18 months with no complaints. Also, I do not send NDRs to rejected mails....most of them bounce anyway as the sender's address is either spoofed or non-existent.

Alan | Groupie | Joined: 06 May 2005 | Location: United States | Status: Offline | Points: 43

Steven, can you share your code that you are using to do this?
Maybe send via private message?

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104

StevenJohns,
Scenario. The SMTP session is past the "RCPT TO" commands, where the recipients can be rejected by SpamFilter, and the sender has issued the DATA command and the transmittal of the email has begun. SpamFilter will now scan the email contents, and apply the various content-based filters: keywords, SURBL, attachment type, spam-image, antivirus, Bayesian.

At this point SpamFilter can do only one of two things. Either it will accept the email by sending a "250" ok code, or it will reject it with a 5xx error code. There are no in betweens... the email is either accepted or it's rejected. If SpamFilter sends a 250 code, the sender's mail server will assume the email is sent and all recipients have received it. If SpamFilter sends a 5xx code, the sender's mail server will know the email was rejected and all recipients did not receive it. This is how SMTP works... and there's no way around it.

What SpamFilter *could* do is send a 250 code, telling the sender the emails were received. SpamFilter can then deliver it to some recipients, and not to others. While this could be done, SpamFilter MUST per RFC (and for common sense) notify the sender that some recipients did not receive the email. The ONLY way to do this, since the sender has already received the 250 code, is for SpamFilter to send NDRs (non-delivery email notifications) to the sender. This however is a very bad idea, as most of the time the sender is fake, so SpamFilter would be sending huge amounts of NDR emails to innocent victims, practically spamming them. This would result in SpamFilter's IP address being blacklisted very soon.
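
A small model of the constraint described in the post above, as an added example that is not part of the original post and not SpamFilter's code: each RCPT TO gets its own reply, but the reply after DATA is a single code covering every accepted recipient. The function name, the addresses and the specific 550/554 codes (standing in for "a 5xx code") are assumptions for illustration.

```python
# Constructed sample data (assumptions, not taken from the thread's logs).
SENDER = "noreply@sender.example"
RCPTS = ["sales@recipient.example", "kerry@recipient.example",
         "craig@recipient.example", "james@recipient.example"]
WHITELIST = {(SENDER, "james@recipient.example")}   # force-delivery pairs


def run_transaction(sender, recipients, envelope_fail, whitelist, content_spam):
    """Model one SMTP transaction on the receiving side.

    envelope_fail: recipients for which an envelope-level check failed.
    content_spam:  verdict of the content filters that run after DATA.
    Returns (reply per RCPT TO, reply after DATA, recipients that get the mail).
    """
    rcpt_replies, accepted = {}, []
    for rcpt in recipients:
        forced = (sender, rcpt) in whitelist
        if rcpt in envelope_fail and not forced:
            rcpt_replies[rcpt] = 550          # refused in-session, no NDR needed
        else:
            rcpt_replies[rcpt] = 250
            accepted.append(rcpt)

    if not accepted:
        return rcpt_replies, 554, []          # no valid recipients

    # After DATA there is exactly one reply for every accepted recipient.
    forced_any = any((sender, r) in whitelist for r in accepted)
    if content_spam and not forced_any:
        return rcpt_replies, 550, []          # 5xx: nobody receives it
    return rcpt_replies, 250, list(accepted)  # 250: every accepted recipient receives it


if __name__ == "__main__":
    # Envelope check fails for everyone: only the whitelisted pair survives RCPT TO.
    print(run_transaction(SENDER, RCPTS, set(RCPTS), WHITELIST, False))
    # Content flagged after DATA, one recipient whitelisted: all four receive it.
    print(run_transaction(SENDER, RCPTS, set(), WHITELIST, True))
```

The second call reproduces the side effect discussed in this thread: once a content verdict arrives after DATA, one whitelisted recipient means the single 250 applies to everyone accepted at RCPT TO.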

StevenJohns | Senior Member | Joined: 03 August 2006 | Status: Offline | Points: 119

Yep, hence we don't send NDRs....exactly my point.

Another scenario... A user works in the technical dept of company X. He, and several others receive promotional emails from a supplier on a regular basis. This supplier is then dropped, for whatever reason. The emails still arrive. The user gets promoted and so the emails are irrelevant to him anyhow. The user creates a rule in Outlook to move all emails from this supplier to the junk folder and/or simply delete them straight away (after all, these emails are now by definition "unsolicited commercial email" UCE...SPAM...). Some of the recipients haven't bothered to create such a rule, and so they get these emails in their inbox....and manually delete them. The sending server gets a 250 for each recipient, but in reality, the email only arrives in some inboxes, not all of them (because of the Outlook rules).

It may be noted that the 250 response that you send back to the sending email server is related to the connection, not the content. Currently as per RFC, there is no method devised to tell the sending server that the email was delivered, but the user deleted it (either manually or with a rule), therefore there is no conformance issue in accepting the email for all recipients, then selectively removing certain recipients from the recipient list if that is what they want.

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104

The RFC rules here apply to the two SMTP servers talking to each other. Once an email is accepted by a server, it's over as far as the RFCs in question are concerned.
If the user has specific client-side rules, you go into a completely different scenario, outside the scope of SMTP servers and server-side spam filtering. The SMTP server will have no clue as to what the email client is doing. If the email client deletes an email without showing it to the user, the SMTP server (in general) will have no idea of what happened.

StevenJohns | Senior Member | Joined: 03 August 2006 | Status: Offline | Points: 119

True, however I would guess that in 99% of your installations, SF is running on the same box as the POP3 server and simply hands the email to a simple SMTP server which doesn't do much apart from dropping the email into the mailbox. So, the question of which process splits the email becomes fairly irrelevant. Is it SF, the intermediate SMTP server, the MTA....all of which may well run on the same box.