Kaspersky Security for Microsoft Exchange Servers пропало письмо

[Игорь Ченцов]

Добрый день !

 

Неожиданно пропало письмо. В логах Exchange - вижу что заблокировал антивирус -

Но письма в карантине нет, хотя настроено сохранять все письма.

В логах AntiSpamEngine есть упоминание об письме - но разобрать в логе, куда оно подевалось, я не смог. (даю лог с пропусками)

2024-07-30 09:44:18.976    ECXT458684025    26140    Verbose    AntispamEngine    method AntispamScannerProblemsEmulatingWrapper.Scan (IAntispamScannerWorkingSet, IAntispamScanner, IKasSessionPoolResetter, IMimeParser)  enter: fcdf9b06-023b-40b6-a612-53ce52273f78, {ClientAddress: 31.31.196.41; ClientName: ; HeloName: sm15.hosting.reg.ru; MailFrom: xxx; Recipients: {xxx}}, {Config: {UseProfiles: True; UseGsg: True; UseContentFiltration: True; UseSpf: True; UseDns: True; UseSpamUrlRealtimeBlocklists: False; UseSpamUrlRealtimeBlocklistsDefault: False; UseDnsBlacklist: False; UseDnsBlacklistDefault: False; UseCloud: True; UseMoebius: True; UseMassMail: True; ParsePlainText: True; ParseHtml: True; ParsePdf: False; ParseMsoffice: True; ParseRtf: True; DnsTimeout: 5; UrgentDetectionSystemTimeout: 10; CloudTimeout: 5; ReceivedHeadersLimit: 4; IpsOffset: 0; AppId: 1168; AppVersionMajor: 9; AppVersionMinor: 6; AppVersionBuild: 0}, FiltrationOptions: {DNS_HOST_IN_DNS: 1}; {HEADERS_SUBJECT_DIGIT_OR_TIME_ID: 1}; {HEADERS_FROM_OR_TO_DIGITS: 1}; {HEADERS_FROM_OR_TO_NO_DOMAIN: 1}; {HEADERS_SUBJECT_TOO_LONG: 1}; {HEADERS_TO_UNDISCLOSED: 1}; {HEADERS_SUBJECT_WS_OR_DOTS: 1}; {LANG_CHINESE: 1}; {LANG_JAPANESE: 1}; {LANG_KOREAN: 1}; {LANG_THAI: 1}; {DKIM_ENABLED: 1}; {DNS_DYNAMIC_RESOLVED_FROM: 0}; {PROBABLE_SPAM_ON: 1}; {SPAM_RATE_LIMIT: 3}; {CF_SIZE_LIMIT: 2146435072}; {MTA_IS_ON_EDGE: 0}; {UNICODE_SPOOF: 0}; {OUTBOUND: 0}, Timeout: 00:01:00, ExtractUrlsForAntiphishing: True, ExtractMimePartsForAntiphishing: False,StoreObjectIdForMimeParts: 00000000-0000-0000-0000-000000000000, Re: смарт тест

2024-07-30 09:44:18.976    ECXT458684025    26140    Information    AntispamEngine    Reactive event MessageProcessorEvents::MessageScanningStarted; message:
2024-07-30 09:44:18.976    ECXT458684025    26140    Verbose    AntispamEngine    StoreObjectOpen
2024-07-30 09:44:18.976    ECXT458684025    26140    Verbose    AntispamEngine    Information KASGetDBInfo: error 0
2024-07-30 09:44:19.005    ECXT458684025    26140    Verbose    AntispamEngine    Debug moebius::UpdaterProxyImpl::GetNewOnlineDb: compWhiteTs=12082042, compBlackTs=0, provWhiteTs=50719493, provBlackTs=0

2024-07-30 09:44:19.193    ECXT458684025    26140    Verbose    AntispamEngine    Debug Reputation : self_test 127.0.0.200
2024-07-30 09:44:19.194    ECXT458684025    26140    Verbose    AntispamEngine    Paranoic Service name='network_services.AdvancedHttpClientFactoryForUpdater', serviceKey=0x4a83ea56 is trying to get interface iface=0x528c461e, serviceKey=0x00000000
2024-07-30 09:44:19.194    ECXT458684025    26140    Verbose    AntispamEngine    Information esm    Can't provide interface requested iface=0x528c461e, serviceKey=0x00000000, hostId=0x00000000, accessPointId=0x00000000, requestor={unknown}. result=0xa6440003 (Can't find service specified)
2024-07-30 09:44:19.194    ECXT458684025    26140    Verbose    AntispamEngine    Paranoic Service name='network_services.AdvancedHttpClientFactoryForUpdater', serviceKey=0x4a83ea56 is trying to get interface iface=0x009eafab, serviceKey=0x00000000
2024-07-30 09:44:19.194    ECXT458684025    26140    Verbose    AntispamEngine    Debug httpcli    Using IMemoryCryptor
2024-07-30 09:44:19.194    ECXT458684025    26140    Verbose    AntispamEngine    Important httpcli    AddThreadPoolTask 0x25937e77150

 

В логах MessageProcessing -

"07/30/2024 09:43:12","0","<d1739b0e0eec497a8a924b85734c01ba@xxx>","xxx","xxx","","смарт тест","13727","","","","7/30/2024 9:43:12 AM","7/30/2024 9:43:12 AM","SmtpAntispam","BusinessRules.Antispam.PreprocessFilters.CommonSclAndOutboundFilter","Skipped","Body","","","","","","",""
"07/30/2024 09:43:12","0","<d1739b0e0eec497a8a924b85734c01ba@xxx>","xxx","xxx","","смарт тест","14364","","","","7/30/2024 9:43:12 AM","7/30/2024 9:43:12 AM","RoutingAntivirus","BusinessRules.Antivirus.PreprocessFilters.AttachmentFilteringSwitchBasedFilter","Skipped","Body","","","","","","",""
"07/30/2024 09:43:12","33","<d1739b0e0eec497a8a924b85734c01ba@xxx>","xxx","xxx","","смарт тест","14364","Clean","","","7/30/2024 9:43:12 AM","7/30/2024 9:43:12 AM","RoutingAntivirus","AntivirusTransportAgent","Pass","Email","7/30/2024 8:00:00 AM","","Antivirus","Internal","","","Clean"
"07/30/2024 09:43:12","0","<d1739b0e0eec497a8a924b85734c01ba@xxx>","xxx","xxx","","смарт тест","14364","","","","7/30/2024 9:43:12 AM","7/30/2024 9:43:12 AM","RoutingAntivirus","BusinessRules.Antivirus.PreprocessFilters.BulkMessagesFilteringSwitchBasedFilter","Skipped","Body","","","","","","",""
"07/30/2024 09:43:12","0","<d1739b0e0eec497a8a924b85734c01ba@xxx>","xxx","xxx","","смарт тест","13329","","","","7/30/2024 9:43:12 AM","7/30/2024 9:43:12 AM","RoutingAntispam","BusinessRules.Antispam.PreprocessFilters.CommonSclAndOutboundFilter","Skipped","Body","","","","","","",""

 

Отсюда вопрос - есть более-менее вменяемый лог где можно узнать, что произошло с письмом (хотя бы почему оно не попало в карантин) ?

С уважением -

Игорь Ченцов

 

 

[Игорь Ченцов]

Интересное кино ... Где-то побродивщи письма всё же достигли получателей.

Так что вопросы немножко другие -

1. Где было письмо ?
2. Как отследить это в логах ?

С уважением -

Игорь Ченцов