MTA SPAM Alternating drop and accept
Most of the time when we receive spam mail, I'm seeing two entries appear for the mail, an accept followed by a drop. At first I thought this was how the MTA blade behaved, where it was accepting the mail to be scanned, but it looks like it's actually being allowed through. Our secondary spam filter appliance is seeing the accepted spam hit it, and is filtering them.
Our MTA is set to hold mails until scan is finished, 25 min max. Max disk usage of 70%. If limits are exceeded or in case of error, it is allowed.
Here's an example from last night where we were hit with ~6000 emails from a bad rep, where 3000 made it through to our secondary spam filter and were blocked.
Weird issue. I'm wondering if anyone here has any insight before opening a TAC case.
@NorthernNetGuy Can you please share more details - the full log cards of a single e-mail - one reject mail and one bypass mail? It might shed some light.
Thanks
I can't tell if they are from the same e-mail, but here are an adjacent accept and reject within the same second from the same source.
Here's a Reject:
And an Accept:
Can you check if you have some entries in the Allowed IP list / Blocked IP list?
We do have entries in the allowed IP list / Blocked IP list, none match the domain or address seen in this example.
We've added items in the block list when the MTA can't successfully detect the spam, and allow list when the false positives are excessive for some senders.
The 'fw ctl zdebug' command will have a performance impact, so I'll need to wait for an appropriate window, as we generally sit around 80% CPU and memory utilization throughout the work day (all blades enabled). I'll get this as soon as possible.
Sent you a PM with the relevant data
One of our customers is facing a similar issue; can you post the solution here?
WR,
Shira
Hi Shira,
There was no solution. We ended up removing MTA and migrated to a managed M365 service.