Why are my rules not firing? (7391)
Problem reported by Robert Simpson - 4/1/2020 at 7:42 AM
Being Fixed
Given a header that looks like below, two issues.  Number one, Cyren is unknown?  Number two, my custom rule that checks the "Received" header(s) for contains "mailgun.net" should've fired on this e-mail.  

I'm getting a ton more spam than I used to get with the latest build.  All my incoming e-mails have "Cyren: [Unknown]" in them, and I'm definitely licensed.

Return-Path: <bounce+1e9bd1.8eebc0-xxx@email.healthywage.com>
Received: from m36-135.mailgun.net (m36-135.mailgun.net [69.72.36.135]) by mail.bcsft.com with SMTP
(version=TLS\Tls12
cipher=Aes256 bits=256);
Tue, 31 Mar 2020 23:31:13 -0700
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=email.healthywage.com;
q=dns/txt; s=mx; t=1585722629; h=Content-Type: Mime-Version: Subject:
From: To: Reply-To: List-Unsubscribe: X-Feedback-Id: Message-Id:
Sender: Date; bh=TPkb15bapQv3HqL51sZqDJlOMZSvhG5ZcZTU/EdlO+U=; b=CIrQ34OBA0uOuRpBn2rwiBTKmNl6u9b+gCjzDUSu6AOlTRBrCdn5tWnpj3dbI90Okh9FNlj5
bTTDxJPfU0dGWKLaOt2vGDvLtAc1HTrEb0VqH5SAiRG2VnrcU++H4FCHVNddJKNDGDewlhjP
MKPl4sJYlBK2meYyFEi+wQfhwow=
X-Mailgun-Sending-Ip: 69.72.36.135
X-Mailgun-Sid: WyIwNDkxYyIsICJzcGFtZmlsdGVyQGJsYWNrY2FzdGxlc29mdC5jb20iLCAiOGVlYmMwIl0=
Received: by luna.mailgun.net with HTTP; Wed, 01 Apr 2020 06:30:14 +0000
Date: Wed, 01 Apr 2020 06:30:14 +0000
Sender: info@email.healthywage.com
Message-Id: <20200401063014.1.2EEDC9FF5F417E91@email.healthywage.com>
X-Mailgun-Variables: {"metadata": "{\"campaignId\":918129,\"messageId\":\"e2fbee559afa475086a8abe6cfbfb762\",\"templateId\":1289578,\"projectId\":6312}"}
Return-Path: bounces@email.healthywage.com
X-Feedback-Id: 1289578:918129:22854:iterable
X-Campaign-Id: 918129
Feedback-Id: 1289578:918129:22854:iterable
X-Message-Id: e2fbee559afa475086a8abe6cfbfb762
List-Unsubscribe: <http://links.healthywage.com/e/encryptedUnsubscribe?_r=ef780e65343d41e79218ff4001b79f74&_s=e2fbee559afa475086a8abe6cfbfb762&_t=x0ZUNJPd7aCZ74sxAG5st86VJdhMfyfwbxwBFG4CJ_pyLzPrLihZFyGALFxod7CnKP4YYZe2ox87jFuAueXLqnnAKqruPF6F9VBh4sLSrP48lg3ksiiPCO1FO7v7Wc3B4Y8EBuLOs3yBdtHseKgqVYLou6v8czkO4k7gdT_mHDWK-tflANGmgQGhkeTY9AUI>;,
<mailto:unsubscribe+918129+1289578@iterable.com>
Reply-To: info@healthywage.com
To: xxx
From: HealthyWage Team <info@email.healthywage.com>
Subject: $40 will be added to your prize!
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="106e784f99f74cbb95768875828b73c2"
X-SmarterMail-Spam: Cyren [Unknown]: 0, ISpamAssassin [raw:1]: 0, SPF [Pass]: 0, DK [None]: 0, DKIM [Pass]: 0
X-SmarterMail-SpamDetail: 0.7 DIET_1 Lose Weight Spam
X-SmarterMail-SpamDetail: 0.5 FRT_TODAY2 ReplaceTags: Today (2)
X-CTCH-RefId: str=0001.0A090201.5E843520.0009,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-SmarterMail-TotalSpamWeight: 0

17 Replies

Reply to Thread
0
echoDreamz Replied
We are seeing Cyren unknown as well, for all messages. Something does seem wrong.
0
Sébastien Riccio Replied
Just a little note about the Cyren "Unknown". Usually this does mean that cyren servers returned they have no matching pattern for this particular e-mail so it's not considered as a spam.

