Video Screencast Help
Search Video Help Close Back
to help
Not able to make it to Vision this year? Get a sampling in the Best of Vision on Demand group.

Duplicate Internet email entries showing in Audit Log

Updated: 22 May 2010 | 9 comments
dnslammers's picture
dnslammers
0 0 Votes
Login to vote

We are running SBG 8.02. In the Audit log, when I search for inbound internet emails such as gmail.com or hotmail.com I notice that the audit logs show 2 entries for 1 email. And it shows 2 actions that the appliance applied. I redacted our domain address, hence the  ------.com. The result is the emails do get delivered which is fine but whats up with the second entry that says "Message rejected by MTA"?

Here's a couple exampes:

Tuesday, Aug 11, 2009 09:45:56 AM EDT msdavis.06@gmail.com mdavis@---------.com re: hey Known language Deliver message normally Tuesday, Aug 11, 2009 09:45:56 AM EDT msdavis.06@gmail.com None re: hey   Message rejected by MTA Tuesday, Aug 11, 2009 09:43:45 AM EDT gary.sonterpat@gmail.com hcollins@---------.com atlantis sale status Unscannable Deliver message normally Tuesday, Aug 11, 2009 09:43:45 AM EDT gary.sonterpat@gmail.com None atlantis sale status   Message rejected by MTA 

 

Discussion Filed Under:
,

Comments

TomC 2's picture
11
Aug
2009
0 Votes 0
Login to vote
TomC 2
Symantec Employee

So I found this document that

So I found this document that discusses Aliasing, 

 
Title: 'Message rejected by MTA due to alias transformation'
Document ID: 2009042211325354
> Web URL: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2009042211325354?Open&seg=ent

However, the odd thing is that the mail is showing "None" for the address on the second line. I can't say as I know what is happening there, but are you doing any aliasing that might be the culprit?

Let me know.
Thanks! 

dnslammers's picture
13
Aug
2009
0 Votes 0
Login to vote
dnslammers

I checked Aliasing and it is not turned on...

 

Marco Bicca's picture
13
Aug
2009
0 Votes 0
Login to vote
Marco Bicca
Symantec Employee
Accredited

Hi there, What's your

Hi there,

What's your environment setup? Is the SBG Appliance at the gateway ? Are you using LDAP ?

Thank you,
Marco Bicca

dnslammers's picture
14
Aug
2009
0 Votes 0
Login to vote
dnslammers

 The Scanner appliance sits

 The Scanner appliance sits in the DMZ as the gateway and the Control Center sits in our lan. We are using LDAP. No issues with LDAP in our logs...

Mikee..'s picture
29
Aug
2009
0 Votes 0
Login to vote
Mikee..

Hi There.. Did you checked in

Hi There..

Did you checked in the audit logs for both same mail coming from same  source address ?

Did your brightmail is enable with IP Reputation service ?

awaiting for reply !!

Marco Bicca's picture
02
Oct
2009
0 Votes 0
Login to vote
Marco Bicca
Symantec Employee
Accredited

You said you are using

You said you are using LDAP Right? Are you seeing recipients being rewritten in the Audit Log? Can you actually post a screenshot of exactly what you see in the Message Audit Log screen results?

dnslammers's picture
21
Oct
2009
0 Votes 0
Login to vote
dnslammers

Here's a pic of our audit logs.

10-21-2009 10-37-26 AM.png 

dnslammers's picture
21
Oct
2009
0 Votes 0
Login to vote
dnslammers

so you can see with the pic

so you can see with the pic above, the appliance thinks its getting 2 emails and behaves differently on the second one...Never saw this before we upgraded to ver 8.

Need help! :)
Stephen 

fferaboli's picture
21
Oct
2009
0 Votes 0
Login to vote
fferaboli
Symantec Employee

Hi, I've seen a similar issue

Hi,

I've seen a similar issue in the past and is documented in the following KB article:
service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2009101313280854
I remember there was an upstream device blocking the inbound SMTPO EHLO command forcing the remote MTA to fail back to HELO (apologies if this is too technical).
Hope it helps. Let me know.

Regards,

Federico

Technical Support

Symantec.com

Store

Community Stats

Total Content Items
Members
270,008