Spam Filter ISP Support Forum


Tag Spam ??

jerbo128
    Posted: 23 June 2007 at 9:18pm

Running SFE .679.  If all users are set up to quarantine, and 2 of them have the :tagsubject in the unfiltered emails list, what should happen to an incoming email with multiple recipients?

What is happening:
Users who are not on the unfiltered emails with :tagsubject list are getting emails with SPAM: XXX in the subject (our tag).  It appears that the filters are identifying the mail as spam correctly, but if the mail is addressed to multiple users, and one of them is on the unfiltered emails list with a :tagsubject, all users get the mail passed through with the modified subject.

Any ideas?

LogSat
Posted: 24 June 2007 at 3:06pm
Could you either post or email us a section of SpamFilter's activity logfile showing a couple of minutes prior to one of the emails in question, including entries for a couple of minutes after? In SpamFilter 3.5.3.679 we actually (should have) fixed an issue very similar to yours:

// New to VersionNumber = '3.5.3.679';
{TODO -cFix : The :tag and :tagsubject were incorrectly tagging emails with multiple recipients}
{TODO -cFix : Emails blocked by the attachment filter were stored in the quarantine DB with a rejectID of 13 instead of 23}
{TODO -cFix : Added 100ms delay when saving corpus database files to try avoiding error "corpus.db copy of files not exist - exiting"}
{TODO -cNew : Added customized response item for emails rejected by the Honeypot filters}

We'd like to see the logs so we can try to pinpoint what is happening and why the above fix did not work.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
jerbo128
Posted: 24 June 2007 at 7:35pm

Logs Sent.

Thanks Roberto.

LogSat
Posted: 25 June 2007 at 10:14pm
jerbo128,

Your email sample involved a very particular set of circumstances. There is indeed a bug (actually two, including a logging inaccuracy), even though it occurs in a very specific scenario such as yours.
 
I'll try to explain.
 
Below I'm including the entire SMTP session for the email in question. You will see that in the same SMTP session, the spammer is sending multiple, separate emails, all to separate recipients.
 
 
06/22/07 02:09:39:078 -- (3924) Connection from: 211.138.9.114  -  Originating country : China
06/22/07 02:09:43:562 -- (3924) - IP address is from a blacklisted country...
The 1st email starts here...
06/22/07 02:09:43:562 -- (3924) 211.138.9.114 - Mail from: cglew@cablecomponents.com To: adolphson@Your_Domain.net will be rejected
06/22/07 02:09:44:609 -- (3924) Mail from: cglew@cablecomponents.com
06/22/07 02:09:44:609 -- (3924) 211.138.9.114 - Mail from: cglew@cablecomponents.com To: adreyer@Your_Domain.net will be rejected
06/22/07 02:09:45:906 -- (3924) Mail from: cglew@cablecomponents.com
06/22/07 02:09:45:906 -- (3924) 211.138.9.114 - Mail from: cglew@cablecomponents.com To: aeitzen@Your_Domain.net will be rejected
06/22/07 02:09:47:703 -- (3924) Mail from: cglew@cablecomponents.com
..... omitted
06/22/07 02:10:00:812 -- (3924) Mail from: cglew@cablecomponents.com
06/22/07 02:10:00:812 -- (3924) 211.138.9.114 - Mail from: cglew@cablecomponents.com To: amyjo@Your_Domain.net will be rejected
06/22/07 02:10:02:484 -- (3924) Start virus scan
06/22/07 02:10:02:484 -- (3924) Starting bayesian procedures
This is the end of the 1st email, all the rejections are as they should be.
 
The 2nd email starts here, the spammer uses a different MAIL FROM address...
06/22/07 02:10:04:109 -- (3924) Mail from: crobbins@robbinsent.com
06/22/07 02:10:04:109 -- (3924) 211.138.9.114 - Mail from: crobbins@robbinsent.com To: andersonj@Your_Domain.net will be rejected
06/22/07 02:10:04:781 -- (3924) Mail from: crobbins@robbinsent.com
06/22/07 02:10:04:781 -- (3924) 211.138.9.114 - Mail from: crobbins@robbinsent.com To: andy@Your_Domain.net will be rejected
06/22/07 02:10:05:375 -- (3924) Mail from: crobbins@robbinsent.com
06/22/07 02:10:05:375 -- (3924) 211.138.9.114 - Mail from: crobbins@robbinsent.com To: andyfarmer@Your_Domain.net will be rejected
...omitted
06/22/07 02:10:17:421 -- (3924) Start virus scan
06/22/07 02:10:17:437 -- (3924) Starting bayesian procedures
The 2nd email stops here
 
The spammer sends several other emails after these, all are being rejected. On the following email, however, your first recipient that is in the unfiltered list with a "tagsubject" is encountered, see entry in purple below. There is now a bug with the log entries, as all attempts to send emails to other recipients for this one single email appear as "spam-tagged", while in reality they are being rejected. In fact, see the entry in green after the email has been received by the spammer, showing that only your unfiltered recipient is being delivered the email.
 
06/22/07 02:12:38:703 -- (3924) - EmailTO is not in AuthorizedTOEmail list...
06/22/07 02:12:38:703 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca To: dennisg@Your_Domain.net will be rejected
06/22/07 02:12:40:140 -- (3924) Exceeded maximum number of RCPT TO (182) - Disconnecting 211.138.9.114
06/22/07 02:12:40:140 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca To: dennisl@Your_Domain.net will be rejected
06/22/07 02:12:41:140 -- (3924) Exceeded maximum number of RCPT TO (183) - Disconnecting 211.138.9.114
06/22/07 02:12:41:140 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca To: dennys@Your_Domain.net will be rejected
06/22/07 02:12:42:031 -- (3924) Exceeded maximum number of RCPT TO (184) - Disconnecting 211.138.9.114
06/22/07 02:12:42:031 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca To: depothill@Your_Domain.net will be spam-tagged
06/22/07 02:12:43:296 -- (3924) Exceeded maximum number of RCPT TO (185) - Disconnecting 211.138.9.114
06/22/07 02:12:43:296 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca To: destef@Your_Domain.net will be spam-tagged
06/22/07 02:12:44:125 -- (3924) Exceeded maximum number of RCPT TO (186) - Disconnecting 211.138.9.114
06/22/07 02:12:44:125 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca To: developiowa@Your_Domain.net will be spam-tagged
06/22/07 02:12:44:781 -- (3924) Exceeded maximum number of RCPT TO (187) - Disconnecting 211.138.9.114
06/22/07 02:12:44:781 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca To: devriesfarms@Your_Domain.net will be spam-tagged
...omitted
06/22/07 02:13:01:578 -- (3924) - EmailTO is not in AuthorizedTOEmail list...
06/22/07 02:13:01:578 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca To: dianek@Your_Domain.net will be spam-tagged
06/22/07 02:13:03:515 -- (3924) Start virus scan
06/22/07 02:13:03:531 -- (3924) Starting queueing procedures
 
06/22/07 02:13:03:531 -- (3924) Info - some recipients were in the WhitelistedEmailsTO list. Email will be split so they receive it while the others will not
06/22/07 02:13:03:531 -- (3924) EMail from crougeau@thebodyshop.ca to depothill@Your_Domain.net was queued. Size: 1 KB, 1024 bytes
 
Now a bug in SpamFilter kicks in. The spammer sends yet other emails within this same SMTP session. Even though the recipients are not unfiltered, the bug is causing the spam-tagged recipient in the previous email to carry over the "spam-tagged" flag to all subsequent emails as well. Unlike the above case, this is not a bug in logging, it's actually a bug that causes the delivery of such emails to all subsequent recipients. We're working on a fix...
 
 
06/22/07 02:13:05:812 -- (3924) Exceeded maximum number of RCPT TO (201) - Disconnecting 211.138.9.114
06/22/07 02:13:05:812 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com To: dickelduit@Your_Domain.net will be spam-tagged
06/22/07 02:13:06:796 -- (3924) Exceeded maximum number of RCPT TO (202) - Disconnecting 211.138.9.114
06/22/07 02:13:06:796 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com To: dieseldoc@Your_Domain.net will be spam-tagged
06/22/07 02:13:07:843 -- (3924) Exceeded maximum number of RCPT TO (203) - Disconnecting 211.138.9.114
06/22/07 02:13:07:843 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com To: dingus@Your_Domain.net will be spam-tagged
06/22/07 02:13:08:796 -- (3924) Exceeded maximum number of RCPT TO (204) - Disconnecting 211.138.9.114
06/22/07 02:13:08:796 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com To: dirvin@Your_Domain.net will be spam-tagged
06/22/07 02:13:09:812 -- (3924) Exceeded maximum number of RCPT TO (205) - Disconnecting 211.138.9.114
06/22/07 02:13:09:812 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com To: dixie@Your_Domain.net will be spam-tagged
06/22/07 02:13:10:796 -- (3924) Exceeded maximum number of RCPT TO (206) - Disconnecting 211.138.9.114
06/22/07 02:13:10:796 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com To: djdalbey@Your_Domain.net will be spam-tagged
06/22/07 02:13:11:640 -- (3924) Exceeded maximum number of RCPT TO (207) - Disconnecting 211.138.9.114
06/22/07 02:13:11:640 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com To: djdavis@Your_Domain.net will be spam-tagged
....omitted

Roberto Franceschetti

LogSat Software

Spam Filter ISP
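
An added example, not part of the thread and not LogSat's code: a Python audit of an activity log for the two symptoms described in the post above, "spam-tagged" entries for recipients who are not set up for :tagsubject, separated into the same message as an expected tag (the logging inaccuracy) and later messages in the same session (the carry-over). Assumptions: the line layout is the one in the excerpts, a "Start virus scan" entry closes each message's envelope, the list of :tagsubject recipients is supplied by the administrator, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the excerpts above (addresses and IPs are made up).
SAMPLE_LOG = """\
06/22/07 02:12:41:140 -- (3924) 203.0.113.9 - Mail from: a@example.org To: dennys@example.net will be rejected
06/22/07 02:12:42:031 -- (3924) 203.0.113.9 - Mail from: a@example.org To: depothill@example.net will be spam-tagged
06/22/07 02:12:43:296 -- (3924) 203.0.113.9 - Mail from: a@example.org To: destef@example.net will be spam-tagged
06/22/07 02:13:03:515 -- (3924) Start virus scan
06/22/07 02:13:05:812 -- (3924) 203.0.113.9 - Mail from: b@example.org To: dickelduit@example.net will be spam-tagged
06/22/07 02:13:06:796 -- (3924) 203.0.113.9 - Mail from: b@example.org To: dieseldoc@example.net will be spam-tagged
06/22/07 02:13:12:000 -- (3924) Start virus scan
06/22/07 02:13:13:000 -- (4001) 198.51.100.7 - Mail from: c@example.org To: depothill@example.net will be spam-tagged
"""

LINE = re.compile(r"^\S+ \S+ -- \((\d+)\) (.*)$")  # date, time, session id, message
RCPT = re.compile(r"Mail from: (\S+) To: (\S+) will be (rejected|spam-tagged)$")

def audit(log_text, tag_recipients):
    """Classify 'will be spam-tagged' entries for recipients not set up for tagging."""
    tag_recipients = {r.lower() for r in tag_recipients}
    msg_no = defaultdict(int)   # session id -> index of the message being received
    first_tagged = {}           # session id -> message index of the first expected tag
    findings = {"logging_only": [], "carried_over": [], "unexplained": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, body = m.groups()
        if body.startswith("Start virus scan"):
            msg_no[sid] += 1    # assumption: this entry closes one message's envelope
            continue
        r = RCPT.search(body)
        if not r or r.group(3) != "spam-tagged":
            continue
        sender, rcpt = r.group(1), r.group(2).lower()
        if rcpt in tag_recipients:
            first_tagged.setdefault(sid, msg_no[sid])   # tagging is expected here
        elif sid not in first_tagged:
            findings["unexplained"].append((sid, sender, rcpt))
        elif first_tagged[sid] == msg_no[sid]:
            findings["logging_only"].append((sid, sender, rcpt))
        else:
            findings["carried_over"].append((sid, sender, rcpt))
    return findings

if __name__ == "__main__":
    for kind, rows in audit(SAMPLE_LOG, {"depothill@example.net"}).items():
        print(kind, rows)
```

Entries under "carried_over" are the ones to cross-check against what was actually queued for delivery in that session.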