Content Filter Bouncing disabled - bounce was still sent out
Question asked by mark - 8/30/2019 at 9:35 AM
Unanswered
We have an issue with a spam email sent to an alias on our SM server, the spam was accepted for delivery (as expected) and SM then attempted to forward to the clients btinternet.com mailbox.  SM didn't send the message due to the spam weight, but SM then sent a NDR back to the original spammer.  I thought Content Filter Bouncing was supposed to prevent this?

I've included the logs below if anyone can explain how we can prevent this (real email addresses disguised):

Here is the spam email arriving – this attempt was grey listed.

[2019.08.29] 22:01:09 [206.189.48.221][20942705] rsp: 220 mail3.nsnetwork.net Thu, 29 Aug 2019 21:01:09 +0000 UTC
[2019.08.29] 22:01:09 [206.189.48.221][20942705] connected at 29/08/2019 22:01:09
[2019.08.29] 22:01:09 [206.189.48.221][20942705] cmd: EHLO mx.iodal.smilaceous.xyz
[2019.08.29] 22:01:09 [206.189.48.221][20942705] rsp: 250-mail3.nsnetwork.net Hello [206.189.48.221]250-SIZE 26214400250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.08.29] 22:01:09 [206.189.48.221][20942705] cmd: STARTTLS
[2019.08.29] 22:01:09 [206.189.48.221][20942705] rsp: 220 Start TLS negotiation
[2019.08.29] 22:01:09 [206.189.48.221][20942705] cmd: EHLO mx.iodal.smilaceous.xyz
[2019.08.29] 22:01:09 [206.189.48.221][20942705] rsp: 250-mail3.nsnetwork.net Hello [206.189.48.221]250-SIZE 26214400250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2019.08.29] 22:01:09 [206.189.48.221][20942705] cmd: MAIL FROM:<mildacruz.641@iodal.smilaceous.xyz> SIZE=5781 BODY=8BITMIME
[2019.08.29] 22:01:09 [206.189.48.221][20942705] senderEmail(1): mildacruz.641@iodal.smilaceous.xyz parsed using: <mildacruz.641@iodal.smilaceous.xyz>
[2019.08.29] 22:01:10 [206.189.48.221][20942705] rsp: 250 OK <mildacruz.641@iodal.smilaceous.xyz> Sender ok
[2019.08.29] 22:01:10 [206.189.48.221][20942705] cmd: RCPT TO:<mm@XXXXXXXXXXXXXX.co.uk>
[2019.08.29] 22:01:10 [206.189.48.221][20942705] rsp: 451 Greylisted, please try again in 60 seconds
[2019.08.29] 22:01:10 [206.189.48.221][20942705] disconnected at 29/08/2019 22:01:10

Here is the second inbound attempt TO mm@XXXXXXXXXXXXXX.co.uk which was accepted.

