
Scan relayed (outgoing) messages

We are having issues with V9.1 tagging outgoing mail as "confirmed" spam. Has anyone had this same issue?

[LOG]

2013:06:06-13:42:32 westerville-2 exim-in[14895]: 2013-06-06 13:42:32 [192.168.1.111] F= R= Accepted: from relay
2013:06:06-13:42:33 westerville-1 exim-in[8578]: 2013-06-06 13:42:33 SMTP connection from [186.105.220.111]:61419 (TCP/IP connection count = 1)
2013:06:06-13:42:33 westerville-2 exim-in[14895]: 2013-06-06 13:42:33 1UkeCm-0003sF-2u ctasd reports 'Confirmed' RefID:str=0001.0A090203.51B0CA09.00A6,ss=1,re=0.000,recu=0.000,reip=0.000,pt=R_336916,cl=4,cld=1,fgs=0
2013:06:06-13:42:33 westerville-2 exim-in[14895]: 2013-06-06 13:42:33 1UkeCm-0003sF-2u id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.168.1.111" from="nhayes@mengineering.us.com" to="Brett_Grobarz@gensler.com, bill_faasse@gensler.com" subject="RE: MS WFD exhaust fan" queueid="1UkeCm-0003sF-2u" size="50156" reason="as" extra="confirmed"
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [1\61] 2013-06-06 13:42:33 1UkeCm-0003sF-2u H=(Exch1.mengineering.local) [192.168.1.111]:58054 F= rejected after DATA
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [2\61] Envelope-from: 
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [3\61] Envelope-to: 
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [4\61]     
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [5\61] P Received: from [192.168.1.111] (port=58054 helo=Exch1.mengineering.local)
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [6\61]  by mail.mengineering.us.com with esmtps (TLSv1:AES128-SHA:128)
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [7\61]  (Exim 4.76)
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [8\61]  (envelope-from )
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [9\61]  id 1UkeCm-0003sF-2u; Thu, 06 Jun 2013 13:42:32 -0400
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [10\61] P Received: from EXCH1.mengineering.local ([::1]) by Exch1.mengineering.local
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [11\61]  ([::1]) with mapi id 14.03.0123.003; Thu, 6 Jun 2013 13:42:31 -0400
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [12\61]   X-CTCH-RefID: str=0001.0A090203.51B0CA09.00A6,ss=1,re=0.000,recu=0.000,reip=0.000,pt=R_336916,cl=4,cld=1,fgs=0
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [13\61] F From: nate hayes 
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [14\61] T To: Brett Grobarz , wayne krystek
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [15\61]  , Bill Faasse 
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [16\61] C CC: jason huffman 
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [17\61]   Subject: RE: MS WFD exhaust fan
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [18\61]   Thread-Topic: MS WFD exhaust fan
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [19\61]   Thread-Index: Ac5iGunm2uuXvJaLSuSUsjJsNn2h2wAA0izsAAIKbXAABOU23wACaXJAAB2wvGAAAMBt7QABIxiQAAB5vxAABbSLtwAAJK5w
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [20\61]   Date: Thu, 6 Jun 2013 17:42:30 +0000
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [21\61] I Message-ID: 
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [22\61]   References: 
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [23\61]  ,
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [24\61]  
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [25\61]  ,
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [26\61]  
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [27\61]  ,
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [28\61]  
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [29\61]   In-Reply-To: 
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [30\61]   Accept-Language: en-US
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [31\61]   Content-Language: en-US
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [32\61]   X-MS-Has-Attach:
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [33\61]   X-MS-TNEF-Correlator:
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [34\61]   mmsecondaryref:
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [35\61]   mmbmarkreviewed: false
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [36\61]   mmsavingsubject: RE: MS WFD exhaust fan
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [37\61]   mmdescription: MS Woodfield 12421202
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [38\61]   mmbispending: true
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [39\61]   mmbfileattseparate: true
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [40\61]   mm-guid: 90C5F611-F50B-4618-832E-7E84179B1508
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [41\61]   mmbremoveatt: true
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [42\61]   mmbfilenonunicode: false
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [43\61]   mmsuggestedguid: 86CC9936-6294-49FD-AE88-A8D83644FB92
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [44\61]   mmheaderversion: 4
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [45\61]   mmfilterid: DELL172
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [46\61]   mmbdeleteoriginalmsg: true
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [47\61]   mmrecipientinitial: BG et al
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [48\61]   mmrecipientname: Brett Grobarz et al
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [49\61]   mmsavingfilename: %Sent_Y%-%Sent_m%-%Sent_d%_%Sent_H%%Sent_M%%Sent_S%_%SenderName%_%Subject%
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [50\61]   mmbnotifyparticipants: false
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [51\61]   mmbsendtaskrequest: false
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [52\61]   mmlocation: 86CC9936-6294-49FD-AE88-A8D83644FB92
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [53\61]   mmparententryid: 00000000F7E4F9D1C62E3D49841CAFF5785F2319010043F08ADBAF355447A2CF84CDC3ED349200000002023E0000
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [54\61]   mmprimaryref:
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [55\61]   mmentryid: 00000000F7E4F9D1C62E3D49841CAFF5785F2319070043F08ADBAF355447A2CF84CDC3ED349200000002023E0000AEA5EDF35E175948B955948F233F5389000008E328170000
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [56\61]   mmid: 229
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [57\61]   mmuserinput:
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [58\61]   x-originating-ip: [192.168.1.63]
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [59\61]   Content-Type: multipart/alternative;
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [60\61]  boundary="_000_1E465F99E16BB04AA8071BF1B60E02C911FAFC78Exch1mengineeri_"
2013:06:06-13:42:33 westerville-2 exim-in[14895]: [61/61]   MIME-Version: 1.0
2013:06:06-13:42:33 westerville-2 exim-in[14895]: 2013-06-06 13:42:33 1UkeCm-0003sF-2u SMTP connection from (Exch1.mengineering.local) [192.168.1.111]:58054 closed by DROP in ACL


UTM 320 Cluster
Version: 9.101-12
Exchange 2010/13


This thread was automatically locked due to age.
  • Hi, Mike,

    Search here in the last day or two for a problem with Exchange 2013.  I wonder if this might be related, but my recollection is that it's a different issue.

    If this is happening only rarely, then have you gotten a look at any of these emails?  Apparently, CommTouch thinks the mail looks like a known spam that also has a calculated RefID:str of "0001.0A090203.51B0CA09.00A6" - I bet you could open a case with Sophos and get them to get you a copy of the known spam with that signature.

    Interesting case, please post back with the result.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
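To check how often this happens, as the reply above asks, the following added example (not part of the thread and not Sophos tooling) scans an SMTP log in the format posted in the question, keeps the `name="email rejected"` / `reason="as"` events whose `srcip` is an internal relay host, and joins each one to the `ctasd` RefID logged for the same queue ID. The function names and the `192.168.1.0/24` relay network are assumptions, and the RefID fields are treated as opaque key/value pairs.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the log above. The first message reuses the
# queue ID, relay IP and RefID from the question; everything else is made up.
SAMPLE_LOG = """\
2013:06:06-13:42:33 westerville-2 exim-in[14895]: 2013-06-06 13:42:33 1UkeCm-0003sF-2u ctasd reports 'Confirmed' RefID:str=0001.0A090203.51B0CA09.00A6,ss=1,re=0.000,recu=0.000,reip=0.000,pt=R_336916,cl=4,cld=1,fgs=0
2013:06:06-13:42:33 westerville-2 exim-in[14895]: 2013-06-06 13:42:33 1UkeCm-0003sF-2u id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.168.1.111" from="user1@example.com" to="rcpt@example.net" subject="RE: MS WFD exhaust fan" queueid="1UkeCm-0003sF-2u" size="50156" reason="as" extra="confirmed"
2013:06:06-14:05:10 westerville-2 exim-in[15002]: 2013-06-06 14:05:10 1UkeYa-0003ux-1k ctasd reports 'Confirmed' RefID:str=0001.0A090203.51B0CA09.00A6,ss=1,re=0.000,recu=0.000,reip=0.000,pt=R_336916,cl=4,cld=1,fgs=0
2013:06:06-14:05:10 westerville-2 exim-in[15002]: 2013-06-06 14:05:10 1UkeYa-0003ux-1k id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.168.1.111" from="user2@example.com" to="rcpt@example.net" subject="Quote" queueid="1UkeYa-0003ux-1k" size="2048" reason="as" extra="confirmed"
2013:06:06-14:09:41 westerville-1 exim-in[8601]: 2013-06-06 14:09:41 1UkecX-0003vQ-7m ctasd reports 'Confirmed' RefID:str=0001.0A0B0C0D.00000000.0000,ss=1
2013:06:06-14:09:41 westerville-1 exim-in[8601]: 2013-06-06 14:09:41 1UkecX-0003vQ-7m id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="203.0.113.7" from="spam@example.org" to="user1@example.com" subject="Offer" queueid="1UkecX-0003vQ-7m" size="900" reason="as" extra="confirmed"
"""

CTASD = re.compile(r"(\S+) ctasd reports '(\w+)' RefID:(\S+)")
FIELD = re.compile(r'(\w+)="([^"]*)"')

def relayed_spam_rejects(log, relay_nets=("192.168.1.0/24",)):
    """Return reason="as" rejections whose source IP is in an internal relay network."""
    nets = [ipaddress.ip_network(n) for n in relay_nets]  # assumed relay networks
    refids, events = {}, []
    for line in log.splitlines():
        m = CTASD.search(line)
        if m:  # remember the RefID key/value pairs for this queue ID
            refids[m.group(1)] = dict(p.split("=", 1) for p in m.group(3).split(","))
            continue
        ev = dict(FIELD.findall(line))
        if ev.get("name") == "email rejected" and ev.get("reason") == "as":
            events.append(ev)
    hits = []
    for ev in events:
        try:
            src = ipaddress.ip_address(ev.get("srcip", ""))
        except ValueError:
            continue  # no usable source address on this event
        if any(src in n for n in nets):
            ref = refids.get(ev.get("queueid"), {})
            hits.append({"queueid": ev.get("queueid"), "from": ev.get("from"),
                         "subject": ev.get("subject"), "verdict": ev.get("extra"),
                         "refid": ref.get("str")})
    return hits

def by_signature(hits):
    """Count relayed rejections per RefID str value."""
    return Counter(h["refid"] for h in hits)

if __name__ == "__main__":
    for refid, n in by_signature(relayed_spam_rejects(SAMPLE_LOG)).most_common():
        print(n, refid)
```

A single `str` value accounting for most relayed rejections gives one signature to quote in a support case; many different values from one sender are a reason to look at that host instead.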