From: FS on 8 Jun 2010 01:24

Hi everyone,

First of all, let me apologize in advance for the length of this post, but I wanted to give as much detail as I could...

I have an intermittent issue with my Exchange 2007 server. Every Saturday at 1am I have a scheduled task that runs a batch file to automatically reboot my Exchange box. The reason we do so is to refresh the server and services, which overall seems to make the system run smoother. At any rate, occasionally, more so rarely, the server will come back up and our spam software (GFI MailEssentials 14.0) begins falsely classifying many (not all) legit emails as spam. When I realized what was happening, I manually rebooted the server and things returned to normal. As I said, the issue only occurs rarely, but when it does, you can imagine, it really can cause havoc.

The GFI MailEssentials 14.0 Header Checking filter log indicated the following regarding the false positives:

"06/05/10 20:02:53","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:04:29","AntiSpam Header hecking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:07:47","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:07:47","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:07:48","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:09:24","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:17:23","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:17:23","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:17:23","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"

Now I'm not 100% positive if this is an Exchange issue or a GFI issue, but I was hoping to get a little feedback based on the header info I was able to gather.

*** Before Automated Server Reboot *** (when everything was running fine...)

Received: from company.com (10.0.0.2) by exch2007.domain.company.com (10.0.0.10)
 with Microsoft SMTP Server id 8.1.436.0; Fri, 4 Jun 2010 21:15:55 -0700
Date: Fri, 4 Jun 2010 21:15:55 -0700
From: <admin(a)company.com>
To: <user(a)company.com>
Subject: =?US-ASCII?Q?Log=20file=20from=20SonicWALL=20[HeadOffice]=20=20Part=201.?=
Content-Type: text/plain; charset="US-ASCII"
MIME-Version: 1.0
Message-ID: <adb6a01c-2708-422d-b541-c0145fd5dc89(a)exch2007.domain.company.com>
Return-Path: admin(a)company.com
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: company.com
X-GFI-SMTP-RemoteIP: 10.0.0.2

*** After Automated Server Reboot *** (when all hell broke loose...)

Microsoft Mail Internet Headers Version 2.0
Received: from company.com (10.0.0.2) by exch2007.domain.company.com (10.0.0.10)
 with Microsoft SMTP Server id 8.1.436.0; Sat, 5 Jun 2010 22:06:12 -0700
Date: Sat, 5 Jun 2010 22:06:12 -0700
From: <admin(a)company.com>
To: <user(a)company.com>
Subject: =?US-ASCII?Q?Log=20file=20from=20SonicWALL=20[HeadOffice]=20=20Part=201.?=
Content-Type: text/plain; charset="US-ASCII"
MIME-Version: 1.0
Message-ID: <c24f70b6-f2c6-4e23-8469-ec6c74288f6a(a)exch2007.domain.company.com>
Return-Path: admin(a)company.com
X-MS-Exchange-Organization-OriginalArrivalTime: 06 Jun 2010 05:06:12.8094 (UTC)
X-MS-Exchange-Organization-AuthSource: exch2007.domain.company.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: company.com
X-GFI-SMTP-RemoteIP: 10.0.0.2
X-MS-Exchange-Organization-OriginalSize: 31420
X-GFIME-MASPAM: SPAM

*** After Manual Server Reboot *** (things returned to normal...)

Received: from company.com (10.0.0.2) by exch2007.domain.company.com (10.0.0.10)
 with Microsoft SMTP Server id 8.1.436.0; Sun, 6 Jun 2010 22:00:34 -0700
Date: Sun, 6 Jun 2010 22:00:34 -0700
From: <admin(a)company.com>
To: <user(a)company.com>
Subject: =?US-ASCII?Q?Log=20file=20from=20SonicWALL=20[HeadOffice]=20=20Part=201.?=
Content-Type: text/plain; charset="US-ASCII"
MIME-Version: 1.0
Message-ID: <f459e2e6-f62a-4ba7-baab-3c5387db8308(a)exch2007.domain.company.com>
Return-Path: admin(a)company.com
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: company.com
X-GFI-SMTP-RemoteIP: 10.0.0.2

For whatever reason, when things weren't working, the following info was included in the headers:

Microsoft Mail Internet Headers Version 2.0
X-MS-Exchange-Organization-OriginalArrivalTime: 06 Jun 2010 05:06:12.8094 (UTC)
X-MS-Exchange-Organization-AuthSource: exch2007.domain.company.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-OriginalSize: 31420
X-GFIME-MASPAM: SPAM

Any help would be greatly appreciated.

Thanks in advance,
Fraser
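The manual header comparison in the post above, as an added example (not part of the original post, and not GFI or Exchange tooling): it parses a working and a failing capture, lists the headers that appear only in the failing one, and reads the From value that the filter log reports as empty. The samples are abbreviated from the post; the function names and the reading of the last log column as the reason are assumptions.

```python
import csv

# Abbreviated from the captures in the post; "(a)" is the page's own obfuscation.
GOOD = """\
Received: from company.com (10.0.0.2) by exch2007.domain.company.com (10.0.0.10)
 with Microsoft SMTP Server id 8.1.436.0; Fri, 4 Jun 2010 21:15:55 -0700
From: <admin(a)company.com>
To: <user(a)company.com>
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-RemoteIP: 10.0.0.2
"""
BAD = """\
Microsoft Mail Internet Headers Version 2.0
Received: from company.com (10.0.0.2) by exch2007.domain.company.com (10.0.0.10)
 with Microsoft SMTP Server id 8.1.436.0; Sat, 5 Jun 2010 22:06:12 -0700
From: <admin(a)company.com>
To: <user(a)company.com>
X-MS-Exchange-Organization-AuthSource: exch2007.domain.company.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-RemoteIP: 10.0.0.2
X-GFIME-MASPAM: SPAM
"""
LOG = ('"06/05/10 20:02:53","AntiSpam Header checking","n/a","user(a)company.com",'
       '"n/a","Moved to Exchange folder Spam","From field empty"')

def parse_headers(raw):
    """Return [(name, value)], unfolding continuation lines and skipping
    non-header banner lines such as "Microsoft Mail Internet Headers ..."."""
    headers = []
    for line in raw.strip().splitlines():
        if line[:1] in (" ", "\t") and headers:      # folded continuation
            name, value = headers[-1]
            headers[-1] = (name, f"{value} {line.strip()}")
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def extra_headers(good, bad):
    """Headers whose names occur in the failing capture but not the working one."""
    seen = {name.lower() for name, _ in good}
    return [(n, v) for n, v in bad if n.lower() not in seen]

def from_value(headers):
    """Value of the first From header, or "" if the header is absent."""
    return next((v for n, v in headers if n.lower() == "from"), "")

def log_reason(line):
    """Last CSV column of a filter log line (assumed to be the reason)."""
    return next(csv.reader([line]))[-1]
```

On these samples the only additions in the failing capture are the two X-MS-Exchange-Organization headers and X-GFIME-MASPAM, while the From value is the same non-empty string in both captures.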
From: Ed Crowley [MVP] on 8 Jun 2010 12:38

I wouldn't routinely reboot an Exchange server, especially in an unattended mode. Exchange is designed to run and run like the Energizer bunny.

If I were investigating the problem you're having, I would start with GFI.

--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."

"FS" <fshortt(a)msn.com> wrote in message news:TtkPn.96405$304.35494(a)newsfe12.iad...
> Hi everyone,
>
> First of all, let me apologize in advance for the length of this post, but
> I wanted to give as much detail as I could...
>
> I have an intermittent issue with my Exchange 2007 server. Every Saturday
> at 1am I have a scheduled task that runs a batch file to automatically
> reboot my Exchange box. The reason we do so is to refresh the server and
> services, which overall seems to make the system run smoother. At any
> rate, occasionally, more so rarely, the server will come back up and our
> spam software (GFI MailEssentials 14.0) begins falsely classifying many
> (not all) legit emails as spam. When I realized what was happening, I
> manually rebooted the server and things returned to normal. As I said,
> the issue only occurs rarely, but when it does, you can imagine, it really
> can cause havoc.