I would like to know more infroamtion about the log files. What do the numbers between the (XXX) mean, I would like to be able it show what rule the email was rejected by

thanks for any input. HAVE A GREAT DAY !

In SpamFilter all incoming and outgoing connections are multi-threaded. This means that each email that is received or that is sent is handled by a separate thread. The number in parenthesis (xxx) indicates what the thread with that ThreadID is currently doing.

All log entries are timestamped for when the event took place, and indicate the ID of the thread doing the work at that moment. When an incoming connection is detected, a new thread is spawned to process the incoming connection requests. Once the email msg is received from the remote server, the file is ASCII-queued to a temp file in the queue directory, along with a separate file containing the recipients for the email. At this point the thread terminates and a new thread is spawned that takes care of delivering the email to your destination mail server.

A complete email reception/fwding process would look similar to the following:

02/28/03 00:53:25:449 -- (2212) Connection from: 192.168.1.101 - Originating country : N/A 02/28/03 00:53:25:630 -- (2212) Resolving 192.168.1.101 - Not found 02/28/03 00:53:25:630 -- (2212) Mail from: roberto3@netwide.net 02/28/03 00:53:25:930 -- (2212) MAPS search done... . 02/28/03 00:53:25:930 -- (2212) RCPT TO: roberto2@netwide2.net accepted 02/28/03 00:53:25:990 -- (2212) EMail from roberto3@netwide.net to roberto2@netwide2.net was queued. 02/28/03 00:53:25:990 -- (2212) Disconnect 02/28/03 00:53:26:000 -- (2280) Sending email from roberto3@netwide.net to roberto2@netwide2.net 02/28/03 00:53:27:693 -- (2280) EMail from roberto3@netwide.net to roberto2@netwide2.net was forwarded to mail.netwide.net

Ini the log you should always find the reason of why an email was rejected or quarantined. Look for the line that says "will be quarantined" or "will be disconnected". The line just above that will indicate the last test that failed (Note that you may have to skip a few lines if other emails were received at the same time, that is where looking at the Thread ID becomes handy). Following are some reject samples from our logs:

03/25/03 00:00:56:110 -- (313) - MAPS search done... 521 The IP 209.111.69.236 is Blacklisted by dnsbl.njabl.org. . 03/25/03 00:00:56:110 -- (313) 209.111.69.236 - Mail from: jgalaoit754@click2saveonline.us To: rcox@netwide.net will be quarantined

or

03/25/03 00:01:04:872 -- (73) Resolving 220.71.31.35 - Not found 03/25/03 00:01:04:872 -- (73) - Reverse DNS not found - 03/25/03 00:01:04:872 -- (73) 220.71.31.35 - Mail from: cvfgb66b65t@aaro.se To: ashbrook@netwide.net will be quarantined

or

03/25/03 00:05:29:423 -- (264) RCPT TO: ohfudge@NETWIDE.NET accepted 03/25/03 00:05:29:573 -- (264) Found Keywords: [mortgage,click here] 03/25/03 00:05:29:573 -- (264) EMail from atlasrewards@FUNMAILOFFERS.COM to ohfudge@NETWIDE.NET matches content filter rules - rejected. 03/25/03 00:05:29:633 -- (264) EMail from atlasrewards@FUNMAILOFFERS.COM to ohfudge@NETWIDE.NET was received and quarantined. Size: 5 KB

Hope this helps!

Roberto Franceschetti LogSat Software

Very well explained, but I have am example I would like you to look at I would like to know the reason the mail was quarantined.

03/26/03 10:09:07:689 -701 Connection from: 12.4.169.99 - Originating country : United States 03/26/03 10:09:07:769 -701 Resolving 12.4.169.99 - Not found 03/26/03 10:09:07:769 -701 Mail from: Yvette_Stephen@worldwide.com 03/26/03 10:09:08:100 -701 - MAPS search done... . 03/26/03 10:09:08:100 -701 Mail from: Yvette_Stephen@worldwide.com To: michael.j.rour@citigroup.com - will be quarantined 03/26/03 10:09:08:260 -701 EMail from Yvette_Stephen@worldwide.com to michael.j.rour@citigroup.com was received and quarantined. 03/26/03 10:09:09:011 -701 Mail from: Yvette_Stephen@worldwide.com 03/26/03 10:09:09:011 -701 Mail from: Yvette_Stephen@worldwide.com To: michael.j.rour@citigroup.com - will be quarantined 03/26/03 10:09:09:121 -701 EMail from Yvette_Stephen@worldwide.com to michael.j.rour@citigroup.com was received and quarantined. 03/26/03 10:09:11:725 -701 Disconnect thanks you for any help.

Wayne,

We received your ini and logfiles. In SpamFilter you have configured your "Local Domains" with just one entry, teamworldwide.com.

This means that SpamFilter will only accept and deliver email addressed to someone@teamworldwide.com. SpamFilter cannot be used to relay mail anywhere else.

In you log we noticeed several times entries that showed your users (someone@teamworldwide.com) trying to send email to outside domains (ex. someone@macktrucks.com). That won't work...

Don't forget that SpamFilter is designed to handle excusively incoming email. It is not supposed to be used by your internal users as their outgoing SMTP server. You users should still use your existing SMTP mail as their outgoing SMTP server to relay email to the outside.

Hope this helps!

Roberto

I have setup the Spam filter to lison on port25 , and change my smpt server to port 26, would i need to change the configuration on the clients email software to point to port 26 ?

Wayne,

Please take a look at the thread titled "Relay settings" in this forum, as it is very similar to your situation.

The answer to your question would be a "yes", but we recommend going a different route as indicated in the other postings.

Roberto F. LogSat Software

Comments

Great Product!!, Thanks You for the support, If the port change works, I will be registering your product.

Now I see why you asked... That leaves us puzzled as well!

If can you please email to us at support@logsat.com a copy of your spamfilter.ini and the logfile in question we'll try to take a better look. The reject reason should indeed have been logged.

Roberto

Wayne,

Is the "citigroup.com" domain (or the * wildcard) included in your Local Domains list -- the domains that you accept for mail relaying on your system? If NOT, then this may explain this log sequence.

We have seen this same sequence of log entries on our server when SpamFilter rejects a message based on anti-relay -- the recipient's domain is not listed in the Local Domains list -- and quarantining is enabled.

As for the duplication of certain lines in the log entry... it appears in our logs from time to time as well, but again, the only time we see this duplication is on anti-relay rejections.

Hope this is helpful in some way.

Jim