Byteplant Forum

Home » CleanMail Support » CleanMail Server Talk » unexpected client disconnect
unexpected client disconnect [message #936] Fri, 10 December 2004 11:01
Hervé Salvat
Messages: 8
Registered: December 2004
Junior Member
What does mean "Delete (unexpected client disconnect)" in the Daily Spam Filtering Report ? What is the correlation with the log ( timed out ?).

Best regards.

Re: unexpected client disconnect [message #937 is a reply to message #936] Fri, 10 December 2004 15:11 Go to previous message
support
Messages: 919
Registered: April 2004
Senior Member

> What does mean "Delete (unexpected client disconnect)" in the
> Daily Spam Filtering Report ? What is the correlation with the
> log ( timed out ?).

It means that a client (=sending SMTP agent) disconnected without waiting for your
SMTP server's reply to the "DATA" command. As spammers often do so, this is usually
a strong indication for a spam mail.



Customer Support
Byteplant GmbH
Re: unexpected client disconnect [message #938 is a reply to message #937] Mon, 13 December 2004 10:03 Go to previous message
Hervé Salvat
Messages: 8
Registered: December 2004
Junior Member
All my mail comes from en SMTP relay run by my ISP. Spammers cannot connect directly on my server. So this is probably a problem with my ISP. Is it possible to disable this feature and accept the mail ?
Re: unexpected client disconnect [message #939 is a reply to message #938] Mon, 13 December 2004 11:55 Go to previous message
support
Messages: 919
Registered: April 2004
Senior Member
> All my mail comes from en SMTP relay run by my ISP. Spammers
> cannot connect directly on my server. So this is probably a
> problem with my ISP. Is it possible to disable this feature and
> accept the mail ?

There is nothing NoSpamToday! can do, because the client (in this case your ISP) is disconnecting.

Your ISP probably uses a batch mailer, and the SMTP timeout is too short, so that it disconnects while the mail filters like SpamAssassin are still running.

This can happen occasionally if a SpamAssassin Bayes database auto-expire is due, which may take a few minutes to complete. If this is what's happening, you will find "bayes.expire" (or similar) files in the db subdirectory of your installation.

In this case, run the batch file expire.bat from a command line window. You can use the Windows task scheduler to run this regularly.



Customer Support
Byteplant GmbH
Re: unexpected client disconnect [message #940 is a reply to message #936] Wed, 15 December 2004 20:06 Go to previous message
maverick
Messages: 2
Registered: December 2004
Junior Member
I am getting the same problem, however, I do not believe that it is happening during the Auto-Expire scenario presented above.

Here is a Log-File excerpt:

Dec 15, 2004, 13:52:01 Session 0: (SpamAssassin) Filter result is reject/deliver
Dec 15, 2004, 13:52:01 Session 0: (SpamAssassin) Spam score: 18.3
Dec 15, 2004, 13:52:01 Session 0: Incoming mail action: reject/deliver
Dec 15, 2004, 13:52:03 Session 0: Connection reset by client (recv failed)
Dec 15, 2004, 13:53:31 Session 0: Received end of data, mail size 3kB
Dec 15, 2004, 13:53:46 Session 0: (SpamAssassin) Filter result is reject/deliver
Dec 15, 2004, 13:53:46 Session 0: (SpamAssassin) Spam score: 6.0
Dec 15, 2004, 13:53:46 Session 0: Incoming mail action: reject/deliver
Dec 15, 2004, 13:53:48 Session 0: Received end of data, mail size 4kB

My set-up is similar to Hervs set-up with the ISP SMTP server acting as my "Smart Host" to forward my mail. This seems to be occuring with only 1 e-mail address AND ONLY when there is an Excel attachement.

help!

Regards,

dan

Re: unexpected client disconnect [message #941 is a reply to message #940] Thu, 16 December 2004 18:16 Go to previous message
support
Messages: 919
Registered: April 2004
Senior Member
> My set-up is similar to Hervs set-up with the ISP SMTP
> server acting as my "Smart Host" to forward my mail. This
> seems to be occuring with only 1 e-mail address AND ONLY when
> there is an Excel attachement.

