Why are my rules not firing? (7391)

Problem reported by Robert Simpson - 4/1/2020 at 7:42 AM

Resolved

Given a header that looks like below, two issues. Number one, Cyren is unknown? Number two, my custom rule that checks the "Received" header(s) for contains "mailgun.net" should've fired on this e-mail.

I'm getting a ton more spam than I used to get with the latest build. All my incoming e-mails have "Cyren: [Unknown]" in them, and I'm definitely licensed.

Return-Path: <bounce+1e9bd1.8eebc0-xxx@email.healthywage.com>
Received: from m36-135.mailgun.net (m36-135.mailgun.net [69.72.36.135]) by mail.bcsft.com with SMTP
(version=TLS\Tls12
cipher=Aes256 bits=256);
Tue, 31 Mar 2020 23:31:13 -0700
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=email.healthywage.com;
q=dns/txt; s=mx; t=1585722629; h=Content-Type: Mime-Version: Subject:
From: To: Reply-To: List-Unsubscribe: X-Feedback-Id: Message-Id:
Sender: Date; bh=TPkb15bapQv3HqL51sZqDJlOMZSvhG5ZcZTU/EdlO+U=; b=CIrQ34OBA0uOuRpBn2rwiBTKmNl6u9b+gCjzDUSu6AOlTRBrCdn5tWnpj3dbI90Okh9FNlj5
bTTDxJPfU0dGWKLaOt2vGDvLtAc1HTrEb0VqH5SAiRG2VnrcU++H4FCHVNddJKNDGDewlhjP
MKPl4sJYlBK2meYyFEi+wQfhwow=
X-Mailgun-Sending-Ip: 69.72.36.135
X-Mailgun-Sid: WyIwNDkxYyIsICJzcGFtZmlsdGVyQGJsYWNrY2FzdGxlc29mdC5jb20iLCAiOGVlYmMwIl0=
Received: by luna.mailgun.net with HTTP; Wed, 01 Apr 2020 06:30:14 +0000
Date: Wed, 01 Apr 2020 06:30:14 +0000
Sender: info@email.healthywage.com
Message-Id: <20200401063014.1.2EEDC9FF5F417E91@email.healthywage.com>
X-Mailgun-Variables: {"metadata": "{\"campaignId\":918129,\"messageId\":\"e2fbee559afa475086a8abe6cfbfb762\",\"templateId\":1289578,\"projectId\":6312}"}
Return-Path: bounces@email.healthywage.com
X-Feedback-Id: 1289578:918129:22854:iterable
X-Campaign-Id: 918129
Feedback-Id: 1289578:918129:22854:iterable
X-Message-Id: e2fbee559afa475086a8abe6cfbfb762
List-Unsubscribe: <http://links.healthywage.com/e/encryptedUnsubscribe?_r=ef780e65343d41e79218ff4001b79f74&_s=e2fbee559afa475086a8abe6cfbfb762&_t=x0ZUNJPd7aCZ74sxAG5st86VJdhMfyfwbxwBFG4CJ_pyLzPrLihZFyGALFxod7CnKP4YYZe2ox87jFuAueXLqnnAKqruPF6F9VBh4sLSrP48lg3ksiiPCO1FO7v7Wc3B4Y8EBuLOs3yBdtHseKgqVYLou6v8czkO4k7gdT_mHDWK-tflANGmgQGhkeTY9AUI>;,
<mailto:unsubscribe+918129+1289578@iterable.com>
Reply-To: info@healthywage.com
To: xxx
From: HealthyWage Team <info@email.healthywage.com>
Subject: $40 will be added to your prize!
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="106e784f99f74cbb95768875828b73c2"
X-SmarterMail-Spam: Cyren [Unknown]: 0, ISpamAssassin [raw:1]: 0, SPF [Pass]: 0, DK [None]: 0, DKIM [Pass]: 0
X-SmarterMail-SpamDetail: 0.7 DIET_1 Lose Weight Spam
X-SmarterMail-SpamDetail: 0.5 FRT_TODAY2 ReplaceTags: Today (2)
X-CTCH-RefId: str=0001.0A090201.5E843520.0009,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-SmarterMail-TotalSpamWeight: 0

17 Replies

Reply to Thread

echoDreamz Replied

4/1/2020 at 11:05 AM

We are seeing Cyren unknown as well, for all messages. Something does seem wrong.

Sébastien Riccio Replied

4/1/2020 at 1:15 PM

Just a little note about the Cyren "Unknown". Usually this does mean that cyren servers returned they have no matching pattern for this particular e-mail so it's not considered as a spam.

"Suspect" means what it means, it could be a SPAM but not sure yet.

"ValidBulk" is bulk mails from known legit mail sources

"Bulk" is bulk mails from unknown source but not considered as real SPAM

"Confirmed", "High", and "Virus" should be considered as SPAM.

