"Hijack cares about the senders - not the recipients I do believe"
 
Yes, but Hijack should be OUTGOING only.  These emails were obviously incoming.
 
What do the Hijack logs say?
 
06/01/2005 08:53:13 QAFB901A600000E85 [EMAIL PROTECTED] is not local.
06/01/2005 08:53:13 QAFB901A600000E85 Outgoing from 68.118.154.7:    threshold 2 reached; SPAM: HOLDING PERMANENTLY
 
That is a sample of one of the held emails (loglevel high).  It clearly says [EMAIL PROTECTED] is not local, but that address is set up as an alias on our server (It forwards to AOL).  The domain burnsandco.com is local and it contains an address of pattinelson.
 
Another:
 
06/01/2005 08:58:05 QB0DC018200000EDC [EMAIL PROTECTED] is not local.
06/01/2005 08:58:05 QB0DC018200000EDC Outgoing from 68.118.154.7:    threshold 2 reached; SPAM: HOLDING PERMANENTLY
 
Again, this one clearly states that [EMAIL PROTECTED] is not local but the address is set up on our server.  This one is not an alias and is not forwarded anywhere.  The log shows between those two entries (among many other "is not local" entries) that several messages coming in from the gateway ARE in fact treated as local:

06/01/2005 08:56:50 QB09201A000000EC7 Incoming from 68.118.154.7:    OK.
and
06/01/2005 08:56:53 QB095019800000ECB Incoming from 68.118.154.7:    OK.
 
Was all the held mail prefaced with the gateway IP?
 
Yes, every single one of nearly 5000.
 
Do you have the line in hijack.cfg "ALLOWIP <gateway ip>"?
 
I do now, but I shouldn't need to.  The problem is that Hijack somehow started incorrectly identifying local addresses.  For example, if I go back to the previous day's log and look, I see that all emails coming from the gateway for local addresses are correctly identified as local addresses and get an OK line.
 
05/31/2005 16:27:38 QC8BA021400003290 Incoming from 68.118.154.7:    OK.
05/31/2005 16:27:39 QC8BA020E00003292 Incoming from 68.118.154.7:    OK.
05/31/2005 16:27:47 QC8C2022200003294 Incoming from 68.118.154.7:    OK.
05/31/2005 16:27:53 QC8C8021A00003296 Incoming from 68.118.154.7:    OK.
05/31/2005 16:28:00 QC8D0021400003298 Incoming from 68.118.154.7:    OK.
05/31/2005 16:28:18 QC8E2020E0000329A Incoming from 68.118.154.7:    OK.
05/31/2005 16:28:27 QC8EB02220000329C Incoming from 68.118.154.7:    OK.
05/31/2005 16:28:27 QC8EB021A0000329E Incoming from 68.118.154.7:    OK.
05/31/2005 16:28:48 QC9000222000032A3 Incoming from 68.118.154.7:    OK.
05/31/2005 16:28:50 QC902021A000032A5 Incoming from 68.118.154.7:    OK.
05/31/2005 16:29:01 QC90D020E000032A8 Incoming from 68.118.154.7:    OK.
05/31/2005 16:29:01 QC90D0222000032AA Incoming from 68.118.154.7:    OK.
05/31/2005 16:29:03 QC90F021A000032AC Incoming from 68.118.154.7:    OK.
05/31/2005 16:29:04 QC9100214000032AE Incoming from 68.118.154.7:    OK.
05/31/2005 16:29:14 QC91A020E000032B0 Incoming from 68.118.154.7:    OK.
05/31/2005 16:29:19 QC91F021A000032B3 Incoming from 68.118.154.7:    OK.
05/31/2005 16:29:21 QC9210214000032B5 Incoming from 68.118.154.7:    OK.
05/31/2005 16:29:31 QC92B021A000032B9 Incoming from 68.118.154.7:    OK.
05/31/2005 16:29:31 QC92B0214000032BB Incoming from 68.118.154.7:    OK.
05/31/2005 16:29:33 QC92C020E000032BD Incoming from 68.118.154.7:    OK.
 
This particular problem did not start until yesterday and ended when I put in the ALLOWIP line.  Looking through the entire log shows no incorrect identifications on that day.  This happened suddenly and I don't know why (when last we spoke, neither did Declude).


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Hayer
Sent: Thursday, June 02, 2005 8:51 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Message not scanned

Hi Dan,

Here are some thoughts -
I still don't know why Hijack decided to flag my gateway and hold its
messages (ALL messages in HOLD2 were verified to be destined for local
users). 
Hijack cares about the senders - not the recipients I do believe


 I still don't know why it only held SOME messages (around 2500
messages were held out of a total volume of around 10,000 that went
through the gateway yesterday).
What do the Hijack logs say?  [They may explain just what happened. If not, run on high so next time more info may be avail]

Was all the held mail prefaced with the gateway IP? [Just to be sure they all came from the gateway]

Do you have the line in hijack.cfg "ALLOWIP <gateway ip>"? ["An ALLOWIP line will let an IP address send unlimited E-mail"]

Best,

-Nick


  I still don't know why these messages
were delivered without being scanned by Declude (unless that is a
"feature" of Hijack, that it runs before AV or JM and doesn't rescan
re-queued email; and if so it should be changed to at least run after
AV).   I have added an ALLOWIP for my gateway, since I don't want to
turn Hijack off.

BTW, I worked with Ralph Krausse at Declude and with Eric Shanbrom at
Ipswitch and both were extremely helpful in diagnosing this problem.
Thank you both very much.

Dan Horne



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
Sent: Wednesday, June 01, 2005 2:53 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Message not scanned

Did you not see my response to your earlier post?

John T
eServices For You


  
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Dan Horne
Sent: Wednesday, June 01, 2005 10:53 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Message not scanned

I have received a couple of messages in the last two days in my inbox 
that were NOT scanned by Declude.  I thought the headers below were 
strange, since they seem to have MIME segments in them.  However, 
another message in my inbox that was spam (below my hold weight) also 
has similar MIME segments, but was scanned by Declude, evidenced by 
the Declude headers.  The Declude headers are not present (I add 
several headers with Declude) in the email below.  The line
"X-Virus-Scanned: amavisd-new 2.3.0 (20050424) at taisweb.net" was
added by my gateway postfix box that scans messages with clamav.

When searching the Declude logs, the queue number 9F3B01A600000A71 
does not appear.  Neither does a07e000006888a82, though I wouldn't 
expect it to as that is the forward message, which should appear after
Declude scans.  Version info: Imail v8.2 HF2, Declude Junkmail
Pro/Virus Standard/Hijack v2.0.6.10.

For reference, I have attached a file with the headers of the other 
spam message I mentioned, so you can see what kind of headers I add 
that are missing below.


--------IMAIL LOG--------
SMTPD (9f3b01a600000a71) [172.20.5.2] connect 68.118.154.7 port 60324
SMTPD (9f3b01a600000a71) [68.118.154.7] EHLO mx2.rmslink.net
SMTPD (9f3b01a600000a71) [68.118.154.7] MAIL FROM:<[EMAIL PROTECTED]>
SMTPD (9f3b01a600000a71) [68.118.154.7] RCPT TO:<[EMAIL PROTECTED]>
SMTPD (9f3b01a600000a71) [x] looking up taisweb.net in HOSTS
SMTPD (9f3b01a600000a71) [68.118.154.7] DATA
SMTPD (9f3b01a600000a71) [68.118.154.7] S:\imail\spool\D9f3b01a600000a71.SMD 4808
SMTP (0000000000000000) Info - Adding Queue file S:\imail\spool\Q9F3B01A600000A71.SMD
SMTP (9f3b01a600000a71) processing S:\imail\spool\Q9F3B01A600000A71.SMD
SMTP (9f3b01a600000a71) ldeliver mail.taisweb.net copyall-main (1) [EMAIL PROTECTED] 4808
SMTP (9f3b01a600000a71) forwarded message to [EMAIL PROTECTED] using new file: a07e000006888a82
SMTP (9f3b01a600000a71) finished S:\imail\spool\Q9F3B01A600000A71.SMD status=1

--------HEADERS----------
Microsoft Mail Internet Headers Version 2.0
Received: from mail.taisweb.net ([68.118.153.2]) by ex1.wilcoxent.net 
with Microsoft SMTPSVC(6.0.3790.211);
	 Wed, 1 Jun 2005 07:48:14 -0400
Received: from SMTP32-FWD by mail.taisweb.net
  (SMTP32) id A9F3B01A600000A71; Wed,  1 Jun 2005 07:48:14
Received: from mx2.rmslink.net [68.118.154.7] by mail.taisweb.net with ESMTP
  (SMTPD-8.20) id AF3C0298; Wed, 01 Jun 2005 07:42:52 -0400
Received: from localhost (localhost [127.0.0.1])
	by mx2.rmslink.net (Postfix) with ESMTP id 2F58139863
	for <[EMAIL PROTECTED]>; Wed,  1 Jun 2005 07:20:47 -0400 (EDT)
Received: from gatesalbert.com (81-202-101-107.user.ono.com [81.202.101.107])
	by mx2.rmslink.net (Postfix) with SMTP id 46D5B39845
	for <[EMAIL PROTECTED]>; Wed,  1 Jun 2005 07:20:40 -0400 (EDT)
From: "Feli Ridgeway" <[EMAIL PROTECTED]>
To: "Napier Kincaid" <[EMAIL PROTECTED]>
Subject: Re: Really Works GGood
Date: Wed, 1 Jun 2005 06:42:20 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0057_01C5669E.F7E87600"
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Message-Id: <[EMAIL PROTECTED]>
X-Virus-Scanned: amavisd-new 2.3.0 (20050424) at taisweb.net
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 01 Jun 2005 11:48:14.0907 (UTC) FILETIME=[CB72F8B0:01C5669F]

------=_NextPart_000_0057_01C5669E.F7E87600
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0057_01C5669E.F7E87600
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable


------=_NextPart_000_0057_01C5669E.F7E87600--
    


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
"unsubscribe Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.
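
The comparison done by hand in the thread above (held "Outgoing" entries and their "is not local" recipients versus addresses the server actually hosts) can be scripted. This is an added example, not part of the original messages and not Declude's own tooling; the line shapes follow the log excerpts quoted above, while the queue IDs, addresses, IPs and the `local_domains` input are constructed assumptions.

```python
import re
from collections import defaultdict

# Line shapes follow the Hijack log excerpts quoted in the thread. The archive
# redacted the addresses, so a single whitespace-free address token is assumed.
NOT_LOCAL = re.compile(r"^\S+ \S+ (Q[0-9A-Fa-f]+) (\S+) is not local\.$")
VERDICT = re.compile(
    r"^\S+ \S+ (Q[0-9A-Fa-f]+) (Incoming|Outgoing) from "
    r"(\d{1,3}(?:\.\d{1,3}){3}):\s+(.*)$"
)

# Constructed sample: queue IDs, addresses and IPs are made up for the example.
SAMPLE_LOG = """\
06/01/2005 08:53:13 QAAAA000100000001 pat@example.com is not local.
06/01/2005 08:53:13 QAAAA000100000001 Outgoing from 192.0.2.10:    threshold 2 reached; SPAM: HOLDING PERMANENTLY
06/01/2005 08:56:50 QAAAA000100000002 Incoming from 192.0.2.10:    OK.
06/01/2005 08:58:05 QAAAA000100000003 sam@example.com is not local.
06/01/2005 08:58:05 QAAAA000100000003 Outgoing from 192.0.2.10:    threshold 2 reached; SPAM: HOLDING PERMANENTLY
06/01/2005 09:01:40 QAAAA000100000004 bob@elsewhere.test is not local.
06/01/2005 09:01:40 QAAAA000100000004 Outgoing from 198.51.100.23:    threshold 2 reached; SPAM: HOLDING PERMANENTLY
"""

def summarize(log_text):
    """Per source IP: incoming OK count, hold count, recipients of held mail."""
    rcpts = defaultdict(set)  # queue id -> recipients logged as "not local"
    stats = defaultdict(lambda: {"incoming_ok": 0, "held": 0, "recipients": set()})
    for line in log_text.splitlines():
        line = line.strip()
        if m := NOT_LOCAL.match(line):
            rcpts[m.group(1)].add(m.group(2).lower())
        elif m := VERDICT.match(line):
            qid, direction, ip, result = m.groups()
            if direction == "Incoming" and result.startswith("OK"):
                stats[ip]["incoming_ok"] += 1
            elif direction == "Outgoing" and "HOLDING" in result:
                stats[ip]["held"] += 1
                stats[ip]["recipients"] |= rcpts.pop(qid, set())
    return dict(stats)

def misclassified(stats, local_domains):
    """IPs whose held 'Outgoing' mail went to domains this server hosts.
    local_domains is an assumed input: the domains configured on the server."""
    hosted = {d.lower() for d in local_domains}
    found = {}
    for ip, s in stats.items():
        wrong = sorted(r for r in s["recipients"] if r.rpartition("@")[2] in hosted)
        if wrong:
            found[ip] = wrong
    return found
```

An IP that shows up in the result while also having a non-zero `incoming_ok` count is a relay whose inbound traffic is being counted against the outgoing threshold, which is the pattern the gateway showed in the logs above.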