Whitelisting does not exclude spam checks with Declude and Smartermail
Question asked by Steve Guluk - 9/28/2022 at 1:29 PM
Answered
Hello, 
We have a client using a security service (Zix) due to their working in the financial market. We’ve whitelisted the servers that are filtering their emails (in-bound and outbound) and this is clearly shown below in the SMTP logs BUT in the Delivery Logs we are seeing their emails blocked due to a high spam ranking.
How can the whitelists be ignored?
I also added the IP addresses to the Declude whitelist to make sure it was not happening prior to hitting SmarterMail.

SMTP Logs

[2022.09.27] 13:29:29.596 [8.31.233.164][61124116] rsp: 220 mail.sgdesign.net Tue, 27 Sep 2022 20:29:29 +0000 UTC | SmarterMail Enterprise 16.3.0
[2022.09.27] 13:29:29.596 [8.31.233.164][61124116] connected at 9/27/2022 1:29:29 PM
[2022.09.27] 13:29:29.596 [8.31.233.164][61124116] Country code: Unknown
[2022.09.27] 13:29:29.596 [8.31.233.164][61124116] IP in whitelist
[2022.09.27] 13:29:29.627 [8.31.233.164][61124116] cmd: HELO encryptdel201.appriver.com
[2022.09.27] 13:29:29.627 [8.31.233.164][61124116] rsp: 250 mail.sgdesign.net Hello [8.31.233.164]
[2022.09.27] 13:29:29.643 [8.31.233.164][61124116] cmd: MAIL FROM:<karen.mcneill@ticortitle.com>
[2022.09.27] 13:29:29.643 [8.31.233.164][61124116] senderEmail(1): karen.mcneill@ticortitle.com parsed using: <karen.mcneill@ticortitle.com>
[2022.09.27] 13:29:29.643 [8.31.233.164][61124116] rsp: 250 OK <karen.mcneill@ticortitle.com> Sender ok
[2022.09.27] 13:29:29.643 [8.31.233.164][61124116] Sender accepted. Weight: 0. Block threshold: 30. 
[2022.09.27] 13:29:29.659 [8.31.233.164][61124116] cmd: RCPT TO:<pj@idealmfghomes.com>
[2022.09.27] 13:29:29.659 [8.31.233.164][61124116] rsp: 250 OK <pj@idealmfghomes.com> Recipient ok
[2022.09.27] 13:29:29.690 [8.31.233.164][61124116] cmd: DATA
[2022.09.27] 13:29:29.690 [8.31.233.164][61124116] Performing PTR host name lookup for 8.31.233.164
[2022.09.27] 13:29:29.690 [8.31.233.164][61124116] PTR host name for 8.31.233.164 resolved as encryptdel201.appriver.com
[2022.09.27] 13:29:29.690 [8.31.233.164][61124116] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2022.09.27] 13:29:29.706 [8.31.233.164][61124116] senderEmail(2): karen.mcneill@ticortitle.com parsed using: "McNeill, Karen" <Karen.McNeill@ticortitle.com>
[2022.09.27] 13:29:29.971 [8.31.233.164][61124116] rsp: 250 OK
[2022.09.27] 13:29:29.987 [8.31.233.164][61124116] Received message size: 55476 bytes
[2022.09.27] 13:29:29.987 [8.31.233.164][61124116] Successfully wrote to the HDR file. (c:\SmarterMail\Spool\proc\51025202.hdr)
[2022.09.27] 13:29:29.987 [8.31.233.164][61124116] Data transfer succeeded, writing mail to 51025202.eml (MessageID: <DM6PR07MB49072CFC26E152EA40CCE1DE87559@DM6PR07MB4907.namprd07.prod.outlook.com>)
[2022.09.27] 13:29:29.987 [8.31.233.164][61124116] cmd: RSET
[2022.09.27] 13:29:29.987 [8.31.233.164][61124116] rsp: 250 OK
[2022.09.27] 13:29:30.003 [8.31.233.164][61124116] cmd: MAIL FROM:<karen.mcneill@ticortitle.com>
[2022.09.27] 13:29:30.003 [8.31.233.164][61124116] senderEmail(1): karen.mcneill@ticortitle.com parsed using: <karen.mcneill@ticortitle.com>
[2022.09.27] 13:29:30.003 [8.31.233.164][61124116] rsp: 250 OK <karen.mcneill@ticortitle.com> Sender ok
[2022.09.27] 13:29:30.003 [8.31.233.164][61124116] Sender accepted. Weight: 0. Block threshold: 30. 
[2022.09.27] 13:29:30.034 [8.31.233.164][61124116] cmd: RCPT TO:<info@idealmfghomes.com>
[2022.09.27] 13:29:30.034 [8.31.233.164][61124116] rsp: 250 OK <info@idealmfghomes.com> Recipient ok
[2022.09.27] 13:29:30.049 [8.31.233.164][61124116] cmd: DATA
[2022.09.27] 13:29:30.049 [8.31.233.164][61124116] Performing PTR host name lookup for 8.31.233.164
[2022.09.27] 13:29:30.049 [8.31.233.164][61124116] PTR host name for 8.31.233.164 resolved as encryptdel201.appriver.com
[2022.09.27] 13:29:30.049 [8.31.233.164][61124116] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2022.09.27] 13:29:30.331 [8.31.233.164][61124116] rsp: 250 OK
[2022.09.27] 13:29:30.346 [8.31.233.164][61124116] Received message size: 55488 bytes
[2022.09.27] 13:29:30.346 [8.31.233.164][61124116] Successfully wrote to the HDR file. (c:\SmarterMail\Spool\proc\51025203.hdr)
[2022.09.27] 13:29:30.346 [8.31.233.164][61124116] Data transfer succeeded, writing mail to 51025203.eml
[2022.09.27] 13:29:30.346 [8.31.233.164][61124116] cmd: QUIT
[2022.09.27] 13:29:30.346 [8.31.233.164][61124116] rsp: 221 Service closing transmission channel
[2022.09.27] 13:29:30.346 [8.31.233.164][61124116] disconnected at 9/27/2022 1:29:30 PM






Delivery Logs

[2022.09.27] 13:29:36.925 [51025202] Delivery started for karen.mcneill@ticortitle.com at 1:29:36 PM
[2022.09.27] 13:29:36.925 [51025202] pj@idealmfghomes.com is an alias. Expanding recipient list.
[2022.09.27] 13:29:39.925 [51025202] Added to SpamCheckQueue (1 queued; 4/30 processing)
[2022.09.27] 13:29:39.925 [51025202] [SpamCheckQueue] Begin Processing.
[2022.09.27] 13:29:39.925 [51025202] Blocked Sender Checks started.
[2022.09.27] 13:29:39.925 [51025202] Blocked Sender Checks completed.
[2022.09.27] 13:29:39.925 [51025202] Windows Defender Checks error: Unknown error (0x800106ba)
[2022.09.27] 13:29:39.925 [51025202] Spam Checks started.
[2022.09.27] 13:33:23.474 [51025202] Spam Check results: [REVERSE DNS LOOKUP: 0,Passed], [_SPF: 30,Fail], [BACKSCATTER: 0,passed], [BARRACUDA - BRBL: 0,passed], [BONDEDSENDER: 0,passed], [CBL - ABUSE SEAT - DO NOT USE FOR OUTGOING: 0,passed], [DNSBL: 0,passed], [GBUDB: 0,passed], [HOSTKARMA-BLACK: 0,passed], [HOSTKARMA-YELLOW: 0,passed], [IADB: 0,passed], [IX: 0,passed], [MAILSPIKE-H1: 0,passed], [MAILSPIKE-H2: 0,passed], [MAILSPIKE-H3: 0,passed], [MAILSPIKE-H4: 0,passed], [MAILSPIKE-H5: 0,passed], [MAILSPIKE-L1: 0,passed], [MAILSPIKE-L2: 0,passed], [MAILSPIKE-L3: 0,passed], [MAILSPIKE-L4: 0,passed], [MAILSPIKE-L5: 0,passed], [MCAFEE: 0,passed], [MSRBL: 0,passed], [NOABUSE: 0,passed], [NOPOSTMASTER: 0,passed], [SEM-BL: 0,passed], [SEM-URIBL: 0,passed], [SEM-URIRED: 0,passed], [SENDERSCORE: 0,passed], [SORBS 02 - HTTP: 0,passed], [SORBS 03 - SOCKS: 0,passed], [SORBS 04 - MISC: 0,passed], [SORBS 05 - SMTP: 0,passed], [SORBS 06 - RECENT: 0,passed], [SORBS 07 - WEB: 0,passed], [SORBS 08 - BLOCK: 0,passed], [SORBS 09 - ZOMBIE: 0,passed], [SORBS 10 - DYNAMIC IP: 0,passed], [SORBS 11 - BAD CONFIG: 0,passed], [SORBS 12 - NOMAIL: 0,passed], [SORBS 13 - NOSERVER: 0,passed], [SORBS-NEW: 0,passed], [SPAMCOP: 0,passed], [SPAMHAUS - PBL 1: 0,passed], [SPAMHAUS - PBL2: 0,passed], [SPAMHAUS - SBL 1: 0,passed], [SPAMHAUS - SBL 2: 0,passed], [SPAMHAUS - XBL 1: 0,passed], [SPAMHAUS - XBL 2: 0,passed], [SPAMHAUS - XBL 3: 0,passed], [SPAMHAUS - XBL 4: 0,passed], [SPAMHAUS - ZEN: 10,failed], [SPAMRATS: 0,passed], [SURBL: 0,passed], [SURRIEL: 0,passed], [UCEPROTECT LEVEL 1: 0,passed], [UCEPROTECT-2: 0,passed], [UCEPROTECT-3: 0,passed], [URIBL - BLACK: 0,passed], [URIBL - GREY: 0,passed], [URIBL - RED: 0,passed], [URIBL - WHITE: 1 results -2,failed], [VIRUS RBL - MSRBL: 0,passed], [SPAMEATINGMONKEY: 0,passed]
[2022.09.27] 13:33:23.474 [51025202] Spam Checks completed.
[2022.09.27] 13:33:23.474 [51025202] Removed from SpamCheckQueue (9 queued or processing)
[2022.09.27] 13:33:24.943 [51025202] Added to LocalDeliveryQueue (1 queued; 1/50 processing)
[2022.09.27] 13:33:24.943 [51025202] [LocalDeliveryQueue] Begin Processing.
[2022.09.27] 13:33:24.943 [51025202] Starting local delivery to pj1@idealmfghomes.com
[2022.09.27] 13:33:24.943 [51025202] Delivery for karen.mcneill@ticortitle.com to pj1@idealmfghomes.com has completed (Deleted) Filter: Spam (Weight: 34), Action (Global Level): Delete
[2022.09.27] 13:33:24.943 [51025202] End delivery to pj1@idealmfghomes.com (MessageID: <DM6PR07MB49072CFC26E152EA40CCE1DE87559@DM6PR07MB4907.namprd07.prod.outlook.com>)
[2022.09.27] 13:33:24.943 [51025202] Removed from LocalDeliveryQueue (0 queued or processing)
[2022.09.27] 13:33:54.945 [51025202] Added to RemoteDeliveryQueue (1 queued; 1/50 processing)
[2022.09.27] 13:33:54.945 [51025202] [RemoteDeliveryQueue] Begin Processing.
[2022.09.27] 13:33:54.945 [51025202] Sending remote mail from karen.mcneill@ticortitle.com
[2022.09.27] 13:33:54.976 [51025202] Failed to connect to the recipient's mail server. No MX records were found for the 'encryptsh201.appriver.com' domain. Failing over to A records.
[2022.09.27] 13:33:54.976 [51025202] MxRecord count: '1' for domain ''
[2022.09.27] 13:33:54.976 [51025202] Attempting MxRecord Host Name: 'encryptsh201.appriver.com', preference '1', Ip Count: '1'
[2022.09.27] 13:33:54.976 [51025202] Attempting to send to MxRecord 'encryptsh201.appriver.com' ip: '8.31.233.186'
[2022.09.27] 13:33:54.976 [51025202] Sending remote mail to: b4085084c89a07c87ea5013ba2a44171@84386.journal.archive.zixcentral.com
[2022.09.27] 13:33:54.976 [51025202] Initiating connection to 8.31.233.186
[2022.09.27] 13:33:54.976 [51025202] Connecting to 8.31.233.186:25 (Id: 1)
[2022.09.27] 13:33:54.976 [51025202] Binding to local IP 192.168.100.97 (Id: 1)
[2022.09.27] 13:33:54.992 [51025202] Connection to 8.31.233.186:25 from 192.168.100.97:56861 succeeded (Id: 1)
[2022.09.27] 13:33:55.039 [51025202] RSP: 220 ***********************************************************************************
[2022.09.27] 13:33:55.039 [51025202] CMD: EHLO mail.sgdesign.net
[2022.09.27] 13:33:55.070 [51025202] RSP: 250-encryptsh201.appriver.com we trust you mail.sgdesign.net
[2022.09.27] 13:33:55.070 [51025202] RSP: 250-DSN
[2022.09.27] 13:33:55.070 [51025202] RSP: 250-SIZE 104857600
[2022.09.27] 13:33:55.070 [51025202] RSP: 250-STARTTLS
[2022.09.27] 13:33:55.070 [51025202] RSP: 250-ETRN
[2022.09.27] 13:33:55.070 [51025202] RSP: 250-XXXA
[2022.09.27] 13:33:55.070 [51025202] RSP: 250-XXXB
[2022.09.27] 13:33:55.070 [51025202] RSP: 250-XXXXXXXXXXXXC
[2022.09.27] 13:33:55.070 [51025202] RSP: 250-XXXD
[2022.09.27] 13:33:55.070 [51025202] RSP: 250-PIPELINING
[2022.09.27] 13:33:55.070 [51025202] RSP: 250-XXXXXXXE
[2022.09.27] 13:33:55.070 [51025202] RSP: 250 XXXF
[2022.09.27] 13:33:55.070 [51025202] CMD: STARTTLS
[2022.09.27] 13:33:55.101 [51025202] RSP: 220 please start a TLS connection
[2022.09.27] 13:33:55.195 [51025202] CMD: EHLO mail.sgdesign.net
[2022.09.27] 13:33:55.242 [51025202] RSP: 250-encryptsh201.appriver.com we trust you mail.sgdesign.net
[2022.09.27] 13:33:55.242 [51025202] RSP: 250-DSN
[2022.09.27] 13:33:55.242 [51025202] RSP: 250-SIZE 104857600
[2022.09.27] 13:33:55.242 [51025202] RSP: 250-ETRN
[2022.09.27] 13:33:55.242 [51025202] RSP: 250-TURN
[2022.09.27] 13:33:55.242 [51025202] RSP: 250-ATRN
[2022.09.27] 13:33:55.242 [51025202] RSP: 250-NO-SOLICITING
[2022.09.27] 13:33:55.242 [51025202] RSP: 250-HELP
[2022.09.27] 13:33:55.242 [51025202] RSP: 250-PIPELINING
[2022.09.27] 13:33:55.242 [51025202] RSP: 250-SMTPUTF8
[2022.09.27] 13:33:55.242 [51025202] RSP: 250 EHLO
[2022.09.27] 13:33:55.242 [51025202] CMD: MAIL FROM:<karen.mcneill@ticortitle.com> RET=HDRS ENVID=cc93b316-821c-4fc4-ace2-901dc595452c SIZE=56318
[2022.09.27] 13:33:55.273 [51025202] RSP: 250 karen.mcneill@ticortitle.com sender accepted
[2022.09.27] 13:33:55.273 [51025202] CMD: RCPT TO:<b4085084c89a07c87ea5013ba2a44171@84386.journal.archive.zixcentral.com> NOTIFY=FAILURE
[2022.09.27] 13:33:55.304 [51025202] RSP: 250 b4085084c89a07c87ea5013ba2a44171@84386.journal.archive.zixcentral.com accepting mail from a client address
[2022.09.27] 13:33:55.304 [51025202] CMD: DATA
[2022.09.27] 13:33:55.336 [51025202] RSP: 354 Enter mail, end with "." on a line by itself
[2022.09.27] 13:33:55.414 [51025202] RSP: 250 191142352 message accepted for delivery
[2022.09.27] 13:33:55.414 [51025202] CMD: QUIT
[2022.09.27] 13:33:55.445 [51025202] RSP: 221 encryptsh201.appriver.com SMTP closing connection
[2022.09.27] 13:33:55.445 [51025202] Attempt to ip, '8.31.233.186' success: 'True'
[2022.09.27] 13:33:55.445 [51025202] Delivery for karen.mcneill@ticortitle.com to b4085084c89a07c87ea5013ba2a44171@84386.journal.archive.zixcentral.com has completed (Delivered)
[2022.09.27] 13:33:55.445 [51025202] Removed from RemoteDeliveryQueue (1 queued or processing)
[2022.09.27] 13:33:57.945 [51025202] Removing Spool message: Killed: False, Failed: False, Finished: True
[2022.09.27] 13:33:57.945 [51025202] Delivery finished for karen.mcneill@ticortitle.com at 1:33:57 PM    [id:x51025202]







2 Replies

Tim Uzzanti Replied
Employee Post Marked As Answer
Be sure you also have the IP in Antispam > IP Bypass as well!
Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
Tony Scholz Replied
Employee Post
Hello Steve, 

Looking at your Delivery logs, the SPF check is failing. SPF and DKIM are two checks that bypass the Whitelist and will apply spam scores.

[_SPF: 30,Fail],
[SPAMHAUS - ZEN: 10,failed],
[URIBL - WHITE: 1 results -2,failed],


 IMPORTANT NOTE: If SPF and DKIM spam checks are enabled, SmarterMail will run those checks on ALL emails, including those from trusted senders, whitelisted IP addresses and IP bypasses. Because anyone can write any return path that they want when sending a message, this extra check helps prevent spammers from flooding users with hundreds of messages that aren't truly from a trusted sender.

When we look at the connecting IP and the domain's SPF record, it fails.


Following Tim's advice above should resolve this issue by adding your spam filter to the IP Bypass settings so that the SPF and other checks skip the appriver IPs and move on to the next set of IPs in the header.


IP Bypasses allow a System Administrator to prevent spam checks and greylisting on email delivered from specific IP addresses. Typically, this functionality is used to enter the IP address of an inbound gateway. In incoming messages, SmarterMail will analyze the .EML file and pull the most recent IP Address from the header, which will usually be an organization's inbound gateway. Inputting that IP address on this page will allow SmarterMail to analyze the IP of the originating server rather than focusing on the gateway that SmarterMail received the message from. This is important because the majority of the time an organization's incoming gateway will not be listed on any RBL lists, but the originating server may be.
Thank you
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
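
To find other messages hit by the behaviour described in this thread, the following added example (not part of the thread and not SmarterTools code) correlates the two logs by spool ID: it takes SMTP sessions logged as "IP in whitelist", follows the spool file they wrote into the Delivery log, and reports messages the spam filter still acted on, together with the checks that did not pass. The function name is hypothetical, the line formats are assumed to match the logs quoted above, and the sample lines are excerpted and shortened from them.

```python
import re
from collections import defaultdict

# Lines excerpted and shortened from the logs quoted in the thread above.
SMTP_LOG = """\
[2022.09.27] 13:29:29.596 [8.31.233.164][61124116] IP in whitelist
[2022.09.27] 13:29:29.987 [8.31.233.164][61124116] Data transfer succeeded, writing mail to 51025202.eml
[2022.09.27] 13:29:30.346 [8.31.233.164][61124116] Data transfer succeeded, writing mail to 51025203.eml
"""
DELIVERY_LOG = """\
[2022.09.27] 13:33:23.474 [51025202] Spam Check results: [REVERSE DNS LOOKUP: 0,Passed], [_SPF: 30,Fail], [DNSBL: 0,passed], [SPAMHAUS - ZEN: 10,failed], [URIBL - WHITE: 1 results -2,failed]
[2022.09.27] 13:33:24.943 [51025202] Delivery for karen.mcneill@ticortitle.com to pj1@idealmfghomes.com has completed (Deleted) Filter: Spam (Weight: 34), Action (Global Level): Delete
"""

STAMP = r"^\[[\d.]+\] [\d:.]+ "
SMTP_LINE = re.compile(STAMP + r"\[([\d.]+)\]\[(\d+)\] (.*)$")   # ip, session id, text
DELIVERY_LINE = re.compile(STAMP + r"\[(\d+)\] (.*)$")           # spool id, text
WROTE = re.compile(r"writing mail to (\d+)\.eml")
CHECK = re.compile(r"\[([^\[\]:]+): ([^\],]*),(\w+)\]")          # name, value, result
FILTERED = re.compile(r"has completed \((\w+)\) Filter: Spam \(Weight: (\d+)\), Action \(([^)]*)\): (\w+)")

def whitelisted_but_filtered(smtp_log, delivery_log):
    """Hypothetical helper: whitelisted sessions whose mail was still spam-filtered."""
    whitelisted, spool_ip = set(), {}
    for line in smtp_log.splitlines():
        m = SMTP_LINE.match(line)
        if not m:
            continue
        ip, session, text = m.groups()
        if text.strip() == "IP in whitelist":
            whitelisted.add(session)
        w = WROTE.search(text)
        if w and session in whitelisted:
            spool_ip[w.group(1)] = ip          # the spool id links the two logs
    not_passed, findings = defaultdict(list), []
    for line in delivery_log.splitlines():
        m = DELIVERY_LINE.match(line)
        if not m or m.group(1) not in spool_ip:
            continue
        spool, text = m.groups()
        if text.startswith("Spam Check results:"):
            not_passed[spool] = [(n.strip(), v.strip()) for n, v, r in CHECK.findall(text)
                                 if r.lower() != "passed"]
        f = FILTERED.search(text)
        if f:
            findings.append({"spool": spool, "ip": spool_ip[spool], "weight": int(f.group(2)),
                             "action": f.group(4), "not_passed": not_passed[spool]})
    return findings

if __name__ == "__main__":
    for finding in whitelisted_but_filtered(SMTP_LOG, DELIVERY_LOG):
        print(finding)
```

An `_SPF` entry in `not_passed` for a whitelisted gateway IP is the pattern discussed in the replies above.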
