Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
NorthernNetGuy
Advisor

MTA SPAM Alternating drop and accept

Most of the time when we receive spam mail, I'm seeing two entries appears for the mail, and accept followed by a drop. At first I thought this was how the MTA blade behaved, where it was accepting the mail to be scanned, but it looks like it's actually being allowed through. Our secondary spam filter appliance is seeing the accepted spam hit it, and is filtering them.

Our MTA is set to hold mails until scan is finished, 25 min max. max disk usage of 70%. if limits are exceeded or in case of error, it is allowed.

Here's an example from last night where we we're hit with ~6000 emails from a bad rep, where 3000 made it through to our secondary spam filter and blocked.

2019-12-09_15h21_54.png

 

Weird issue. I'm wondering if anyone here has any insight before opening a TAC case.

7 Replies
TP_Master
Employee
Employee

@NorthernNetGuy  Can you please share more details - the full log cards of a single e-mail - one reject mail and one bypass mail? It might shed some light.

Thanks

NorthernNetGuy
Advisor

@TP_Master 

I can't tell if they are  from the same e-mail, but here are adjacents accepts and reject within the same second from the same source.

 

Heres a Reject:

2019-12-10_08h08_19.png

 

And an Accept:

2019-12-10_08h09_50.png

TP_Master
Employee
Employee

Can you post here (or DM me) results of "fw ctl zdebug + mail" ?

Can you check if you have some entries in the Allowed IP list / Blocked IP list ?
NorthernNetGuy
Advisor

We do have entries in the allowed IP list / Blocked IP list, none match the domain or address seen in this example.

We've added items in the block list when the MTA can't successfully detect the spam, and allow list when the false positives are excessive for some senders.

 

the 'fw ctl zdebug' command will be a performance impact, so I'll need to wait for an appropriate window, as we generally sit around 80% CPU and memory utilization throughout the work day (all blades enabled). I'll get this as soon as possible

 

NorthernNetGuy
Advisor

Sent you a PM with the relevant data

Shira
Participant

One of our customer-facing similar issue, can you post the solution here.

 

WR,

Shira

NorthernNetGuy
Advisor

Hi Shira,

 

There was no solution. We ended up removing MTA and migrated to a managed M365 services

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events