[2019.08.29] 22:02:18 [206.189.48.221][5553901] rsp: 220 mail3.nsnetwork.net Thu, 29 Aug 2019 21:02:18 +0000 UTC
[2019.08.29] 22:02:18 [206.189.48.221][5553901] connected at 29/08/2019 22:02:18
[2019.08.29] 22:02:18 [206.189.48.221][5553901] cmd: EHLO mx.iodal.smilaceous.xyz
[2019.08.29] 22:02:18 [206.189.48.221][5553901] rsp: 250-mail3.nsnetwork.net Hello [206.189.48.221]250-SIZE 26214400250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2019.08.29] 22:02:18 [206.189.48.221][5553901] cmd: STARTTLS
[2019.08.29] 22:02:18 [206.189.48.221][5553901] rsp: 220 Start TLS negotiation
[2019.08.29] 22:02:18 [206.189.48.221][5553901] cmd: EHLO mx.iodal.smilaceous.xyz
[2019.08.29] 22:02:18 [206.189.48.221][5553901] rsp: 250-mail3.nsnetwork.net Hello [206.189.48.221]250-SIZE 26214400250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2019.08.29] 22:02:18 [206.189.48.221][5553901] cmd: MAIL FROM:<mildacruz.641@iodal.smilaceous.xyz> SIZE=5781 BODY=8BITMIME
[2019.08.29] 22:02:18 [206.189.48.221][5553901] senderEmail(1): mildacruz.641@iodal.smilaceous.xyz parsed using: <mildacruz.641@iodal.smilaceous.xyz>
[2019.08.29] 22:02:18 [206.189.48.221][5553901] rsp: 250 OK <mildacruz.641@iodal.smilaceous.xyz> Sender ok
[2019.08.29] 22:02:18 [206.189.48.221][5553901] cmd: RCPT TO:<mm@XXXXXXXXXXX.co.uk>
[2019.08.29] 22:02:18 [206.189.48.221][5553901] rsp: 250 OK <mm@XXXXXXXXXXX.co.uk> Recipient ok
[2019.08.29] 22:02:18 [206.189.48.221][5553901] cmd: DATA
[2019.08.29] 22:02:18 [206.189.48.221][5553901] Performing PTR host name lookup for 206.189.48.221
[2019.08.29] 22:02:18 [206.189.48.221][5553901] PTR host name for 206.189.48.221 resolved as mx.iodal.smilaceous.xyz
[2019.08.29] 22:02:18 [206.189.48.221][5553901] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2019.08.29] 22:02:18 [206.189.48.221][5553901] senderEmail(2): mildacruz.641@iodal.smilaceous.xyz parsed using: "N1ghTm4r3" <mildacruz.641@iodal.smilaceous.xyz>
[2019.08.29] 22:02:18 [206.189.48.221][5553901] rsp: 250 OK
[2019.08.29] 22:02:18 [206.189.48.221][5553901] Received message size: 5783 bytes
[2019.08.29] 22:02:18 [206.189.48.221][5553901] Successfully wrote to the HDR file. (d:\SmarterMail\Spool\proc\266369974.hdr)
[2019.08.29] 22:02:18 [206.189.48.221][5553901] Data transfer succeeded, writing mail to 266369974.eml (MessageID: <5d683bfeda8d6@iodal.smilaceous.xyz>)
[2019.08.29] 22:02:18 [206.189.48.221][5553901] cmd: QUIT
[2019.08.29] 22:02:18 [206.189.48.221][5553901] rsp: 221 Service closing transmission channel
[2019.08.29] 22:02:18 [206.189.48.221][5553901] disconnected at 29/08/2019 22:02:18


There is no mailbox for mm@XXXXXXXXXXXXXXX.co.uk – but there is an alias which redirects to XXXXXXXX@btinternet.com – so Smartermail will accept the message - that’s the successful delivery we see above.  

Smartermail should then try to deliver to the btinternet mailbox which we see being attempted here:

[2019.08.29] 22:02:32 [69974] Delivery started for mildacruz.641@iodal.smilaceous.xyz at 22:02:32
[2019.08.29] 22:02:44 [69974] Added to SpamCheckQueue (0 queued; 1/30 processing)
[2019.08.29] 22:02:44 [69974] Starting Spam Checks.
[2019.08.29] 22:02:44 [69974] Spam check results: [BARRACUDA: passed], [SORBS: passed], [SPAMCOP: passed], [ZEN: passed], [_REVERSEDNSLOOKUP: Passed], [_DK: None], [_DKIM: Pass]
[2019.08.29] 22:02:44 [69974] Spam Checks completed.
[2019.08.29] 22:02:44 [69974] Removed from SpamCheckQueue (0 queued or processing)
[2019.08.29] 22:02:47 [69974] Added to RemoteDeliveryQueue (0 queued; 1/150 processing)
[2019.08.29] 22:02:47 [69974] Sending remote mail for mildacruz.641@iodal.smilaceous.xyz
[2019.08.29] 22:02:47 [69974] Spam check results: [BARRACUDA: passed], [SORBS: passed], [SPAMCOP: passed], [ZEN: passed], [_REVERSEDNSLOOKUP: Passed], [_DK: None], [_DKIM: Pass]
[2019.08.29] 22:02:47 [69974] Message flagged for Quarantine
[2019.08.29] 22:02:47 [69974] This message cannot be delivered as it was marked as spam. Weight: 35
[2019.08.29] 22:02:47 [69974] Bounce email written to 266369978.eml
[2019.08.29] 22:02:47 [69974] Delivery for mildacruz.641@iodal.smilaceous.xyz to XXXXXXXXX@btinternet.com has completed (Bounced)
[2019.08.29] 22:02:47 [69974] Removed from RemoteDeliveryQueue (1 queued or processing)
[2019.08.29] 22:02:50 [69974] Removing Spool message: Killed: False, Failed: False, Finished: True
[2019.08.29] 22:02:50 [69974] Delivery finished for mildacruz.641@iodal.smilaceous.xyz at 22:02:50                [id:x266369974]
[2019.08.29] 22:02:32 [69974] Delivery started for mildacruz.641@iodal.smilaceous.xyz at 22:02:32
[2019.08.29] 22:02:44 [69974] Added to SpamCheckQueue (0 queued; 1/30 processing)
[2019.08.29] 22:02:44 [69974] Starting Spam Checks.
[2019.08.29] 22:02:44 [69974] Spam check results: [BARRACUDA: passed], [SORBS: passed], [SPAMCOP: passed], [ZEN: passed], [_REVERSEDNSLOOKUP: Passed], [_DK: None], [_DKIM: Pass]
[2019.08.29] 22:02:44 [69974] Spam Checks completed.
[2019.08.29] 22:02:44 [69974] Removed from SpamCheckQueue (0 queued or processing)
[2019.08.29] 22:02:47 [69974] Added to RemoteDeliveryQueue (0 queued; 1/150 processing)
[2019.08.29] 22:02:47 [69974] Sending remote mail for mildacruz.641@iodal.smilaceous.xyz
[2019.08.29] 22:02:47 [69974] Spam check results: [BARRACUDA: passed], [SORBS: passed], [SPAMCOP: passed], [ZEN: passed], [_REVERSEDNSLOOKUP: Passed], [_DK: None], [_DKIM: Pass]
[2019.08.29] 22:02:47 [69974] Message flagged for Quarantine
[2019.08.29] 22:02:47 [69974] This message cannot be delivered as it was marked as spam. Weight: 35
[2019.08.29] 22:02:47 [69974] Bounce email written to 266369978.eml
[2019.08.29] 22:02:47 [69974] Delivery for mildacruz.641@iodal.smilaceous.xyz to XXXXXXXXXXX@btinternet.com has completed (Bounced)
[2019.08.29] 22:02:47 [69974] Removed from RemoteDeliveryQueue (1 queued or processing)
[2019.08.29] 22:02:50 [69974] Removing Spool message: Killed: False, Failed: False, Finished: True