Please turn on detailed logging (File->Global Settings) and try to find the log file excerpt of such a mail transmission, let's see what was going on exactly.

Here's some more background info:

Your ISP's server implements a timeout, when it does not hear from NoSpamToday! within a certain time, it disconnects. (5 minutes is the recommended timeout value.) NoSpamToday! logs this as an uexpected client disconnect.

When the last byte of the mail has been transmitted, NoSpamToday! runs the mail filters, and forwards the mail to your mail server. Your mail server has to acknowledge it has received the mail. Only then NoSpamToday! gives an answer to your ISP's server.

If the whole process takes longer than 5 minutes, it is likely that the ISP's server will timeout. But this can happen only for the following reasons:

- if the mail filters take more than a few seconds to execute
- or if the outbound transmission to your mail server is very slow (modem connection?)
- or if your mail server takes a very long time to reply.

In short, it should not happen. Some ISP's use batch mailers with very short timeouts for outgoing mail (e.g. 30s), in this case, try to convince them to reconfigure their software.



Customer Support
Byteplant GmbH
Re: unexpected client disconnect [message #942 is a reply to message #941] Fri, 17 December 2004 16:28 Go to previous message
maverick
Messages: 2
Registered: December 2004
Junior Member
Detailed logging has been activated, I will let you know when it happens again.

Thank-you for your help in trying to resolve this problem.

Regards,
Daniel Lazaratos
Re: unexpected client disconnect [message #943 is a reply to message #936] Fri, 24 December 2004 22:01 Go to previous message
delbert
Messages: 2
Registered: December 2004
Junior Member
I am getting the unexpected client disconnect on a large amount of messages. Our system processes some 25,000 messages a day. Can you have a setting or option to accept and continue processing the message as opposed to deleting it. I believe there is posibility of many mail sender systems that send the message and do not wait for a reply. We fear the amount of messages that are being deleted because of this condition.

Delete (unexpected client disconnect) 10475 (41.8%)

thanks,
Delbert Aud
Active Web Hosting
Re: unexpected client disconnect [message #944 is a reply to message #943] Mon, 27 December 2004 14:47 Go to previous message
support
Messages: 919
Registered: April 2004
Senior Member
> I am getting the unexpected client disconnect on a large
> amount of messages. Our system processes some 25,000 messages a
> day. Can you have a setting or option to accept and continue
> processing the message as opposed to deleting it. I believe
> there is posibility of many mail sender systems that send the
> message and do not wait for a reply. We fear the amount of
> messages that are being deleted because of this condition.

If we would simply forward these mails, you might receive the same message many times, because the sender will try to deliver the mail again and again and again, until your server acknowledges receiving it. (This is assuming that the mails have been already completely transmitted, and that the sender is not a spammer, but a server trying to deliver legitimate email.)

It might be that the same happened even without NoSpamToday! involved, and your mail server just did not bother to write this condition to the log.

> Delete (unexpected client disconnect) 10475 (41.8%)

About 1-5% of unexpected disconnects is perfectly normal, but more than 40% is surprising. Are you having a similar configuration as the other users in this thread, with your ISP's server relaying the mail for you?

In any case, it will help to look at the log file of your NoSpamToday! installation. Please enable detailed logging, and send the log file "nospamtoday.log" (in the installation directory) to nstsupport@byteplant.com.



Customer Support
Byteplant GmbH
Re: unexpected client disconnect [message #945 is a reply to message #944] Mon, 27 December 2004 18:53 Go to previous message
delbert
Messages: 2
Registered: December 2004
Junior Member
When I remove all filters that occurrence is greatly reduced. If I add a virus filter the number goes up greatly. I am not suggesting that you eliminate the feature, I am just suggesting that you provide an option as what to do with the messages upon that condition. Of course if you have not received an end of data signal then you must delete the message. If you do receive an end of data signal then it would be nice to have the option of accepting the message anyway. This way if the host sending the message does not care about the confirmation then at least the message is on its' way. I completely understand that the message might be sent over and over by a poorly configured mail sender but then we can contact the admin of that server and alert them to the problem. Because of our volume detailed logging is not an option. I have turned it on but it slows down our receipt of messages and causes this problem to grow. I have reviewed the logs after a short session and noticed that most of the occurrences happen after the completion of the message while checking is happening. btw: after a few days the occurrence has dropped to about 8% but we are still concerned about those messages.
Re: unexpected client disconnect [message #946 is a reply to message #945] Tue, 28 December 2004 05:52 Go to previous message
bks2
Messages: 6
Registered: December 2004
Junior Member
I have also noticed this error while running No Spam Today!

