
MTA SPAM Alternating drop and accept

Most of the time when we receive spam mail, I'm seeing two entries appear for the mail, an accept followed by a drop. At first I thought this was how the MTA blade behaved, where it was accepting the mail to be scanned, but it looks like it's actually being allowed through. Our secondary spam filter appliance is seeing the accepted spam hit it, and is filtering them.

Our MTA is set to hold mails until the scan is finished, 25 min max. Max disk usage of 70%. If limits are exceeded or in case of error, it is allowed.

Here's an example from last night where we were hit with ~6000 emails from a bad rep, where 3000 made it through to our secondary spam filter and were blocked.

2019-12-09_15h21_54.png

 

Weird issue. I'm wondering if anyone here has any insight before opening a TAC case.

Employee+

Re: MTA SPAM Alternating drop and accept

@David_Spencer Can you please share more details - the full log cards of a single e-mail - one reject mail and one bypass mail? It might shed some light.

Thanks


Re: MTA SPAM Alternating drop and accept

@TP_Master 

I can't tell if they are from the same e-mail, but here are adjacent accepts and rejects within the same second from the same source.

Here's a Reject:

2019-12-10_08h08_19.png

 

And an Accept:

2019-12-10_08h09_50.png

Employee+

Re: MTA SPAM Alternating drop and accept

Can you post here (or DM me) results of "fw ctl zdebug + mail"?

Can you check if you have some entries in the Allowed IP list / Blocked IP list?

Re: MTA SPAM Alternating drop and accept

We do have entries in the Allowed IP list / Blocked IP list, but none match the domain or address seen in this example.

We've added items in the block list when the MTA can't successfully detect the spam, and allow list when the false positives are excessive for some senders.

 

The 'fw ctl zdebug' command will be a performance impact, so I'll need to wait for an appropriate window, as we generally sit around 80% CPU and memory utilization throughout the work day (all blades enabled). I'll get this as soon as possible.

 


Re: MTA SPAM Alternating drop and accept

Sent you a PM with the relevant data
