
outgoing mail to IBM marked as SPAM (confirmed)

9.104-17

Started this morning.  Any mail that any internal user sends to us.ibm.com is coming back immediately as undeliverable.  I looked in the SMTP log and it shows  rejected from our exchange server to us.ibm.com for reason SPAM (confirmed).

How can I get more info like why it's confirmed spam?

It was like this for about 2 hours, then suddenly they started going through again.

Ideas?


  • Please show the lines from the SMTP log file related to one of these rejections.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Can I get this info from Mail Manager "SMTP LOG"?  Or do I need to open the actual log file?
  • The actual file in 'Reporting & Logging' shows the details of the transaction.  Mail Manager just shows the end result, but, it's where I start in a situation like this so I can jump to a specific area of the file.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 2013:08:13-10:51:31 utm-1 exim-in[18043]: 2013-08-13 10:51:31 [10.3.40.21] F= R= Accepted: from relay
    2013:08:13-10:51:31 utm-1 exim-in[18043]: 2013-08-13 10:51:31 1V9Gsd-0004h1-18 ctasd reports 'Confirmed' RefID:str=0001.0A020203.520A5603.00C9,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12
    2013:08:13-10:51:31 utm-1 exim-in[18043]: 2013-08-13 10:51:31 1V9Gsd-0004h1-18 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="10.3.40.21" from="myuser@mydomain.com" to="(removed)@us.ibm.com" subject="Test" queueid="1V9Gsd-0004h1-18" size="3759" reason="as" extra="confirmed"
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [1\27] 2013-08-13 10:51:31 1V9Gsd-0004h1-18 H=ex01.myinternaldomain.loc (smtp01.mydomain.com) [10.3.40.21]:26469 F= rejected after DATA
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [2\27] Envelope-from: 
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [3\27] Envelope-to: 
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [4\27] P Received: from ex01.myinternaldomain.loc ([10.3.40.21]:26469 helo=smtp01.mydomain.com)
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [5\27]  by smtp01.mydomain.com with esmtps (TLSv1:AES128-SHA:128)
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [6\27]  (Exim 4.76)
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [7\27]  (envelope-from )
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [8\27]  id 1V9Gsd-0004h1-18
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [9\27]  for (removed)@us.ibm.com; Tue, 13 Aug 2013 10:51:31 -0500
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [10\27] P Received: from EX01.myinternaldomain.loc ([10.3.40.21]) by ex01.myinternaldomain.loc ([10.3.40.21]) with
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [11\27]  mapi id 14.03.0146.000; Tue, 13 Aug 2013 10:51:31 -0500
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [12\27]   X-CTCH-RefID: str=0001.0A020203.520A5603.00C9,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [13\27] F From: Leslie Hattig 
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [14\27] T To: "Dan Crump ((removed)@us.ibm.com)" 
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [15\27]   Subject: Test
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [16\27]   Thread-Topic: Test
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [17\27]   Thread-Index: Ac6YPPthYj2/ZfceR1+Oohy7+jGL7w==
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [18\27]   Date: Tue, 13 Aug 2013 15:51:30 +0000
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [19\27] I Message-ID: 
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [20\27]   Accept-Language: en-US
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [21\27]   Content-Language: en-US
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [22\27]   X-MS-Has-Attach:
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [23\27]   X-MS-TNEF-Correlator:
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [24\27]   x-originating-ip: [206.83.48.8]
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [25\27]   Content-Type: multipart/alternative;
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [26\27]  boundary="_000_A089A07676BD7A4A9249BF6B09746966A5FF8742ex01m3loc_"
    2013:08:13-10:51:31 utm-1 exim-in[18043]: [27/27]   MIME-Version: 1.0
    2013:08:13-10:51:31 utm-1 exim-in[18043]: 2013-08-13 10:51:31 1V9Gsd-0004h1-18 SMTP connection from ex01.myinternaldomain.loc (smtp01.mydomain.com) [10.3.40.21]:26469 closed by DROP in ACL
  • ctasd reports 'Confirmed' is what I was looking for, and I see now that your original email had that information in it, but I didn't read it closely enough.  If you look in the file above the first line here, you'll see something like "RefID:str=0001.0A010208.520A6F45.0035,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0".  That was sent to CommTouch, and they reported a match with known spam.  After a while, their system corrected itself.

    When one sees this, it's possible to get the situation cleared more quickly by selecting the emails on the 'SMTP Quarantine' tab and using the 'Release and report as false positive' selection.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
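As an added example (not from the thread, Sophos, or CommTouch), a small Python parser that does what Bob describes by hand: it joins each `ctasd reports` line with the matching `email rejected` event by queue id, and then groups the `reason="as" extra="confirmed"` rejections by recipient domain so a burst of confirmed rejections of local senders to one destination stands out as the false-positive pattern. The log lines are constructed, modelled on the ones posted above, with placeholder queue ids, RefIDs and addresses.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the UTM exim-in lines in the thread
# (queue ids, RefIDs and addresses are placeholders, not real values).
SAMPLE_LOG = """\
2013:08:13-10:51:31 utm-1 exim-in[18043]: 2013-08-13 10:51:31 1V9Gsd-0004h1-18 ctasd reports 'Confirmed' RefID:str=0001.0A020203.520A5603.00C9,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12
2013:08:13-10:51:31 utm-1 exim-in[18043]: 2013-08-13 10:51:31 1V9Gsd-0004h1-18 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="10.3.40.21" from="myuser@mydomain.com" to="someone@us.ibm.com" subject="Test" queueid="1V9Gsd-0004h1-18" size="3759" reason="as" extra="confirmed"
2013:08:13-10:53:05 utm-1 exim-in[18051]: 2013-08-13 10:53:05 1V9GuA-0004h7-3Q ctasd reports 'Confirmed' RefID:str=0001.0A020203.520A5661.00D2,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12
2013:08:13-10:53:05 utm-1 exim-in[18051]: 2013-08-13 10:53:05 1V9GuA-0004h7-3Q id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="10.3.40.21" from="other@mydomain.com" to="another@us.ibm.com" subject="Re: order" queueid="1V9GuA-0004h7-3Q" size="5120" reason="as" extra="confirmed"
2013:08:13-10:54:40 utm-1 exim-in[18055]: 2013-08-13 10:54:40 1V9Gvj-0004hA-0b ctasd reports 'Unknown' RefID:str=0001.0A020203.520A56C0.00E0,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
"""

# "<queueid> ctasd reports '<verdict>' RefID:<token>" as in the posted log
CTASD_RE = re.compile(r" (\S+) ctasd reports '(\w+)' RefID:(\S+)")
# key="value" pairs of the structured "email rejected" event
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def summarize(log_text):
    """Join each ctasd verdict with the matching 'email rejected' event by queue id."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = CTASD_RE.search(line)
        if m:
            qid, verdict, refid = m.groups()
            msgs[qid].update(verdict=verdict, refid=refid)
            continue
        if 'name="email rejected"' in line:
            kv = dict(KV_RE.findall(line))
            msgs[kv["queueid"]].update(sender=kv.get("from"), rcpt=kv.get("to"),
                                       reason=kv.get("reason"), extra=kv.get("extra"))
    return dict(msgs)

def confirmed_rejects_by_rcpt_domain(msgs, min_count=2):
    """Recipient domains with at least min_count confirmed anti-spam rejections.

    reason="as" with extra="confirmed" is what the thread's rejection shows; a
    cluster of these to one destination from local senders is the pattern to
    release and report as a false positive from the SMTP Quarantine tab.
    """
    by_domain = defaultdict(list)
    for qid, info in msgs.items():
        if info.get("reason") == "as" and info.get("extra") == "confirmed":
            by_domain[info["rcpt"].split("@")[-1].lower()].append((qid, info.get("refid")))
    return {d: v for d, v in by_domain.items() if len(v) >= min_count}

if __name__ == "__main__":
    for dom, hits in confirmed_rejects_by_rcpt_domain(summarize(SAMPLE_LOG)).items():
        print(dom, [qid for qid, _ in hits])
```

Run it against the real file from 'Reporting & Logging' by reading the file into `summarize()` instead of `SAMPLE_LOG`; the RefID in each hit is the token to quote when reporting the false positive.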