Print Page | Close Window

Email was not forwarded

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7102
Printed Date: 27 December 2024 at 2:03am


Topic: Email was not forwarded
Posted By: vbourbeau
Subject: Email was not forwarded
Date Posted: 07 November 2014 at 1:15pm

Hi, I don't understand in log file I see all the test pass for the email but nothing is forward? And nothing quarantine?

look the log above:

11/07/14 10:51:13:914 -- (118643312) Detected TCP Connection: 24.201.245.36
11/07/14 10:51:13:914 -- (118643312) Connection from: 24.201.245.36 - Originating country : Canada
11/07/14 10:51:14:273 -- (118643312) Received MAIL FROM: ******@******.ca
11/07/14 10:51:14:351 -- (118643312) Received RCPT TO: m*****n@*****.com
11/07/14 10:51:14:398 -- (118643312) Resolving 24.201.245.36 - relais.videotron.ca
11/07/14 10:51:14:632 -- (118643312) found SPF record for videotron.ca: v=spf1 mx a:relais.videotron.ca a:mx01.videotron.com a:mx02.videotron.com ip4:24.201.245.36 ~all
11/07/14 10:51:14:742 -- (118643312) SPF query result: pass
11/07/14 10:51:14:742 -- (118643312) - SPF analysis for videotron.ca done: - pass

Nothing else after that...







Replies:
Posted By: LogSat
Date Posted: 07 November 2014 at 8:12pm
vbourbeau,

There should be at least one other line containing the same id (118643312) indicating a disconnect. Please note that it may appear several minutes after the tries you indicated above. Some servers/bots may just attempt to find the validity of a recipient by issuing the sequence of commands above and then either disconnect or let the smtp session expire. That IP (24.201.245.36) is a legitimate mail server, but there are several reports of it having been compromised and used to spam in the past years.

If you'd like to zip and email us your entire activity logfile for us to look, you can contact us at support at logsat dot com.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: vbourbeau
Date Posted: 18 November 2014 at 10:20am
sorry for the long reply I've not recived notice of post probaby block by spamfilter :)

any way I've many case today look this one:


11/18/14 10:06:36:059 -- (102752064) Detected TCP Connection: 204.19.176.234
11/18/14 10:06:36:059 -- (102752064) Connection from: 204.19.176.234 - Originating country : Canada
11/18/14 10:06:36:403 -- (102752064) Received MAIL FROM: A***B@a**.com
11/18/14 10:06:36:559 -- (102752064) Received RCPT TO: d***@b***.com
11/18/14 10:06:36:653 -- (102752064) Resolving 204.19.176.234 - cpt-smtp03l-p.acceo.com
11/18/14 10:06:37:043 -- (102752064) found SPF record for acceo.com: v=spf1 ip4:204.19.176.0/24 ip4:64.254.227.0/24 ip4:74.114.101.0/28 206.162.179.0/24 ?all
11/18/14 10:06:37:043 -- (102752064) SPF query result: pass
11/18/14 10:06:37:043 -- (102752064) - SPF analysis for acceo.com done: - pass
11/18/14 10:06:37:043 -- (102752064) Mail from: A***B@a**.com
11/18/14 10:06:37:449 -- (102752064) - MAPS search done...
11/18/14 10:06:37:449 -- (102752064) RCPT TO: d***@b***.com
accepted
11/18/14 10:06:37:449 -- (102752064) Bypassed all rules for: d***@b***.com from A***B@a**.com ( Whitelisted EmailTO)
11/18/14 10:07:10:745 -- (102752064) Disconnect
11/18/14 10:07:10:745 -- (102752064) IdSMTPServerException non-critical error: Not Connected



Posted By: LogSat
Date Posted: 18 November 2014 at 12:50pm
SpamFilter reported an exception:
IdSMTPServerException non-critical error: Not Connected

Indicating that the connection was abruptly terminated. As this happened about 30 seconds after the the initial exchange of the MAIL FROM/RCPT TO recipients, it's likely that the disconnect it occurred while the payload of the email was being transmitted. It's thus possible that a firewall/antivirus/antispam (either the sender's or yours) has terminated the connection due to a virus or a malicious payload.

Only with a packet sniffer it would be possible to find out more details as to what is actually happening, but as the two source IPs in your email samples are different, I suspect you may be having this behavior from multiple sources, making the packet captures a bit complicated due to the large amounts of data if you're unable to filter the capture by IPs.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Print Page | Close Window