
Determining why the New Senders Module blocked or allowed a message

Overview

The New Senders module identifies emails that have been received from senders to whom emails have never been sent before.

In this article, you will learn how to determine why the New Senders module blocked or allowed a message as part of the troubleshooting process involving this Anti-Spam module.

  

Introduction

The New Senders module is the last module to process a message when the email is handled by the inbound sink. The New Senders filter is triggered only by emails in which no spam is detected and whose sender is not present in any Whitelist.

The NewSenders module checks whether the message is either whitelisted or classified as SPAM. If it finds neither classification, it blocks the message and actions it accordingly. Therefore, to use this module efficiently, it is important that the client has the Autowhitelist enabled.

There will be scenarios where customers open support requests wanting to understand why the New Senders module blocked or allowed specific messages against their expectations. The next section outlines the troubleshooting process to determine the reason behind the actions taken by this filter.

 

Description

If you are questioning why an email was blocked or allowed by the New Senders module and would like more information, the best place to start the troubleshooting process is to examine the debug logs.
Follow the procedure below to find the log file and the information about the email message under review, then use the examples provided to interpret the log and determine why the message was either blocked or allowed:
  1. Find the Message-ID of the email in question by either obtaining it from the headers of the message itself or by looking for it in the MailEssentials Dashboard > Logs > Details tab. Refer to this linked article for more information on Reading Email Headers to extract the Message-ID.
  2. Navigate to ..\GFI\MailEssentials\AntiSpam\DebugLogs and locate the log file for the New Senders module. The debug log filename is NewSenders.gfi_log.txt
    • This debug log file for the module corresponds to GFI MailEssentials > Anti-Spam > New Senders on the configuration UI as well as the newsenders_mimeexceptionlist table in the config.mdb database.
  3. Open the debug log file in a text editor and search for the Message-ID obtained in step 1.
  4. Refer to the scenarios below to determine the reasons behind the action taken by the New Senders module. Pay close attention to the lines in bold to understand what happened and why.
The debug log file indicates whether the New Senders module is enabled and records any actions taken by the filter while scanning emails. If the module is disabled, the log file will show:
"NewSenders","----------------------------------------------------------------"
"NewSenders",">> Message Initialization"
"NewSenders","Context Refreshed: Yes"
"NewSenders","AntiSpam - Status: [Enabled]"
"NewSenders","Licensing check: Licensed"
"NewSenders","Unique MessageID: [<08635c099c9a4ccb4dcb11a91486aa26@ec2edqdcp>]"
"NewSenders","<< Message Initialization"
"NewSenders",">> Message Processing Block"
"NewSenders","<< Message Processing Block"
"NewSenders",">> Message Uninitialization"
"NewSenders","<< Message Uninitialization"
"NewSenders","---------------------------------------------------------------"
Note: No "disabled" message is logged; when the module is disabled, simply no checks are done.
The log entries below confirm that the New Senders module has successfully initialized and is actively processing messages to detect spam:
"NewSenders","-------------------------------------------------------------------"
"NewSenders",">> Message Initialization"
"NewSenders","Context Refreshed: Yes"
"NewSenders","AntiSpam - Status: [Enabled]"
"NewSenders","Licensing check: Licensed"
"NewSenders","Unique MessageID: [<60629d85a41acdad09637055bd00f129@ec2edqdcp>]"
"NewSenders","<< Message Initialization"
"NewSenders",">> Message Processing Block"
"NewSenders","Both properties set to false, ie Newsender"
"NewSenders","Setting actions data ..."
"NewSenders","Informing ASE [128]..."
"NewSenders","Setting block report to: 'Message is from an unknown sender'"
"NewSenders","<< Message Processing Block"
"NewSenders",">> Message Uninitialization"
"NewSenders","<< Message Uninitialization"
"NewSenders","-------------------------------------------------------------------"
Note: For the New Senders module to work, there has to be at least one whitelist enabled from the Whitelist configuration node.

Scenario 1: Email was allowed by the module 

"NewSenders","------------------------------------------------------------------"
"NewSenders",">> Message Initialization"
"NewSenders","Context Refreshed: Yes"
"NewSenders","Licensing check: Licensed"
"NewSenders","Unique MessageID: [<a3565959fac9bf063acb93623e45@ec2amaz-tedqdcp>]"
"NewSenders","<< Message Initialization"
"NewSenders",">> Message Processing Block"
"NewSenders","GFI_ASEMSGPROPS_WHITELISTED present & set to true"
"NewSenders","<< Message Processing Block"
"NewSenders",">> Message Uninitialization"
"NewSenders","<< Message Uninitialization"
"NewSenders","------------------------------------------------------------------"
Note: Recipient was found in a Whitelist, therefore the email was allowed through.

Outbound emails are skipped, as shown in the log excerpt below:
"NewSenders","--------------------------------------------------------------------------"
"NewSenders",">> Message Initialization"
"NewSenders","Context Refreshed: No"
"NewSenders","Licensing check: Licensed"
"NewSenders","Unique MessageID: [<32108829e1f2c791fe5f3ee83d6891bc@EC2AMAZ-TEDQDCP>]"
"NewSenders","<< Message Initialization"
"NewSenders",">> Message Processing Block"
"NewSenders","Message recipients are remote - skipping processing; GFI_MTASMTP_MC_Recipients - [2]"
"NewSenders","<< Message Processing Block"
"NewSenders",">> Message Uninitialization"
"NewSenders","<< Message Uninitialization"
"NewSenders","--------------------------------------------------------------------------"
 

Scenario 2: Email was blocked by the module

"NewSenders","------------------------------------------------------------------"
"NewSenders",">> Message Initialization"
"NewSenders","Context Refreshed: Yes"
"NewSenders","AntiSpam - Status: [Enabled]"
"NewSenders","Licensing check: Licensed"
"NewSenders","Unique MessageID: [<60629d85a41aad0963705bd0f129@ec2amaz-tedqdcp>]"
"NewSenders","<< Message Initialization"
"NewSenders",">> Message Processing Block"
"NewSenders","Both properties set to false, ie Newsender"
"NewSenders","Setting actions data ..."
"NewSenders","Informing ASE [128]..."
"NewSenders","Setting block report to: 'Message is from an unknown sender'"
"NewSenders","<< Message Processing Block"
"NewSenders",">> Message Uninitialization"
"NewSenders","<< Message Uninitialization"
"NewSenders","------------------------------------------------------------------"
Note: The NewSenders module checks the property bag that is built by the Anti-Spam Engine (ASE) for the email message to identify the following two flags:

  • GFI_ASEMSGPROPS_WHITELISTED – Email has been whitelisted
  • GFI_ASEMSGPROPS_SPAM – Email is SPAM

If neither of these flags is set, the email is considered a NewSender, and the configured action from the Actions tab is taken.
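The lookup from steps 3 and 4 of the procedure, as an added example (not GFI's code): it groups the debug log into per-message blocks, finds the block for a given Message-ID, and maps the marker lines from the excerpts above to a verdict. It assumes the two-column line layout shown in this article; the sample log and the example.test Message-IDs are constructed.

```python
import csv
import io
import re

# Constructed sample in the two-column layout shown in this article.
SAMPLE_LOG = '''"NewSenders",">> Message Initialization"
"NewSenders","Unique MessageID: [<allowed@example.test>]"
"NewSenders",">> Message Processing Block"
"NewSenders","GFI_ASEMSGPROPS_WHITELISTED present & set to true"
"NewSenders","<< Message Processing Block"
"NewSenders",">> Message Initialization"
"NewSenders","Unique MessageID: [<blocked@example.test>]"
"NewSenders",">> Message Processing Block"
"NewSenders","Both properties set to false, ie Newsender"
"NewSenders","Setting block report to: 'Message is from an unknown sender'"
"NewSenders","<< Message Processing Block"
"NewSenders",">> Message Initialization"
"NewSenders","Unique MessageID: [<nochecks@example.test>]"
"NewSenders",">> Message Processing Block"
"NewSenders","<< Message Processing Block"
'''

# Marker text copied from the log excerpts in this article -> verdict label.
MARKERS = [
    ("GFI_ASEMSGPROPS_WHITELISTED present & set to true", "allowed: whitelisted"),
    ("Message recipients are remote - skipping processing", "skipped: outbound"),
    ("Both properties set to false, ie Newsender", "blocked: new sender"),
]
MSGID = re.compile(r"Unique MessageID: \[(.*)\]")

def explain(log_text, message_id):
    """Return the verdict for message_id, or None if it is not in the log."""
    blocks, current = {}, None
    for row in filter(None, csv.reader(io.StringIO(log_text))):
        text = row[-1]                      # last field holds the message text
        if text == ">> Message Initialization":
            current = []                    # a new per-message block starts here
        elif current is not None:
            m = MSGID.search(text)
            if m:                           # index the block by its Message-ID
                blocks[m.group(1).strip("<>")] = current
            current.append(text)
    lines = blocks.get(message_id.strip("<>"))
    if lines is None:
        return None
    for marker, verdict in MARKERS:
        if any(marker in line for line in lines):
            return verdict
    return "no checks recorded"             # empty processing block
```

To run it against a real log, pass the contents of NewSenders.gfi_log.txt as `log_text`; if the same Message-ID appears in more than one block, the last block is the one reported.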

New Senders & Whitelist

For the New Senders module to work, there has to be at least one whitelist enabled from the Whitelist configuration node. The following scenarios may be encountered in the logs depending on whether the sender or recipient is Whitelisted or not:

A new sender: not detected as spam and user is not in whitelist – marked as spam

[::ProcessMessage] GFI_ASEMSGPROPS_WHITELISTED && GFI_ASEMSGPROPS_SPAM present but false; newsender

Previously detected as spam or is in whitelist – not marked as spam

[::ProcessMessage] GFI_ASEMSGPROPS_WHITELISTED && GFI_ASEMSGPROPS_SPAM present but one/both of them are true; skipping

Previously detected as spam, skipping check – not marked as spam

[::ProcessMessage] Checking for NDR Spam
[::ProcessMessage] GFI_ASEMSGPROPS_SPAM is set to true; skipping

  1. Priyanka Bhotika