Note the highlighted line above which I think indicates that Smartermail is configured so that it won’t forward anything above a specific spam weight to the alias address (XXXXXXXXXX@btinternet.com)

As a result, Smartermail sends a message back to the original sender mildacruz.641@iodal.smilaceous.xyz advising that their message could not be delivered – here are the logs for that.


22:02:50 [69978] Delivery started for  at 22:02:50
22:02:50 [69978] Spool message was missing Return-Path; Also missing FROM header. If this is a system message this is normal behavior.
22:03:02 [69978] Added to SpamCheckQueue (0 queued; 1/30 processing)
22:03:02 [69978] Starting Spam Checks.
22:03:02 [69978] Skipping spam checks: Internally Generated Message
22:03:02 [69978] Spam Checks completed.
22:03:02 [69978] Removed from SpamCheckQueue (0 queued or processing)
22:03:05 [69978] Added to RemoteDeliveryQueue (0 queued; 1/150 processing)
22:03:05 [69978] Sending remote mail for 
22:03:05 [69978] Skipping spam checks: Bounce
22:03:05 [69978] Sending remote mail to: mildacruz.641@iodal.smilaceous.xyz
22:03:05 [69978] Initiating connection to 206.189.48.221
22:03:05 [69978] Connecting to 206.189.48.221:25 (Id: 1)
22:03:05 [69978] Connection to 206.189.48.221:25 from 82.113.143.20:52213 succeeded (Id: 1)
22:03:05 [69978] RSP: 220-mx.iodal.smilaceous.xyz ESMTP Postfix
22:03:05 [69978] RSP: 
22:03:11 [69978] RSP: 220 mx.iodal.smilaceous.xyz ESMTP Postfix
22:03:11 [69978] CMD: EHLO mail3.nsnetwork.net
22:03:11 [69978] RSP: 250-mx.iodal.smilaceous.xyz
22:03:11 [69978] RSP: 250-PIPELINING
22:03:11 [69978] RSP: 250-SIZE 15728640
22:03:11 [69978] RSP: 250-ETRN
22:03:11 [69978] RSP: 250-STARTTLS
22:03:11 [69978] RSP: 250-ENHANCEDSTATUSCODES
22:03:11 [69978] RSP: 250-8BITMIME
22:03:11 [69978] RSP: 250-DSN
22:03:11 [69978] RSP: 250 SMTPUTF8
22:03:11 [69978] CMD: STARTTLS
22:03:11 [69978] RSP: 220 2.0.0 Ready to start TLS
22:03:12 [69978] CMD: EHLO mail3.nsnetwork.net
22:03:12 [69978] RSP: 250-mx.iodal.smilaceous.xyz
22:03:12 [69978] RSP: 250-PIPELINING
22:03:12 [69978] RSP: 250-SIZE 15728640
22:03:12 [69978] RSP: 250-ETRN
22:03:12 [69978] RSP: 250-ENHANCEDSTATUSCODES
22:03:12 [69978] RSP: 250-8BITMIME
22:03:12 [69978] RSP: 250-DSN
22:03:12 [69978] RSP: 250 SMTPUTF8
22:03:12 [69978] CMD: MAIL FROM:<> SIZE=2214
22:03:12 [69978] RSP: 250 2.1.0 Ok
22:03:12 [69978] CMD: RCPT TO:<mildacruz.641@iodal.smilaceous.xyz>
22:03:12 [69978] RSP: 250 2.1.5 Ok
22:03:12 [69978] CMD: DATA
22:03:12 [69978] RSP: 354 End data with <CR><LF>.<CR><LF>
22:03:12 [69978] RSP: 250 2.0.0 Ok: queued as 46KFSZ34Skz23q4
22:03:12 [69978] CMD: QUIT
22:03:12 [69978] RSP: 221 2.0.0 Bye
22:03:12 [69978] Delivery for  to mildacruz.641@iodal.smilaceous.xyz has completed (Delivered)
22:03:12 [69978] Removed from RemoteDeliveryQueue (0 queued or processing)
22:03:14 [69978] Removing Spool message: Killed: False, Failed: False, Finished: True
22:03:14 [69978] Delivery finished for  at 22:03:14  [id:266369978]

