Hyperactive filters can be cause for a headache!
About a week ago, a network administrator that our company provides assistance to contacted us with an oddball issue…
All mail seemed to be working well, both in and out, except for mail coming into her domain from one company. The obvious was checked, such as the other company’s IP against all known block lists (RBLS), logs for blocked spam from the origin, and then it got even more odd. SOME mail from that domain was making it in, such as from their generic “info@somecompany.com”: address, then another address was able to send mail, but it was narrowed down to 3 addresses that could not send mail. Such as lisa@somecompany.com and art@somecompany.com.
At this point, the network administrator was at her wits end and we checked it out for her, having the company try to send a few mails, and sure enough, some were coming in, and others were not, but it was dependent upon the email address. We checked filters for those email addresses and none existed.
Everything was checked at the Exchange server, full logging was enabled, to watch for mail as it came in, and sure enough, nothing came in to the Exchange server from those email addies. Not even a connection. After ruling out the Exchange server, we went back to the Alt-N MDaemon server, which is a gateway that handles all incoming email, checks it against RBLs, content, viruses, whitelists, blacklists, attachments, etc, then if it thinks the mail is good, it sends it on to Exchange. We watched the logs as mail came in from lisa@somecompany.com and MDaemon reported it was totally happy.
Just to make sure, we added lisa@somecompany.com to the whitelists, and then *@somecompany.com was added. Still MDaemon reported it was happy and nothing was being filtered.
Still, the issue remained. Info@somecompany.com could send email, lisa@somecompany.com could not. The logs in MDaemon read the same, kind of placing the blame back on Exchange, however, Exchange was never seeing a connection.
Long story short, after several emails being sent back and forth with the wonderfully patient people at somecompany.com, MDaemon’s support was enlisted to find the issue. Which took many emails back and forth between our network administrator friend and them, and several days… In the end, the problem was a content filter inside MDaemon. A filter for certain phrases had been added, such as “Breast Enhancement”, “Penis Enlargement”, “Viagra” and “Cialis”… This filter was to blame, even though no logs indicated this was the case.
Just what was triggering the content filter? It was the word “Cialis”… Each individual at Somecompany.com who could not email in, had content in their email that contained the word “Specialist”, and MDaemon was most interested in “Specialist…
The lesson to be learned from this is that careful selection of your content filtering keywords is crucial to a smooth flowing mail system. We have seen content filters block mail in Trend Micro’s CSM (now Worry Free Business Security Advanced) and Scan Mail, but usually there is a log filled with the results that you can use to find an issue quickly.
In this case, “Cialis” was found in the word “Specialist”, but others have been as simple as filtering profanity such as the word “dick”, which happens to be some people’s first name… Even the word “Fanny” was someone’s given name.
More about MDaemon:
In MDaemon, this is what the logs look like when it encounters content:
Wed 2010-09-22 10:47:31: Start Content Filter results
Wed 2010-09-22 10:47:31: * Message matched rule: Penis <- this was the name of the rule
Wed 2010-09-22 10:47:31: * Matched 1 of 14 active rules <- this shows that there are 14 rules and 1 matched
Wed 2010-09-22 10:47:31: End of Content Filter results
Keep in mind this does NOT show up in the MDaemon GUI, you have to find the log on the machine and examine it….