04-04-2017 11:53 PM
I would like to inquire about the Outgoing Mail Summary. I checked Overview > Outgoing Mail Summary and we have 10 Spam Detected, and when I look at it under Outgoing sender it shows "unknown domain".
Can you explain to me what this "unknown domain" means, and how outgoing mail becomes "unknown domain" when it should have our domain when sending mail?
Also, when I checked it in Message Tracking with the Envelope header as our domain and spam positive, it does not show anything.
Please help me on this.
Thank you.
04-05-2017 05:38 AM
Hi Mady,
This is usually a DNS issue. Most commonly, the "unknown domain" is shown in the Outgoing Senders - Domain page because ESA is performing a DNS reverse lookup for the connecting IP address and cannot resolve this IP address to a matching domain name. This happens either because there is no entry in DNS for this IP address, or because ESA cannot successfully perform any DNS lookups due to connectivity issues with DNS Server(s). As DNS resolution fails, ESA will report unknown domain for this IP address.
If you review the Online Help under Help and Support from the Web UI and search for the required reports.
Spam Messages Detected: The total count of messages detected by the anti-spam scanning engine as positive or suspect and also those that were both spam and virus positive.
So you could try searching again for anti-spam positive, suspect as well as virus positive.
Thank You!
Libin Varghese
04-05-2017 06:10 AM
Hi Libin,
Thanks for your reply. I am just new to ESA; can you share how I can check which IP is the connecting IP on the ESA? Is there a way that I can proactively check the DNS records of that connecting IP?
Thank you. :)
Mady
04-05-2017 06:25 AM
The mail_log should show that the connecting internal mail server is not resolved in DNS.
Thu Sep 24 18:14:19 2009 Info: New SMTP ICID 27290217 interface outbound (192.168.10.10) address 192.168.10.20 reverse dns verified no
Successfully it should look like this:
Thu Sep 24 18:14:19 2009 Info: New SMTP ICID 27290217 interface outbound (192.168.10.10) address 192.168.10.20 reverse dns host mail.domain.com verified yes
If you know the sending server IP address, you can look up PTR records for it using a command such as the one below:
nslookup 192.168.10.20
If you are unsure of the IP, you could grep the mail_logs for a specific date, such as below.
grep "Sep 24.*reverse dns verified no" mail_logs
This would display all lines with the date Sep 24 and reverse dns verified no.
If these are outgoing emails the IP address/hostname should be listed under Mail Policies -> HAT Overview -> Relaylist.
- Libin V
04-05-2017 05:46 PM
Hi Libin,
Thank you for your inputs :) will follow your recommendations.
Mady
04-06-2017 08:48 PM
Hi Libin,
I confirmed that the mail server has no DNS entry and there is only one mail server entry on the relay list. I'm just confused why ESA only tags a few spam messages as "unknown domain". How about the good email, why is that not tagged as unknown? Both spam and good email come from the same mail server.
Regards,
Miradel
04-07-2017 08:55 AM
I would suspect there was a result for the DNS query at some point which was logged as the domain name.
The mail log should show that the connecting internal mail server is not resolved in DNS.
Thu Sep 24 18:14:19 2009 Info: New SMTP ICID 27290217 interface outbound (192.168.10.10) address 192.168.10.20 reverse dns verified no
Successfully it should look like this:
Thu Sep 24 18:14:19 2009 Info: New SMTP ICID 27290217 interface outbound (192.168.10.10) address 192.168.10.20 reverse dns host mail.domain.com verified yes
Try to narrow down the report to a certain period of time and look for successful verification in the mail logs being generated from the same server.
- Libin V
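Added example (not part of the original thread, and not Cisco tooling): a Python sketch of the log review suggested in the replies above, run offline over exported mail_logs. It tallies "verified yes" and "verified no" per connecting address to show whether one relay resolved at some times and failed at others. The sample lines are constructed from the two formats quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches "New SMTP ICID" lines in the format quoted in this thread.
# "host <name>" is optional because the failing line quoted above has none.
LINE_RE = re.compile(
    r"New SMTP ICID (?P<icid>\d+) interface (?P<iface>\S+) \((?P<iface_ip>[^)]+)\) "
    r"address (?P<addr>\S+) reverse dns(?: host (?P<host>\S+))? "
    r"verified (?P<verified>yes|no)\s*$"
)

# Constructed sample input (timestamps, ICIDs and the .21 address are made up).
SAMPLE_LOG = """\
Thu Sep 24 18:14:19 2009 Info: New SMTP ICID 27290217 interface outbound (192.168.10.10) address 192.168.10.20 reverse dns verified no
Thu Sep 24 18:15:02 2009 Info: New SMTP ICID 27290218 interface outbound (192.168.10.10) address 192.168.10.20 reverse dns host mail.domain.com verified yes
Thu Sep 24 18:15:40 2009 Info: ICID 27290218 close
Thu Sep 24 18:16:11 2009 Info: New SMTP ICID 27290219 interface outbound (192.168.10.10) address 192.168.10.21 reverse dns verified no
Thu Sep 24 18:17:45 2009 Info: New SMTP ICID 27290220 interface outbound (192.168.10.10) address 192.168.10.20 reverse dns verified no
"""


def summarize(lines):
    """Return {address: {"yes": n, "no": n, "hosts": set, "failed_icids": list}}."""
    stats = defaultdict(
        lambda: {"yes": 0, "no": 0, "hosts": set(), "failed_icids": []}
    )
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection-open line
        entry = stats[m["addr"]]
        entry[m["verified"]] += 1
        if m["host"]:
            entry["hosts"].add(m["host"])
        if m["verified"] == "no":
            # Keep the ICID so the connection can be followed in the same log.
            entry["failed_icids"].append(m["icid"])
    return dict(stats)


def intermittent(stats):
    """Addresses whose PTR lookup both succeeded and failed in the log."""
    return sorted(a for a, s in stats.items() if s["yes"] and s["no"])


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for addr, s in sorted(result.items()):
        print(addr, "yes:", s["yes"], "no:", s["no"], "hosts:", sorted(s["hosts"]))
    print("intermittent:", intermittent(result))
```

An address listed as intermittent points to DNS reachability from the ESA rather than a missing PTR record; an address with only "no" results points to the missing record.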
04-21-2017 07:09 AM
The unknown issue seems to be a DNS reverse lookup issue, but it is best not to enable Antispam for the outgoing mail policy since it is designed mainly for the Incoming Mail Policy and could create false positives.
If you are worried about mass spam emails sent out by internal users, it would be best to set a message flow restriction in your Relayed Mail Flow Policy per user.