Missing 25% of SPAM (Full Version)

fatmaninspeedos -> Missing 25% of SPAM (9.Jun.2008 11:18:26 PM)

Of 33 SPAM messages received today, 11 were not detected as Junk, but 25 were.

When I look at GFI Monitor it says "Item processed ok" for the message that was SPAM.  When I search the log files for GFI, the only file that picks up my "missed" SPAM is the mtastr.log, which is the GFI Monitor.  The caught SPAM is found in a log file.

I looked into the Message Tracking Log in Exchange 2003 SP2 and found something common to all messages that "slipped through".  First, when a SPAM message is caught, I get the following Events:

1019 - A new message is submitted to Advanced Queuing.
1025 - A new message was submitted to Advanced Queuing.
1026 - Advanced Queuing could not process the message. The message caused an NDR to be sent, or the message was put in the Badmail folder.

When a MISSED SPAM is processed, I get the following Events:

1019 - A new message is submitted to Advanced Queuing.
1025 - A new message was submitted to Advanced Queuing.
1024 - Advanced Queuing submitted a message to the categorizer.
1033 - SMTP message categorized and queued for routing.

Is GFI seeing the missed SPAM?  Why is GFI getting some of the SPAM but not all?  Debug mode is turned on -- is there anything I can gather from GFI logs to help me get closer to a solution?
John Letourneau -> RE: Missing 25% of SPAM (10.Jun.2008 2:42:28 PM)

fatmaninspeedos,

If you are looking at the MTASTR.LOG and you see a spam message that was delivered to your user and not caught by GFI MailEssentials you can compare the date and timestamp of that message against ase.gfi_log.txt and ase.gfi_log.bak from ..\Program Files\GFI\MailEssentials\DebugLogs.  This log will show the message as it passes through each individual spam module.  This should shed some light on the situation for you.
fatmaninspeedos -> RE: Missing 25% of SPAM (10.Jun.2008 9:47:16 PM)

I've looked at a few entries in the ase.gfi_log.txt file.  My observations are as follows:

1. On messages that "slipped" through, it looks as if GFI put the email through all the filters and it came up with no spam detected.  I see the init, process, and uninit for all the GFI modules.

2. On messages that were "caught", during the process message, it says STOPPING ASE PROCESSING CHAIN and the dwModuleResult is 10.

3. On multiple messages that "slipped" through, there is a 14 second gap between 2 "ProcessMessage" entries for DNS Blacklist. 

4. On messages that were "caught", there is only a 2 second gap between 2 "ProcessMessage" entries for DNS Blacklist.  Some messages that were "caught" took 14 seconds too.

5. On one instance of a message that "slipped", there is a 21 second gap between 2 "ProcessMessage" entries for Spam URI Realtime Blacklist.

Does this information help diagnose what the issue is?  Is there something else in the log I should be looking for?

Thanks.
John Letourneau -> RE: Missing 25% of SPAM (11.Jun.2008 9:31:54 AM)

fatmaninspeedos,

It does help to an extent.  The fact that you are seeing 14 second gaps in your DNS checks could mean that some spam is getting through due to DNS timeouts.  Which DNS Blacklists do you have enabled?
fatmaninspeedos -> RE: Missing 25% of SPAM (11.Jun.2008 10:36:00 AM)

I have all DNS blacklists enabled and all SURBLs enabled as well.  Should I not have all enabled?  Is there a website that explains which lists do what?

Since my last post I reconfigured DNS on that machine so that names would resolve faster.  The 'test' button now returns success much faster and this morning I've noticed an improvement in SPAM being caught.
John Letourneau -> RE: Missing 25% of SPAM (11.Jun.2008 11:29:47 AM)

fatmaninspeedos,

As far as getting up to speed on DNS Blacklists I'd suggest reading http://en.wikipedia.org/wiki/DNSBL and then http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists.  I would not recommend having them all enabled.  As it currently stands on 6/11/2008 I'd suggest bl.spamcop.net and zen.spamhaus.org as long as you are using GFI MailEssentials 12 build 20071005 or above.  If you are using an older build than this then I would suggest bl.spamcop.net and sbl-xbl.spamhaus.org.
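To make the DNS side of this thread concrete, here is an added example (my own code, not part of GFI MailEssentials or this forum post) of how a DNS blacklist lookup is formed and interpreted, and why a lookup that times out has to be recorded as "unknown" rather than silently counted as "not listed". That silent fail-open is the behaviour the 14-second and 21-second gaps in the earlier post suggest. The two zones are the ones recommended above; the function names, the `ResolverUnavailable` exception, the `classify_sender` decision policy, and the `FAKE_ANSWERS` table are all assumptions constructed for the example so that it runs offline. The default resolver uses the system resolver through `socket`.

```python
"""DNSBL lookups with explicit timeout handling (added example, not GFI code)."""
import ipaddress
import socket
import time

LISTED, CLEAN, UNKNOWN = "listed", "clean", "unknown"

# The two lists recommended in the thread. Every DNSBL answers a listing with
# an A record inside 127.0.0.0/8; NXDOMAIN means the address is not listed.
DEFAULT_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")


class ResolverUnavailable(Exception):
    """Temporary DNS failure (timeout, SERVFAIL): no verdict either way."""


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A record as a string, None for NXDOMAIN, raise on temp failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:    # NXDOMAIN: address not listed
            return None
        raise ResolverUnavailable(str(exc))    # EAI_AGAIN: resolver timed out


def dnsbl_lookup(ip, zone, resolver=system_resolver):
    """Return (verdict, elapsed_seconds, raw_answer) for one list."""
    name = dnsbl_query_name(ip, zone)
    start = time.monotonic()
    try:
        answer = resolver(name)
    except ResolverUnavailable:
        return UNKNOWN, time.monotonic() - start, None
    elapsed = time.monotonic() - start
    if answer is None:
        return CLEAN, elapsed, None
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return LISTED, elapsed, answer
    # Anything outside 127/8 is not a DNSBL code (e.g. a wildcarding upstream
    # resolver); treat it as no verdict rather than as a listing.
    return UNKNOWN, elapsed, answer


def classify_sender(ip, zones=DEFAULT_ZONES, resolver=system_resolver, slow_after=5.0):
    """Query each zone and return (decision, details).

    decision: "reject" if any list has the IP, "accept" only if every list
    answered NXDOMAIN, "undecided" if some list could not be consulted.
    details: per-zone results plus the zones that took longer than slow_after,
    which is what to look for when spam is slipping through.
    """
    details, slow = {}, []
    for zone in zones:
        verdict, elapsed, answer = dnsbl_lookup(ip, zone, resolver)
        details[zone] = (verdict, round(elapsed, 3), answer)
        if elapsed > slow_after:
            slow.append(zone)
    verdicts = [v for v, _, _ in details.values()]
    if LISTED in verdicts:
        decision = "reject"
    elif UNKNOWN in verdicts:
        decision = "undecided"      # logged, never silently accepted as clean
    else:
        decision = "accept"
    return decision, {"per_zone": details, "slow_zones": slow}


# Constructed offline answers for demonstration; not real DNSBL data.
FAKE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",              # listed
    "10.2.0.192.bl.spamcop.net": None,                       # NXDOMAIN
    "20.2.0.192.zen.spamhaus.org": None,
    "20.2.0.192.bl.spamcop.net": None,
    "30.2.0.192.zen.spamhaus.org": ResolverUnavailable("timeout"),
    "30.2.0.192.bl.spamcop.net": None,
}


def fake_resolver(name):
    """Stand-in for system_resolver that answers from FAKE_ANSWERS."""
    result = FAKE_ANSWERS[name]
    if isinstance(result, Exception):
        raise result
    return result


if __name__ == "__main__":
    for sender in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(sender, classify_sender(sender, resolver=fake_resolver))
```

Swap `fake_resolver` for the default `system_resolver` to run the same checks against the live lists. The `slow_zones` list is the part to watch when reproducing the problem described in this thread: a zone that repeatedly shows up there is a resolver problem, and the "undecided" decision makes that visible instead of letting the message through as clean.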
fatmaninspeedos -> RE: Missing 25% of SPAM (11.Jun.2008 11:59:59 AM)

Thanks for the information.

What is your recommendation for Spam URI Realtime blacklists?  Which ones should be enabled?
John Letourneau -> RE: Missing 25% of SPAM (23.Jun.2008 11:27:24 AM)

fatmaninspeedos,

I would recommend using multi.surbl.org as it checks the servers listed above.