Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Image filter blocking white listed mail
  FAQ FAQ  Forum Search   Register Register  Login Login

Image filter blocking white listed mail
 Post Reply Post Reply
Author
  Topic Search Topic Search  Topic Options Topic Options
jemmie View Drop Down
Newbie
Newbie
Avatar

Joined: 27 May 2006
Location: Netherlands
Status: Offline
Points: 18 		Post Options Post Options   Thanks (0) Thanks(0)   Quote jemmie Quote  Post ReplyReply Direct Link To This Post Topic: Image filter blocking white listed mail
    Posted: 15 May 2008 at 1:37pm

A day ago ISP blocked a mail, Detected spam signature in embedded image, when the from address was white listed.

I disabled the image filter so it should not happen again, but does anyone no if this behavior is by design, image filter take precedence over white list. Or is it some bug in the program.
 
I use version 4.0.0.772 standard.
 
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 15 May 2008 at 3:50pm
jemmie,

The whitelists have precedence over the image filters (and most other filters). Without looking at the logs we can't be certain, but the most common scenario is when the "from" that was whitelisted is not the "real" sender's email address, but rather the one specified in the "From:" email header.

SpamFilter acts upon the "real" email address specified in the email. This is often referred to as the "Envelope" address, or the "Return-Path" address. It is the email address that is provided by the sender's server in the "MAIL FROM" SMTP command. SpamFilter logs this address in the following header:

X-SF-RX-Return-Path: <user@some.domain>

And it also should appear in the "standard" header:
Return-Path: <user@some.domain>

Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
jemmie View Drop Down
Newbie
Newbie
Avatar

Joined: 27 May 2006
Location: Netherlands
Status: Offline
Points: 18 		Post Options Post Options   Thanks (0) Thanks(0)   Quote jemmie Quote  Post ReplyReply Direct Link To This Post Posted: 16 May 2008 at 1:12am
Thanks for the respons.
This is the part of the log.
 
 05/15/08 03:30:09:561 -- (80816) Connection from: 194.109.24.31  -  Originating country : Netherlands
05/15/08 03:30:09:721 -- (80816) Received MAIL FROM: <userf@xs4all.nl>
05/15/08 03:30:09:751 -- (80816) Received RCPT TO: user@mine.net
05/15/08 03:30:09:782 -- (80816) Resolving 194.109.24.31 - smtp-vbr11.xs4all.nl
05/15/08 03:30:10:022 -- (80816) Mail from: user@xs4all.nl
05/15/08 03:30:10:232 -- (80816) - MAPS search done...
05/15/08 03:30:10:232 -- (80816) RCPT TO: user@mine.net accepted
05/15/08 03:30:10:262 -- (80816) Received RCPT TO: user2@mine.net
05/15/08 03:30:10:262 -- (80816) Mail from: user@xs4all.nl
05/15/08 03:30:10:262 -- (80816) RCPT TO: user2@mine.net accepted
05/15/08 03:30:10:422 -- (80816) Checking SFDC
05/15/08 03:30:10:713 -- (80816) Hash cache - Added OK
05/15/08 03:30:10:783 -- (80816) String matching error for (received: from 194.109.24.31 by mail.mine.net (logsat software smtp server - rc); thu, 15 may 2008 03:30:10 +0200 -- received: from s8f60db (a80-101-66-150.adsl.xs4all.nl [80.101.66.150]) --  by smtp-vbr11.xs4all.nl (8.13.8/8.13.8) with esmtp id m4f1vc0u05 --and-- ((?i)(v . a g r a)) : TRegExpr(comp): ParseReg Unmatched () (pos 16)
05/15/08 03:30:10:823 -- (80816) String matching error for (received: from 194.109.24.31 by mail.mine.net (logsat software smtp server - rc); thu, 15 may 2008 03:30:10 +0200 -- received: from s8f60db (a80-101-66-150.adsl.xs4all.nl [80.101.66.150]) --  by smtp-vbr11.xs4all.nl (8.13.8/8.13.8) with esmtp id m4f1vc0u05 --and-- ((?i)"\#fffff[^f]") [1]) : TRegExpr(comp): ParseReg Unmatched () (pos 17)
05/15/08 03:30:10:833 -- (80816) String matching error for (received: from 194.109.24.31 by mail.mine.net (logsat software smtp server - rc); thu, 15 may 2008 03:30:10 +0200 -- received: from s8f60db (a80-101-66-150.adsl.xs4all.nl [80.101.66.150]) --  by smtp-vbr11.xs4all.nl (8.13.8/8.13.8) with esmtp id m4f1vc0u05 --and-- ((?s)\<(font|span)[^>]+style[^>]+float[^>]*:[^>]*right) [3]) : TRegExpr(comp): ParseReg Unmatched () (pos 53)
05/15/08 03:30:10:953 -- (80816) Scanning image for spam:image001.jpg
05/15/08 03:30:10:953 -- (80816) Detected spam signature in embedded image
05/15/08 03:30:10:963 -- (80816) Starting quarantine procedures
05/15/08 03:30:10:983 -- (80816) Created thread (80304) to add email to quarantine
05/15/08 03:30:10:983 -- (80816) Starting bayesian procedures
05/15/08 03:30:10:983 -- (80304) Adding to Quarantine file:Qrt7D7A.tmp
05/15/08 03:30:11:173 -- (80304) EMail from user@xs4all.nl to user@mine.net, user2@mine.net was received and quarantined. Size: 17 KB, 17408 bytes
05/15/08 03:30:28:326 -- (80816) Blacklist cache - Added 194.109.24.31 to limbo
05/15/08 03:30:28:556 -- (80816) SFDB - Added 194.109.24.31 - Response: Error=0
05/15/08 03:30:28:556 -- (80816) Disconnect
 
