
Message both quarantined and delivered


#1 Justin Brown

Justin Brown
  • Barracuda Guru
  • 65 posts
  • Location: California, USA

Posted 02 March 2013 - 12:36 AM

Hi folks,

I seem to have a strange one on my hands. This message came through having scored high on the Bayesian Analysis side and then Quarantined, but was also automatically delivered. It never seems to have made it to the Quarantine Inbox. There are many other examples, and they seem to come from a small contingent of senders who are not whitelisted.

What I wonder is how can a message be both quarantined and delivered?

The entire header, sanitized, is in the quote below. The string appended to the subject line matches the string configured in our device's Basic -> Quarantine -> Quarantine Subject Text field.


X-ASG-Debug-ID: 1362071915-055c9e717a1a030001-gQuxb2
Received: from xxxxx.xxxxx.com (xxxxx.xxxxx.com [xx.73.26.111]) by xxxxx.xxxxx.org with ESMTP id miBzrOOqzSKnOtye for <xxxxx@xxxxx.org>; Thu, 28 Feb 2013 09:18:35 -0800 (PST)
X-Barracuda-Envelope-From: dfs_C3414227175F3FDBB429357282803CD655D4898BCCC40632@email.xxxxx.com
X-Barracuda-Apparent-Source-IP: xx.73.26.111
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=xxxxx.com;
h=From:To:Subject:Date:Reply-To:Message-ID:MIME-version:Content-type; i=Editor@xxxxx.com;
bh=+thwxaYnWyddkYOPlPrHV2M6WOs=;
b=LmugRmzgLJxlEBnmkZIm8Q3z/keGVtynyWIigogfayvcyL4fckrMsB+OHB0BlucFXTdvt0yMSyAM
J+OC5ZuD+5ACGkNdjciMfOoEcLA86vhK5cIOG7sOWMFkT9SeiBpGTFkhC3SASDG81BK6t81gXSR4
hXG2zs2WMyT9/5ZPTXU=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1; d=xxxxx.com;
b=e2mswHBZxEzPYTibMLx1v/x2TwzH+kgxq2Rt0E87nmYBryyO6k4Wo5ozaYxkacN29+J4sFJNI/bv
EQchWYCOKMAgIbo1SHuXyScQfcQ+KaV/b4Iw2uol7SFt7TKWC1ntYJae/0VRZaxnZ7YgiiHAG5R9
KaDInachuNOYZXEgF8A=;
Received: from broadcaster01.xxxxx.com (127.0.0.1) by xxxxx.xxxxx.com (PowerMTA™ v3.5r17) id h5u8mm0lr5kt for <xxxxx@xxxxx.org>; Thu, 28 Feb 2013 08:08:53 -0600 (envelope-from <dfs_C3414227175F3FDBB429357282803CD655D4898BCCC40632@email.xxxxx.com>)
From: "Drs. Foster and Smith" <Editor@xxxxx.com>
To: xxxxx@xxxxx.org
Subject: [BARRACUDA QUARANTINE E-MAIL] 33% OFF Elevated Slow Down Feeder for Dogs
Date: 28 Feb 2013 08:08:53 -0600
X-ASG-Orig-Subj: 33% OFF Elevated Slow Down Feeder for Dogs
Reply-To: "Drs. Foster and Smith" <dfs_C3414227175F3FDBB429357282803CD655D4898BCCC40632@email.xxxxx.com>
ENVID: WC-1362060533751-1500A
Message-ID: <C3414227175F3FDBB429357282803CD655D4898BCCC40632@email.xxxxx.com>
X-TokenInfo-NoToken:
MIME-version: 1.0
Content-type: multipart/alternative; boundary="======1362060513611======"
X-Mailer: WhatCounts
X-Barracuda-Connect: xxxxx.xxxxx.com[xx.73.26.111]
X-Barracuda-Start-Time: 1362071915
X-Barracuda-URL: http://xxxxx.xxxxx.org:510/cgi-mod/mark.cgi
X-Barracuda-Orig-Rcpt: xxxxx@xxxxx.org
Received-SPF: pass (xxxxx.org: domain of dfs_c3414227175f3fdbb429357282803cd655d4898bccc40632@email.xxxxx.com designates xx.73.26.111 as permitted sender)
X-Barracuda-BRTS-Status: 1
X-Virus-Scanned: by bsmtpd at xxxxx.org
X-Barracuda-Bayes: INNOCENT GLOBAL 0.0284 1.0000 -1.8370
X-Barracuda-Envelope-From: dfs_C3414227175F3FDBB429357282803CD655D4898BCCC40632@email.xxxxx.com
X-Barracuda-Quarantine-Per-User: PER_USER
X-Barracuda-Spam-Score: 4.91
X-Barracuda-Spam-Status: Yes, SCORE=4.91 using global scores of TAG_LEVEL=2.1 QUARANTINE_LEVEL=4.0 KILL_LEVEL=5.0 tests=BANG_GUAR, CN_BODY_332, DATE_IN_PAST_03_06, DATE_IN_PAST_03_06_2, DKIM_SIGNED, DKIM_VERIFIED, HTML_IMAGE_RATIO_04, HTML_MESSAGE, LOW_PRICE, NO_PRESCRIPTION, SH_BIG5_05413_BODY_104
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.123866
Rule breakdown below
 pts rule name              description
---- ---------------------- --------------------------------------------------
1.24 BANG_GUAR              BODY: Something is emphatically guaranteed
1.16 LOW_PRICE              BODY: Lowest Price
2.76 NO_PRESCRIPTION        BODY: No prescription needed
0.01 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
-0.00 DKIM_VERIFIED          Domain Keys Identified Mail: signature passes
                            verification
0.00 DKIM_SIGNED            Domain Keys Identified Mail: message has a signature
0.12 CN_BODY_332            BODY: CN_BODY_332
0.21 SH_BIG5_05413_BODY_104 BODY: Body: contain "UNSUBSCRIBE"
0.17 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
0.00 HTML_MESSAGE           BODY: HTML included in message
1.08 DATE_IN_PAST_03_06_2   DATE_IN_PAST_03_06_2
X-Priority: 5 (Lowest)
X-MSMail-Priority: Low
Importance: Low

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

--======1362060513611======
Content-Type: text/plain; charset="ISO-8859-15"
Content-Transfer-Encoding: quoted-printable




#2 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 04 March 2013 - 10:10 AM

Hey Justin,

If it was quarantined yet delivered, one of 3 possibilities is occurring:
  • The end user or administrator ended up delivering this message out of the quarantine inbox.
  • Quarantine scoring was disabled yet a quarantine item came in, so it would've been marked as quarantined, but delivered to the inbox.
  • There was a problem with the end user's quarantine directory where it couldn't place the messages, so instead they get delivered.
We'd recommend contacting support so we may review what occurred with this.

Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#3 Justin Brown

Justin Brown
  • Barracuda Guru
  • 65 posts
  • Location: California, USA

Posted 04 March 2013 - 02:10 PM

Roger. If I think about it, then it's definitely not user or admin delivered, since the Delivery Time matches the Time. I'll get the details ferreted out with the help of Support.

Thanks for the prompt reply, as always Matthew.
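
Added example (not part of the original posts, and not Barracuda's own code): a small triage helper for a message found in a user's mailbox that reads the score headers quoted in the first post, works out which action the thresholds imply, and checks whether the rule points plus the Bayes value account for the reported score. The function name `triage`, the 0.05 tolerance, and the reading of the last `X-Barracuda-Bayes` field as a score contribution are assumptions; the sample is an abridged copy of the posted headers.

```python
import re
from email import message_from_string

# Constructed sample: score headers from the first post, abridged and folded.
SAMPLE = """\
Subject: [BARRACUDA QUARANTINE E-MAIL] 33% OFF Elevated Slow Down Feeder for Dogs
X-Barracuda-Bayes: INNOCENT GLOBAL 0.0284 1.0000 -1.8370
X-Barracuda-Spam-Status: Yes, SCORE=4.91 using global scores of TAG_LEVEL=2.1
 QUARANTINE_LEVEL=4.0 KILL_LEVEL=5.0 tests=BANG_GUAR, LOW_PRICE, NO_PRESCRIPTION
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.123866
 1.24 BANG_GUAR BODY: Something is emphatically guaranteed
 1.16 LOW_PRICE BODY: Lowest Price
 2.76 NO_PRESCRIPTION BODY: No prescription needed
 0.01 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
 -0.00 DKIM_VERIFIED Domain Keys Identified Mail: signature passes
 0.00 DKIM_SIGNED Domain Keys Identified Mail: message has a signature
 0.12 CN_BODY_332 BODY: CN_BODY_332
 0.21 SH_BIG5_05413_BODY_104 BODY: Body: contain "UNSUBSCRIBE"
 0.17 HTML_IMAGE_RATIO_04 BODY: HTML has a low ratio of text to image area
 0.00 HTML_MESSAGE BODY: HTML included in message
 1.08 DATE_IN_PAST_03_06_2 DATE_IN_PAST_03_06_2

(body omitted)
"""

def triage(raw, quarantine_tag="[BARRACUDA QUARANTINE E-MAIL]"):
    """Summarise the Barracuda verdict recorded in a message taken from a mailbox."""
    msg = message_from_string(raw)
    status = msg.get("X-Barracuda-Spam-Status", "")
    lv = {k: float(v) for k, v in re.findall(r"(\w+)=(-?\d+(?:\.\d+)?)", status)}
    if not {"SCORE", "TAG_LEVEL", "QUARANTINE_LEVEL", "KILL_LEVEL"} <= lv.keys():
        return None  # no appliance score present, nothing to compare
    score, action = lv["SCORE"], "allow"
    for name, level in (("tag", "TAG_LEVEL"), ("quarantine", "QUARANTINE_LEVEL"),
                        ("block", "KILL_LEVEL")):
        if score >= lv[level]:
            action = name  # highest threshold reached wins
    report = msg.get("X-Barracuda-Spam-Report", "")
    rule_sum = sum(float(p) for p in
                   re.findall(r"^[ \t]*(-?\d+\.\d+)[ \t]+\w+", report, re.M))
    # Assumption: the last field of X-Barracuda-Bayes is its score contribution.
    bayes = float(msg.get("X-Barracuda-Bayes", "0").split()[-1])
    tagged = msg.get("Subject", "").startswith(quarantine_tag)
    return {"score": score, "implied_action": action, "subject_tagged": tagged,
            "rule_sum": rule_sum, "bayes": bayes,
            # Rule points are rounded in the report, so allow a small tolerance.
            "score_reconstructs": abs(rule_sum + bayes - score) < 0.05,
            "quarantined_but_in_mailbox": action == "quarantine" and tagged}
```

Run over an exported mailbox, the `quarantined_but_in_mailbox` flag collects the affected messages and senders to hand to Support alongside the appliance's message log.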