NDR spam

NDR spam - 22.Oct.2009 8:43:44 AM   
icccapital
Posts: 36
Joined: 4.May2006
Status: offline
http://kbase.gfi.com/showarticle.asp?id=KBID003322

I have a user who is receiving immense amounts of mail delivery emails.  I performed the above actions a few days ago, but these are still getting through the filter.  I watch the filter and it is catching quite a few of these emails, but still quite a few are getting through.  He probably received around 50 last night.

I also turned off "allow non-delivery reports" in exchange.  I am at a loss on this.  Any other ideas or ways to try to discover the problem?
Post #: 1
RE: NDR spam - 22.Oct.2009 8:48:57 AM   
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
Which version are you using? If it's 14.x, then what does the dashboard say happened to the emails? If before v14, then what does the monitor say?

Did you restart IIS Admin, or run IISRESET, after changing settings/registry entries?

The "allow non-delivery reports" in exchange only affects outbound reports from the server, ie if someone emails a non-existing user in your system.

_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to icccapital)
Post #: 2
RE: NDR spam - 22.Oct.2009 9:10:14 AM   
icccapital
Posts: 36
Joined: 4.May2006
Status: offline
We are running mailessentials 14.1

I did restart the iis admin service, but did not run iisreset.  I will give that a try right now.

And I did understand that the non-delivery had to do with outbound emails, but I was thinking that it is possible we got into a bouncing of NDR reports effect, but I guess that doesn't make much sense in this case now that I think about it.

(in reply to RSP)
Post #: 3
RE: NDR spam - 22.Oct.2009 9:15:53 AM   
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
Actually, 14.1 was a big change and now you need to restart the GFI services - I forget which one, probably the scan service, but restarting the lot won't hurt. I still don't understand why it was a point revision!

The dashboard may give you more clues as to what's happening. If not, it's time to delve into the debug logs...

_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to icccapital)
Post #: 4
RE: NDR spam - 22.Oct.2009 9:17:59 AM   
icccapital
Posts: 36
Joined: 4.May2006
Status: offline
Sorry, I did forget to mention the dashboard.  After looking at which ones got through, I found them in the dashboard and it stated "Processed Successfully".

Would there be more information in some other file that I am not familiar with?

I believe I did restart the GFI services, but I will try again.

(in reply to RSP)
Post #: 5
RE: NDR spam - 22.Oct.2009 9:38:57 AM   
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
"Processed Successfully" means it passed through all modules without being caught.

The ase.gfi_log.txt file contains the overview information as to what happened to an email, the info is bounded by ::MTAM_IM,iFlags[0] and ::MTAM_UM,return[0x0]

However, we also need to take a look at the log file of the module that should have caught it, but this could be one of several modules.

_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to icccapital)
Post #: 6
RE: NDR spam - 22.Oct.2009 10:49:20 AM   
icccapital
Posts: 36
Joined: 4.May2006
Status: offline
Is the ase.gfi_log.txt file just a short term file normally?  Seems to only capture the last 30 minutes or so and then at some points gets backed up to as.gfi_log.txt.bak, which I assume gets overwritten.

thanks for the continued help.

(in reply to RSP)
Post #: 7
RE: NDR spam - 22.Oct.2009 10:52:12 AM   
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
Yes, it's rolled over at 5MB I think. If you're only getting 30 mins of data in there, you must have a reasonable throughput of emails!

_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to icccapital)
Post #: 8
RE: NDR spam - 22.Oct.2009 1:07:15 PM   
icccapital
Posts: 36
Joined: 4.May2006
Status: offline
I found one that says processed successfully and that I could find in the ase.gfi_log.txt file.  I copied that section that matches the timestamp from the dashboard entry.  Does this indicate anything other than it passed through keyword and dnschecker?  Does it say which one allowed it to go through that I am missing?

2009-10-22,13:29:46,015,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Keyword Checking],RefCount[IM:5][IS:7]...ok"
2009-10-22,13:29:46,015,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Keyword Checking],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:46,031,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Keyword Checking],RefCount[IM:5][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:46,031,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Keyword Checking],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:46,031,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Keyword Checking],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:46,031,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [DNSChecker],REFRESHCONTEXT."
2009-10-22,13:29:46,031,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [DNSChecker],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [DNSChecker],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[DNSChecker],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[DNSChecker],RefCount[IM:4][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [DNSChecker],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [DNSChecker],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","---------------------------------------------------------------------------------------"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,dwEngineResult[0]"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,return[S_OK]"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,Message-ID[<E1N11Vc-0006xN-Jr@blade27.geenpunt.nl>] <-----"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","---------------------------------------------------------------------------------------"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0xF1FE408],AutoCritSec[CMTAContext]::~AutoCritSec"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","::MTAM_UM"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","::MTAM_UM,Casting MID[153116280] into CMEASEMessage*"
2009-10-22,13:29:46,078,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9205E78],CMEASEMessage::UM"
2009-10-22,13:29:46,078,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9205E78],CMEASEMessage::UM,Message-ID[<E1N11Vc-0006xN-Jr@blade27.geenpunt.nl>]<-----"
2009-10-22,13:29:46,078,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9205E78],CMEASEMessage::~CMEASEMessage"
2009-10-22,13:29:46,078,1,"#00002088","#00001ce8","info   ","ME_ASE","::MTAM_UM,Del MID[153116280]...ok "
2009-10-22,13:29:46,078,1,"#00002088","#00001ce8","info   ","ME_ASE","::MTAM_UM,return[0x0]"
2009-10-22,13:29:46,078,1,"#00002088","#00001ce8","info   ","ME_ASE","___________________________

(in reply to RSP)
Post #: 9
RE: NDR spam - 22.Oct.2009 1:34:35 PM   
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
Hmm, that's a little worrying - where are all the other checks? I presume you have them enabled?

I'll examine the log more closely, but in the meantime, tell us more about your system: which Exchange version? Where is ME installed? etc.

_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to icccapital)
Post #: 10
RE: NDR spam - 22.Oct.2009 1:46:46 PM   
icccapital
Posts: 36
Joined: 4.May2006
Status: offline
Exchange 2003 standard
ME is on the c drive of the same server that exchange is on
the priority of filters is (ip whitelist, email\..\whitelist, spf, directory harvesting, phishing, spamrazer, keyword whitelist, blacklist, dns blacklist, spam uri, bayesian, header checking, keyword checking)
Windows 2003 SP2 SBS
ME 14.1
approx. 25 mailboxes

I apologize, I believe I didn't get the full log.  Here is the complete log, which does go through all the filters:
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","::MTAM_IM,iFlags[0]"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9205E78],CMEASEMessage::CMEASEMessage"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9205E78],CMEASEMessage::IM"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9205E78],CMEASEMessage::IM,Message-ID[<E1N11Vc-0006xN-Jr@blade27.geenpunt.nl>]----->"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","::MTAM_PM"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9205E78],CMEASEMessage::PM,Message-ID[<E1N11Vc-0006xN-Jr@blade27.geenpunt.nl>]"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9205E78],MC[1]."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9205EAC],CMTAContext::ProcessMessage"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0xF1FE408],AutoCritSec[CMTAContext]::AutoCritSec"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","---------------------------------------------------------------------------------------"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,Message-ID[<E1N11Vc-0006xN-Jr@blade27.geenpunt.nl>] ----->"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,Sink-Unique-ID[{00121E29-53BE-4C90-8DAF-15090F129EA9}] ----->"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [IP Whitelist],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [IP Whitelist],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[IP Whitelist],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[IP Whitelist],RefCount[IM:4][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [IP Whitelist],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [IP Whitelist],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Whitelist],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Whitelist],RefCount[IM:5][IS:7]...ok"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Whitelist],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Whitelist],RefCount[IM:5][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Whitelist],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Whitelist],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Sender Policy Framework],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Sender Policy Framework],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Sender Policy Framework],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Sender Policy Framework],RefCount[IM:4][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Sender Policy Framework],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Sender Policy Framework],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Directory Harvesting],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Directory Harvesting],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Directory Harvesting],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Directory Harvesting],RefCount[IM:4][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Directory Harvesting],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Directory Harvesting],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Phishing URI Realtime Blocklist],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Phishing URI Realtime Blocklist],RefCount[IM:5][IS:7]...ok"
2009-10-22,13:29:44,781,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Phishing URI Realtime Blocklist],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:44,796,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Phishing URI Realtime Blocklist],RefCount[IM:5][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:44,796,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Phishing URI Realtime Blocklist],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:44,796,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Phishing URI Realtime Blocklist],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:44,796,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [SpamRazer],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,796,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [SpamRazer],RefCount[IM:5][IS:7]...ok"
2009-10-22,13:29:44,796,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[SpamRazer],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:44,859,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[SpamRazer],RefCount[IM:5][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:44,859,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [SpamRazer],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:44,859,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [SpamRazer],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:44,859,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Keyword Whitelist],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,859,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Keyword Whitelist],RefCount[IM:5][IS:7]...ok"
2009-10-22,13:29:44,859,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Keyword Whitelist],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:44,875,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Keyword Whitelist],RefCount[IM:5][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:44,875,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Keyword Whitelist],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:44,875,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Keyword Whitelist],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:44,875,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Blacklist],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,875,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Blacklist],RefCount[IM:5][IS:7]...ok"
2009-10-22,13:29:44,875,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Blacklist],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:44,875,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Blacklist],RefCount[IM:5][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:44,875,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Blacklist],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:44,875,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Blacklist],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:44,875,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [DNS Blacklist],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:44,875,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [DNS Blacklist],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:44,875,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[DNS Blacklist],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:45,078,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[DNS Blacklist],RefCount[IM:4][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:45,078,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [DNS Blacklist],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:45,078,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [DNS Blacklist],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:45,078,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Spam URL Blacklist],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:45,078,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Spam URL Blacklist],RefCount[IM:5][IS:7]...ok"
2009-10-22,13:29:45,078,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Spam URL Blacklist],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Spam URL Blacklist],RefCount[IM:5][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Spam URL Blacklist],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Spam URL Blacklist],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Bayesian Analysis],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Bayesian Analysis],RefCount[IM:5][IS:7]...ok"
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Bayesian Analysis],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Bayesian Analysis],RefCount[IM:5][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Bayesian Analysis],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Bayesian Analysis],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Header Checking],REFRESHCONTEXT."
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Header Checking],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Header Checking],RefCount[IM:5][IS:7]...ok"
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Header Checking],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Header Checking],RefCount[IM:5][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Header Checking],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Header Checking],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Keyword Checking],REFRESHCONTEXT."
2009-10-22,13:29:45,578,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Keyword Checking],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:46,015,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [Keyword Checking],RefCount[IM:5][IS:7]...ok"
2009-10-22,13:29:46,015,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Keyword Checking],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:46,031,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[Keyword Checking],RefCount[IM:5][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:46,031,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Keyword Checking],RefCount[IM:5][IS:7]..."
2009-10-22,13:29:46,031,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [Keyword Checking],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:46,031,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [DNSChecker],REFRESHCONTEXT."
2009-10-22,13:29:46,031,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [DNSChecker],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_InitMessage   [DNSChecker],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[DNSChecker],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage[DNSChecker],RefCount[IM:4][IS:7]...ok,dwModuleResult[0]"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [DNSChecker],RefCount[IM:4][IS:7]..."
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,MTAM_UnInitMessage [DNSChecker],RefCount[IM:4][IS:7]...ok"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","---------------------------------------------------------------------------------------"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,dwEngineResult[0]"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,return[S_OK]"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","this[0x9206F40],CMTAEngine::PM,Message-ID[<E1N11Vc-0006xN-Jr@blade27.geenpunt.nl>] <-----"
2009-10-22,13:29:46,062,1,"#00002088","#00001ce8","info   ","ME_ASE","---------------------------------------------------------------------------------------"

(in reply to RSP)
Post #: 11
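The record format RSP describes in post #6 (everything between ::MTAM_IM,iFlags[0] and ::MTAM_UM,return[0x0]) and the two log pastes in posts #9 and #11 can be checked mechanically. The following is an added example, not code from GFI or from either poster: it splits ase.gfi_log.txt text into per-message records, lists which modules logged a dwModuleResult, and reports either the module that hit or the expected modules whose result is absent (the difference between the partial paste in post #9 and the complete one in post #11). The sample records are constructed in the thread's line format, and treating a non-zero dwModuleResult as a hit is an assumption, since the thread only shows zeros.

```python
"""Parse GFI MailEssentials ase.gfi_log.txt records and report, per message,
which anti-spam modules returned a result and what it was.  A message's
record runs from '::MTAM_IM,iFlags[0]' to '::MTAM_UM,return[0x0]'; every
module logs 'MTAM_ProcessMessage[<name>]...ok,dwModuleResult[<n>]'.
Assumption (not stated in the thread, which only shows zeros): a non-zero
dwModuleResult means that module flagged the message."""
import csv
import re
from io import StringIO

# Module names exactly as they appear in the complete log in post #11.
EXPECTED_MODULES = [
    "IP Whitelist", "Whitelist", "Sender Policy Framework",
    "Directory Harvesting", "Phishing URI Realtime Blocklist", "SpamRazer",
    "Keyword Whitelist", "Blacklist", "DNS Blacklist", "Spam URL Blacklist",
    "Bayesian Analysis", "Header Checking", "Keyword Checking", "DNSChecker",
]

MSGID_RE = re.compile(r"Message-ID\[(<[^>]*>)\]")
MODULE_RE = re.compile(
    r"MTAM_ProcessMessage\[([^\]]+)\].*?\.\.\.ok,dwModuleResult\[(\d+)\]")
ENGINE_RE = re.compile(r"dwEngineResult\[(\d+)\]")

# Constructed sample data in the thread's 9-field line format (the RefCount
# bookkeeping lines that follow each module call are omitted for brevity).
_PREFIX = '2009-10-22,13:29:45,000,1,"#00002088","#00001ce8","info   ","ME_ASE",'


def _line(msg):
    return _PREFIX + '"' + msg + '"'


def build_sample(modules):
    """One message record with the given (module, dwModuleResult) pairs."""
    lines = [_line("::MTAM_IM,iFlags[0]"),
             _line("this[0x9206F40],CMTAEngine::PM,Message-ID"
                   "[<E1N11Vc-0006xN-Jr@blade27.geenpunt.nl>] ----->")]
    for name, result in modules:
        lines.append(_line("this[0x9206F40],CMTAEngine::PM,MTAM_ProcessMessage"
                           f"[{name}],RefCount[IM:5][IS:7]...ok,dwModuleResult[{result}]"))
    lines += [_line("this[0x9206F40],CMTAEngine::PM,dwEngineResult[0]"),
              _line("::MTAM_UM,return[0x0]")]
    return "\n".join(lines) + "\n"


FULL_LOG = build_sample([(m, 0) for m in EXPECTED_MODULES])               # post #11
PARTIAL_LOG = build_sample([("Keyword Checking", 0), ("DNSChecker", 0)])  # post #9


def parse_segments(text):
    """Split raw log text into one dict per message record."""
    segments, current = [], None
    for row in csv.reader(StringIO(text)):
        if len(row) < 9:          # blank or truncated line
            continue
        msg = row[8]
        if msg.startswith("::MTAM_IM"):
            current = {"start": f"{row[0]} {row[1]}.{row[2]}", "message_id": None,
                       "modules": [], "engine_result": None}
            continue
        if current is None:       # lines outside any record
            continue
        if (m := MSGID_RE.search(msg)) and current["message_id"] is None:
            current["message_id"] = m.group(1)
        if m := MODULE_RE.search(msg):
            current["modules"].append((m.group(1), int(m.group(2))))
        if m := ENGINE_RE.search(msg):
            current["engine_result"] = int(m.group(1))
        if msg.startswith("::MTAM_UM,return["):
            current["end"] = f"{row[0]} {row[1]}.{row[2]}"
            segments.append(current)
            current = None
    return segments


def assess(segment):
    """Explain a record: which module hit, or which expected modules are absent."""
    ran = [name for name, _ in segment["modules"]]
    hits = [name for name, res in segment["modules"] if res != 0]
    missing = [name for name in EXPECTED_MODULES if name not in ran]
    if hits:
        verdict = "flagged by " + ", ".join(hits)
    elif missing:
        verdict = "incomplete record: no result logged for " + ", ".join(missing)
    else:
        verdict = "passed every module (dashboard shows Processed Successfully)"
    return {"message_id": segment["message_id"], "ran": ran,
            "hits": hits, "missing": missing, "verdict": verdict}


if __name__ == "__main__":
    for label, log in (("full", FULL_LOG), ("partial", PARTIAL_LOG)):
        for seg in parse_segments(log):
            r = assess(seg)
            print(f"{label}: {r['message_id']} ran {len(r['ran'])} modules; {r['verdict']}")
```

Run it against a real ase.gfi_log.txt by passing the file contents to parse_segments; a record whose "missing" list is non-empty is either a truncated paste or a module that did not run, which is the question RSP raised about post #9.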
RE: NDR spam - 22.Oct.2009 2:03:28 PM   
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
Cool, can you post the headers & the content if possible? You may need to locate the Outlook mod to get the headers. Or you could try saving the message and extracting the info through notepad.

_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to icccapital)
Post #: 12
RE: NDR spam - 22.Oct.2009 2:15:14 PM   
icccapital
Posts: 36
Joined: 4.May2006
Status: offline
Here you go.  Let me know if you see anything?  Thanks again.

Microsoft Mail Internet Headers Version 2.0
Received: from blade27.geenpunt.nl ([81.4.97.193]) by iccserver.icccap.local with Microsoft SMTPSVC(6.0.3790.3959);
    Thu, 22 Oct 2009 13:29:44 -0400
Received: from Debian-exim by blade27.geenpunt.nl with local (Exim 4.63)
   id 1N11Vc-0006xN-Jr
   for rnolan@icccapital.com; Thu, 22 Oct 2009 19:31:33 +0200
X-Failed-Recipients: kxanxnerkldb@msn.com
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@geenpunt.nl>
To: rnolan@icccapital.com
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1N11Vc-0006xN-Jr@blade27.geenpunt.nl>
Date: Thu, 22 Oct 2009 19:31:32 +0200
Return-Path: <>
X-OriginalArrivalTime: 22 Oct 2009 17:29:44.0593 (UTC) FILETIME=[3ED7F010:01CA533D]

CONTENT:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

kxanxnerkldb@msn.com
   SMTP error from remote mail server after RCPT TO:<kxanxnerkldb@msn.com>:
   host mx4.hotmail.com [65.55.37.88]: 550 Requested action not taken:
   mailbox unavailable

------ This is a copy of the message, including all the headers. ------

Return-path: <rnolan@icccapital.com>
Received: from localhost ([127.0.0.1])
   by blade27.geenpunt.nl with smtp (Exim 4.63)
   (envelope-from <rnolan@icccapital.com>)
   id 1N11VV-0006tP-Ou; Thu, 22 Oct 2009 19:31:26 +0200
Reply-To: <rnolan@icccapital.com>
Date: Thu, 22 Oct 2009 19:27:45 -0500
Subject: Certainly flowers have the easiest time on earth
From: <rnolan@icccapital.com>
Message-ID: <01CA533C.78DC2998@icccapital.com>
To: <kx80bw89@msn.com>,
       <kx80drew@msn.com>,
       <kxa9@msn.com>,
       <kxanxnerkldb@msn.com>
X-Priority: 1 (High)
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

<html>
<head>
<title>
Of playing out in the yard
</title>
</head>
<body>
<style>Till he heard as the roar of a rain-fed ford the roar of the Milky Way</style> <a href="http://www.hondesign.hu/3.html">Bring electricity back to your love circle! The voltage will be high between you and your lady!</a> </body> </html>

(in reply to RSP)
Post #: 13
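The bounce above has the classic backscatter shape: the quoted "original" was injected at localhost on blade27.geenpunt.nl and its Received chain never passes through iccserver.icccap.local, so the rnolan@icccapital.com sender address was forged and the NDR was sent to the victim of the forgery. The following is an added example, not code from GFI or from either poster: it confirms a message is an auto-generated NDR (null Return-Path, Auto-Submitted, Mailer-Daemon sender) and then checks whether any relay in the quoted original's Received chain is one of our own MTAs. The sample is a trimmed, constructed copy of the headers in post #13; OUR_MTAS and OUR_DOMAIN are assumptions taken from those headers.

```python
"""Classify a bounce message as backscatter.  Two questions are asked:
(1) is this an auto-generated NDR (null Return-Path, Auto-Submitted, a
Mailer-Daemon sender), and (2) did the original message quoted inside it ever
pass through one of OUR_MTAS?  If the quoted copy was only ever relayed by
foreign hosts, our server never sent it: the sender address was forged and the
bounce is backscatter.  OUR_MTAS/OUR_DOMAIN are taken from the posted headers."""
import email
import re

OUR_MTAS = ("iccserver.icccap.local",)   # assumption: our receiving MTA's name
OUR_DOMAIN = "icccapital.com"            # assumption: our sender domain
COPY_MARKER = "This is a copy of the message"
RELAY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample: the NDR from post #13, trimmed (HTML body omitted).
SAMPLE_NDR = """\
Received: from blade27.geenpunt.nl ([81.4.97.193]) by iccserver.icccap.local with Microsoft SMTPSVC(6.0.3790.3959);
    Thu, 22 Oct 2009 13:29:44 -0400
Received: from Debian-exim by blade27.geenpunt.nl with local (Exim 4.63)
   id 1N11Vc-0006xN-Jr
   for rnolan@icccapital.com; Thu, 22 Oct 2009 19:31:33 +0200
X-Failed-Recipients: kxanxnerkldb@msn.com
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@geenpunt.nl>
To: rnolan@icccapital.com
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1N11Vc-0006xN-Jr@blade27.geenpunt.nl>
Return-Path: <>

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients.

------ This is a copy of the message, including all the headers. ------

Return-path: <rnolan@icccapital.com>
Received: from localhost ([127.0.0.1])
   by blade27.geenpunt.nl with smtp (Exim 4.63)
   (envelope-from <rnolan@icccapital.com>)
   id 1N11VV-0006tP-Ou; Thu, 22 Oct 2009 19:31:26 +0200
From: <rnolan@icccapital.com>
Message-ID: <01CA533C.78DC2998@icccapital.com>
To: <kxanxnerkldb@msn.com>
Subject: Certainly flowers have the easiest time on earth

(spam body omitted)
"""


def ndr_signals(msg):
    """Header evidence that a message is an automatic delivery report."""
    signals = []
    if (msg.get("Return-Path") or "").strip() == "<>":
        signals.append("null Return-Path")
    if (msg.get("Auto-Submitted") or "").lower().startswith("auto-"):
        signals.append("Auto-Submitted: " + msg["Auto-Submitted"])
    if re.search(r"mailer-daemon|postmaster", msg.get("From") or "", re.I):
        signals.append("sender is " + msg["From"])
    return signals


def quoted_original(ndr):
    """Parse the copy of the original message embedded in the NDR body, if any."""
    body = ndr.get_payload()
    if not isinstance(body, str) or COPY_MARKER not in body:
        return None
    after_marker = body[body.index(COPY_MARKER):].split("\n", 1)[1]
    return email.message_from_string(after_marker.lstrip("\n"))


def relay_hosts(msg):
    """Hosts named in the 'by <host>' clause of each Received header."""
    return [RELAY_RE.search(r).group(1).lower()
            for r in (msg.get_all("Received") or []) if RELAY_RE.search(r)]


def classify_ndr(raw):
    ndr = email.message_from_string(raw)
    signals = ndr_signals(ndr)
    result = {"is_ndr": len(signals) >= 2, "signals": signals, "relays": [],
              "claims_our_sender": False, "verdict": "not an NDR"}
    if not result["is_ndr"]:
        return result
    orig = quoted_original(ndr)
    if orig is None:
        result["verdict"] = "NDR without quoted original: cannot verify"
        return result
    result["relays"] = relay_hosts(orig)
    sender = (orig.get("From") or "") + (orig.get("Return-path") or "")
    result["claims_our_sender"] = OUR_DOMAIN in sender.lower()
    # Our MTA would appear in a 'by' clause if the message had really left us.
    handled_by_us = any(h in OUR_MTAS or h.endswith("." + OUR_DOMAIN)
                        for h in result["relays"])
    result["verdict"] = "legitimate bounce" if handled_by_us else "backscatter"
    return result


if __name__ == "__main__":
    r = classify_ndr(SAMPLE_NDR)
    print(r["verdict"], "-", "; ".join(r["signals"]), "- relays:", r["relays"])
```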
RE: NDR spam - 22.Oct.2009 4:58:54 PM   
RSP
Posts: 1270
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
This is embarrassing: I'm not getting any NDR spam on any of my servers, so I cannot compare debug logs!

However, I have noticed on a virgin installation that the NDRSpamNewSenders and NDRSpamAllowSameDomain are DISABLED contrary to the KB article you quoted. Check your registry. I would suggest keeping NDRSpamAllowSameDomain disabled seeing as the message you quoted came from msn.com and you're likely to have an msn.com in your auto whitelist.

Don't forget to restart services after making registry changes.

_____________________________

Disclaimer: I don't work for GFI, I just use their products.

(in reply to icccapital)
Post #: 14
RE: NDR spam - 23.Oct.2009 1:24:56 PM   
icccapital
Posts: 36
Joined: 4.May2006
Status: offline
Thanks, I actually found that to be true as well.  Odd they say what the default is, but it appears to not be functioning correctly.

As for the whitelist, would it still run through all the other filters if it was in the whitelist?  Or would it stop at whitelist and thus the log would only show whitelist ok and end there?  Because that one that processed correctly went through all of the filters.

I can't figure out how it blocks the others by bayesian analysis and not these, some get blocked by new senders and others by dns blacklist, which these I get.  But I wonder what is different about the ones that get through and the ones that bayesian picks up.

thanks for the continued thought.

(in reply to icccapital)
Post #: 15