Cisco Cisco Email Security Appliance X1050 Guía De Información
How can I identify and address a mail loop
situation on the ESA?
situation on the ESA?
Document ID: 118522
Contributed by Tomki Camp and Enrico Werner, Cisco TAC Engineers.
Oct 09, 2014
Contents
Introduction
Background Information
Solution
How can you prevent mail loops from occurring?
Background Information
Solution
How can you prevent mail loops from occurring?
Introduction
This document describes how to identify a mail loop on the Email Security Appliance (ESA).
Background Information
Mail Loops can be indicated by messages with the same Message−ID that were injected more than 3 times.
Mail Loops can cause symptoms of High CPU, slow delivery and overall performance issues. Normally
message IDs injected more than once would indicate looping, but sometimes they are injected more than once
because of problems, or it could be a sloppy spammer who keeps injecting the same spam message with the
same Message−ID.
Mail Loops can cause symptoms of High CPU, slow delivery and overall performance issues. Normally
message IDs injected more than once would indicate looping, but sometimes they are injected more than once
because of problems, or it could be a sloppy spammer who keeps injecting the same spam message with the
same Message−ID.
More typically a mail loop is caused by an email infrastructure problem which sends the same message or set
of messages racing around your network from mail server to mail server endlessly. While these messages can
keep themselves entertained in this way for a very long time, it's not a good thing for either your network
bandwidth or the ESA processing cost incurred.
of messages racing around your network from mail server to mail server endlessly. While these messages can
keep themselves entertained in this way for a very long time, it's not a good thing for either your network
bandwidth or the ESA processing cost incurred.
Solution
Identifying a mail loop, if you suspect that this may be the problem, is usually pretty easy though you'll need
to eye−ball it.
Log into the command−line interface (CLI) of the system and issue one of these commands, or both as you
find best benefits you:
to eye−ball it.
Log into the command−line interface (CLI) of the system and issue one of these commands, or both as you
find best benefits you:
grep "Subject" mail_logs
grep "Message−ID" mail_logs
Particularly for the search on Message−ID, if you see recurring instances of exactly the same ID then you will
know that you have a mail loop. However sometimes this is not enough, because one of the mail servers
rallying back the same message might be helpfully changing or removing the Message−ID header. So if you
don't get anything identifiable with the Message−ID check go ahead and try the Subject check.
know that you have a mail loop. However sometimes this is not enough, because one of the mail servers
rallying back the same message might be helpfully changing or removing the Message−ID header. So if you
don't get anything identifiable with the Message−ID check go ahead and try the Subject check.
Assuming that you managed to find the looping message by the Message−ID you will also want to find out
other information about the message and its parent connection (ICID). Given the Message−ID and a MID in
other information about the message and its parent connection (ICID). Given the Message−ID and a MID in