There is not much to explain about this service. It does what the name suggests. In the antispam logs, you can see information about the message and how it was evaluated through the antispam service.
In the Anti-spam log, you can see why an e-mail was (or wasn't) qualified as spam, and if it was rejected, you can see the reason there as well (bypassed, SPF reason, etc.).
How to read the antispam log
The antispam log is one of the easiest ones to read; the example below shows why.
The first excerpt is one communication with no spam message and only a successful service update. Communications with spam follow further down, in the various scenarios that might come up.
03:00:47 AS: Checking for a new update...
03:00:48 AS: Checking for new update done [1]
03:00:48 AS: Applying new update 24-1-23
03:00:49 AS: Applying new update done [1]
[00007F1BFF5F5700] 07:43:04 202301250743030216 '<sender@domain.com>' '<recipient@domain.com>' 1 score 0.00 reason [Bypass=T] action NONE
127.0.0.1 [00007F1BFF7F7700] 12:07:50 202301251207490222 '<sender@domain.com>' '<recipient@domain.com>' 1 score 0.00 reason [Bypass=T] action NONE
Communication Analysis
In the first four lines, we can see information about an update of the antispam service that was successful. There is not much to explain: the log says what is happening and the time when the update happened.
In the other two lines, we can see two communications that were scanned by the antispam service. On each line we see "score 0.00 reason [Bypass=T] action NONE", which is the most important information in the whole log. Here everything is fine because no spam was received, but when spam does arrive and you want to know why it was blocked, the reasons are on this line. In case you are wondering what [Bypass=T] means: the sender is Trusted.
Reason codes you will find here
Antispam logs are helpful mostly in 3 cases.
You can review the anti-spam settings and the criteria your server has set in the remote administrator console under Anti-spam -> Action.
1. You received the e-mail as spam from a valid sender:
Find the communication in the antispam log: check the time when you received the message and who the sender was, otherwise you will have a hard time finding it, because the antispam service checks every e-mail that comes in. An example communication is attached below, but be aware that this scenario can also come up when the sender is a spammer, so you have to know yourself that the sender is valid. If you are not sure, it is better to leave it be.
Example communication:
'<recipient@domain.com>(<senders@domain.com>)' '<recipient@domain.com>' 1 score 5.60 reason [SpamAssassin=4.10:(MIME_HTML_ONLY=0.10,SPF_FAIL=4.00,SPF_HELO_FAIL=0.00,HTML_MESSAGE=0.00),Other=1.50:Sender,Bypass=H] action SPAM
Analysis of the example communication:
In the line above, you can see the sender's e-mail address and the recipient's address; next to them is the evaluation score. Here the final score is 5.60, which is normally above the threshold for accepting the message.
SpamAssassin=4.10 means that the reason the message is evaluated this high is the work of SpamAssassin, and the list in parentheses gives the individual reasons. The crucial one here is SPF_FAIL=4.00, and the other contribution is Other=1.50.
The SPF reason means that the sending IP did not match the sender's domain. IceWarp recognized this and, as a protection against spoofers, the message was rejected.
The detail of the Other reason follows the ":"; here it is Sender. Bypass=H means this message is flagged as highly likely to be bulk mail.
Troubleshooting
The sender should check that everything is in order on their side and review their SPF records in DNS. If everything is correct and you trust the sender, you can bypass their domain so that its SPF records are not checked (or are ignored).
In the remote console this is under Mail -> Security -> General -> "B" next to "Reject if originator's domain is local and not authorized".
2. You did not receive an e-mail at all:
In this situation, check the SMTP log first. There you will see something like "blocked with antispam Action: Reject", but the reason why is found in the antispam log.
Piece of the example communication from the SMTP log (please note that this is just a regular refused message and we will not dig deeper; it is only what you would see in the SMTP log before looking into the antispam log afterwards):
<sender@domain.com>... Permission denied
<recipient@domain.com> <> 0 0 00:00:00 INCOMPLETE-SESSION
Disconnected
Analysis of the example communication: From the AntiSpam log
<sender@domain.com>' '<recipient@domain.com>' 1 score 9.10 reason [SpamAssassin=-1.90:(HTML_MESSAGE=0.00,BAYES_00=-1.90,SPF_PASS=0.00,SPF_HELO_PASS=0.00),Other=11.00:Body=R,Live=Y] action SPAM
In this case, you can see the final score was 9.10, and the reasons for it were SpamAssassin=-1.90 and Other=11.00:Body=R,Live=Y.
When the Other reason contributes a big score, the detail after ":" tells you what that reason was; here it is Body=R, and Live=Y.
Troubleshooting
Check the reason codes and review your SpamAssassin service settings on your server.
3. You received a spam message in your inbox:
In this situation, check the antispam log, find the message, and see what is missing or is extra for allowing the message to come through (for example, some not very well-specified rules allowed it).
Analysis of the example communication:
'<spammer@domain.com>(recipient <recipient@domain.com>)' '<2nd recipient@domain.com>' 1 score 6.00 reason [SPF = 6.00,Live=N,ContentFilter=Domains that are safe,Bypass=B] action NONE
The text after "reason" is always the most crucial part. Here we can see SPF = 6.00: this is most likely a spammer using a spoofing method. Live=N (check the reason codes for antispam Live), then ContentFilter="name of the filter/rule", then Bypass=B, and finally action NONE. This means you have an active content filter (a type of rule) that bypasses (trusts) the sender's domain, and therefore the message was delivered even though it scored as spam because of SPF.
Troubleshooting
Review your rules or content filters and ensure you want this one, for example.
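The following parser is an added example and not part of this article or of IceWarp's own tooling. It splits the "score ... reason [...] action ..." part of the verdict lines quoted above into their components and maps each line onto the three scenarios described here (SPF-driven spam, other-rule spam, and a scored message delivered because of a bypass). The sample lines are constructed from the article's examples, and the scenario labels are the example's own naming.

```python
import re

# Constructed sample lines, modelled on the ones quoted in this article.
SAMPLE_LOG = """\
[00007F1BFF5F5700] 07:43:04 202301250743030216 '<sender@domain.com>' '<recipient@domain.com>' 1 score 0.00 reason [Bypass=T] action NONE
'<recipient@domain.com>(<senders@domain.com>)' '<recipient@domain.com>' 1 score 5.60 reason [SpamAssassin=4.10:(MIME_HTML_ONLY=0.10,SPF_FAIL=4.00,SPF_HELO_FAIL=0.00,HTML_MESSAGE=0.00),Other=1.50:Sender,Bypass=H] action SPAM
'<sender@domain.com>' '<recipient@domain.com>' 1 score 9.10 reason [SpamAssassin=-1.90:(HTML_MESSAGE=0.00,BAYES_00=-1.90,SPF_PASS=0.00,SPF_HELO_PASS=0.00),Other=11.00:Body=R,Live=Y] action SPAM
'<spammer@domain.com>(recipient <recipient@domain.com>)' '<2nd recipient@domain.com>' 1 score 6.00 reason [SPF = 6.00,Live=N,ContentFilter=Domains that are safe,Bypass=B] action NONE
"""
VERDICT_RE = re.compile(r"score (?P<score>-?\d+\.\d+) reason \[(?P<reason>.*)\] action (?P<action>\w+)")
# A comma separates components only when it is not inside the SpamAssassin "(...)" rule list.
COMPONENT_SPLIT = re.compile(r",(?![^()]*\))")

def parse_reason(reason):
    """'SpamAssassin=4.10:(A=0.10,B=4.00),Other=1.50:Sender,Bypass=H' -> one dict entry per component."""
    out = {}
    for item in COMPONENT_SPLIT.split(reason):
        key, _, value = (s.strip() for s in item.partition("="))
        head, _, detail = value.partition(":")
        try:
            entry = {"score": float(head)}
        except ValueError:          # flags such as Bypass=T, Live=N, ContentFilter=<rule name>
            out[key] = value
            continue
        if detail.startswith("("):  # per-rule breakdown, e.g. SPF_FAIL=4.00
            entry["rules"] = {k: float(v) for k, v in (r.split("=") for r in detail[1:-1].split(","))}
        elif detail:                # e.g. Other=1.50:Sender or Other=11.00:Body=R
            entry["detail"] = detail
        out[key] = entry
    return out

def triage(line):
    """Map one verdict line onto the article's three scenarios; None for update/housekeeping lines."""
    m = VERDICT_RE.search(line)
    if not m:
        return None
    score, action, r = float(m["score"]), m["action"], parse_reason(m["reason"])
    sa_rules = r.get("SpamAssassin", {}).get("rules", {})
    spf_hit = sa_rules.get("SPF_FAIL", 0) > 0 or r.get("SPF", {}).get("score", 0) > 0
    if action == "NONE" and score > 0 and "Bypass" in r:
        return "delivered-by-bypass"   # scenario 3: a bypass or content-filter rule let a scored message through
    if action == "NONE":
        return "clean"
    return "spam-spf" if spf_hit else "spam-other"   # scenario 1 (SPF drove the score) vs scenario 2

def triage_log(text):
    return [v for v in (triage(l) for l in text.splitlines()) if v]
```

Running triage_log over a day's log and filtering for "delivered-by-bypass" gives the list of messages that only reached the inbox because of a trusted sender or content filter, which is exactly what scenario 3 asks you to review.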