Probably in your case, it has not been classified yet by cyren.

About the header check, you use Received. There is multiple received headers maybe it could be source of your issue ?

Try maybe with X-Mailgun-Sid ? How is your rule configured ? using Regex ?

Kind regards

Sébastien Riccio System & Network Admin https://swisscenter.com

echoDreamz Replied

4/1/2020 at 1:17 PM

20 thousand emails though? All unknown, not a single bulk, suspected or confirmed email? No way. I know what "unknown" means, there is no way out of 20k emails that not a single one of them has been even suspected of spam.

Matt Petty Replied

4/2/2020 at 10:19 AM

Employee Post

For anyone who is running the latest beta you can search delivery logs for "[Cyren Client]" and verify that your "Enabled Services: XXXX", matches your license for Cyren. For us it's All, depending on how you've got your licenses it will either be All, Antispam, Antivirus

I was sent a snippet yesterday and it appears enabled services was only showing "Antivirus", even though they were have both trial licenses. We're looking into this now and seeing if there might be a problem. Anyone else able to verify that it's correct on there system or if it's not showing correct I can get more info.

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com

Robert Simpson Replied

4/2/2020 at 10:35 AM

[2020.04.02] 00:33:28.444 [Cyren Client] Cyren Daemon Started.
[2020.04.02] 00:33:28.444 [Cyren Client] TestConnectionToCyren
[2020.04.02] 00:33:28.444 [Cyren Client] Start Scanning Message. Enabled Services: AntiVirus, MailFrom: bounces+179605-4073-xxxxx=me.com@email.news.easyhealthoptions.com, SenderIP: 17.58.38.39, MessagePath: c:\SmarterMail\Spool\SubSpool9\647124641715.eml
[2020.04.02] 00:33:29.475 [Cyren Client] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:8088
[2020.04.02]    at MailService.Spam.SmCyrenClient.<TestConnectionToCyren>d__26.MoveNext()
[2020.04.02] 00:33:29.475 [CyrenClient] Test connection to Cyren Daemon failed.
[2020.04.02] 00:33:29.475 [Cyren Client] Cyren Error: An error occurred while sending the request.
[2020.04.02] 00:33:29.475 [41715] Unable to run Cyren check: An error occurred while sending the request. | error

Matt Petty Replied

4/2/2020 at 10:58 AM

Employee Post

Robert can you do these steps.
Task Manager Kill ctasd.exe
Open Command Prompt
RUN -> cd "C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Cyren"

THEN RUN -> bin\ctasd.exe -i -c etc\ctasd.conf

This should boot up the Cyren daemon into a window. I'm just curious what the output of that window is and if it indicates any issues. You should see something like this below if it connects successfully.

Loading configuration file etc\ctasd.conf
Synchronize proactive patterns...
Synchronize patterns finished
Http server listening on port 8088
Spamd server listening on port 7830
Stat server is disabled
Ready
Ready

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com

Robert Simpson Replied

4/2/2020 at 11:15 AM

C:\Program Files (x86)\SmarterTools\SmarterMail\Service\Cyren>bin\ctasd.exe -i -c etc\ctasd.conf
Loading configuration file etc\ctasd.conf
Synchronize proactive patterns...
Synchronize patterns finished
Http server listening on port 8088
Spamd server listening on port 7830
Stat server is disabled
Ready
Ready

Delivery log:

[2020.04.02] 11:10:20.109 [42313] Delivery started for HomeCleaningServicesinyourArea-user=email.com@xrhapticsuits.com at 11:10:20 AM
[2020.04.02] 11:10:32.173 [42313] Added to SpamCheckQueue (0 queued; 1/30 processing)
[2020.04.02] 11:10:32.173 [42313] [SpamCheckQueue] Begin Processing.
[2020.04.02] 11:10:32.265 [42313] Starting Spam Checks.
[2020.04.02] 11:10:32.281 [Cyren Client] Start Scanning Message. Enabled Services: AntiVirus, MailFrom: HomeCleaningServicesinyourArea-user=email.com@xrhapticsuits.com, SenderIP: 45.131.0.118, MessagePath: c:\SmarterMail\Spool\SubSpool9\647124642313.eml
[2020.04.02] 11:10:32.422 [Cyren Client] Done Scanning Message. MessagePath: c:\SmarterMail\Spool\SubSpool9\647124642313.eml Results AV: Unknown, AS: Did not run.
[2020.04.02] 11:10:33.703 [42313] Spam check results: [REVERSE DNS LOOKUP: 0,Passed], [_CYREN: 0,Unknown], [_INTERNALSPAMASSASSIN: 5:1], [_SPF: 0,None], [_DK: 0,None], [_DKIM: 5,None], [BACKSCATTER: 0,passed], [CBL: 0,passed], [DNS REAL-TIME BLACKHOLE LIST: 0,passed], [HOSTKARMA - BLACKLIST: 0,passed], [HOSTKARMA - BROWNLIST: 0,passed], [MAILSPIKE L3: 0,passed], [MAILSPIKE L4: 0,passed], [MAILSPIKE L5: 0,passed], [MCAFEE: 0,passed], [SEM - BLACK: 0,passed], [SORBS - ABUSE: 0,passed], [SORBS - DYNAMIC IP: 0,passed], [SORBS - NO SERVER: 0,passed], [SORBS - NOMAIL: 0,passed], [SORBS - PROXY: 0,passed], [SORBS - RECENT: 0,passed], [SORBS - SOCKS: 0,passed], [SPAMCOP: 0,passed], [SPAMHAUS - CSS: 0,passed], [SPAMHAUS - PBL: 0,passed], [SPAMHAUS - SBL: 0,passed], [SURRIEL: 0,passed], [TRUNCATE: 0,passed], [UCEPROTECT LEVEL 1: 0,passed], [UCEPROTECT LEVEL 2: 0,passed], [UCEPROTECT LEVEL 3: 0,passed], [SURBL: 0,passed], [SEM-URI: 0,passed], [URIBL BLACK: 0,passed], [URIBL GREY: 0,passed], [URIBL RED: 0,passed], [SPAMRATS: 0,passed], [SEM-FRESH30: 0,passed], [SEM-FRESHZERO: 0,passed]
[2020.04.02] 11:10:33.703 [42313] Spam Checks completed.
[2020.04.02] 11:10:33.703 [42313] Removed from SpamCheckQueue (0 queued or processing)
[2020.04.02] 11:10:35.203 [42313] Added to LocalDeliveryQueue (0 queued; 1/50 processing)
[2020.04.02] 11:10:35.203 [42313] [LocalDeliveryQueue] Begin Processing.
[2020.04.02] 11:10:35.203 [42313] Starting local delivery to user@email.com
[2020.04.02] 11:10:35.219 [42313] Process delivery status notification step from local recipient success. Recipient: [user@email.com], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2020.04.02] 11:10:35.219 [42313] Delivery for HomeCleaningServicesinyourArea-user=email.com@xrhapticsuits.com to user@email.com has completed (Delivered) Filter: None
[2020.04.02] 11:10:35.219 [42313] End delivery to user@email.com (MessageID: )
[2020.04.02] 11:10:35.219 [42313] Removed from LocalDeliveryQueue (0 queued or processing)
[2020.04.02] 11:10:38.219 [42313] Removing Spool message: Killed: False, Failed: False, Finished: True
[2020.04.02] 11:10:38.219 [42313] Delivery finished for HomeCleaningServicesinyourArea-user=email.com@xrhapticsuits.com at 11:10:38 AM    [id:647124642313]

Robert Simpson Replied

4/2/2020 at 11:16 AM

FWIW, I'm licensed for antispam, but not antivirus.

Matt Petty Replied

4/2/2020 at 12:19 PM

Employee Post

Can you private message me the license key listed in that ctasd.conf file?

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com

Robert Simpson Replied

4/2/2020 at 12:25 PM

Done

echoDreamz Replied

4/2/2020 at 12:26 PM

DM'd you as well Matt, restarting the Cyren process did not change the enabled services.

echoDreamz Replied

4/2/2020 at 12:33 PM

Loading configuration file etc\ctasd.conf
Synchronize proactive patterns...
Synchronize patterns finished
Http server listening on port 8088
Spamd server listening on port 7830
Stat server is disabled
Ready
Ready

No issues. But it still only reports that AV is enabled.

Matt Petty Replied

4/2/2020 at 1:01 PM

Employee Post

I may have found the issue that atleast Robert was having. Chris are you enabled for just antispam? I can reproduce this problem if you have 1 of 2 services enabled. If both services are enabled it should work fine. Either way I'm going to be addressing the specific issue where if you would have AS enabled it would think you have AV and vice versa.

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com

echoDreamz Replied

4/2/2020 at 1:26 PM

Matt, Yes, I just have AntiSpam enabled.

Matt Petty Replied

4/3/2020 at 11:17 AM

Employee Post

We've got some fixes going out today for this, Chris I'm aware you are seeing some other license related issues. Are those still occuring? Would be curious to know after the update if this continues for you.

Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com

echoDreamz Replied

4/3/2020 at 12:24 PM

Matt, it did start working, about ~12 hours after enabling the trial of AV.

Robert Simpson Replied

4/3/2020 at 12:56 PM

Latest 7398 fixes my cyren antispam

Jury's still out on my custom rules.

Back to Community Threads

Please leave this box unchecked

17 Replies

Reply to Thread

Tags

Related Knowledge Base Articles