Home » Kerio User Forums » Kerio Connect » QUEUE filling up
  •  
linuxbox

Hello, we get a lot of connections from spammers sending to addresses that simply do not exist. I have some examples below and this goes on like every second all day/night. 99.9% of the connections are not made from here within the U.S. The problem that exists is that when, on the SpamAssassin tab, the checkbox is checked to check every incoming message in the spam URI Realtime Blocklist, my queue is filling up with hundreds of emails that are waiting to get sent (actually 1500 yesterday). What I've seen is that when I look at "message queue" under the "status" option on the left then click on the "message queue processing" tab, all of the messages are stuck on "content filter" under the "status" field. If I remove the check though on the SpamAssassin tab and not have it use the spam URI realtime blocklist, this goes away. Didn't know if anyone had ever experienced anything like that or not or what the possible cause could be.

thanks


[30/May/2009 08:10:19] Recv: Queue-ID: 4a21303a-0000a002, Service: SMTP, From: <laowco<_a.t_>bradleyandassociates.com>, To: <djx<_a.t_>mydomain.com>, Size: 1951, Sender-Host: 82.206.160.70
[30/May/2009 08:10:19] Recv: Queue-ID: 4a21303a-0000a002, Service: SMTP, From: <laowco<_a.t_>bradleyandassociates.com>, To: <dond<_a.t_>mydomain.com>, Size: 1951, Sender-Host: 82.206.160.70
[30/May/2009 08:10:19] Recv: Queue-ID: 4a21303a-0000a002, Service: SMTP, From: <laowco<_a.t_>bradleyandassociates.com>, To: <dstevenson<_a.t_>mydomain.com>, Size: 1951, Sender-Host: 82.206.160.70
[30/May/2009 08:10:19] Recv: Queue-ID: 4a21303a-0000a002, Service: SMTP, From: <laowco<_a.t_>bradleyandassociates.com>, To: <dthompson<_a.t_>mydomain.com>, Size: 1951, Sender-Host: 82.206.160.70
[30/May/2009 08:10:19] Recv: Queue-ID: 4a21303a-0000a002, Service: SMTP, From: <laowco<_a.t_>bradleyandassociates.com>, To: <dthompsonnn<_a.t_>mydomain.com>, Size: 1951, Sender-Host: 82.206.160.70
[30/May/2009 08:10:20] Recv: Queue-ID: 4a21303a-0000a001, Service: SMTP, From: <wiliehu<_a.t_>blinds-to-go.com>, To: <eb48f<_a.t_>mydomain.com>, Size: 2063, Sender-Host: 82.206.160.70
[30/May/2009 08:10:20] Recv: Queue-ID: 4a21303a-0000a001, Service: SMTP, From: <wiliehu<_a.t_>blinds-to-go.com>, To: <ebster<_a.t_>mydomain.com>, Size: 2063, Sender-Host: 82.206.160.70
[30/May/2009 08:10:20] Recv: Queue-ID: 4a21303a-0000a001, Service: SMTP, From: <wiliehu<_a.t_>blinds-to-go.com>, To: <ebstern<_a.t_>mydomain.com>, Size: 2063, Sender-Host: 82.206.160.70
[30/May/2009 08:10:20] Recv: Queue-ID: 4a21303a-0000a001, Service: SMTP, From: <wiliehu<_a.t_>blinds-to-go.com>, To: <ebsternn<_a.t_>mydomain.com>, Size: 2063, Sender-Host: 82.206.160.70
[30/May/2009 08:10:20] Recv: Queue-ID: 4a21303a-0000a001, Service: SMTP, From: <wiliehu<_a.t_>blinds-to-go.com>, To: <elln<_a.t_>mydomain.com>, Size: 2063, Sender-Host: 82.206.160.70
[30/May/2009 08:10:20] Recv: Queue-ID: 4a21303a-0000a001, Service: SMTP, From: <wiliehu<_a.t_>blinds-to-go.com>, To: <ellnn<_a.t_>mydomain.com>, Size: 2063, Sender-Host: 82.206.160.70
[30/May/2009 08:11:16] Recv: Queue-ID: 4a213071-0000a036, Service: SMTP, From: <welterweights244<_a.t_>local.net.nz>, To: <ter<_a.t_>mydomain.com>, Size: 3470, Sender-Host: 41.221.16.149
[30/May/2009 08:11:16] Recv: Queue-ID: 4a213071-0000a036, Service: SMTP, From: <welterweights244<_a.t_>local.net.nz>, To: <spierce<_a.t_>mydomain.com>, Size: 3470, Sender-Host: 41.221.16.149
[30/May/2009 08:11:16] Recv: Queue-ID: 4a213071-0000a036, Service: SMTP, From: <welterweights244<_a.t_>local.net.nz>, To: <spierced<_a.t_>mydomain.com>, Size: 3470, Sender-Host: 41.221.16.149
[30/May/2009 08:11:16] Recv: Queue-ID: 4a213071-0000a036, Service: SMTP, From: <welterweights244<_a.t_>local.net.nz>, To: <spiercedd<_a.t_>mydomain.com>, Size: 3470, Sender-Host: 41.221.16.149
[30/May/2009 08:11:28] Recv: Queue-ID: 4a21307f-0000a042, Service: SMTP, From: <kefxenacomdiz<_a.t_>xenacom.net>, To: <charlie<_a.t_>mydomain.com>, Size: 845, Sender-Host: 78.176.43.22
[30/May/2009 08:11:28] Recv: Queue-ID: 4a21307f-0000a042, Service: SMTP, From: <kefxenacomdiz<_a.t_>xenacom.net>, To: <boydomycy<_a.t_>mydomain.com>, Size: 845, Sender-Host: 78.176.43.22
[30/May/2009 08:11:28] Recv: Queue-ID: 4a21307f-0000a042, Service: SMTP, From: <kefxenacomdiz<_a.t_>xenacom.net>, To: <delliott<_a.t_>mydomain.com>, Size: 845, Sender-Host: 78.176.43.22
[30/May/2009 08:11:28] Recv: Queue-ID: 4a21307f-0000a042, Service: SMTP, From: <kefxenacomdiz<_a.t_>xenacom.net>, To: <delliottd<_a.t_>mydomain.com>, Size: 845, Sender-Host: 78.176.43.22
[30/May/2009 08:11:28] Recv: Queue-ID: 4a21307f-0000a042, Service: SMTP, From: <kefxenacomdiz<_a.t_>xenacom.net>, To: <delliottdd<_a.t_>mydomain.com>, Size: 845, Sender-Host: 78.176.43.22
  •  
Pavel Dobry (Kerio)

Is there any particular reason for receiving emails for non-existent users? KMS is rejecting such emails by default unless there is a catch-all account or redirect for unknown users.
  •  
linuxbox

Kerio_pdobry wrote on Sun, 31 May 2009 05:30

Is there any particular reason for receiving emails for non-existent users? KMS is rejecting such emails by default unless there is a catch-all account or redirect for unknown users.


Hi. I have one domain that if a local user doesn't exist on Kerio, it's set to forward the email to another server where the user exists. It doesn't seem to be an issue now for whatever reason. It could have to do with the fact that when this was going on, I was in the process of re-IP'ing my network and DNS had not fully propagated yet... dunno. Anyway, I have a question about how the new spam filtration works in regards to the blacklists.

I had read where SpamAssassin is looking at messages that are on the blacklists and whatnot now. How about messages that come through that are NOT spam yet are on a blacklist? I just wouldn't want SpamAssassin to count that as spam just because they are on a blacklist. I don't block messages that are on those lists; I merely add a number to their spam count like +3 or so.

thanks.
  •  
linuxbox

Something else I noticed in regards to unknown recipients:

This log file shows that an email was being sent to ford<_a.t_>mydomain.com and that address does not exist; however, Kerio did look at the email and see it as spam. Based on the info below, is any of this from SpamAssassin or is this built-in Kerio stuff? I realize the blacklist calculation is based on my settings in Kerio.

My point in this is basically this. Does KMS first look at the message and judge as spam before it rejects the email since it is an unknown recipient? OR, since this was again an email to a user that was set to forward to another server since it was an unknown recipient, does it first check the message for spam before forwarding? If so, if this was a domain that was NOT set to forward, would it block the email since it was an unknown recipient instead of judging it for spam?

thanks again.

X-Spam-Status: Yes, hits=10.0 required=5.0
tests=DNSBL_ZEN.SPAMHAUS.ORG: 5.00,DNSBL_BL.SPAMCOP.NET: 5.00,DNSBL_NOPTR.SPAMRATS.COM: 5.00,
DNSBL_DNSBL-2.UCEPROTECT.NET: 5.00,BAYES_99: 4.07,RDNS_NONE: 0,
TVD_RCVD_SINGLE: 2.999,TOTAL_SCORE: 27.069,autolearn=no
X-Spam-Flag: YES
X-Spam-Level: **********
Received: from CHMEYKMH ([62.117.45.222])


[31/May/2009 09:57:59] Message rejected as spam with score: 10.00, threshold 5.00, From: conductednpl3<_a.t_>noble365.com, To: ford<_a.t_>mydomain.com, Sender IP: 62.117.45.222, Subject: You can trick the nature and make a monster out of your timid animal., Message size: 1038
  •  
elias

linuxbox wrote on Sun, 31 May 2009 08:08

My point in this is basically this. Does KMS first look at the message and judge as spam before it rejects the email since it is an unknown recipient? OR, since this was again an email to a user that was set to forward to another server since it was an unknown recipient, does it first check the message for spam before forwarding? If so, if this was a domain that was NOT set to forward, would it block the email since it was an unknown recipient instead of judging it for spam?

Your problem is the forwarding to another server. This causes KMS to accept any mail for that domain since it doesn't know what accounts are on the second server. When the second server rejects the email because the recipient is invalid, the first server has to try to send a non-delivery report and it's those reports that are clogging up your queue.

You need to re-evaluate your setup. If there are a relatively small number of users on your second server, consider creating aliases on your first server that point to the second server (using a domain alias). There are other ways around this too, but it won't take long for your server to get blacklisted as a backscatter source, so you definitely need to fix this asap.

-Elias
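
An added example, not part of elias's post or of any Kerio tooling: a Python script that reads Recv lines in the log format quoted earlier in the thread and, given a list of every valid mailbox across both servers, reports per sender host how many unknown recipients were accepted and how many queued messages would end in a non-delivery report. The sample log, its addresses and KNOWN_RECIPIENTS are constructed for illustration, and one bounce per queued message is an assumption.

```python
import re
from collections import defaultdict

# Recv lines in the format quoted in this thread; real logs carry a plain
# "@" where the forum software shows "<_a.t_>".
RECV = re.compile(
    r"Recv: Queue-ID: (?P<qid>[0-9a-f-]+), Service: SMTP, "
    r"From: <(?P<sender>[^>]*)>, To: <(?P<rcpt>[^>]*)>, "
    r"Size: \d+, Sender-Host: (?P<host>[0-9.]+)"
)

# Constructed sample input (documentation addresses, not from the thread).
SAMPLE_LOG = """\
[30/May/2009 08:10:19] Recv: Queue-ID: 4a000001-00000001, Service: SMTP, From: <a@example.net>, To: <dthompson@example.com>, Size: 1951, Sender-Host: 192.0.2.70
[30/May/2009 08:10:19] Recv: Queue-ID: 4a000001-00000001, Service: SMTP, From: <a@example.net>, To: <dthompsonn@example.com>, Size: 1951, Sender-Host: 192.0.2.70
[30/May/2009 08:10:19] Recv: Queue-ID: 4a000001-00000001, Service: SMTP, From: <a@example.net>, To: <dthompsonnn@example.com>, Size: 1951, Sender-Host: 192.0.2.70
[30/May/2009 08:10:20] Recv: Queue-ID: 4a000001-00000002, Service: SMTP, From: <b@example.net>, To: <ebstern@example.com>, Size: 2063, Sender-Host: 192.0.2.70
[30/May/2009 08:12:02] Recv: Queue-ID: 4a000002-00000003, Service: SMTP, From: <c@example.org>, To: <alice@example.com>, Size: 4100, Sender-Host: 198.51.100.9
"""

# Hypothetical: every mailbox that exists on either server for the domain.
KNOWN_RECIPIENTS = {"alice@example.com", "dthompson@example.com"}

def analyse(log_text, known, min_unknown=2):
    """Per sender host: unknown recipients accepted and messages likely to bounce."""
    unknown = defaultdict(set)      # host -> unknown recipient addresses
    bounce_qids = defaultdict(set)  # host -> queue IDs with at least one unknown rcpt
    for line in log_text.splitlines():
        m = RECV.search(line)
        if not m:
            continue
        rcpt = m["rcpt"].lower()
        if rcpt not in known:
            unknown[m["host"]].add(rcpt)
            bounce_qids[m["host"]].add(m["qid"])
    # Report only hosts that probed several nonexistent addresses.
    return {
        host: {"unknown_rcpts": len(addrs),
               "bounce_candidates": len(bounce_qids[host])}
        for host, addrs in unknown.items()
        if len(addrs) >= min_unknown
    }

if __name__ == "__main__":
    for host, stats in analyse(SAMPLE_LOG, KNOWN_RECIPIENTS).items():
        print(host, stats)
```

The same recipient list is what the front server would need in order to refuse unknown addresses during the SMTP session instead of accepting them and bouncing later.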
  •  
linuxbox

elias wrote on Mon, 01 June 2009 13:58

linuxbox wrote on Sun, 31 May 2009 08:08

My point in this is basically this. Does KMS first look at the message and judge as spam before it rejects the email since it is an unknown recipient? OR, since this was again an email to a user that was set to forward to another server since it was an unknown recipient, does it first check the message for spam before forwarding? If so, if this was a domain that was NOT set to forward, would it block the email since it was an unknown recipient instead of judging it for spam?

Your problem is the forwarding to another server. This causes KMS to accept any mail for that domain since it doesn't know what accounts are on the second server. When the second server rejects the email because the recipient is invalid, the first server has to try to send a non-delivery report and it's those reports that are clogging up your queue.

You need to re-evaluate your setup. If there are a relatively small number of users on your second server, consider creating aliases on your first server that point to the second server (using a domain alias). There are other ways around this too, but it won't take long for your server to get blacklisted as a backscatter source, so you definitely need to fix this asap.

-Elias


OK. It's been like this for years and I haven't seen a blacklist yet. Okay, I see what backscatter is. The problem though is that they are the same domains. In other words, email for "mydomain.com" is first handled by the Kerio server and some accounts for mydomain.com are on the Kerio server but some are on the secondary server for which Kerio forwards those emails through to!

thanks.

[Updated on: Mon, 01 June 2009 21:13]