This results in our mail server being reported to Spam Haus for back scatter.

Can anyone help please?

4 Replies

Reply to Thread
0
Kyle Kerst Replied
Employee Post
Can you please check Settings>Antispam and ensure bounce messages are configured to send only if SPF checks pass? Then, double-check that you have a valid DNS server address (preferably one external one internal) set up under Settings>General and test this again? If these issues persist you may also want to check the version you're currently running against what we have available on the downloads site. Let me know how that works out for you. Have a great day!
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
mark Replied
Thanks for the quick reply Kyle!

We have the following settings:

Autoresponders:    Require message pass SPF
Content Filter Bouncing: Disabled


Can you tell me where to find a detailed explanation of the above setting?  I have searched the documentation and it just says "Set this to be as restrictive as your clients will allow" - I really need to understand the difference between "Disabled" which is the setting we are using, and "Require message pass SPF".  I would have expected that "Disabled" would prevent all content filter bounce messages from being sent?

To answer your other questions, we have two independent DNS servers configured.

We are currently running SM 16.3.6830  - if there is a known fix for this issue in a later version then we'll schedule an upgrade, but with over 1500 mailboxes on the server we try to keep downtime to a minimum.

SM17 is not currently an option as we have no means of retrieving mailbox passwords (very useful for checking that clients have strong passwords!).

Thanks again,

Mark...


0
Kyle Kerst Replied
Employee Post
Hello Mark, you're very welcome, happy to help! Sorry for the delay, we were closed for the holiday and I'm just circling back now. The documentation on these settings is unfortunately brief, and I'll be asking our documentation team to review this area going forward. 

As to the best settings, Content Filter Bouncing/Autoresponders being configured to send only if SPF checks pass is your best bet! This ensures your user accounts will not autorespond or bounce messages from known spammer accounts/domains, which can lead to your server ending up on Backscatter spam lists. Once you've adjusted that setting you will also want to double-check that you have valid DNS servers configured under Settings>General as a bad server address here can lead to SPF lookup failures, which can in turn lead to legitimate autoresponders/bounces not going out. 

Let me know how that works for you!
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
mark Replied
Hey Kyle,

I looked again at this problem.  Just below the Content Filter Bouncing setting is another setting labelled "bounce messages when blocked by outgoing SMTP blocking".  I found an old copy of a Smartertools antispam guide (I can't find a current version) which gives the following description of this setting:  

Bounce messages when blocked by Outgoing SMTP Blocking - Enable this to give a user a notification when a mail message has not been sent due to its spam probability.

Looking at my logs above this would appear to describe exactly the scenario that resulted in a bounce message being sent for an email that could not be forwarded due to it's spam weight.  I've switched off this setting but if you are able to clarify any (or all) of these anti spam settings that would really help me (and other mail administrators I'm sure) to make sure that we have the most robust configuration.

Thanks again for your help,

Mark...

Reply to Thread