Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Why did this not get quarantined?
  FAQ FAQ  Forum Search   Register Register  Login Login

Why did this not get quarantined?
 Post Reply Post Reply
Author
  Topic Search Topic Search  Topic Options Topic Options
Straker View Drop Down
Newbie
Newbie


Joined: 04 December 2007
Status: Offline
Points: 4 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Straker Quote  Post ReplyReply Direct Link To This Post Topic: Why did this not get quarantined?
    Posted: 20 March 2009 at 1:31pm
Here's the issue.  This message's header was clearly labeled spam (via DNSBL zen.spamhaus) by logsat, but it was forwarded to the email address anyway, and the log file shows no problem.  It should have been quarantined.

Header:
Quote
X-DN-ReceivedFileId: 1201fdba6cf_9KTF_9-0.eml
X-DN-Spam-Blacklisted-By-DNSBL: sbl-xbl.spamhaus.org (blacklisted sender IP was 87.30.11.157)
X-Spam-Flag: YES
Delivered-To: aaa@xxxxxx.org
Return-Path: <linguistics@mauthausen.nl>
Received: from 74.78.42.51 ([74.78.42.51])          by yyy.xxxxxx.com (DeskNow) with SMTP ID 899          for <aaa@xxxxxx.org>;            Fri, 20 Mar 2009 04:06:59 -0700 (PDT) Received: from 87.30.11.157 by mail2.xxxxxx.com (LogSat Software SMTP Server - Unlicensed Evaluation Copy) Fri, 20 Mar 2009 03:06:21 -0800 Message-ID: <49C36AA2.9874878@mauthausen.nl>
Date: Fri, 20 Mar 2009 10:06:18 +0000
From: Riles Dewolf <linguistics@mauthausen.nl>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0 To: aaa@xxxxxx.org
Subject: Better wang parameters!!
X-Server: LogSat Software SMTP Server - Unlicensed Evaluation Copy
X-SF-RX-Return-Path: <linguistics@mauthausen.nl>
X-SF-HELO-Domain: lifi.telecomitalia.it
Content-Type: multipart/alternative; 
  boundary="------------727860257652027228952426"


Log File:
Quote
03/20/09 03:06:19:428 -- (2560) Connection from: 87.30.11.157  -  Originating country : Italy
03/20/09 03:06:20:590 -- (2560) RCPT TO: aaa@xxxxxx.org accepted
03/20/09 03:06:21:391 -- (2560) EMail from linguistics@mauthausen.nl to aaa@xxxxxx.org passes Bayesian filter - 0% spam  (19ms)
03/20/09 03:06:21:761 -- (2560) EMail from linguistics@mauthausen.nl to aaa@xxxxxx.org was queued. Size: 1 KB, 1024 bytes
03/20/09 03:06:21:781 -- (2592) Sending email from linguistics@mauthausen.nl to aaa@xxxxxx.org
03/20/09 03:06:21:801 -- (1808) Time to add Msg to Bayes corpus:0
03/20/09 03:06:22:142 -- (2560) Disconnect
03/20/09 03:06:22:382 -- (2592) EMail from linguistics@mauthausen.nl to aaa@xxxxxx.org  was forwarded to mail.xxxxxx.org:25


Thanks.
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 20 March 2009 at 10:50pm
Staker,

Actually SpamFilter did not label the email as spam in the headers due to spamhaus. If that had happened, you would have seen an entry like the following:

X-Rejection-Reason: 12 - 521 The IP 87.30.11.157 is Blacklisted by sbl-xbl.spamhaus.org. http://www.spamhaus.org/query/bl?ip= 87.30.11.157 --

The entry you see in the headers:

X-DN-Spam-Blacklisted-By-DNSBL: sbl-xbl.spamhaus.org (blacklisted sender IP was 87.30.11.157)

was *not* added by SpamFilter.

The question is thus "why didn't SpamFilter check the spamhaus RBL blacklist? Could you then please check the "MAPS Servers" blacklist to ensure you have a list of valid MAPS RBL servers, with the correct trailing suffix (usually ",true") at the end? The list should look similar to the screenshot at:

http://www.logsat.com/sfi-spam-filter-screenshots/sfi-more-filtering-options.asp

If you are running SpamFilter ISP "standard" instead of Enterprise, the tab should also contain a valid path+filename to store the list of servers.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Straker View Drop Down
Newbie
Newbie


Joined: 04 December 2007
Status: Offline
Points: 4 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Straker Quote  Post ReplyReply Direct Link To This Post Posted: 21 March 2009 at 5:09pm
The only MAPS Server I have listed is:

zen.spamhaus.org, true

and the checkbox for "Do not quarantine rejected emails from this blacklist" is UNCHECKED.

Spamhaus is detecting that IP address as blacklisted.  but for some reason, it appears that SpamFilter did not check spamhaus even though its listed in my MAPS server list.

My email server (where SpamFilter forwarded the message to) must have flagged the header, after it checked spamhaus (notice the "sbl-xbl" subdomain instead of the now recommended "zen"). hmmm.....

I am running SpamFilter standard
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 22 March 2009 at 11:02pm
Could you please zip and email us (at support at logsat.com) the section of SpamFilter's activity logfile for the 20th, from 2AM to 4AM, so we can take a look? Please also include your SpamFilter.ini file and the entire \SpamFilter\Domains directory structure. We don't see other test being performed either, the most likely cause at this point indicating an issue with your DNS server(s). With this data we should be able to find out more info on what is happening.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.266 seconds.

Copyright (c)2002-2021 LogSat Software LLC - Sales: sales@LogSat.com
Contact Us