"Suspect" means what it means, it could be a SPAM but not sure yet.
"ValidBulk" is bulk mails from known legit mail sources
"Bulk" is bulk mails from unknown source but not considered as real SPAM
"Confirmed", "High", and "Virus" should be considered as SPAM.

Probably in your case, it has not been classified yet by cyren.

About the header check, you use Received. There is multiple received headers maybe it could be source of your issue ?

Try maybe with X-Mailgun-Sid ? How is your rule configured ? using Regex ?

Kind regards


Sébastien Riccio
System & Network Admin

0
echoDreamz Replied
20 thousand emails though? All unknown, not a single bulk, suspected or confirmed email? No way. I know what "unknown" means, there is no way out of 20k emails that not a single one of them has been even suspected of spam.
1
Matt Petty Replied
Employee Post
For anyone who is running the latest beta you can search delivery logs for "[Cyren Client]" and verify that your "Enabled Services: XXXX", matches your license for Cyren. For us it's All, depending on how you've got your licenses it will either be All, Antispam, Antivirus

I was sent a snippet yesterday and it appears enabled services was only showing "Antivirus", even though they were have both trial licenses. We're looking into this now and seeing if there might be a problem. Anyone else able to verify that it's correct on there system or if it's not showing correct I can get more info.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Robert Simpson Replied
[2020.04.02] 00:33:28.444 [Cyren Client] Cyren Daemon Started.
[2020.04.02] 00:33:28.444 [Cyren Client] TestConnectionToCyren
[2020.04.02] 00:33:28.444 [Cyren Client] Start Scanning Message. Enabled Services: AntiVirus, MailFrom: bounces+179605-4073-xxxxx=me.com@email.news.easyhealthoptions.com, SenderIP: 17.58.38.39, MessagePath: c:\SmarterMail\Spool\SubSpool9\647124641715.eml
[2020.04.02] 00:33:29.475 [Cyren Client] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:8088
[2020.04.02]    at MailService.Spam.SmCyrenClient.<TestConnectionToCyren>d__26.MoveNext()
[2020.04.02] 00:33:29.475 [CyrenClient] Test connection to Cyren Daemon failed.
[2020.04.02] 00:33:29.475 [Cyren Client] Cyren Error: An error occurred while sending the request.
[2020.04.02] 00:33:29.475 [41715] Unable to run Cyren check: An error occurred while sending the request. | error
0
Matt Petty Replied
Employee Post
Robert can you do these steps.
Task Manager Kill ctasd.exe
Open Command Prompt
RUN ->  cd "C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Cyren"
THEN RUN -> bin\ctasd.exe -i -c etc\ctasd.conf

This should boot up the Cyren daemon into a window. I'm just curious what the output of that window is and if it indicates any issues. You should see something like this below if it connects successfully.

Loading configuration file etc\ctasd.conf
Synchronize proactive patterns...
Synchronize patterns finished
Http server listening on port 8088
Spamd server listening on port 7830
Stat server is disabled
Ready
Ready


Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Robert Simpson Replied
C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Cyren>bin\ctasd.exe -i -c etc\ctasd.conf
Loading configuration file etc\ctasd.conf
Synchronize proactive patterns...
Synchronize patterns finished
Http server listening on port 8088
Spamd server listening on port 7830
Stat server is disabled
Ready
Ready
Delivery log:
[2020.04.02] 11:10:20.109 [42313] Delivery started for HomeCleaningServicesinyourArea-user=email.com@xrhapticsuits.com at 11:10:20 AM
[2020.04.02] 11:10:32.173 [42313] Added to SpamCheckQueue (0 queued; 1/30 processing)
[2020.04.02] 11:10:32.173 [42313] [SpamCheckQueue] Begin Processing.
[2020.04.02] 11:10:32.265 [42313] Starting Spam Checks.
[2020.04.02] 11:10:32.281 [Cyren Client] Start Scanning Message. Enabled Services: AntiVirus, MailFrom: HomeCleaningServicesinyourArea-user=email.com@xrhapticsuits.com, SenderIP: 45.131.0.118, MessagePath: c:\SmarterMail\Spool\SubSpool9\647124642313.eml
[2020.04.02] 11:10:32.422 [Cyren Client] Done Scanning Message. MessagePath: c:\SmarterMail\Spool\SubSpool9\647124642313.eml Results AV: Unknown, AS: Did not run.
[2020.04.02] 11:10:33.703 [42313] Spam check results: [REVERSE DNS LOOKUP: 0,Passed], [_CYREN: 0,Unknown], [_INTERNALSPAMASSASSIN: 5:1], [_SPF: 0,None], [_DK: 0,None], [_DKIM: 5,None], [BACKSCATTER: 0,passed], [CBL: 0,passed], [DNS REAL-TIME BLACKHOLE LIST: 0,passed], [HOSTKARMA - BLACKLIST: 0,passed], [HOSTKARMA - BROWNLIST: 0,passed], [MAILSPIKE L3: 0,passed], [MAILSPIKE L4: 0,passed], [MAILSPIKE L5: 0,passed], [MCAFEE: 0,passed], [SEM - BLACK: 0,passed], [SORBS - ABUSE: 0,passed], [SORBS - DYNAMIC IP: 0,passed], [SORBS - NO SERVER: 0,passed], [SORBS - NOMAIL: 0,passed], [SORBS - PROXY: 0,passed], [SORBS - RECENT: 0,passed], [SORBS - SOCKS: 0,passed], [SPAMCOP: 0,passed], [SPAMHAUS - CSS: 0,passed], [SPAMHAUS - PBL: 0,passed], [SPAMHAUS - SBL: 0,passed], [SURRIEL: 0,passed], [TRUNCATE: 0,passed], [UCEPROTECT LEVEL 1: 0,passed], [UCEPROTECT LEVEL 2: 0,passed], [UCEPROTECT LEVEL 3: 0,passed], [SURBL: 0,passed], [SEM-URI: 0,passed], [URIBL BLACK: 0,passed], [URIBL GREY: 0,passed], [URIBL RED: 0,passed], [SPAMRATS: 0,passed], [SEM-FRESH30: 0,passed], [SEM-FRESHZERO: 0,passed]
[2020.04.02] 11:10:33.703 [42313] Spam Checks completed.
[2020.04.02] 11:10:33.703 [42313] Removed from SpamCheckQueue (0 queued or processing)
[2020.04.02] 11:10:35.203 [42313] Added to LocalDeliveryQueue (0 queued; 1/50 processing)
[2020.04.02] 11:10:35.203 [42313] [LocalDeliveryQueue] Begin Processing.
[2020.04.02] 11:10:35.203 [42313] Starting local delivery to user@email.com
[2020.04.02] 11:10:35.219 [42313] Process delivery status notification step from local recipient success. Recipient: [user@email.com], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2020.04.02] 11:10:35.219 [42313] Delivery for HomeCleaningServicesinyourArea-user=email.com@xrhapticsuits.com to user@email.com has completed (Delivered) Filter: None
[2020.04.02] 11:10:35.219 [42313] End delivery to user@email.com (MessageID: )
[2020.04.02] 11:10:35.219 [42313] Removed from LocalDeliveryQueue (0 queued or processing)
[2020.04.02] 11:10:38.219 [42313] Removing Spool message: Killed: False, Failed: False, Finished: True
[2020.04.02] 11:10:38.219 [42313] Delivery finished for HomeCleaningServicesinyourArea-user=email.com@xrhapticsuits.com at 11:10:38 AM    [id:647124642313]
0
Robert Simpson Replied
FWIW, I'm licensed for antispam, but not antivirus.

0
Matt Petty Replied
Employee Post
Can you private message me the license key listed in that ctasd.conf file? 
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Robert Simpson Replied
Done
0
echoDreamz Replied
DM'd you as well Matt, restarting the Cyren process did not change the enabled services.
0
echoDreamz Replied
Loading configuration file etc\ctasd.conf
Synchronize proactive patterns...
Synchronize patterns finished
Http server listening on port 8088
Spamd server listening on port 7830
Stat server is disabled
Ready
Ready
No issues. But it still only reports that AV is enabled.
1
Matt Petty Replied
Employee Post
I may have found the issue that atleast Robert was having. Chris are you enabled for just antispam? I can reproduce this problem if you have 1 of 2 services enabled. If both services are enabled it should work fine. Either way I'm going to be addressing the specific issue where if you would have AS enabled it would think you have AV and vice versa.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
echoDreamz Replied
Matt, Yes, I just have AntiSpam enabled.
0
Matt Petty Replied
Employee Post
We've got some fixes going out today for this, Chris I'm aware you are seeing some other license related issues. Are those still occuring? Would be curious to know after the update if this continues for you.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
echoDreamz Replied
Matt, it did start working, about ~12 hours after enabling the trial of AV.
1
Robert Simpson Replied
Latest 7398 fixes my cyren antispam
Jury's still out on my custom rules.

Reply to Thread