[nSLUG] smtp relay through eastlink and ESET Nod32 tagline = disappearing email

D G Teed donald.teed at gmail.com
Tue Nov 3 10:33:01 AST 2009


On Fri, Oct 30, 2009 at 7:51 AM, D G Teed <donald.teed at gmail.com> wrote:

>
> What I found when testing emails from Thunderbird
> on two different Windows PCs, sending to work and to Gmail,
> is that if the integration set up has the default of adding a tag
> line:
>
> __________ Information from ESET NOD32 Antivirus, version of virus signature database 4556 (20091029) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> and we are relaying through the local Linux as SMTP, then mail
> is disappearing.  Linux server shows it is handed off to
> Eastlink's SMTP OK.
>
> If I either turn off the ESET message tagging, or use smtp.eastlink.ca
> directly from Thunderbird, then the message will be delivered.
>
> I would guess that something on Eastlink's side thinks this is an indication
> of a virus.  Otherwise I would expect a bounce.
> They use Ironport Senderbase and Sophos by the looks of the headers.
> With local mail delivery I don't see any headers added by ESET.
>
> I'm hoping to talk to Eastlink about this when I have a chance.
>
>
I phoned Eastlink support about this.  They report Cisco's
Ironport had quarantined the email.  The tech first said this is
a standard practice they have with spam filtering, as they couldn't
return all outbound emails flagged as spam.  I asked if the logs showed
any link that would further break down what rule had been triggered by
my email.  He said there was nothing like it.  I then asked if there
is any mechanism whereby they can pass on to Cisco that their
product catches a false positive.  He inquired about this and
reported I could report the nature of the false positive to:

notspam-submit =at-symbol= corp.eastlink.ca

He also sent the parts of the Ironport log so we could have a reference
point (that was nice).

Part of my concern is the false positive depended on being relayed
out via my Debian server.  There is possibly something in the
amavisd or postfix lines appearing in the header which Ironport doesn't
like.  It is hard to know whether the Linux relay weighs on their scoring
to such a degree that possibly many sorts of text appearing in the email
body could result in lost (not bounced) email.

--Donald