
email quarantined (considered as spam), but unclear why

Hi all,

A lot of outgoing messages originating from the internal mail server are marked as spam, mostly auto-replies on mailboxes. It is unclear why this problem started recently.

2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="10.143.x.x" from="" to="replaced@gmail.com" subject="Automatisch antwoord: Ziek..." queueid="1hueVQ-0003Ew-CU" size="63346" reason="as" extra=""
2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: 1hueVO-0004bI-2A => work R=SCANNER T=SCANNERq
2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: 1hueVO-0004bI-2A Completed

This is an extract from the smtp.log; filtering on queueid, pid, ... does not reveal more useful information. Any idea how to identify the exact reason why these types of emails get quarantined? Are there other log files available? I tried working myself through the exim config file as well in order to understand how emails are processed, more specifically by the AVs (Sophos + Avira), but this does not provide any insights either.

Thx for your feedback on this.

Kr,

steven



  • Hi Steven,

    You may refer to this post by Douglas here: How to analyze the SMTP log file, or check this KBA: Sophos UTM: Most common issues for SMTP

    Specific to your concern, it looks to be detected by the Spam engine. I would recommend submitting any of the sample emails to our labs or creating a case with Sophos Support.

    Regards

    Jaydeep

  • Thx Jaydeep for the useful feedback.


    In the meantime I found it is the CTAS daemon considering the email as bulk and therefore being quarantined by smtpd.

    2019:08:05-17:02:34 utm-01-1 exim-in[17688]: 2019-08-05 17:02:34 1hueVO-0004bI-2A ctasd reports 'Bulk' RefID:str=0001.0A0B0211.5D4809AA.0060,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
    2019:08:05-17:02:34 utm-01-1 exim-in[17688]: 2019-08-05 17:02:34 1hueVO-0004bI-2A <= <> H=mail-01.domain.be [10.143.20.5]:55549 P=esmtps X=TLSv1.2:AES256-SHA:256 S=65224 id=fd2ba532ae6847269a70ee64840e23f5@MAIL-01.domein.be
    2019:08:05-17:02:35 utm-01-1 smtpd[12347]: QMGR[12347]: 1hueVO-0004bI-2A moved to work queue
    2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: 1hueVQ-0003Ew-CU <=  R=1hueVO-0004bI-2A P=INPUT S=63346
    2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="10.143.x.x" from="" to="destination@gmail.com" subject="Automatisch antwoord: Ziekte..." queueid="1hueVQ-0003Ew-CU" size="63346" reason="as" extra=""

    I logged a case with Sophos for this, but I was also wondering if there is any tool to get more insights in why this daemon considers this email as 'Bulk'?

    I've found a ctasd.bin command line binary which spawns some services, as well as a cloud-based analyzer URL: resolver%d.ast.ctmail.com. So can we use one of these tools and feed it with the specific email and get a more detailed output of the analysis?

    Thx,

    steven
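The correlation Steven did by hand above (following the scanner's `R=` reference back to the exim-in queue id to find the ctasd verdict) is easy to automate. The script below is an added example, not code from the thread or from Sophos: it reads smtp.log lines, links each `email quarantined` event to its parent exim-in message, and attaches the engine verdict, the RefID fields and the envelope sender/host. The sample log is the set of lines quoted in this thread (already anonymised there); the regexes for the queue-id format and the line layouts are assumptions based on those lines, and the meaning of the individual RefID fields (`ss`, `cl`, `cld`, ...) is not documented in the thread, so they are only split into a dict, not interpreted.

```python
import re

# Constructed sample input: the log lines quoted earlier in this thread.
SAMPLE_LOG = """\
2019:08:05-17:02:34 utm-01-1 exim-in[17688]: 2019-08-05 17:02:34 1hueVO-0004bI-2A ctasd reports 'Bulk' RefID:str=0001.0A0B0211.5D4809AA.0060,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
2019:08:05-17:02:34 utm-01-1 exim-in[17688]: 2019-08-05 17:02:34 1hueVO-0004bI-2A <= <> H=mail-01.domain.be [10.143.20.5]:55549 P=esmtps X=TLSv1.2:AES256-SHA:256 S=65224 id=fd2ba532ae6847269a70ee64840e23f5@MAIL-01.domein.be
2019:08:05-17:02:35 utm-01-1 smtpd[12347]: QMGR[12347]: 1hueVO-0004bI-2A moved to work queue
2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: 1hueVQ-0003Ew-CU <=  R=1hueVO-0004bI-2A P=INPUT S=63346
2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="10.143.x.x" from="" to="destination@gmail.com" subject="Automatisch antwoord: Ziekte..." queueid="1hueVQ-0003Ew-CU" size="63346" reason="as" extra=""
"""

# Assumed Exim-style queue id: 6-6-2 alphanumeric groups, as seen in the lines above.
QUEUE_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
KV_RE = re.compile(r'(\w+)="([^"]*)"')                       # key="value" pairs on the scanner event line
VERDICT_RE = re.compile(rf"({QUEUE_ID}) ctasd reports '([^']+)' RefID:(\S+)")
PARENT_RE = re.compile(rf"SCANNER\[\d+\]: ({QUEUE_ID}) <=\s+R=({QUEUE_ID})")
SENDER_RE = re.compile(rf"({QUEUE_ID}) <= (\S+) H=(\S+) \[([^\]]+)\]")


def parse_refid(refid):
    """Split 'str=...,ss=3,sh,re=0.000' into a dict; bare flags (like 'sh') map to True."""
    fields = {}
    for part in refid.split(","):
        key, sep, value = part.partition("=")
        fields[key] = value if sep else True
    return fields


def explain_quarantine(log_text):
    """Return one record per 'email quarantined' event, joined with its exim-in parent."""
    verdicts = {}   # exim-in queue id -> (verdict, RefID fields)
    parents = {}    # scanner queue id  -> exim-in queue id (from the R= reference)
    senders = {}    # exim-in queue id -> (envelope sender, HELO host, peer ip)
    events = []     # raw key=value dicts from the quarantine lines

    for line in log_text.splitlines():
        if m := VERDICT_RE.search(line):
            verdicts[m.group(1)] = (m.group(2), parse_refid(m.group(3)))
        elif m := PARENT_RE.search(line):          # must be tested before SENDER_RE
            parents[m.group(1)] = m.group(2)
        elif m := SENDER_RE.search(line):
            senders[m.group(1)] = (m.group(2), m.group(3), m.group(4))
        elif 'name="email quarantined"' in line:
            events.append(dict(KV_RE.findall(line)))

    results = []
    for ev in events:
        qid = ev.get("queueid")
        parent = parents.get(qid)
        verdict, refid = verdicts.get(parent, (None, None))
        sender, host, ip = senders.get(parent, (None, None, None))
        results.append({
            "queueid": qid,
            "parent": parent,
            "to": ev.get("to"),
            "subject": ev.get("subject"),
            "reason": ev.get("reason"),          # "as" on the page; Jaydeep reads this as the spam engine
            "engine_verdict": verdict,           # e.g. 'Bulk' from ctasd
            "refid": refid,
            "envelope_sender": sender,           # '<>' = empty sender, typical for auto-replies
            "sender_host": host,
            "sender_ip": ip,
        })
    return results


if __name__ == "__main__":
    for rec in explain_quarantine(SAMPLE_LOG):
        print(f"{rec['queueid']} (parent {rec['parent']}) to={rec['to']} "
              f"reason={rec['reason']} verdict={rec['engine_verdict']} "
              f"sender={rec['envelope_sender']} host={rec['sender_host']} [{rec['sender_ip']}]")
```

Run it against a real smtp.log by replacing `SAMPLE_LOG` with the file contents; an event with `engine_verdict` still `None` means the parent's ctasd line was not in the extract (grep the parent id across the whole log), which is the gap Steven ran into when filtering on the scanner's queue id alone.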

