External Domain Emails Caught in Quarantine
Problem reported by Adam Lewis - 11/3/2016 at 5:29 AM
Not A Problem
Here's the setup:
 
DomainA is set up with a Domain Location of External (user host address) because they want to use our spam filtering.
 
Whenever DomainA receives an email from example.com it goes into our Spam Quarantine. Here is a link to all the relevant settings for our spam filtering - https://www.dropbox.com/sh/btjcp0ohb2isaek/AADfiWofwrF19aV3WpsKN-3-a?dl=0

We have added the IP address of example.com's email server to our Whitelist and SMTP Authentication Bypass.
 
We've added the domain to our Trusted Senders.
 
Still, every example.com email gets moved to Quarantine.

10 Replies

Adam Lewis Replied
Here is a copy of the delivery log for a message that got flagged.

[2016.11.03] 14:15:17 [62139] Delivery started for user@example.com at 2:15:17 PM
[2016.11.03] 14:15:22 [62139] Launching 'c:\smartermail\check-email.vbs' command line exe.
[2016.11.03] 14:15:22 [62139] Command line exe finished.
[2016.11.03] 14:15:22 [62139] Skipping spam checks: No local recipients
[2016.11.03] 14:15:27 [62139] Sending remote mail for user@example.com
[2016.11.03] 14:15:28 [62139] Spam check results: [_COMMTOUCH: 30,Confirmed], [_MESSAGESNIFFER: 0,code:0], [HOSTKARMA - BLACKLIST: passed], [RFC2 REALTIME LIST: passed], [SEM-URIBL: passed], [SEM-URIRED: passed], [SPAMCOP: passed], [SURBL - ABUSE BUSTER: passed], [SURBL - JWSPAMSPY: passed], [SURBL - MALWARE: passed], [SURBL - PHISHING: passed], [SURBL - SA BLACKLIST: passed], [SURBL - SPAMCOP WEB: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [VIRUS RBL - MSRBL: passed]
[2016.11.03] 14:15:28 [62139] Message flagged for Quarantine
[2016.11.03] 14:15:28 [62139] This message cannot be delivered as it was marked as spam. Weight: 30
[2016.11.03] 14:15:28 [62139] Delivery for user@example.com to user@DomainA has completed (Bounced)
[2016.11.03] 14:15:32 [62139] Delivery finished for user@example.com at 2:15:32 PM    [id:650714462139]

After we go into the Spam Quarantine and click "Actions > Resend" the message goes through and here is the log:
 
[2016.11.03] 14:35:47 [62139] Delivery started for user@example.com at 2:35:47 PM
[2016.11.03] 14:35:53 [62139] Launching 'c:\smartermail\check-email.vbs' command line exe.
[2016.11.03] 14:35:53 [62139] Command line exe finished.
[2016.11.03] 14:35:53 [62139] Skipping spam checks: No local recipients
[2016.11.03] 14:35:58 [62139] Sending remote mail for user@example.com
[2016.11.03] 14:35:59 [62139] Spam check results: [_COMMTOUCH: 30,Confirmed], [_MESSAGESNIFFER: 0,code:0], [HOSTKARMA - BLACKLIST: passed], [RFC2 REALTIME LIST: passed], [SEM-URIBL: passed], [SEM-URIRED: passed], [SPAMCOP: passed], [SURBL - ABUSE BUSTER: passed], [SURBL - JWSPAMSPY: passed], [SURBL - MALWARE: passed], [SURBL - PHISHING: passed], [SURBL - SA BLACKLIST: passed], [SURBL - SPAMCOP WEB: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [VIRUS RBL - MSRBL: passed]
[2016.11.03] 14:35:59 [62139] Initiating connection to 216.68.23.3
[2016.11.03] 14:35:59 [62139] Connecting to 216.68.23.3:25 (Id: 1)
[2016.11.03] 14:35:59 [62139] Connection to 216.68.23.3:25 from our_ip_address:54508 succeeded (Id: 1)
[2016.11.03] 14:35:59 [62139] RSP: 220 our.customer.email.server Microsoft ESMTP MAIL Service ready at Thu, 3 Nov 2016 14:40:03 -0400
[2016.11.03] 14:35:59 [62139] CMD: EHLO our.email.server
[2016.11.03] 14:35:59 [62139] RSP: 250-our.customer.email.server Hello [our_ip_address]
[2016.11.03] 14:35:59 [62139] RSP: 250-SIZE 37748736
[2016.11.03] 14:35:59 [62139] RSP: 250-PIPELINING
[2016.11.03] 14:35:59 [62139] RSP: 250-DSN
[2016.11.03] 14:35:59 [62139] RSP: 250-ENHANCEDSTATUSCODES
[2016.11.03] 14:35:59 [62139] RSP: 250-STARTTLS
[2016.11.03] 14:35:59 [62139] RSP: 250-X-ANONYMOUSTLS
[2016.11.03] 14:35:59 [62139] RSP: 250-AUTH NTLM
[2016.11.03] 14:35:59 [62139] RSP: 250-X-EXPS GSSAPI NTLM
[2016.11.03] 14:35:59 [62139] RSP: 250-8BITMIME
[2016.11.03] 14:35:59 [62139] RSP: 250-BINARYMIME
[2016.11.03] 14:35:59 [62139] RSP: 250-CHUNKING
[2016.11.03] 14:35:59 [62139] RSP: 250 XRDST
[2016.11.03] 14:35:59 [62139] CMD: MAIL FROM:<user@example.com> SIZE=193974
[2016.11.03] 14:35:59 [62139] RSP: 250 2.1.0 Sender OK
[2016.11.03] 14:35:59 [62139] CMD: RCPT TO:<user@DomainA>
[2016.11.03] 14:36:00 [62139] RSP: 250 2.1.5 Recipient OK
[2016.11.03] 14:36:00 [62139] CMD: DATA
[2016.11.03] 14:36:00 [62139] RSP: 354 Start mail input; end with <CRLF>.<CRLF>
[2016.11.03] 14:36:01 [62139] RSP: 250 2.6.0 <1478197180_9203879@bwmail1> [InternalId=94102733455519] Queued mail for delivery
[2016.11.03] 14:36:01 [62139] CMD: QUIT
[2016.11.03] 14:36:01 [62139] RSP: 221 2.0.0 Service closing transmission channel
[2016.11.03] 14:36:01 [62139] Delivery for user@example.com to user@DomainA has completed (Delivered)
[2016.11.03] 14:36:05 [62139] Delivery finished for user@example.com at 2:36:05 PM    [id:650714462139]
 
Von-Austin See Replied
Employee Post
Adam,
 
Based on the logs, it's getting flagged by Cyren. This may be a false positive that's matching a certain holding pattern. I would suggest sending an e-mail to sales@smartertools.com and attaching the e-mail in question. We can request that this is de-listed; usually these requests take 15-20 minutes to process on Cyren's end, so we should see a fairly good turnaround on this.
 
We will spam check outbound messages to the external domain to prevent blacklisting on major providers such as Gmail\Google Apps, for example. If the domain was hosted with Google Apps and was knowingly sending spam out to the Google Apps domain and the Google Apps members were marking these as spam, the SmarterMail server's IP reputation would take a hit with their services.
 
I hope this helps clarify.
 
 
Von See Technical Support Supervisor SmarterTools Inc. (877) 357-6278 www.smartertools.com
Adam Lewis Replied
Von-Austin,
 
I did what you said, and Rose responded with the following:

"The Result of the reported FP (RefID: 0001.0A020201.581BC149.001C): Not blocked. The message was not classified as spam/bulk. It is possible that the message was classified as "suspected" by Commtouch or blocked by another engine; it is also possible that there was a reporting error.
 
I realize this isn't the answer you were expecting.  But I hope that it points you in the right direction for investigating.  Please let me know if you have any additional questions.  I would be happy to assist."

Any more ideas?
Von-Austin See Replied
Employee Post
Adam,
 
It could be that the holding pattern has already been released. If you perform a test with the same message, does it get blocked?
Von See Technical Support Supervisor SmarterTools Inc. (877) 357-6278 www.smartertools.com
Adam Lewis Replied
This customer is already pretty pissed off, so I don't want to use the same email to test or they will get another copy of it and yell about that I'm sure.
 
I just had 3 more emails within the last hour from example.com get moved to quarantine.
Von-Austin See Replied
Employee Post
Adam,
 
At this point, I'd suggest opening a support ticket with us so we can investigate your logs and see what may be tripping these up. 
Von See Technical Support Supervisor SmarterTools Inc. (877) 357-6278 www.smartertools.com
Adam Lewis Replied
I will do so, but how can this be flagged as not a problem? It clearly is a problem...
Paul Blank Replied
OK so there's this:
 
******************************************************************************************************************************
[2016.11.03] 14:15:27 [62139] Sending remote mail for user@example.com
 
[2016.11.03] 14:15:28 [62139] Spam check results: [_COMMTOUCH: 30,Confirmed], [_MESSAGESNIFFER: 0,code:0], [HOSTKARMA - BLACKLIST: passed], [RFC2 REALTIME LIST: passed], [SEM-URIBL: passed], [SEM-URIRED: passed], [SPAMCOP: passed], [SURBL - ABUSE BUSTER: passed], [SURBL - JWSPAMSPY: passed], [SURBL - MALWARE: passed], [SURBL - PHISHING: passed], [SURBL - SA BLACKLIST: passed], [SURBL - SPAMCOP WEB: passed], [UCEPROTECT LEVEL 1: passed], [UCEPROTECT LEVEL 2: passed], [UCEPROTECT LEVEL 3: passed], [VIRUS RBL - MSRBL: passed]
 
[2016.11.03] 14:15:28 [62139] Message flagged for Quarantine
 
*************************************************************************************************************************
 
It clearly passes all the checks listed, yet it is still flagged for quarantine. The question remains: was it flagged for quarantine BEFORE all those checks, and if so, why is this not able to be noted in the log? If it was only flagged AFTER those checks, then something is amiss in the logging/reporting process as well.
 
I now see that the last reply is several days old. I am curious to know what the resolution was, if any, to this issue. Thanks!
 
 
Matt Petty Replied
Employee Post
According to that, Cyren (Commtouch) confirmed it as spam and gave it a score of 30.
[_COMMTOUCH: 30,Confirmed]
Matt Petty Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
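The "Spam check results" line is easy to misread, as the exchange above shows: every listed check passed except one, and that one engine carried the entire weight of 30. The script below is an added example, not code from this thread or from SmarterTools; it parses a SmarterMail-style delivery-log excerpt (a constructed sample modelled on the log posted above, with the engine list shortened) and reports which engines actually contributed to the quarantine weight. It assumes that the logged weight is the sum of the per-engine weights, which is consistent with the posted log (30 from Cyren, logged weight 30) but is an assumption about how the server combines scores, not a documented rule.

```python
import re

# Constructed sample modelled on the delivery-log excerpt posted in this
# thread; engine list shortened, COMMTOUCH score and final weight as posted.
SAMPLE_BOUNCED = [
    "[2016.11.03] 14:15:27 [62139] Sending remote mail for user@example.com",
    "[2016.11.03] 14:15:28 [62139] Spam check results: [_COMMTOUCH: 30,Confirmed], "
    "[_MESSAGESNIFFER: 0,code:0], [HOSTKARMA - BLACKLIST: passed], "
    "[SURBL - PHISHING: passed], [UCEPROTECT LEVEL 1: passed]",
    "[2016.11.03] 14:15:28 [62139] Message flagged for Quarantine",
    "[2016.11.03] 14:15:28 [62139] This message cannot be delivered as it was "
    "marked as spam. Weight: 30",
    "[2016.11.03] 14:15:28 [62139] Delivery for user@example.com to user@DomainA "
    "has completed (Bounced)",
]

# One "[ENGINE: result]" cell. The engine name may contain spaces and dashes
# but never a colon; the result text may (e.g. "0,code:0").
CELL_RE = re.compile(r"\[([^\[\]:]+):\s*([^\[\]]*)\]")
WEIGHT_RE = re.compile(r"marked as spam\. Weight: (\d+)")


def parse_spam_results(line):
    """Map engine name -> (weight, detail) from a 'Spam check results:' line.

    'passed' carries weight 0. Otherwise the text before the first comma is
    taken as the engine's weight and the rest as its verdict ("Confirmed",
    "code:0").
    """
    _, _, rest = line.partition("Spam check results:")
    results = {}
    for name, value in CELL_RE.findall(rest):
        value = value.strip()
        if value.lower() == "passed":
            results[name.strip()] = (0, "passed")
            continue
        head, _, detail = value.partition(",")
        try:
            weight = int(head.strip())
        except ValueError:  # defensive: unrecognised result text, count as 0
            weight, detail = 0, value
        results[name.strip()] = (weight, detail.strip())
    return results


def explain_delivery(lines):
    """Summarise one delivery's spam outcome from its log lines.

    Assumption: the quarantine weight equals the sum of per-engine weights
    (true of the posted log). 'consistent' is False when the logged weight
    does not match that sum, which would point at a scoring rule this
    parser does not model.
    """
    results, logged_weight, quarantined = {}, None, False
    for line in lines:
        if "Spam check results:" in line:
            results = parse_spam_results(line)
        elif "Message flagged for Quarantine" in line:
            quarantined = True
        m = WEIGHT_RE.search(line)
        if m:
            logged_weight = int(m.group(1))
    contributors = {n: w for n, (w, _) in results.items() if w > 0}
    computed = sum(contributors.values())
    return {
        "quarantined": quarantined,
        "contributors": contributors,
        "computed_weight": computed,
        "logged_weight": logged_weight,
        "consistent": logged_weight is None or logged_weight == computed,
    }


if __name__ == "__main__":
    summary = explain_delivery(SAMPLE_BOUNCED)
    for engine, weight in summary["contributors"].items():
        print(f"{engine} contributed {weight} of {summary['computed_weight']}")
    print(summary)
```

Run it over a real delivery-log excerpt and the `contributors` map is the part to read: a line where every cell but one says "passed" is still a quarantine if that one cell carries a weight at or above the configured threshold. The parser only reports what the log states; it does not know the server's threshold or whitelist settings, so a message that shows a consistent weight but was expected to bypass filtering is still a configuration question for the server, not for the log.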
Paul Blank Replied
Oops!  Now I see that. I stand corrected!
 
My apologies. Would still like to know how this was resolved, however.
 
Cheers.
 
 
