need help interpreting message_log

Hello. I need to find out why a particular message was quarantined. I got the following snippet from the message_log.

2010-02-18T10:43:38 q=o1I2harw009087 f=<luke@rebels.com> t=<vader@evilempire.com> h=RDNS_SUSP_MSGID h=MSGID_SPAM_5 h=HTML_70_90 h=BODY_SIZE_5000_5999 h=BODY_SIZE_7000_LESS h=INVALID_MSGID_NO_FQDN h=RDNS_NXDOMAIN h=RDNS_SUSP h=RDNS_SUSP_GENERIC h=__BOUNCE_CHALLENGE_SUBJ h=__BOUNCE_NDR_SUBJ_EXEMPT h=__CT h=__CTYPE_HAS_BOUNDARY h=__CTYPE_MULTIPART h=__CTYPE_MULTIPART_ALT h=__HAS_HTML h=__HAS_MSGID h=__HAS_X_MAILER h=__HTML_FONT_BLUE h=__MIME_HTML h=__MIME_VERSION h=__OUTLOOK_MSGID_1 h=__OUTLOOK_MUA h=__OUTLOOK_MUA_1 h=__SANE_MSGID h=__STYLE_RATWARE h=__STYLE_RATWARE_2 h=__TAG_EXISTS_HTML h=__TO_MALFORMED_2 h=__USER_AGENT_MS_GENERIC Size=7853 fur=0.0.0.0 vs p=0.825 pmx_action=quarantine,-,-,vader@evilempire.com,vader@evilempire.com r=[111.11.11.11] tm=0.81 a=d/eom

I don't know how to interpret this. Can someone help me with this? Or if you could point me to some documentation, that would be great too. Thank you.

- Pierre



Hello PierreE,

Since the message is quarantined, you can run a command line utility on the quarantined message to find out more information.

Locate the physical message in your quarantine:

It will reside on the server that quarantined it, in /opt/pmx/var/qdir/cur/[0-9]

You can find the ID for it either in the Manager interface or by creative grep'ing.

Once you have located the file, as the pmx user:

$ pmx-spam scan -v <FILENAME>

This will give you the most detailed verbose output about which rules caused the message to be quarantined.

You can send this output in to support, or put it up here and I can discuss what the rules mean and what may have caused it.

Off the top, I see you hit RDNS_SUSP_MSGID

If I go into the Manager, Policy -> Anti-Spam Rules -> Search for RDNS_SUSP_MSGID:

Message contains a ratware message-id pattern and arrived via a host with suspicious rDNS.

So message heuristics have determined the message-id looks spamish, and the sending MTA was most likely from an IP range that is dynamic, and should not be sending mail.

This is a very quick look, and the steps above will show in more depth why this message was quarantined.

Hope this helps!
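To make the message_log line from the question readable without guessing, and to check the reply's reading of it (the rDNS family of rules dominating the hits), here is a small parser. It is an added example, not PureMessage's own tooling. Field meanings are inferred from the sample line and are assumptions: q= is the queue ID, f= and t= the envelope sender and recipient, h= one hit rule per token, p= the spam probability, pmx_action= the action taken and its comma-separated arguments, r= the relay IP. It also assumes the SpamAssassin-style convention that rule names beginning with two underscores are non-scoring sub-rules used as building blocks by other rules. The fur=, vs, tm= and a= tokens are kept but not interpreted, since the page does not explain them.

```python
"""Parse a PureMessage message_log line and summarise why the message was actioned.

Added example, not PureMessage code.  Field meanings are inferred from the sample
line in the post (q, f, t, h, p, pmx_action, r); the "__" sub-rule convention is
assumed; fur=, vs, tm= and a= are preserved but not interpreted.
"""
import re
from dataclasses import dataclass, field

TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")

# Constructed copy of the line quoted in the question (addresses and IP are the
# post's own placeholders).
SAMPLE_LINE = (
    "2010-02-18T10:43:38 q=o1I2harw009087 f=<luke@rebels.com> t=<vader@evilempire.com> "
    "h=RDNS_SUSP_MSGID h=MSGID_SPAM_5 h=HTML_70_90 h=BODY_SIZE_5000_5999 "
    "h=BODY_SIZE_7000_LESS h=INVALID_MSGID_NO_FQDN h=RDNS_NXDOMAIN h=RDNS_SUSP "
    "h=RDNS_SUSP_GENERIC h=__BOUNCE_CHALLENGE_SUBJ h=__BOUNCE_NDR_SUBJ_EXEMPT h=__CT "
    "h=__CTYPE_HAS_BOUNDARY h=__CTYPE_MULTIPART h=__CTYPE_MULTIPART_ALT h=__HAS_HTML "
    "h=__HAS_MSGID h=__HAS_X_MAILER h=__HTML_FONT_BLUE h=__MIME_HTML h=__MIME_VERSION "
    "h=__OUTLOOK_MSGID_1 h=__OUTLOOK_MUA h=__OUTLOOK_MUA_1 h=__SANE_MSGID "
    "h=__STYLE_RATWARE h=__STYLE_RATWARE_2 h=__TAG_EXISTS_HTML h=__TO_MALFORMED_2 "
    "h=__USER_AGENT_MS_GENERIC Size=7853 fur=0.0.0.0 vs p=0.825 "
    "pmx_action=quarantine,-,-,vader@evilempire.com,vader@evilempire.com "
    "r=[111.11.11.11] tm=0.81 a=d/eom"
)


@dataclass
class LogEntry:
    timestamp: str
    fields: dict = field(default_factory=dict)      # single-valued keys, last value wins
    recipients: list = field(default_factory=list)  # every t= value, angle brackets stripped
    rules: list = field(default_factory=list)       # every h= value, in log order
    flags: list = field(default_factory=list)       # bare tokens such as "vs" (meaning not given)

    @property
    def scoring_rules(self):
        """Rules that contribute to the verdict (assumption: no '__' prefix)."""
        return [r for r in self.rules if not r.startswith("__")]

    @property
    def sub_rules(self):
        """Building-block rules referenced by other rules (assumption: '__' prefix)."""
        return [r for r in self.rules if r.startswith("__")]

    @property
    def spam_probability(self):
        return float(self.fields["p"]) if "p" in self.fields else None

    @property
    def action(self):
        """First comma-separated element of pmx_action, e.g. 'quarantine'."""
        raw = self.fields.get("pmx_action")
        return raw.split(",")[0] if raw else None


def parse_message_log_line(line):
    """Split a message_log line into timestamp, key=value fields, rules and flags."""
    tokens = line.split()
    if not tokens or not TIMESTAMP_RE.match(tokens[0]):
        raise ValueError("message_log line must start with an ISO-8601 timestamp")
    entry = LogEntry(timestamp=tokens[0])
    for tok in tokens[1:]:
        if "=" not in tok:
            entry.flags.append(tok)
            continue
        key, value = tok.split("=", 1)
        if key == "h":
            entry.rules.append(value)
        elif key == "t":
            entry.recipients.append(value.strip("<>"))
        elif key == "f":
            entry.fields[key] = value.strip("<>")
        elif key == "r":
            entry.fields[key] = value.strip("[]")
        else:
            entry.fields[key] = value
    return entry


def group_scoring_rules(entry):
    """Group scoring rules by their first name segment (RDNS, MSGID, HTML, ...)."""
    groups = {}
    for rule in entry.scoring_rules:
        groups.setdefault(rule.split("_", 1)[0], []).append(rule)
    return groups


def summarize(entry):
    """Human-readable explanation of a parsed entry."""
    lines = [
        f"queue id {entry.fields.get('q')} at {entry.timestamp}: "
        f"{entry.fields.get('f')} -> {', '.join(entry.recipients)}",
        f"relay {entry.fields.get('r')}, size {entry.fields.get('Size')} bytes, "
        f"spam probability {entry.spam_probability}, action {entry.action}",
        f"{len(entry.scoring_rules)} scoring rules, {len(entry.sub_rules)} sub-rules:",
    ]
    for family, rules in group_scoring_rules(entry).items():
        lines.append(f"  {family}: {', '.join(rules)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_message_log_line(SAMPLE_LINE)))
```

Run against the sample line it reports 9 scoring rules and 21 sub-rules, with four of the nine scoring hits in the RDNS family, which is why the reverse-DNS state of the relay at r= is the first thing to look at; the verbose `pmx-spam scan -v` output on the quarantined file is still the authoritative per-rule breakdown.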