"Stopped by Reputation Filtering" without a connec

Pat_ironport
Level 1

We had a connection problem from our ASP to our local IronPort. No mails were transferred from 22:00 last night until 07:00 this morning.

How can it be that the overview statistic displays thousands of "Incoming Mail - Stopped by Reputation Filtering" in the time that we had no connection at all?

All the other categories
- Stopped as Invalid Recipients
- Spam Detected
- Virus Detected
- Stopped by Content Filter
are empty for this time.

Could someone explain this behaviour?

15 Replies

kluu_ironport
Level 2

Try running this "grep" query on the command line of your IronPort appliance.

Replace June 20th with the date that you're interested in, where there should not have been any connections. The grep below will show ICID connections for June 20th from 00:00 to 06:00 in the morning.

grep -e "Fri Jun 20 0[0-6]:.*ICID" mail_logs

For activity during this period, use this also:

grep -e "Fri Jun 20 0[0-6]:" mail_logs

Pat_ironport
Level 1

Thank you for this hint.
I will try it Monday@work and let you know the result.

Pat_ironport
Level 1

In the time between 22.00 and 07.00 we have only such entries:

Thu Jun 19 23:56:03 2008 Info: ICID 2365363 Address:  sender rejected, envelope sender domain could not be resolved
Thu Jun 19 23:56:16 2008 Info: New SMTP ICID 2365364 interface Incoming (1.1.1.1) address 2.2.2.2 reverse dns host unknown verified no
Thu Jun 19 23:56:16 2008 Info: ICID 2365364 ACCEPT SG None match 2.2.2.2 SBRS rfc1918
Thu Jun 19 23:56:16 2008 Warning: Received an invalid DNS Response: rcode=ServFail data="'O\\x8c\\x81\\x82\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0bbalitribune\\x03com\\x00\\x00\\x0f\\x00\\x01'" to IP 1.2.3.4 looking up balitribune.com
Thu Jun 19 23:56:20 2008 Info: New SMTP ICID 2365365 interface Incoming (1.1.1.1) address 2.2.2.2 reverse dns host unknown verified no
Thu Jun 19 23:56:20 2008 Info: ICID 2365365 ACCEPT SG None match 2.2.2.2 SBRS rfc1918
Thu Jun 19 23:56:27 2008 Warning: Received an invalid DNS Response: rcode=ServFail data="'\\xf2\\xa8\\x81\\x82\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\rconfidentgolf\\x03com\\x02au\\x00\\x00\\x0f\\x00\\x01'" to IP 1.2.3.5 looking up confidentgolf.com.au
Thu Jun 19 23:56:27 2008 Info: New SMTP ICID 2365366 interface Incoming (1.1.1.1) address 2.2.2.2 reverse dns host unknown verified no
Thu Jun 19 23:56:27 2008 Info: ICID 2365366 ACCEPT SG None match 2.2.2.2 SBRS rfc1918
Thu Jun 19 23:56:31 2008 Warning: Received an invalid DNS Response: rcode=ServFail data="'\\xb5\\xd8\\x81\\x82\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\nmoviesweep\\x03com\\x00\\x00\\x0f\\x00\\x01'" to IP 1.2.3.6 looking up moviesweep.com
Thu Jun 19 23:56:32 2008 Warning: Received an invalid DNS Response: rcode=ServFail data="'\\xae{\\x81\\x82\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0eNAVISINCONTROL\\x02RU\\x00\\x00\\x0f\\x00\\x01'" to IP 1.2.3.4 looking up NAVISINCONTROL.RU
Thu Jun 19 23:56:32 2008 Warning: Received an invalid DNS Response: rcode=ServFail data="'Eu\\x81\\x82\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x04lbia\\x03org\\x00\\x00\\x0f\\x00\\x01'" to IP 1.2.3.6 looking up lbia.org
Thu Jun 19 23:56:32 2008 Warning: Received an invalid DNS Response: rcode=ServFail data="'\\xdc\\xc9\\x81\\x82\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x0bbalitribune\\x03com\\x00\\x00\\x0f\\x00\\x01'" to IP 1.2.3.6 looking up balitribune.com
Thu Jun 19 23:56:32 2008 Info: ICID 2365358 Address: sender rejected, envelope sender domain could not be resolved
Thu Jun 19 23:56:34 2008 Info: ICID 2365348 lost
Thu Jun 19 23:56:34 2008 Info: ICID 2365348 close
Thu Jun 19 23:56:38 2008 Warning: Received an invalid DNS Response: rcode=ServFail data="'\\xd5\\x85\\x81\\x82\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x07epomail\\x03com\\x00\\x00\\x0f\\x00\\x01'" to IP 1.2.3.6 looking up epomail.com
Thu Jun 19 23:56:40 2008 Warning: Received an invalid DNS Response: rcode=ServFail data="'8y\\x81\\x82\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x07netsiam\\x03com\\x00\\x00\\x0f\\x00\\x01'" to IP 1.2.3.6 looking up netsiam.com
Thu Jun 19 23:56:42 2008 Info: New SMTP ICID 2365367 interface Incoming (1.1.1.1) address 2.2.2.2 reverse dns host unknown verified no
Thu Jun 19 23:56:42 2008 Info: ICID 2365367 ACCEPT SG None match 2.2.2.2 SBRS rfc1918
Thu Jun 19 23:56:45 2008 Warning: Received an invalid DNS Response: rcode=ServFail data="'\\xfb\\xa4\\x81\\x82\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x1221stcenturyaircrew\\x02co\\x02uk\\x00\\x00\\x0f\\x00\\x01'" to IP 1.2.3.5 looking up 21stcenturyaircrew.co.uk
Thu Jun 19 23:56:45 2008 Warning: Received an invalid DNS Response: rcode=ServFail data="'k\\xcf\\x81\\x82\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\rconfidentgolf\\x03com\\x02au\\x00\\x00\\x0f\\x00\\x01'" to IP 1.2.3.4 looking up confidentgolf.com.au
Thu Jun 19 23:56:47 2008 Info: ICID 2365341 lost
Thu Jun 19 23:56:47 2008 Info: ICID 2365341 close

(1.1.1.1 is the placeholder for our internal IronPort IP,
2.2.2.2 is the placeholder for the ASP sendmail application,
1.2.3.4-1.2.3.6 are placeholders for our internal DNS servers)

What do you think about the above lines?
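As an added example (not from this thread and not IronPort/Cisco code), a small Python parser for the mail_logs line shapes quoted above. It buckets per hour how many connections were opened and from which peers, which SBRS value they matched, and how many "envelope sender domain could not be resolved" rejections coincided with DNS ServFail warnings, so an outage window can be checked for whether the reputation counter is backed by external connections or only by DNS failures on relay traffic. The sample log lines and the relay address 2.2.2.2 are constructed.

```python
import re
from collections import Counter, defaultdict

# Line shapes follow the mail_logs excerpt quoted in the thread; the sample itself is constructed.
LINE_RE = re.compile(r"^\w{3} (?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<hh>\d{2}):\d\d:\d\d \d{4} \w+: (?P<msg>.*)$")
NEW_RE = re.compile(r"New SMTP ICID (\d+) interface \S+ \(\S+\) address (\S+) reverse dns host")
ACCEPT_RE = re.compile(r"ICID (\d+) ACCEPT SG \S+ match \S+ SBRS (\S+)")
REJECT_RE = re.compile(r"ICID (\d+) Address:\s+sender rejected, envelope sender domain could not be resolved")
SERVFAIL_RE = re.compile(r"rcode=ServFail .*to IP (\S+) looking up (\S+)")

SAMPLE_MAIL_LOGS = """\
Thu Jun 19 23:56:16 2008 Info: New SMTP ICID 2365364 interface Incoming (1.1.1.1) address 2.2.2.2 reverse dns host unknown verified no
Thu Jun 19 23:56:16 2008 Info: ICID 2365364 ACCEPT SG None match 2.2.2.2 SBRS rfc1918
Thu Jun 19 23:56:16 2008 Warning: Received an invalid DNS Response: rcode=ServFail data="'...'" to IP 1.2.3.4 looking up balitribune.com
Thu Jun 19 23:56:32 2008 Info: ICID 2365358 Address:  sender rejected, envelope sender domain could not be resolved
Fri Jun 20 02:10:05 2008 Info: New SMTP ICID 2365400 interface Incoming (1.1.1.1) address 2.2.2.2 reverse dns host unknown verified no
Fri Jun 20 02:10:05 2008 Info: ICID 2365400 ACCEPT SG None match 2.2.2.2 SBRS rfc1918
Fri Jun 20 02:10:07 2008 Warning: Received an invalid DNS Response: rcode=ServFail data="'...'" to IP 1.2.3.5 looking up example.test
Fri Jun 20 02:10:07 2008 Info: ICID 2365400 Address:  sender rejected, envelope sender domain could not be resolved
Fri Jun 20 09:15:00 2008 Info: New SMTP ICID 2365500 interface Incoming (1.1.1.1) address 2.2.2.2 reverse dns host unknown verified no
Fri Jun 20 09:15:00 2008 Info: ICID 2365500 ACCEPT SG None match 2.2.2.2 SBRS rfc1918
"""

def summarize(log_text):
    """Per hour ('Jun 20 02'): connections, peer IPs, SBRS values, sender rejections, DNS ServFails."""
    hours = defaultdict(lambda: {"connections": 0, "peers": set(), "sbrs": Counter(),
                                 "sender_rejects": 0, "dns_servfail": 0})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # truncated or unrelated line
        h, msg = hours[f"{m['mon']} {int(m['day']):02d} {m['hh']}"], m["msg"]
        if (n := NEW_RE.search(msg)):
            h["connections"] += 1
            h["peers"].add(n.group(2))
        elif (a := ACCEPT_RE.search(msg)):
            h["sbrs"][a.group(2)] += 1
        elif REJECT_RE.search(msg):
            h["sender_rejects"] += 1
        elif SERVFAIL_RE.search(msg):
            h["dns_servfail"] += 1
    return dict(hours)

def suspicious_hours(summary, relay_ips):
    """Hours where every connection came from the internal relay and each sender rejection
    had a DNS ServFail beside it: the counter rises without external mail, so check DNS first."""
    return sorted(k for k, h in summary.items()
                  if h["connections"] and h["peers"] <= set(relay_ips)
                  and h["sender_rejects"] and h["dns_servfail"] >= h["sender_rejects"])
```

On a real appliance, feed it the mail_logs files for the window in question and pass the relay's address as `relay_ips`; hours that come back are the ones to compare against the GUI counter.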

kluu_ironport
Level 2

Does the IronPort appliance only see connections from the ASP sendmail app? In other words, the ASP sendmail acts as a relay server and the IronPort only gets connections from that and not from the Internet directly. Also, the time only shows between 11pm and midnight. There were no connections at all between 0-7am. On the GUI interface, does it show any IP addresses/hosts that are categorized in "Stopped by reputation filtering"?


Pat_ironport
Level 1

Does the IronPort appliance only see connections from the ASP sendmail app? In other words, the ASP sendmail acts as a relay server and the IronPort only gets connections from that and not from the Internet directly.
Exactly!
Also, the time only shows between 11pm and midnight. There were no connections at all between 0-7am.

This is just a snippet. The log is full of these entries between 22:00 and 07:00. We got NOT ONE mail in this time.
On the GUI interface, does it show any IP addresses/hosts that are categorized in "Stopped by reputation filtering"?
Where exactly do I have to look/check for this information?

Are you sure the configured DNS servers worked properly during that timeframe?

It might just be coincidence, but there are a few too many DNS errors in there, if you ask me.

-T

kluu_ironport
Level 2

I would suggest that you ftp the mail_logs that pertain to that time to a workstation, open up one of those files in Wordpad/Textpad and just follow a few of the ICIDs and see what's occurring. Sometimes examining the logs for a 30 minute time span is more informative than just grepping the file.

Pat_ironport
Level 1

To be honest: I don't know.
I'm only sure that we haven't changed anything around DNS.
(I had a similar question about this here: https://www.ironportnation.com/forums/viewtopic.php?t=642 )
How could I check this in more detail?

We don't have any issues sending/receiving mails if the sendmail gateway from our ASP is working, so we didn't have a reason to follow it up.. :oops:

@kluu:
"Sometimes examining the logs for a 30 minute time span is more informative than just grepping the file.."
What exactly should I be looking for?
(I have opened the mail log in my UltraEdit, but I'm not that familiar with parsing/detecting a perfect mail flow).

pvdberg00
Level 1

Pat, what version of AsyncOS do you use? If you are using version 6 with on-box tracking you can check that specific period.

Pat_ironport
Level 1

Unfortunately, our (two) C100 are not capable of doing this 'on-box tracking'.
And our management doesn't accept my reasons to upgrade to a machine type that would help me on this issue. :?

Maybe next year ... :(

Hi Pat,
Add the IP address of your appliance into the RelayList. I'm guessing that you are using hostname information in the Sendergroup on your outbound listener.
What seems to be happening is that DNS couldn't do a reverse lookup, so it rejected your connection.

Please let me know if this works.

Pat_ironport
Level 1

@monkeymadness: Thank you for the hint.
Where exactly do I have to add the IPs of our IronPorts?
Which relay list do you mean? :oops:

I'm guessing that you are using hostname information in the Sendergroup on your outbound listener.
How can I check that?

Just to be sure:
After our ASP restarted a certain process, all the mails were processed as usual.

Should I add the IP address regardless of the above fact?
Thank you for your help :!:

Go to the HAT Overview from the Mail Policies tab. It now depends on whether you have 2 listeners or not: if you have 1 listener, then you should see a Sendergroup called "RelayList"; click on that and add your IP in there as a sender.
If you have 2 listeners, then from the HAT Overview you select the drop-down list and select "Outboundmail"; you will see a Sendergroup called "Relaylist" and you can add the IP address there.

Pat_ironport
Level 1

We have 2 listeners. On the "Outgoing Mail" listener we have 2 Sendergroups:
1) RELAYLIST with Mail Flow Policy RELAYED
2) ALL with Mail Flow Policy BLOCKED

In the RELAYLIST we have already added the IP addresses of all our internal Exchange servers.

Is this the point where I have to add the two IP addresses of our two IronPorts?

You wrote earlier:

I'm guessing that you are using hostname information in the Sendergroup on your outbound listener.  
How can I check that?

Thanks again for your patience and your help!