Missing 25% of SPAM
Missing 25% of SPAM - 9.Jun.2008 11:18:26 PM
fatmaninspeedos
Posts: 9
Joined: 4.Jun.2008
Status: offline
Of 33 SPAM messages received today, 11 were not detected as Junk, but 25 were. When I look at GFI Monitor it says "Item processed ok" for the message that was SPAM. When I search the log files for GFI, the only file that picks up my "missed" SPAM is the mtastr.log, which is the GFI Monitor. The caught SPAM is found in a log file. I looked into the Message Tracking Log in Exchange 2003 SP2 and found something common to all messages that "slipped through".

First, when a SPAM message is caught, I get the following Events:

1019 - A new message is submitted to Advanced Queuing.
1025 - A new message was submitted to Advanced Queuing.
1026 - Advanced Queuing could not process the message. The message caused an NDR to be sent, or the message was put in the Badmail folder

When a MISSED SPAM is processed, I get the following Events:

1019 - A new message is submitted to Advanced Queuing.
1025 - A new message was submitted to Advanced Queuing
1024 - Advanced Queuing submitted a message to the categorizer
1033 - SMTP message categorized and queued for routing

Is GFI seeing the missed SPAM? Why is GFI getting some of the SPAM but not all? Debug mode is turned on -- is there anything I can gather from GFI logs to help me get closer to a solution?
RE: Missing 25% of SPAM - 10.Jun.2008 2:42:28 PM
John Letourneau
Posts: 923
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
fatmaninspeedos, If you are looking at the MTASTR.LOG and you see a spam message that was delivered to your user and not caught by GFI MailEssentials you can compare the date and timestamp of that message against ase.gfi_log.txt and ase.gfi_log.bak from ..\Program Files\GFI\MailEssentials\DebugLogs. This log will show the message as it passes through each individual spam module. This should shed some light on the situation for you.
_____________________________
Regards, John Letourneau - Technical Support Representative GFI Software - www.gfi.com
RE: Missing 25% of SPAM - 10.Jun.2008 9:47:16 PM
fatmaninspeedos
Posts: 9
Joined: 4.Jun.2008
Status: offline
I've looked at a few entries in the ase.gfi_log.txt file. My observations are as follows:

1. On messages that "slipped" through, it looks as if GFI put the email through all the filters and it came up with no spam detected. I see the init, process, and uninit for all the GFI modules.
2. On messages that were "caught", during the process message, it says STOPPING ASE PROCESSING CHAIN and the dwModuleResult is 10.
3. On multiple messages that "slipped" through, there is a 14 second gap between 2 "ProcessMessage" entries for DNS Blacklist.
4. On messages that were "caught", there is only a 2 second gap between 2 "ProcessMessage" entries for DNS Blacklist. Some messages that were "caught" took 14 seconds too.
5. On one instance of a message that "slipped", there is a 21 second gap between 2 "ProcessMessage" entries for Spam URI Realtime Blacklist.

Does this information help diagnose what the issue is? Is there something else in the log I should be looking for? Thanks.
RE: Missing 25% of SPAM - 11.Jun.2008 9:31:54 AM
John Letourneau
Posts: 923
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
fatmaninspeedos, It does help to an extent. The fact that you are seeing 14 second gaps in your DNS checks could mean that some spam is getting through due to DNS timeouts. Which DNS Blacklists do you have enabled?
_____________________________
Regards, John Letourneau - Technical Support Representative GFI Software - www.gfi.com
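
The failure mode discussed in the post above, as an added example that is not part of the original thread and not GFI's code: a DNSBL lookup that times out gives no verdict, so a filter that treats "no answer" as "not listed" passes the message. The zones, the `fake_resolve` stand-in for DNS and the sample IP are constructed so the block runs offline; pass `socket.gethostbyname` (the default) to query real lists.

```python
import ipaddress
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

def dnsbl_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_zone(ip, zone, resolve=socket.gethostbyname, timeout=3.0):
    """Return (verdict, seconds); verdict is listed/not_listed/timeout/error."""
    start = time.monotonic()
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        answer = pool.submit(resolve, dnsbl_name(ip, zone)).result(timeout=timeout)
        verdict = "listed" if answer.startswith("127.") else "error"
    except LookupTimeout:
        verdict = "timeout"            # no answer in time: NOT the same as clean
    except socket.gaierror as exc:     # NXDOMAIN means the IP is not on the list
        verdict = "not_listed" if exc.errno == socket.EAI_NONAME else "error"
    finally:
        pool.shutdown(wait=False)      # do not block on the stalled lookup
    return verdict, time.monotonic() - start

def summarize(ip, zones, resolve=socket.gethostbyname, timeout=3.0):
    """Overall verdict that keeps 'no answer' distinct from 'clean'."""
    results = {z: check_zone(ip, z, resolve, timeout) for z in zones}
    verdicts = {v for v, _ in results.values()}
    if "listed" in verdicts:
        overall = "spam"
    elif verdicts & {"timeout", "error"}:
        overall = "indeterminate"
    else:
        overall = "clean"
    return overall, results

# Constructed stand-in for DNS so the example runs offline (hypothetical zones).
ZONES = ["fast.dnsbl.example", "slow.dnsbl.example"]

def fake_resolve(name):
    if name.endswith("slow.dnsbl.example"):
        time.sleep(0.3)                # slow list that WOULD have listed the IP
        return "127.0.0.2"
    raise socket.gaierror(socket.EAI_NONAME, "constructed NXDOMAIN")

if __name__ == "__main__":
    for limit in (0.05, 2.0):          # tight vs. generous lookup timeout
        overall, results = summarize("192.0.2.10", ZONES, fake_resolve, limit)
        print(limit, overall, {z: v for z, (v, _) in results.items()})
```

The per-zone seconds returned by `check_zone` are the same kind of measurement as the gaps between "ProcessMessage" entries noted earlier in the thread: a zone that regularly approaches the timeout is a candidate for disabling or for a faster resolver.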
RE: Missing 25% of SPAM - 11.Jun.2008 10:36:00 AM
fatmaninspeedos
Posts: 9
Joined: 4.Jun.2008
Status: offline
I have all DNS blacklists enabled and all SURBLs enabled as well. Should I not have all enabled? Is there a website that explains which lists do what? Since my last post I reconfigured DNS on that machine so that names would resolve faster. The 'test' button now returns success much faster and this morning I've noticed an improvement in SPAM being caught.
RE: Missing 25% of SPAM - 11.Jun.2008 11:29:47 AM
John Letourneau
Posts: 923
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
fatmaninspeedos, As far as getting up to speed on DNS Blacklists I'd suggest reading http://en.wikipedia.org/wiki/DNSBL and then http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists. I would not recommend having them all enabled. As it currently stands on 6/11/2008 I'd suggest bl.spamcop.net and zen.spamhaus.org as long as you are using GFI MailEssentials 12 build 20071005 or above. If you are using an older build than this then I would suggest bl.spamcop.net and sbl-xbl.spamhaus.org.
_____________________________
Regards, John Letourneau - Technical Support Representative GFI Software - www.gfi.com
RE: Missing 25% of SPAM - 11.Jun.2008 11:59:59 AM
fatmaninspeedos
Posts: 9
Joined: 4.Jun.2008
Status: offline
Thanks for the information. What is your recommendation for Spam URI Realtime blacklists? Which ones should be enabled?
RE: Missing 25% of SPAM - 23.Jun.2008 11:27:24 AM
John Letourneau
Posts: 923
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
fatmaninspeedos, I would recommend using multi.surbl.org as it checks the servers listed above.
_____________________________
Regards, John Letourneau - Technical Support Representative GFI Software - www.gfi.com