Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Spamfilter don't forward some email
  FAQ FAQ  Forum Search   Register Register  Login Login

Spamfilter don't forward some email

 Post Reply Post Reply
Author
vbourbeau View Drop Down
Newbie
Newbie


Joined: 14 April 2010
Status: Offline
Points: 19
Post Options Post Options   Thanks (0) Thanks(0)   Quote vbourbeau Quote  Post ReplyReply Direct Link To This Post Topic: Spamfilter don't forward some email
    Posted: 06 July 2011 at 10:56am
Spamfilter don't forward some email to my smtp server. As you can see in the log the email is accept but never send to the server. No more entry after. The email in question seems to have image in attachment. But it's not all the email with image just some of it.
 
07/06/11 10:27:21:129 -- (3376) Received MAIL FROM: <mfaucher@xxx.com>
07/06/11 10:27:21:160 -- (3376) Received RCPT TO: dgrenier@ddd.com
07/06/11 10:27:21:535 -- (3376) - SPF analysis for mbiplastic.com done: - none
07/06/11 10:27:21:535 -- (3376) Mail from: mfaucher@xxx.com
07/06/11 10:27:21:848 -- (3376) - MAPS search done...
07/06/11 10:27:21:848 -- (3376) RCPT TO: dgrenier@ddd.com accepted
07/06/11 10:27:21:848 -- (3376) Bypassed all rules for: dgrenier@ddd.com from mfaucher@xxx.com ( Whitelisted EmailTO)
Back to Top
vbourbeau View Drop Down
Newbie
Newbie


Joined: 14 April 2010
Status: Offline
Points: 19
Post Options Post Options   Thanks (0) Thanks(0)   Quote vbourbeau Quote  Post ReplyReply Direct Link To This Post Posted: 06 July 2011 at 11:02am
other one
 
 
07/06/11 10:19:16:889 -- (35768) Detected TCP Connection: 69.70.131.114
07/06/11 10:19:16:889 -- (35768) Connection from: 69.70.131.114  -  Originating country : Canada
07/06/11 10:19:16:920 -- (35768) Received MAIL FROM: <benoit.charpentier@fff.com>
07/06/11 10:19:17:045 -- (35768) Received RCPT TO: mtheberge@ddd.com
07/06/11 10:19:17:639 -- (35768) found SPF record for polyalto.com: v=spf1 a mx ptr include:videotron.com ~all
07/06/11 10:19:17:889 -- (35768) SPF query result: pass
07/06/11 10:19:17:889 -- (35768) - SPF analysis for polyalto.com done: - pass
07/06/11 10:19:17:889 -- (35768) Mail from: benoit.charpentier@fff.com
07/06/11 10:19:17:889 -- (35768) SPF query result: pass
07/06/11 10:19:17:889 -- (35768) - SPF analysis for polyalto.com done: - pass
07/06/11 10:19:17:889 -- (35768) Mail from: benoit.charpentier@fff.com
07/06/11 10:19:18:218 -- (35768) - MAPS search done...
07/06/11 10:19:18:218 -- (35768) RCPT TO: mtheberge@ddd.com accepted
Back to Top
dotme View Drop Down
Newbie
Newbie


Joined: 27 October 2008
Status: Offline
Points: 20
Post Options Post Options   Thanks (0) Thanks(0)   Quote dotme Quote  Post ReplyReply Direct Link To This Post Posted: 06 July 2011 at 1:41pm
The forwarding happens under a different ID number, so search your logs for the next instance of the receipent email address and you should see what's going on with forwarding.
Back to Top
vbourbeau View Drop Down
Newbie
Newbie


Joined: 14 April 2010
Status: Offline
Points: 19
Post Options Post Options   Thanks (0) Thanks(0)   Quote vbourbeau Quote  Post ReplyReply Direct Link To This Post Posted: 06 July 2011 at 1:47pm
I post the id 2792  and few other line... I don't find anything after that


