Outbound with 0 score being dropped?

RGPEC · 02-10-2010, 04:59 AM

Edit: Problem has happened once outbound as well!!!

I'm testing out a box with commtouch - first couple of days were brilliant until we had a major power cut here yesterday.

Now since the box came back on line, it seems to be finding a lower proportion of junk, although this could be the law of averages.

However, a handful of outbound emails were dropped even though they scored zero!!

I have now stopped scanning outbound, but I was wondering if anyone knows what could have happened - I was extremely impressed with the product's effectiveness but this dents my confidence slightly!

dwasserman · 02-10-2010, 05:49 AM

Why scan outbound connection? Tell us better your envoirment, if you have an internal SMTP server not have sense to scan outbound for spam.

RGPEC · 02-10-2010, 10:24 AM

We have two isa servers both taking care of smtp mailflow (as well as general internet access and BES) for an exchange box which probably handles about 4k emails per day. Untangle has been put inbetween the the isa boxes and the rest of our network as a tranparent bridge.

To be honest, I only set it to scan outbound so I could view all emails easily and pick out other companies we deal with so I can whitelist them. I've since set to not scan outbound and am please to see these are still logged.

Also anyone know how to keep logs until I clear them? With this problem, I am really worried at the moment that genuine emails may be rejected without reason, and I won't even be able to pick up on the event.

RGPEC · 02-11-2010, 05:11 AM

Stopped scanning message headers last night, thought all was good, but then two more legitmate emails with 0 spam score have been dropped. Anyone else had a simliar issue at all?

RGPEC · 02-11-2010, 09:09 AM

Told the box to stop dropping superspam as this is a big worry of mine.

However, it has still dropped 5 since I made the change - 2 genuine and 3 spam!

dmorris · 02-11-2010, 10:58 AM

what version are you running? can you post a screenshot of the event log?

RGPEC · 02-11-2010, 02:57 PM

Hi dmorris,

I am running build 7.1.1 - only had the test server up 9 days.

Here's a screenshot of the log with dropped items highlighted (I had a bit of a dozy moment and was meant to highlight all dropped items, especially no 4&5).

I've also copied the config - the strange number for inbound scan is 11Mb (our limit is 10, and I already have seen the odd message to large to be scanned)

If you have any ideas I would be incredibly grateful.

dmorris · 02-11-2010, 03:13 PM

the first think I would do is email the recipients and verify that they were *actually* blocked and that it doesn't just say they were blocked. The reason I say this is that we had a bug in the past where it just said blocked when an exception occurred leading users to thinking it was blocked when it was not.

from there you'll have to do some more digging in either syslog or the database to figure out what happened.

if you have support i'd recommend you call support at this point.

02-10-2010, 04:59 AM	#1 (permalink)
RGPEC Untangler Join Date: Nov 2009 Posts: 48	0 score being dropped? Edit: Problem has happened once outbound as well!!! I'm testing out a box with commtouch - first couple of days were brilliant until we had a major power cut here yesterday. Now since the box came back on line, it seems to be finding a lower proportion of junk, although this could be the law of averages. However, a handful of outbound emails were dropped even though they scored zero!! I have now stopped scanning outbound, but I was wondering if anyone knows what could have happened - I was extremely impressed with the product's effectiveness but this dents my confidence slightly! Last edited by RGPEC; 02-10-2010 at 10:28 AM..

02-11-2010, 10:58 AM	#6 (permalink)
dmorris Untangle Junkie Join Date: Nov 2006 Location: San Mateo, CA URLs submitted: 10 Posts: 10,614	what version are you running? can you post a screenshot of the event log? __________________ Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com

02-11-2010, 02:57 PM	#7 (permalink)
RGPEC Untangler Join Date: Nov 2009 Posts: 48	Hi dmorris, I am running build 7.1.1 - only had the test server up 9 days. Here's a screenshot of the log with dropped items highlighted (I had a bit of a dozy moment and was meant to highlight all dropped items, especially no 4&5). I've also copied the config - the strange number for inbound scan is 11Mb (our limit is 10, and I already have seen the odd message to large to be scanned) If you have any ideas I would be incredibly grateful. Last edited by RGPEC; 02-11-2010 at 03:16 PM..

02-11-2010, 03:13 PM	#8 (permalink)
dmorris Untangle Junkie Join Date: Nov 2006 Location: San Mateo, CA URLs submitted: 10 Posts: 10,614	the first think I would do is email the recipients and verify that they were actually blocked and that it doesn't just say they were blocked. The reason I say this is that we had a bug in the past where it just said blocked when an exception occurred leading users to thinking it was blocked when it was not. from there you'll have to do some more digging in either syslog or the database to figure out what happened. if you have support i'd recommend you call support at this point. __________________ Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com

Protect

Filter

Perform

Connect

Manage

Add-Ons

02-10-2010, 05:49 AM	#2 (permalink)
dwasserman Join Date: Jun 2008 Location: Argentina URLs submitted: 57 Posts: 3,634	Why scan outbound connection? Tell us better your envoirment, if you have an internal SMTP server not have sense to scan outbound for spam.

02-10-2010, 10:24 AM	#3 (permalink)
RGPEC Untangler Join Date: Nov 2009 Posts: 48	We have two isa servers both taking care of smtp mailflow (as well as general internet access and BES) for an exchange box which probably handles about 4k emails per day. Untangle has been put inbetween the the isa boxes and the rest of our network as a tranparent bridge. To be honest, I only set it to scan outbound so I could view all emails easily and pick out other companies we deal with so I can whitelist them. I've since set to not scan outbound and am please to see these are still logged. Also anyone know how to keep logs until I clear them? With this problem, I am really worried at the moment that genuine emails may be rejected without reason, and I won't even be able to pick up on the event.

02-11-2010, 05:11 AM	#4 (permalink)
RGPEC Untangler Join Date: Nov 2009 Posts: 48	Stopped scanning message headers last night, thought all was good, but then two more legitmate emails with 0 spam score have been dropped. Anyone else had a simliar issue at all?

02-11-2010, 09:09 AM	#5 (permalink)
RGPEC Untangler Join Date: Nov 2009 Posts: 48	Told the box to stop dropping superspam as this is a big worry of mine. However, it has still dropped 5 since I made the change - 2 genuine and 3 spam!