Where mine.net is my domain and user@xs4all.nl is the sender and that address is whitelisted.
 
If I look into the header of the mail I found the -SF-RX-Return-Path and that is the same addres.
 X - S F - R X - R e t u r n - P a t h :   < u s e r @ x s 4 a l l . n l >
 
Names are changed in the log.
 
jemmie
Back to Top
jemmie View Drop Down
Newbie
Newbie
Avatar

Joined: 27 May 2006
Location: Netherlands
Status: Offline
Points: 18 		Post Options Post Options   Thanks (0) Thanks(0)   Quote jemmie Quote  Post ReplyReply Direct Link To This Post Posted: 25 May 2008 at 4:15am
Problem still exist.
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 25 May 2008 at 8:32pm
jemmie,

I'm sorry, we missed the previous post and did not reply to it. We'll need a zipped copy of your activity logfile (or the *exact* section you pasted above), along with your SpamFilter.ini file, and your SpamFilter\domains directory tree. If your email whitelist file is located outside of the "domains" directory, please include that too.

From the log entries above, it seems that the address u s e r @ x s 4 a l l . n l is *not* being whitelisted, otherwise this would have been logged. The most likely cause are typos in the address, and/or leading and trailing spaces on the line containing the address.

As a side-note, there are also entries being logged that show you're missing a parenthesis in the keywords:

((?i)(v . a g r a))
((?s)\<(font|span)[^>]+style[^>]+float[^>]*:[^>]*right) [3])
((?i)"\#fffff[^f]") [1])
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
jemmie View Drop Down
Newbie
Newbie
Avatar

Joined: 27 May 2006
Location: Netherlands
Status: Offline
Points: 18 		Post Options Post Options   Thanks (0) Thanks(0)   Quote jemmie Quote  Post ReplyReply Direct Link To This Post Posted: 26 May 2008 at 3:11am
Where can I send it
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 26 May 2008 at 9:10am
support at logsat dot com
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
jemmie View Drop Down
Newbie
Newbie
Avatar

Joined: 27 May 2006
Location: Netherlands
Status: Offline
Points: 18 		Post Options Post Options   Thanks (0) Thanks(0)   Quote jemmie Quote  Post ReplyReply Direct Link To This Post Posted: 28 May 2008 at 3:14am
Found the problem myself. There was a trailing spaces at the address in the white list,
 
Sorry for the trouble.
 
jemmie
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.188 seconds.

Copyright (c)2002-2021 LogSat Software LLC - Sales: sales@LogSat.com
Contact Us