I have two e-mail servers. One server is used as the backup and any mail it receives, it will then forward to my main server.

When I check the logs of my backup e-mail server, I find many attempts by the IIS SMTP Service having trouble connecting indicating that there was a server disconnection.

When I remove the No Spam Today! filter (I change the port from 26 to 25 on my firewall), all the mail from the backup server is sent without any error messages on the first attempt. It somtimes takes 3-4 attempts from the backup server to the main server when I have the SMTP Proxy intercepting the messages before the server.



Brian S.
A+, Network+, 2000 MCSA, CCNT
Re: unexpected client disconnect [message #947 is a reply to message #944] Tue, 28 December 2004 07:14 Go to previous message
Dave Camenisch
Messages: 30
Registered: December 2004
Member
> > Delete (unexpected client disconnect) 10475 (41.8%)
>
> About 1-5% of unexpected disconnects is perfectly normal, but
> more than 40% is surprising. Are you having a similar
> configuration as the other users in this thread, with your
> ISP's server relaying the mail for you?

FYI: I'm running NST2 since 1 week and I have 10-20% of unexpected disconnects (one time 33%). No Proxy-ISP setup = Mails are coming from all over the world.

My NST config: Honeypot-, F-Prot- and SpamAssassin-Filter running.

-- Dave



Post Edited (12-28-04 07:16)
Re: unexpected client disconnect [message #948 is a reply to message #946] Tue, 28 December 2004 15:03 Go to previous message
support
Messages: 919
Registered: April 2004
Senior Member
> I have two e-mail servers. One server is used as the backup
> and any mail it receives, it will then forward to my main
> server.
>
> When I check the logs of my backup e-mail server, I find many
> attempts by the IIS SMTP Service having trouble connecting
> indicating that there was a server disconnection.

This is probably something else. As you describe it, NoSpamToday! disconnects, and not the client trying to forward the mail. Maybe this is caused by the traffic limiting settings of NoSpamToday!, whenever IIS tries to forward lots of messages at the same time.
>
> When I remove the No Spam Today! filter (I change the port
> from 26 to 25 on my firewall), all the mail from the backup
> server is sent without any error messages on the first attempt.
> It somtimes takes 3-4 attempts from the backup server to the
> main server when I have the SMTP Proxy intercepting the
> messages before the server.



Customer Support
Byteplant GmbH
Re: unexpected client disconnect [message #949 is a reply to message #945] Tue, 28 December 2004 15:22 Go to previous message
support
Messages: 919
Registered: April 2004
Senior Member
delbert wrote:

[...]

> This way if the host sending
> the message does not care about the confirmation then at least
> the message is on its' way.

If the host does not wait for the confirmation, you can be 100% sure that the message is spam.

A legitimate mail sender always waits for the confirmation, if the confirmation does not arrive, the transmission is rescheduled.

The fact that spammers do not wait can be used for spam filtering purposes. We were already considering delaying the confirmation a few seconds, to get rid of spam messages this way.

BTW, this is related to the way "greylisting" (http://projects.puremagic.com/greylisting/) works. In this filtering technique, all incoming messages are discarded with a temporary error, and only accepted if the sender tries to transmit again within a given timeframe.



Customer Support
Byteplant GmbH
Previous Topic: No Spam Today! Daily Spam Filtering Report
Next Topic: Attachment filter
Goto Forum:
  


Current Time: Wed Dec 07 13:25:40 CET 2016