07/06/11 11:02:54:104 -- (2792) Detected TCP Connection: 69.70.131.114
07/06/11 11:02:54:104 -- (2792) Connection from: 69.70.131.114  -  Originating country : Canada
07/06/11 11:02:54:135 -- (2792) Received MAIL FROM: <benoit.charpentier@polyalto.com>
07/06/11 11:02:54:182 -- (2792) Received RCPT TO: mtheberge@bainultra.com
07/06/11 11:02:55:745 -- (2792) found SPF record for polyalto.com: v=spf1 a mx ptr include:videotron.com ~all
07/06/11 11:02:55:823 -- (2792) SPF query result: pass
07/06/11 11:02:55:823 -- (2792) - SPF analysis for polyalto.com done: - pass
07/06/11 11:02:55:823 -- (2792) Mail from: benoit.charpentier@polyalto.com
07/06/11 11:02:56:104 -- (2792) - MAPS search done...
07/06/11 11:02:56:104 -- (2792) RCPT TO: mtheberge@bainultra.com accepted
07/06/11 11:03:18:196 -- (2276) Detected TCP Connection: 89.122.118.72
07/06/11 11:03:18:212 -- (2276) Connection from: 89.122.118.72  -  Originating country : Romania
07/06/11 11:03:18:540 -- (2276) Received MAIL FROM: <palmer@bainsultra.com>
07/06/11 11:03:18:712 -- (2276) Received RCPT TO: palmer@bainsultra.com
07/06/11 11:03:18:712 -- (2276) - IP address is from a blacklisted country...
07/06/11 11:03:18:712 -- (2276) 89.122.118.72 - Mail from: palmer@bainsultra.com To: palmer@bainsultra.com will be rejected
07/06/11 11:03:19:290 -- (2276) Starting quarantine procedures
07/06/11 11:03:19:337 -- (2276) Created thread (832) to add email to quarantine
07/06/11 11:03:19:337 -- (832) Adding to Quarantine file:Qrtn30C5675B-8C9E-4914-A21A-75A0F3A425C0.tmp
07/06/11 11:03:19:368 -- (832) EMail from palmer@bainsultra.com to palmer@bainsultra.com was received and quarantined. Size: 2 KB, 2048 bytes
07/06/11 11:03:19:509 -- (2276) Blacklist cache - Added 89.122.118.72 to limbo
07/06/11 11:03:19:681 -- (2276) SFDB - Added 89.122.118.72 - Response: Error=0
07/06/11 11:03:19:681 -- (2276) Disconnect
07/06/11 11:03:34:852 -- (1496) Starting to process queue directory...
07/06/11 11:03:34:867 -- (760) Running TTerminateIdleThreads - SFTC=4 - SFFC=4
07/06/11 11:03:34:867 -- (760) Running TTerminateIdleThreads SSL - SFTC=0 - SFFC=4
07/06/11 11:03:34:899 -- (4008) Saved GreyListAllowed.txt
07/06/11 11:03:34:899 -- (3700) Blacklist cache - starting cleanup
07/06/11 11:03:34:899 -- (2244) Starting to process quarantine directory...
07/06/11 11:03:35:008 -- (3700) IPcache Limbo - removed 6 entries during cleanup
07/06/11 11:03:54:960 -- (424) No Data Received
07/06/11 11:03:54:960 -- (424) Disconnect
07/06/11 11:03:57:475 -- (3516) Detected TCP Connection: 85.101.21.154
07/06/11 11:03:57:475 -- (3516) Connection from: 85.101.21.154  -  Originating country : Turkey
07/06/11 11:04:00:194 -- (2264) Detected TCP Connection: 220.232.206.9
07/06/11 11:04:00:194 -- (2264) Connection from: 220.232.206.9  -  Originating country : Hong Kong

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 06 July 2011 at 5:40pm
vbourbeau,

The three log snippets are all for 3 different times and different connections. The first recipient in the first snippet - dgrenier@ddd.com - does not appear in the other two. We can't follow what happens unless you have the full log entries relative to an email attempt. 

FYI a typical email sequence will begin with a line similar to the following (all sharing the same thread id - 2792 in this case):

07/06/11 11:02:54:104 -- (2792) Detected TCP Connection: 69.70.131.114
and will finish with:
07/06/11 11:04:51:204 -- (2792) Disconnect

After that, if the email is accepted, there will be more entries showing the email being delivered:

07/06/11 11:04:50:044 -- (796) Sending email from ...userA... to ..userB... -- 
07/06/11 11:04:51:14 -- (796) EMail from ..userA... to ..userB... --  was forwarded to mail2.netwide.net:587


Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
vbourbeau View Drop Down
Newbie
Newbie


Joined: 14 April 2010
Status: Offline
Points: 19
Post Options Post Options   Thanks (0) Thanks(0)   Quote vbourbeau Quote  Post ReplyReply Direct Link To This Post Posted: 07 July 2011 at 8:17am
If you give me your email I can send you the log file. 
Back to Top
vbourbeau View Drop Down
Newbie
Newbie


Joined: 14 April 2010
Status: Offline
Points: 19
Post Options Post Options   Thanks (0) Thanks(0)   Quote vbourbeau Quote  Post ReplyReply Direct Link To This Post Posted: 07 July 2011 at 11:01am
I found the problem... It was a IDS firewall policy who is close the connection. I don't know why because I found nothing in the firewall log. But disactivate this policy let the email enter.
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.281 seconds.