From: FS on
Hi everyone,

First of all, let me apologize in advance for the length of this post, but I
wanted to give as much detail as I could...

I have an intermittent issue with my Exchange 2007 server. Every Saturday
at 1am I have a scheduled task that runs a batch file to automatically
reboot my Exchange box. The reason we do so is to refresh the server and
services, which overall seems to make the system run smoother. At any rate,
occasionally, more so rarely, the server will come back up and our spam
software (GFI MailEssentials 14.0) begins falsely classifying many (not all)
legit emails as spam. When I realized what was happening, I manually
rebooted the server and things returned to normal. As I said, the issue
only occurs rarely, but when it does, you can imagine, it really can cause
havoc.

The GFI MailEssentials 14.0 Header Checking filter log indicated the
following regarding the false positives:

"06/05/10 20:02:53","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:04:29","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:07:47","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:07:47","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:07:48","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:09:24","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:17:23","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:17:23","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"
"06/05/10 20:17:23","AntiSpam Header checking","n/a","user(a)company.com","n/a","Moved to Exchange folder Spam","From field empty"

Now I'm not 100% positive if this is an Exchange issue or a GFI issue, but I
was hoping to get a little feedback based on the header info I was able to
gather.

*** Before Automated Server Reboot *** (when everything was running fine...)

Received: from company.com (10.0.0.2) by exch2007.domain.company.com
(10.0.0.10)
with Microsoft SMTP Server id 8.1.436.0; Fri, 4 Jun 2010 21:15:55 -0700
Date: Fri, 4 Jun 2010 21:15:55 -0700
From: <admin(a)company.com>
To: <user(a)company.com>
Subject:
=?US-ASCII?Q?Log=20file=20from=20SonicWALL=20[HeadOffice]=20=20Part=201.?=
Content-Type: text/plain; charset="US-ASCII"
MIME-Version: 1.0
Message-ID:
<adb6a01c-2708-422d-b541-c0145fd5dc89(a)exch2007.domain.company.com>
Return-Path: admin(a)company.com
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: company.com
X-GFI-SMTP-RemoteIP: 10.0.0.2

*** After Automated Server Reboot *** (when all hell broke loose...)

Microsoft Mail Internet Headers Version 2.0
Received: from company.com (10.0.0.2) by exch2007.domain.company.com
(10.0.0.10) with Microsoft
SMTP Server id 8.1.436.0; Sat, 5 Jun 2010 22:06:12 -0700
Date: Sat, 5 Jun 2010 22:06:12 -0700
From: <admin(a)company.com>
To: <user(a)company.com>
Subject:
=?US-ASCII?Q?Log=20file=20from=20SonicWALL=20[HeadOffice]=20=20Part=201.?=
Content-Type: text/plain; charset="US-ASCII"
MIME-Version: 1.0
Message-ID:
<c24f70b6-f2c6-4e23-8469-ec6c74288f6a(a)exch2007.domain.company.com>
Return-Path: admin(a)company.com
X-MS-Exchange-Organization-OriginalArrivalTime: 06 Jun 2010 05:06:12.8094
(UTC)
X-MS-Exchange-Organization-AuthSource: exch2007.domain.company.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: company.com
X-GFI-SMTP-RemoteIP: 10.0.0.2
X-MS-Exchange-Organization-OriginalSize: 31420
X-GFIME-MASPAM: SPAM

*** After Manual Server Reboot *** (things returned to normal...)

Received: from company.com (10.0.0.2) by exch2007.domain.company.com
(10.0.0.10)
with Microsoft SMTP Server id 8.1.436.0; Sun, 6 Jun 2010 22:00:34 -0700
Date: Sun, 6 Jun 2010 22:00:34 -0700
From: <admin(a)company.com>
To: <user(a)company.com>
Subject:
=?US-ASCII?Q?Log=20file=20from=20SonicWALL=20[HeadOffice]=20=20Part=201.?=
Content-Type: text/plain; charset="US-ASCII"
MIME-Version: 1.0
Message-ID:
<f459e2e6-f62a-4ba7-baab-3c5387db8308(a)exch2007.domain.company.com>
Return-Path: admin(a)company.com
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: company.com
X-GFI-SMTP-RemoteIP: 10.0.0.2

For whatever reason, when things weren't working, the following info was
included in the headers:

Microsoft Mail Internet Headers Version 2.0

X-MS-Exchange-Organization-OriginalArrivalTime: 06 Jun 2010 05:06:12.8094
(UTC)
X-MS-Exchange-Organization-AuthSource: exch2007.domain.company.com
X-MS-Exchange-Organization-AuthAs: Anonymous

X-MS-Exchange-Organization-OriginalSize: 31420
X-GFIME-MASPAM: SPAM

Any help would be greatly appreciated.

Thanks in advance,
Fraser
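
Added example, not part of the original post and not GFI or Exchange code: Python's standard email parser run over abridged copies of the "before" and "after" header blocks above. It lists the header names that appear only in the misclassified sample, and shows how a strict RFC 5322 parser treats a block that starts with the "Microsoft Mail Internet Headers Version 2.0" line, which has no colon: header parsing stops there and From reads as absent. Whether GFI MailEssentials parses headers this way is an assumption the thread does not confirm; the function names strict_view and header_names are made up for this example.

```python
import email

# Header blocks from the post, abridged (Subject, Content-Type, MIME-Version and
# Message-ID dropped; wrapped Received lines re-folded with a leading space).
BEFORE = """\
Received: from company.com (10.0.0.2) by exch2007.domain.company.com (10.0.0.10)
 with Microsoft SMTP Server id 8.1.436.0; Fri, 4 Jun 2010 21:15:55 -0700
Date: Fri, 4 Jun 2010 21:15:55 -0700
From: <admin(a)company.com>
To: <user(a)company.com>
Return-Path: admin(a)company.com
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: company.com
X-GFI-SMTP-RemoteIP: 10.0.0.2
"""
AFTER = """\
Microsoft Mail Internet Headers Version 2.0
Received: from company.com (10.0.0.2) by exch2007.domain.company.com (10.0.0.10)
 with Microsoft SMTP Server id 8.1.436.0; Sat, 5 Jun 2010 22:06:12 -0700
Date: Sat, 5 Jun 2010 22:06:12 -0700
From: <admin(a)company.com>
To: <user(a)company.com>
Return-Path: admin(a)company.com
X-MS-Exchange-Organization-OriginalArrivalTime: 06 Jun 2010 05:06:12.8094 (UTC)
X-MS-Exchange-Organization-AuthSource: exch2007.domain.company.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: company.com
X-GFI-SMTP-RemoteIP: 10.0.0.2
X-MS-Exchange-Organization-OriginalSize: 31420
X-GFIME-MASPAM: SPAM
"""

def strict_view(block):
    """Parse the block as-is; return (From value, parser defect names)."""
    msg = email.message_from_string(block)
    return msg["From"], [type(d).__name__ for d in msg.defects]

def header_names(block):
    """Drop leading lines that do not start with 'Name:' and list header names."""
    lines = block.splitlines()
    while lines and ":" not in lines[0].split(" ", 1)[0]:
        lines.pop(0)
    return set(email.message_from_string("\n".join(lines) + "\n").keys())

if __name__ == "__main__":
    print("strict, before:", strict_view(BEFORE))
    print("strict, after: ", strict_view(AFTER))
    print("only in after: ", sorted(header_names(AFTER) - header_names(BEFORE)))
```
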

From: Ed Crowley [MVP] on
I wouldn't routinely reboot an Exchange server, especially in an unattended
mode. Exchange is designed to run and run like the Energizer bunny.

If I were investigating the problem you're having, I would start with GFI.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
