This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NorthernNetGuy
Advisor
‎2019-12-09 12:50 PM

MTA SPAM Alternating drop and accept

Most of the time when we receive spam mail, I'm seeing two entries appears for the mail, and accept followed by a drop. At first I thought this was how the MTA blade behaved, where it was accepting the mail to be scanned, but it looks like it's actually being allowed through. Our secondary spam filter appliance is seeing the accepted spam hit it, and is filtering them.

Our MTA is set to hold mails until scan is finished, 25 min max. max disk usage of 70%. if limits are exceeded or in case of error, it is allowed.

Here's an example from last night where we we're hit with ~6000 emails from a bad rep, where 3000 made it through to our secondary spam filter and blocked.

2019-12-09_15h21_54.png

 

Weird issue. I'm wondering if anyone here has any insight before opening a TAC case.

0 Kudos
7 Replies
TP_Master
Employee
Employee
‎2019-12-10 12:26 AM

@NorthernNetGuy  Can you please share more details - the full log cards of a single e-mail - one reject mail and one bypass mail? It might shed some light.

Thanks

0 Kudos
NorthernNetGuy
Advisor
‎2019-12-10 05:11 AM
In response to TP_Master

@TP_Master 

I can't tell if they are  from the same e-mail, but here are adjacents accepts and reject within the same second from the same source.

 

Heres a Reject:

2019-12-10_08h08_19.png

 

And an Accept:

2019-12-10_08h09_50.png

0 Kudos
TP_Master
Employee
Employee
‎2019-12-10 06:00 AM
In response to NorthernNetGuy

Can you post here (or DM me) results of "fw ctl zdebug + mail" ?

Can you check if you have some entries in the Allowed IP list / Blocked IP list ?
0 Kudos
NorthernNetGuy
Advisor
‎2019-12-10 07:42 AM
In response to TP_Master

We do have entries in the allowed IP list / Blocked IP list, none match the domain or address seen in this example.

We've added items in the block list when the MTA can't successfully detect the spam, and allow list when the false positives are excessive for some senders.

 

the 'fw ctl zdebug' command will be a performance impact, so I'll need to wait for an appropriate window, as we generally sit around 80% CPU and memory utilization throughout the work day (all blades enabled). I'll get this as soon as possible

 

0 Kudos
NorthernNetGuy
Advisor
‎2019-12-11 05:36 AM
In response to TP_Master

Sent you a PM with the relevant data

0 Kudos
Shira
Participant
‎2022-04-13 12:16 AM
In response to NorthernNetGuy

One of our customer-facing similar issue, can you post the solution here.

 

WR,

Shira

0 Kudos
NorthernNetGuy
Advisor
‎2022-07-20 09:28 AM
In response to Shira

Hi Shira,

 

There was no solution. We ended up removing MTA and migrated to a managed M365 services

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events