RBL issues persist. What am I missing? 17.5.5 MR-5

I'm hoping someone is seeing something I'm missing. This is an all-day occurrence.

 

This made it to my inbox.

 

Source server is blacklisted

 

I'm (apparently not) querying the same RBLs.

 

 

Message makes it through. Some smtpd_main capture below.

 

2019-05-16 11:50:13.749 [3803] SMTP connection from [69.162.123.246]:17419 I=[mywanip]:25 (TCP/IP connection count = 1)
2019-05-16 11:50:13.949 [7670] [69.162.123.246] F=<smartshopper@accupackindia.com> R=<userulkin@mydomain.com> Accepted: upstream host
2019-05-16 11:50:14.073 [7670] 1hRIe5-0001zi-Ud DKIM: d=accupackindia.com s=zs9pu c=relaxed/relaxed a=rsa-sha1 b=1024 i=smartshopper@accupackindia.com [verification succeeded]
2019-05-16 11:50:14.095 [7670] 1hRIe5-0001zi-Ud <= smartshopper@accupackindia.com H=tealeaf.accupackindia.com [69.162.123.246]:17419 I=[mywanip]:25 P=esmtp S=24516 M8S=8 DKIM=accupackindia.com RT=0.122s id=BA7K.A6DX5V6G.2LTAC59OV0HUK2V@tealeaf.accupackindia.com T="Tired of fighting over the thermostat?" from <smartshopper@accupackindia.com> for userulkin@mydomain.com
MSG May 16 11:50:14 [ T_SMTPD-M]: new mail queued, add to inqueue '1hRIe5-0001zi-Ud-D'
MSG May 16 11:50:14 [ T_SMTPD-W]: Mail assigned to 'MS-16658' for scanning '1hRIe5-0001zi-Ud-D'
MSG May 16 11:50:14 [ MS-16658]: scan request 1hRIe5-0001zi-Ud-D
MSG May 16 11:50:14 [ MS-16658]: S='smartshopper@accupackindia.com' R='userulkin@mydomain.com' Subject='Tired of fighting over the thermostat?' Size='24516' Status='Mail has been queued for delivery.' src_ip='69.162.123.246' src_port=17419
MSG May 16 11:50:14 [1hRIe5-0001zi-Ud]: spam scanning result: 'bulk spam'
MSG May 16 11:50:14 [1hRIe5-0001zi-Ud]: [0x9fafe38](userulkin@mydomain.com)SF Policy Action: QUARANTINE
MSG May 16 11:50:14 [ MS-16658]: move 'hwAkeS-oqE601-7Z' to quarantine
MSG May 16 11:50:14 [ MS-16658]: do_post_policy_stuff: q_path = /sdisk/spool//quarantine/0/Z/
MSG May 16 11:50:14 [1hRIe5-0001zi-Ud]: hwAkeS-oqE601-7Z <= smartshopper@accupackindia.com R=1hRIe5-0001zi-Ud
MSG May 16 11:50:14 [ MS-16658]: processing for 1hRIe5-0001zi-Ud completed
MSG May 16 11:50:14 [ T_SMTPD-W]: [SMTPD] mail '1hRIe5-0001zi-Ud-D' processed sucessfully
2019-05-16 11:50:14.528 [7670] SMTP connection from tealeaf.accupackindia.com [69.162.123.246]:17419 I=[mywanip]:25 closed by QUIT
2019-05-16 11:50:17.569 [3803] SMTP connection from [69.162.123.245]:19777 I=[mywanip]:25 (TCP/IP connection count = 1)
2019-05-16 11:50:17.751 [7687] [69.162.123.245] F=<everything.camping@wildlittlebear.com> R=<users@mydomain.com> Accepted: upstream host
2019-05-16 11:50:18.021 [3803] SMTP connection from [69.162.123.246]:57855 I=[mywanip]:25 (TCP/IP connection count = 2)
2019-05-16 11:50:18.177 [7687] 1hRIe9-0001zz-OF DKIM: validation error: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
2019-05-16 11:50:18.177 [7687] 1hRIe9-0001zz-OF DKIM: d=wildlittlebear.com s=8bww c=relaxed/relaxed a=rsa-sha1 b=1024 i=everything.camping@wildlittlebear.com [verification failed - signature did not verify (headers probably modified in transit)]
2019-05-16 11:50:18.180 [7693] [69.162.123.246] F=<thrifty.home@accupackindia.com> R=<user@mydomain.com> Accepted: upstream host
2019-05-16 11:50:18.200 [7687] 1hRIe9-0001zz-OF <= everything.camping@wildlittlebear.com H=yogi.wildlittlebear.com [69.162.123.245]:19777 I=[mywanip]:25 P=esmtp S=24597 M8S=8 RT=0.425s id=XGHA.NYO3AFD.U5I03BN5US@yogi.wildlittlebear.com T="=?UTF-8?B?U2F2ZSBvbiBjb29saW5nIGNvc3RzIHRoaXMgc3VtbWVyIHdpdGggYW4gZXZhcG9yYXRpdmUgYWlyIGNvb2xlci4=?=" from <everything.camping@wildlittlebear.com> for users@mydomain.com
MSG May 16 11:50:18 [ T_SMTPD-M]: new mail queued, add to inqueue '1hRIe9-0001zz-OF-D'
2019-05-16 11:50:18.312 [7693] 1hRIeA-000205-5o DKIM: d=accupackindia.com s=zs9pu c=relaxed/relaxed a=rsa-sha1 b=1024 i=thrifty.home@accupackindia.com [verification succeeded]
2019-05-16 11:50:18.316 [7687] [69.162.123.245] F=<thrifty.home@wildlittlebear.com> R=<user@mydomain.com> Accepted: upstream host
2019-05-16 11:50:18.331 [7693] 1hRIeA-000205-5o <= thrifty.home@accupackindia.com H=tealeaf.accupackindia.com [69.162.123.246]:57855 I=[mywanip]:25 P=esmtp S=24520 M8S=8 DKIM=accupackindia.com RT=0.131s id=P33L.DV8D3C.BD2ZUZBDZRYKRZ6LEX@tealeaf.accupackindia.com T="Air cooling device that travels with you" from <thrifty.home@accupackindia.com> for user@mydomain.com
MSG May 16 11:50:18 [ T_SMTPD-M]: new mail queued, add to inqueue '1hRIeA-000205-5o-D'
2019-05-16 11:50:18.398 [7687] 1hRIeA-0001zz-AC DKIM: d=wildlittlebear.com s=8bww c=relaxed/relaxed a=rsa-sha1 b=1024 i=thrifty.home@wildlittlebear.com [verification succeeded]
2019-05-16 11:50:18.418 [7687] 1hRIeA-0001zz-AC <= thrifty.home@wildlittlebear.com H=yogi.wildlittlebear.com [69.162.123.245]:19777 I=[mywanip]:25 P=esmtp S=24558 M8S=8 DKIM=wildlittlebear.com RT=0.081s id=NBPP.F68BUIY.NBXWRWAYTL0B31ZRW0@yogi.wildlittlebear.com T="Staying cool this summer the smart way" from <thrifty.home@wildlittlebear.com> for user@mydomain.com
MSG May 16 11:50:18 [ T_SMTPD-M]: new mail queued, add to inqueue '1hRIeA-0001zz-AC-D'
MSG May 16 11:50:18 [ T_SMTPD-W]: Mail assigned to 'MS-16658' for scanning '1hRIe9-0001zz-OF-D'
MSG May 16 11:50:18 [ MS-16658]: scan request 1hRIe9-0001zz-OF-D
MSG May 16 11:50:18 [ T_SMTPD-W]: Mail assigned to 'MS-3790' for scanning '1hRIeA-000205-5o-D'
MSG May 16 11:50:18 [ T_SMTPD-W]: Mail assigned to 'MS-3793' for scanning '1hRIeA-0001zz-AC-D'
MSG May 16 11:50:18 [ MS-3790]: scan request 1hRIeA-000205-5o-D
MSG May 16 11:50:18 [ MS-3790]: S='thrifty.home@accupackindia.com' R='user@mydomain.com' Subject='Air cooling device that travels with you' Size='24520' Status='Mail has been queued for delivery.' src_ip='69.162.123.246' src_port=57855
MSG May 16 11:50:18 [ MS-16658]: S='everything.camping@wildlittlebear.com' R='users@mydomain.com' Subject='Save on cooling costs this summer with an evaporative air cooler.' Size='24597' Status='Mail has been queued for delivery.' src_ip='69.162.123.245' src_port=19777
MSG May 16 11:50:18 [ MS-3793]: scan request 1hRIeA-0001zz-AC-D
MSG May 16 11:50:18 [ MS-3793]: S='thrifty.home@wildlittlebear.com' R='user@mydomain.com' Subject='Staying cool this summer the smart way' Size='24558' Status='Mail has been queued for delivery.' src_ip='69.162.123.245' src_port=19777
MSG May 16 11:50:18 [1hRIeA-000205-5o]: spam scanning result: 'not spam'
MSG May 16 11:50:18 [1hRIeA-0001zz-AC]: spam scanning result: 'not spam'
MSG May 16 11:50:18 [1hRIe9-0001zz-OF]: spam scanning result: 'not spam'
MSG May 16 11:50:18 [1hRIeA-000205-5o]: Sophos Antivirus Scanned result: Clean (file number:-1)
MSG May 16 11:50:18 [1hRIeA-000205-5o]: Avira Antivirus Scanned result: Clean (file number:-1)
CRT May 16 11:50:18 [ MS-3790]: missing filename in this MIME part !!!
CRT May 16 11:50:18 [ MS-3790]: missing filename in this MIME part !!!
MSG May 16 11:50:18 [1hRIeA-000205-5o]: [0x9c239b80] FROM: thrifty.home@accupackindia.com , TO: user@mydomain.com
MSG May 16 11:50:18 [1hRIeA-000205-5o]: [0x9c239b80](user@mydomain.com)SF Policy Action: ACCEPT
MSG May 16 11:50:18 [1hRIeA-000205-5o]: move 'bG21Bl-VoKH2a-uO' to forwarder queue
MSG May 16 11:50:18 [1hRIeA-000205-5o]: bG21Bl-VoKH2a-uO <= thrifty.home@accupackindia.com R=1hRIeA-000205-5o
MSG May 16 11:50:18 [ MS-3790]: processing for 1hRIeA-000205-5o completed
MSG May 16 11:50:18 [ T_SMTPD-W]: [SMTPD] mail '1hRIeA-000205-5o-D' processed sucessfully
MSG May 16 11:50:18 [1hRIeA-0001zz-AC]: Sophos Antivirus Scanned result: Clean (file number:-1)
MSG May 16 11:50:18 [1hRIeA-0001zz-AC]: Avira Antivirus Scanned result: Clean (file number:-1)
CRT May 16 11:50:18 [ MS-3793]: missing filename in this MIME part !!!
CRT May 16 11:50:18 [ MS-3793]: missing filename in this MIME part !!!
MSG May 16 11:50:18 [1hRIeA-0001zz-AC]: [0x9b985b80] FROM: thrifty.home@wildlittlebear.com , TO: user@mydomain.com
MSG May 16 11:50:18 [1hRIeA-0001zz-AC]: [0x9b985b80](user@mydomain.com)SF Policy Action: ACCEPT
MSG May 16 11:50:18 [1hRIeA-0001zz-AC]: move 'z3zqlP-FlUFrx-YH' to forwarder queue
MSG May 16 11:50:18 [1hRIeA-0001zz-AC]: z3zqlP-FlUFrx-YH <= thrifty.home@wildlittlebear.com R=1hRIeA-0001zz-AC
MSG May 16 11:50:18 [1hRIe9-0001zz-OF]: Sophos Antivirus Scanned result: Clean (file number:-1)
MSG May 16 11:50:18 [1hRIe9-0001zz-OF]: Avira Antivirus Scanned result: Clean (file number:-1)
CRT May 16 11:50:18 [ MS-16658]: missing filename in this MIME part !!!
CRT May 16 11:50:18 [ MS-16658]: missing filename in this MIME part !!!
MSG May 16 11:50:18 [1hRIe9-0001zz-OF]: [0x9f816000] FROM: everything.camping@wildlittlebear.com , TO: users@mydomain.com
MSG May 16 11:50:18 [1hRIe9-0001zz-OF]: [0x9f816000](users@mydomain.com)SF Policy Action: ACCEPT
MSG May 16 11:50:18 [1hRIe9-0001zz-OF]: move '3pJlzF-RAsATs-8E' to forwarder queue
MSG May 16 11:50:18 [1hRIe9-0001zz-OF]: 3pJlzF-RAsATs-8E <= everything.camping@wildlittlebear.com R=1hRIe9-0001zz-OF
MSG May 16 11:50:18 [ MS-3793]: processing for 1hRIeA-0001zz-AC completed
MSG May 16 11:50:18 [ T_SMTPD-W]: [SMTPD] mail '1hRIeA-0001zz-AC-D' processed sucessfully
MSG May 16 11:50:18 [ MS-16658]: processing for 1hRIe9-0001zz-OF completed
MSG May 16 11:50:18 [ T_SMTPD-W]: [SMTPD] mail '1hRIe9-0001zz-OF-D' processed sucessfully
2019-05-16 11:50:19.074 [7693] SMTP connection from tealeaf.accupackindia.com [69.162.123.246]:57855 I=[mywanip]:25 closed by QUIT

 

Does anyone have any recommendations on how to diagnose this? 

Thanks much

Gary

 

Edit: 05/21/19 Opened a support case...
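
Added example, not part of the original post and not the vendor's tooling: a Python script that correlates the receive, spam-verdict and policy-action lines in a capture like the one above by message ID, then lists each source IP that ended in ACCEPT together with the DNSBL query name to look up for it. The sample lines are abridged from the capture above; `rbl.example.org` is a placeholder for whichever RBL zones are configured on the firewall.

```python
import re
from collections import defaultdict

# Sample lines abridged from the capture above (same message IDs, IPs, verdicts).
SAMPLE_LOG = """\
2019-05-16 11:50:14.095 [7670] 1hRIe5-0001zi-Ud <= smartshopper@accupackindia.com H=tealeaf.accupackindia.com [69.162.123.246]:17419 I=[mywanip]:25 P=esmtp
MSG May 16 11:50:14 [1hRIe5-0001zi-Ud]: spam scanning result: 'bulk spam'
MSG May 16 11:50:14 [1hRIe5-0001zi-Ud]: [0x9fafe38](userulkin@mydomain.com)SF Policy Action: QUARANTINE
2019-05-16 11:50:18.331 [7693] 1hRIeA-000205-5o <= thrifty.home@accupackindia.com H=tealeaf.accupackindia.com [69.162.123.246]:57855 I=[mywanip]:25 P=esmtp
MSG May 16 11:50:18 [1hRIeA-000205-5o]: spam scanning result: 'not spam'
MSG May 16 11:50:18 [1hRIeA-000205-5o]: [0x9c239b80](user@mydomain.com)SF Policy Action: ACCEPT
2019-05-16 11:50:18.200 [7687] 1hRIe9-0001zz-OF <= everything.camping@wildlittlebear.com H=yogi.wildlittlebear.com [69.162.123.245]:19777 I=[mywanip]:25 P=esmtp
MSG May 16 11:50:18 [1hRIe9-0001zz-OF]: spam scanning result: 'not spam'
MSG May 16 11:50:18 [1hRIe9-0001zz-OF]: [0x9f816000](users@mydomain.com)SF Policy Action: ACCEPT
"""

MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
RECV = re.compile(rf"\] ({MSGID}) <= (\S+) H=\S+ \[(\d+\.\d+\.\d+\.\d+)\]:\d+")
VERDICT = re.compile(rf"\[({MSGID})\]: spam scanning result: '([^']+)'")
ACTION = re.compile(rf"\[({MSGID})\]: \[0x[0-9a-f]+\]\(\S+?\)SF Policy Action: (\w+)")

def correlate(log_text):
    """Join receive, verdict and policy lines on the message ID."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        if m := RECV.search(line):
            msgs[m[1]].update(sender=m[2], ip=m[3])
        elif m := VERDICT.search(line):
            msgs[m[1]]["verdict"] = m[2]
        elif m := ACTION.search(line):
            msgs[m[1]]["action"] = m[2]
    return dict(msgs)

def accepted_sources(msgs):
    """Map each source IP to the message IDs whose policy action was ACCEPT."""
    by_ip = defaultdict(list)
    for mid, info in msgs.items():
        if info.get("action") == "ACCEPT" and "ip" in info:
            by_ip[info["ip"]].append(mid)
    return dict(by_ip)

def dnsbl_qname(ip, zone):
    """DNSBL lookups reverse the IPv4 octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

if __name__ == "__main__":
    for ip, mids in accepted_sources(correlate(SAMPLE_LOG)).items():
        # An A record in 127.0.0.0/8 for this name means "listed"; NXDOMAIN means not.
        print(ip, mids, dnsbl_qname(ip, "rbl.example.org"))  # placeholder zone
```

Resolving the printed names from the firewall's own DNS path (for example with `dig`) shows whether the list returns a hit for the same IP at the time the message was accepted.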

  • Hi  

    Apologies for this inconvenience. I would have suggested submitting this spam sample to our Labs for further investigation.

    Would it be possible to please PM me with your support case number so that I can follow up?

    Thanks,

  • In reply to FloSupport:

    I've submitted many samples, including a few just now. All of them have been successfully blocked on your end, I'm told. I'm now on my 3rd support rep, so it looks like I'm starting at square one again. My prior rep was able to read through the smtpd log, which was left in verbose mode by the first rep, and find that the firewall is properly checking the RBL providers I'm using. The emails should be dropped when there is a match, but it seems the XG is passing them along to the Exchange server instead. I'm told my configuration is correct, and it has been reviewed by the two prior reps. This has gone on far too long and I'm being pressured into looking at alternative providers. I don't think this one will be resolved. Many thanks to the reps and yourself for reaching out.

     

    Gary