Comprehensive Anti-Spam Services (CASS) Troubleshooting Guide

03/26/2020 60 12048

DESCRIPTION:

This article covers troubleshooting steps for Comprehensive Anti-Spam Services (CASS).

RESOLUTION:

1. Check the SonicOS firmware customer is running. This will help determine the CASS version.

2. Check the Anti-Spam | Status page and ensure that the status of SonicWall Anti-Spam Service, SonicWall Junk Store and Destination Mail Server are Operational.

3. If the SonicWall Anti-Spam Service status is not Operational:

• Check the Anti-Spam licenses and the IP address it is pointing to. If it points to an internal IP then use a public DNS server for the UTM device, so that the anti-spam service can resolve to the correct IP address of the COLO server.
• Make sure that ISP is not blocking port 25 and 10025.
• If the issue persists collect a packet capture on destination port 25 and 10025 for at least 5 minutes.

4. If the SonicWall Junk Store status is not Operational:

• Try to access http://localhost:10080 on the server where the Junk Store is installed.
• If the Junk Store is running properly the browser should open http://localhost:10080/index.htmlpage. If it fails this indicates the Tomcat service is not running and further troubleshooting requires to be done. The most common reason could be a port conflict with another application using Tomcat.
• If the page is accessible then ensure that Windows or any other personal firewall software (eg. TrendMicro) is not blocking port 10080, 10443 and 10025.

5. If the Destination Mail Server is not Operational:

• Test whether the mail server is accepting connections on port TCP 25 from the UTM LAN IP address and the Junk Store IP address.

6. Not able to receive emails and all 3 services of CASS, viz., SonicWall Anti-Spam Service, SonicWall Junk Store and Destination Mail Server, are Operational:

• Ensure that Disable SYN Flood Protection for Anti-Spam-related connections is checked in the diag page.
• If using MS Exchange Server then the option Anonymous User should be checked in the Exchange Server.
• If the issue persists collect MlfAsgSMTP logs in Log Level 2 under Anti-Spam > Advanced page.

7. Check to see if Junk Summary is configured under the Anti-Spam | Junk Summary page. Junk Summary is important if the admin wants the users to be able to un-junk or delete their own emails from CASS Junk Box. Junk Summary is an email sent to users notifying them about the emails detected by CASS as junk. By clicking on the Junk Summary links, users can manage their Junk Box. If the Junk Summary is not being received by the users, then collect the commonlogs:junknotification logs in log level 2 for that date from the Anti-Spam | Advance page.

8. CASS 2.0 supports user based (per user) Allowed/Blocked list only if LDAP is configured under the Anti-Spam | LDAP Configuration page. Admin can use Corporate Allowed/Blocked list irrespective of LDAP if they are running CASS 2.0. This helps in addressing effectiveness issues like spam coming in or good emails being judged as spam. If allowed/blocked list is not enough to address the issues related to effectiveness then collect mail samples in .msg or .eml format, so that the same can be submitted to our Back-end Effectiveness Team for analysis.

9. Logs under the Anti-Spam | Advance page are useful for troubleshooting CASS related issues. Listed below are some logs that are useful in troubleshooting CASS related issues:

• Users not able to un-junk - commonlogs:webui (based on date)
• Not receiving junk summary - commonlogs:junknotifications (based on date)
• All emails processed by junk store - mfe:hostname (hourly logs)

10. The following should be kept in mind when troubleshooting CASS related issues:

• CASS works only for SMTP traffic on port 25. Custom ports are not supported.
• CASS won't work if the customer is using a hosted mail server on the WAN side of the SonicWall and uses POP to receive emails.
• The SonicWall should be running in NAT mode.
• CASS is NOT supported when the SonicWall is running in Layer 2 Bridged Mode or Transparent Mode.