Directory Harvest Attack
A Directory Harvest Attack is a series of delivery attempts by one IP that results in 550 errors. Your email server responds to each request, issuing potentially thousands of 550 errors.
Action: Connection Manager can temporarily block the source IP. Alerts can be sent. No action is required.
Spam Attack
A Spam Attack is a barrage of spam messages from one IP address detected by users with spam filtering enabled.
Action: Connection Manager can temporarily block the source IP. Alerts can be sent. No action is required.
Virus Outbreak
A Virus Outbreak is a large quantity of virus-laden messages from one IP address detected by users with virus filtering enabled.
Action: Connection Manager can temporarily block the source IP. Alerts can be sent. No action is required.
Mailbomb
A mail bomb is a denial of service attack in which many messages of 500 KB or more are sent from a single IP to your server(s).
Action: Connection Manager can temporarily block the source IP. Alerts can be sent. No action is required.
Email Host Down
One mail server is unreachable or not responding. Other primary or failover servers are responding.
Action: Delivery Manager attempts delivery for each new connection. If the connection fails, connections are attempted to other primary servers and then to failover servers. Alerts can be sent. You should investigate this issue; see the Delivery Manager troubleshooting section for details.
Action: The Spool Manager delay timer starts. If the outage is prolonged, spooling is triggered. Alerts can be sent. You should investigate the issue; see the Delivery Manager troubleshooting section for details.
Action: No new connections are attempted to the servers until the spool is full or until you have suspended spooling. Alerts can be sent. You should investigate and unspool as appropriate.
3. Select the Manager associated with the event (Connection Manager, Delivery Manager or Spool Manager), or click the Events link for access to all types of events.
4. The list of events can be sorted by type, date, source IP or impact. Click any of the column headers to sort the list by that category. To search for the events that had the greatest impact, select messages Over 100, 500, or 1000 and search. This eliminates all the "low-impact" events and leaves only those over the value you selected.
The EID is the easiest way to distinguish events when there are several of the same type, or several that apply to the same IP within the same event time period.
The type of event, which can be Spam Attack, Virus Outbreak, Directory Harvest Attack, Mailbomb, Mail Server Down, Org Down.
See the chapters on Connection Manager, Delivery Manager, and Spool Manager for details on the different Events associated
This is listed only after the event has ended and has been verified. For example, during an Org Down event while the email protection service is spooling, incoming traffic is stored in a spool file and no delivery to the server is attempted. Because the service does not mark the event complete until after a successful delivery to the server, the event does not complete until the spool is full or spooling has otherwise been disabled.
For attacks, this is the IP address of the offending attacker. For an Email Host Down event, the associated IP is the down mail server.
For an attack, the number of messages blocked by the automatic attack block.
The block prevents new connections from the attacker from being established. Since this happens before receiving details about specific messages, this statistic is generally very low; it only applies to messages within the connection that triggered the attack response.
The actions taken by the email protection service when the event was detected.
The possible actions include emailing alerts to administrators, triggering an automatic attack block, and enabling spooling.