spam are getting through
Stupid
Senior Member Joined: 28 November 2005 Status: Offline Points: 127
Posted: 01 September 2009 at 5:43pm
Could anybody shine some light on this? How can I stop this spam? I have seen a lot like this lately.

09/01/09 10:02:27:819 -- (5424) Connection from: 69.28.57.201 - Originating country : United States
09/01/09 10:02:28:194 -- (5424) Received MAIL FROM: <KimBeaver@photopath.net>
09/01/09 10:02:28:381 -- (5424) Received RCPT TO: joe.rochester@mycompany.com
09/01/09 10:02:28:412 -- (5424) Resolving 69.28.57.201 - web201.lightningjetdns.com
09/01/09 10:02:28:850 -- (5424) - SPF analysis for photopath.net done: - none
09/01/09 10:02:28:850 -- (5424) Mail from: KimBeaver@photopath.net
09/01/09 10:02:34:756 -- (5424) DNS Error:TimedOut
09/01/09 10:02:35:115 -- (5424) - MAPS search done...
09/01/09 10:02:35:115 -- (5424) RCPT TO: joe.rochester@mycompany.com accepted
09/01/09 10:02:35:506 -- (5424) Checking SFDC
09/01/09 10:02:35:694 -- (5424) Hash cache - Added OK
09/01/09 10:02:36:647 -- (5424) EMail from KimBeaver@photopath.net to joe.rochester@mycompany.com passes Bayesian filter - 0% spam (16ms)
09/01/09 10:02:36:647 -- (5424) Checking SURBL
09/01/09 10:02:36:756 -- (5424) Starting queueing procedures
09/01/09 10:02:36:756 -- (5424) EMail from KimBeaver@photopath.net to joe.rochester@mycompany.com was queued. Size: 1 KB, 1024 bytes
09/01/09 10:02:36:756 -- (5424) Starting bayesian procedures
09/01/09 10:02:37:006 -- (5424) Disconnect
Stupid
This is version 4.0.0.772.
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
From the log entries we see that at least a couple of filters are not being applied. Please see the following sample entry showing the filters being applied (to a clean email):
09/01/09 20:26:25:881 -- (1844) Connection from: 192.168.167.131 - Originating country : N/A
09/01/09 20:26:26:006 -- (1844) Received MAIL FROM: <spam@test.logsat.com>
09/01/09 20:26:26:006 -- (1844) Received RCPT TO: test@logsat.com
09/01/09 20:26:26:241 -- (1844) - SPF analysis for test.logsat.com done: - none
09/01/09 20:26:26:241 -- (1844) Mail from: spam@test.logsat.com
09/01/09 20:26:26:662 -- (1844) - MAPS search done...   [in red in the original post]
09/01/09 20:26:26:662 -- (1844) RCPT TO: test@logsat.com accepted
09/01/09 20:26:26:741 -- (1844) Checking SFDC
09/01/09 20:26:27:100 -- (1844) SFDC - Added 192.168.167.131 - Response: Error=0
09/01/09 20:26:27:100 -- (1844) EMail from spam@test.logsat.com to test@logsat.com passes Bayesian filter - 0% spam (0ms)
09/01/09 20:26:27:100 -- (1844) Checking SURBL
09/01/09 20:26:27:100 -- (1844) Checking URLs in emails against MAPS   [in blue in the original post]
09/01/09 20:26:27:100 -- (1844) - URLs In MAPS search done...   [in blue in the original post]
09/01/09 20:26:27:100 -- (1844) Start virus scan
09/01/09 20:26:27:131 -- (1844) Starting queueing procedures
09/01/09 20:26:27:256 -- (1844) Disconnect

The entry in red above shows the MAPS filter being tested. This filter is the one that on average catches the most spam. Judging from your logs, it seems that the DNS error:

09/01/09 10:02:34:756 -- (5424) DNS Error:TimedOut
09/01/09 10:02:35:115 -- (5424) - MAPS search done...

occurred while querying your DNS server for the MAPS RBL filter requests. The DNS timeout from the DNS server likely means that none of the MAPS tests were performed, thus skipping one of the most important filter tests. If the DNS errors are common/frequent, you are likely receiving tons of spam as, again, the MAPS filter, along with the SFDB and the reverse DNS filter, are the most effective filters SpamFilter uses.

The entry in blue above is a new feature in the latest SpamFilter 4.1, which allows SpamFilter to resolve URLs embedded in emails to IP addresses, which are then in turn checked against the MAPS RBL servers to see if they are used for spam-related purposes (this again requires a functioning DNS server).
Stupid
What MAPS RBL servers do you suggest I use? I have these, but it seems the first one does not return any IP address while the rest do.

sbl-xbl.spamhaus.org, true
bl.spamcop.net, true
xbl.spamhaus.org, true
sbl.spamhaus.org, true
dnsbl.njabl.org, true
sbl.spamhaus.org, true
vox.schpider.com, true
relays.mail-abuse.org, true
dialups.mail-abuse.org, true
blackholes.easynet.nl, true
blackholes.wirehub.net, true
Stupid
I looked up zen.spamhaus.org on www.network-tools.com and it does not return any IP address either, nor does nslookup on the SpamFilter server.

I put bl.spamcop.net first, but I am still getting the DNS error. I upgraded to version 4.1.2.815, but I am still getting the DNS error. What could be the cause? I really don't see anything wrong with my DNS server, as all of us are using it to browse the Internet, send emails and perform Active Directory tasks. Would you shine some light on this?

09/02/09 09:49:48:014 -- (7012) Detected TCP Connection: 72.32.66.29
09/02/09 09:49:48:030 -- (7012) Connection from: 72.32.66.29 - Originating country : United States
09/02/09 09:49:48:186 -- (7012) Received MAIL FROM: <bounces@sm.b2bportales.com>
09/02/09 09:49:48:374 -- (7012) Received RCPT TO: contact@mycompany.com
09/02/09 09:49:48:608 -- (7012) Resolving 72.32.66.29 - sm.b2bportales.com
09/02/09 09:49:49:061 -- (7012) found SPF record for sm.b2bportales.com: v=spf1 ip4:72.32.66.29 -all
09/02/09 09:49:49:061 -- (7012) SPF query result: pass
09/02/09 09:49:49:061 -- (7012) - SPF analysis for sm.b2bportales.com done: - pass
09/02/09 09:49:49:061 -- (7012) Mail from: bounces@sm.b2bportales.com
09/02/09 09:49:54:202 -- (7012) DNS Error:TimedOut
09/02/09 09:49:54:639 -- (7012) - MAPS search done...
09/02/09 09:49:54:639 -- (7012) RCPT TO: contact@mycompany.com accepted
09/02/09 09:49:54:733 -- (7012) Checking SFDC
09/02/09 09:49:54:921 -- (7012) Hash cache - Added OK
09/02/09 09:49:59:296 -- (7012) EMail from bounces@sm.b2bportales.com to contact@mycompany.com passes Bayesian filter - 0% spam (46ms)
09/02/09 09:49:59:296 -- (7012) Checking SURBL
09/02/09 09:49:59:577 -- (7012) Checking URLs in emails against MAPS
09/02/09 09:49:59:577 -- (7012) Resolving for URLsInMAPS: sm.b2bportales.com
09/02/09 09:50:04:592 -- (7012) DNS Error:TimedOut
09/02/09 09:50:04:592 -- (7012) Resolving for URLsInMAPS: www.b2bportales.com
09/02/09 09:50:09:827 -- (7012) DNS Error:TimedOut
09/02/09 09:50:10:249 -- (7012) Resolving for URLsInMAPS: www.plastico.com
09/02/09 09:50:15:530 -- (7012) DNS Error:TimedOut
09/02/09 09:50:15:921 -- (7012) Resolving for URLsInMAPS: sm.b2bportales=
09/02/09 09:50:15:952 -- (7012) Error occurred during URLsInMAPS: DNS Server Reports Query Name Error
09/02/09 09:50:15:952 -- (7012) Resolving for URLsInMAPS: www.pla=
09/02/09 09:50:15:999 -- (7012) Error occurred during URLsInMAPS: DNS Server Reports Query Name Error
09/02/09 09:50:15:999 -- (7012) Resolving for URLsInMAPS: sm.b2bpo=
09/02/09 09:50:16:046 -- (7012) Error occurred during URLsInMAPS: DNS Server Reports Query Name Error
09/02/09 09:50:16:046 -- (7012) - URLs In MAPS search done...
09/02/09 09:50:16:061 -- (7012) Starting queueing procedures
09/02/09 09:50:16:077 -- (7012) EMail from bounces@sm.b2bportales.com to contact@mycompany.com was queued. Size: 5 KB, 5120 bytes
09/02/09 09:50:16:077 -- (7012) Starting bayesian procedures
09/02/09 09:50:18:717 -- (7012) Disconnect

Edited by Stupid - 02 September 2009 at 10:57am
LogSat
Unfortunately the DNS timeouts are usually indeed caused by the DNS servers that SpamFilter was configured to use.

You can verify this by opening an MSDOS prompt on the server running SpamFilter, and issuing the following commands in bold (replacing 192.168.2.1 with the IP address of your DNS server). Repeat the command in red 4-5 times. If you receive the 127.0.0.2 result in blue each time, the DNS server is responding correctly at that time. If you instead receive timeouts, they are likely indicating issues with the DNS server.

c:\>nslookup
> server 192.168.2.1   [bold in the original post]
Default server: 192.168.2.1
Address: 192.168.2.1#53
> 53.208.32.80.bl.spamcop.net   [bold and red in the original post]
Server: 192.168.2.1
Address: 192.168.2.1#53

Non-authoritative answer:
Name: 53.208.32.80.bl.spamcop.net
Address: 127.0.0.2   [blue in the original post]
>
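The nslookup check above relies on two conventions that SpamFilter's MAPS filter also depends on: a DNSBL query is the connecting IP's octets written in reverse order under the list's zone (80.32.208.53 becomes 53.208.32.80.bl.spamcop.net), and a "listed" answer is an A record in 127.0.0.0/8, while "not listed" is NXDOMAIN. The script below is an added example, not SpamFilter's or LogSat's code; it builds those query names, interprets answers, and audits log lines in the format shown in this thread to flag sessions in which a DNS timeout landed between "Mail from:" and "- MAPS search done...", which is the pattern LogSat identified as a skipped RBL check. The sample log is constructed, modelled on entries posted above; the line regex and the session-grouping logic are my assumptions about the format, not documented SpamFilter behaviour.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumed log-line shape: "<date> <time> -- (<session id>) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d\d\d) -- \((?P<sid>\d+)\) (?P<msg>.*)$"
)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def is_dnsbl_listed(answer: Optional[str]) -> bool:
    """DNSBLs answer a listing with an A record in 127.0.0.0/8; NXDOMAIN (None) means not listed.
    A timeout is neither: the caller must treat it as 'unknown', not as 'clean'."""
    return answer is not None and answer.startswith("127.")


def audit_maps_checks(log_text: str) -> Dict[str, str]:
    """Return {session id: verdict} where verdict is
    'ok'            - MAPS search completed with no DNS error before it,
    'skipped'       - a DNS error occurred between 'Mail from:' and 'MAPS search done',
    'no-maps-check' - the session never logged a MAPS search at all."""
    sessions: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sessions[m["sid"]].append(m["msg"])

    verdicts: Dict[str, str] = {}
    for sid, msgs in sessions.items():
        dns_error_seen = False
        verdict = "no-maps-check"
        for msg in msgs:
            if msg.startswith("Mail from:"):
                dns_error_seen = False  # the RBL lookups start once the sender is known
            elif msg.startswith("DNS Error:"):
                dns_error_seen = True
            elif msg.startswith("- MAPS search done"):
                verdict = "skipped" if dns_error_seen else "ok"
        verdicts[sid] = verdict
    return verdicts


# Constructed sample: session 5424 mirrors the original poster's timed-out check,
# session 1844 mirrors LogSat's clean reference run.
SAMPLE_LOG = """\
09/01/09 10:02:27:819 -- (5424) Connection from: 69.28.57.201 - Originating country : United States
09/01/09 10:02:28:850 -- (5424) - SPF analysis for photopath.net done: - none
09/01/09 10:02:28:850 -- (5424) Mail from: KimBeaver@photopath.net
09/01/09 10:02:34:756 -- (5424) DNS Error:TimedOut
09/01/09 10:02:35:115 -- (5424) - MAPS search done...
09/01/09 10:02:36:756 -- (5424) Starting queueing procedures
09/01/09 20:26:25:881 -- (1844) Connection from: 192.168.167.131 - Originating country : N/A
09/01/09 20:26:26:241 -- (1844) Mail from: spam@test.logsat.com
09/01/09 20:26:26:662 -- (1844) - MAPS search done...
09/01/09 20:26:27:100 -- (1844) Checking URLs in emails against MAPS
09/01/09 20:26:27:100 -- (1844) - URLs In MAPS search done...
"""


if __name__ == "__main__":
    print(dnsbl_query_name("80.32.208.53", "bl.spamcop.net"))
    for sid, verdict in audit_maps_checks(SAMPLE_LOG).items():
        print(f"session {sid}: MAPS check {verdict}")
```

Running this over a full day's activity log and counting how many sessions come back "skipped" gives a concrete measure of how much of the RBL coverage the DNS timeouts are costing, which is more useful than eyeballing individual entries. Note that the URLsInMAPS timeouts later in a session do not change the verdict; they are tracked separately in the log and belong to the 4.1 URL-resolution feature, not the connecting-IP check.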
Stupid
Done that already. Didn't see anything wrong. Here's mine:

Default Server: renlive.mycompany.com
Address: 192.168.3.84

> bl.spamcop.net
Server: renlive.mycompany.com
Address: 192.168.3.84

Name: bl.spamcop.net
Address: 204.15.82.19

> zen.spamhaus.org
Server: renlive.mycompany.com
Address: 192.168.3.84

Name: zen.spamhaus.org

> 53.208.32.80.bl.spamcop.net
Server: renlive.mycompany.com
Address: 192.168.3.84

Non-authoritative answer:
Name: 53.208.32.80.bl.spamcop.net
Address: 127.0.0.2

Edited by Stupid - 02 September 2009 at 5:57pm
LogSat
Could you please zip and email us your:

- SpamFilter.ini file
- SpamFilter's activity logfile for about 1 hour worth of emails
- The text file that contains the list of your MAPS servers

so we can take a better look?
Stupid
Emails sent, Roberto.
LogSat
Got it. Here's what we see.

From your logs, the SPF queries are working just fine, which confirms what you say in that the DNS server is working correctly. We then moved on to the MAPS RBL list, and we see some issues there. This is your current list:

bl.spamcop.net, true
xbl.spamhaus.org, true   [red in the original post]
sbl.spamhaus.org, true   [red in the original post]
dnsbl.njabl.org, true
sbl.spamhaus.org, true   [red in the original post]
vox.schpider.com, true   [crossed out in the original post]
relays.mail-abuse.org, true
dialups.mail-abuse.org, true
blackholes.easynet.nl, true
blackholes.wirehub.net, true
sbl-xbl.spamhaus.org, true   [red in the original post]
sbl-xbl.spamhaus.org, true   [red in the original post]

I crossed out lists that are currently not responding to queries, and are thus causing DNS timeouts when trying to reach them. In addition, I've marked in red lists that can be combined into a single list: zen.spamhaus.org, which combines the databases of the individual lists specified by the MAPS RBL servers in red. I'd thus recommend you modify your list as follows:

bl.spamcop.net, true
zen.spamhaus.org, true
dnsbl.njabl.org, true
relays.mail-abuse.org, true
dialups.mail-abuse.org, true
blackholes.easynet.nl, true
blackholes.wirehub.net, true

and see if that helps in reducing the DNS timeouts.

Edited by LogSat - 03 September 2009 at 5:07pm
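The cleanup LogSat recommends above is mechanical enough to script: drop duplicate zones, drop zones that are known to be dead (each one costs a full DNS timeout on every connection), and fold the individual Spamhaus zones into zen.spamhaus.org, which Spamhaus publishes as the combination of SBL, XBL and PBL (sbl-xbl.spamhaus.org was the older SBL+XBL combination). The script below is an added example, not SpamFilter's code; it parses the "zone, true" format shown in this thread, which is my assumption about the file layout. The set of unresponsive zones is supplied by the caller; the sample run passes vox.schpider.com, the only zone absent from LogSat's recommended list that is not a Spamhaus component, and the expected output matches that recommendation exactly.

```python
from typing import FrozenSet, List, Tuple

Entry = Tuple[str, bool]  # (zone, enabled)

# Zones whose data is already included in zen.spamhaus.org.
ZEN = "zen.spamhaus.org"
ZEN_COMPONENTS: FrozenSet[str] = frozenset(
    {"sbl.spamhaus.org", "xbl.spamhaus.org", "pbl.spamhaus.org", "sbl-xbl.spamhaus.org"}
)


def parse_rbl_list(text: str) -> List[Entry]:
    """Parse 'zone, true|false' lines (assumed format); blank lines and '#' comments are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        zone, _, flag = line.partition(",")
        zone = zone.strip().lower().rstrip(".")
        enabled = flag.strip().lower() != "false"  # a missing flag counts as enabled
        entries.append((zone, enabled))
    return entries


def consolidate_rbl_list(entries: List[Entry], dead_zones: FrozenSet[str] = frozenset()) -> List[Entry]:
    """Remove dead zones, replace Spamhaus component zones with zen, and drop duplicates.
    Order of first appearance is preserved so the admin's priority ordering survives."""
    seen = set()
    result: List[Entry] = []
    for zone, enabled in entries:
        if zone in dead_zones:
            continue  # every query to a dead zone is a guaranteed DNS timeout
        if zone in ZEN_COMPONENTS:
            zone = ZEN  # zen already covers this data; querying both is wasted lookups
        if zone in seen:
            continue
        seen.add(zone)
        result.append((zone, enabled))
    return result


def format_rbl_list(entries: List[Entry]) -> str:
    """Serialize back to the 'zone, true' line format."""
    return "\n".join(f"{zone}, {'true' if enabled else 'false'}" for zone, enabled in entries)


def consolidate_rbl_text(text: str, dead_zones: FrozenSet[str] = frozenset()) -> str:
    """Convenience wrapper: text in, cleaned text out."""
    return format_rbl_list(consolidate_rbl_list(parse_rbl_list(text), dead_zones))


# Constructed sample: the list the original poster submitted, as quoted by LogSat.
CURRENT_LIST = """\
bl.spamcop.net, true
xbl.spamhaus.org, true
sbl.spamhaus.org, true
dnsbl.njabl.org, true
sbl.spamhaus.org, true
vox.schpider.com, true
relays.mail-abuse.org, true
dialups.mail-abuse.org, true
blackholes.easynet.nl, true
blackholes.wirehub.net, true
sbl-xbl.spamhaus.org, true
sbl-xbl.spamhaus.org, true
"""

# Assumption for the sample run: the admin has confirmed this zone no longer answers.
DEAD_ZONES: FrozenSet[str] = frozenset({"vox.schpider.com"})


if __name__ == "__main__":
    print(consolidate_rbl_text(CURRENT_LIST, DEAD_ZONES))
```

Which zones are dead has to come from an actual check such as the nslookup test earlier in the thread; the script cannot know that from the file alone, which is why it is a parameter rather than a hard-coded list.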
Stupid
Thank you, Roberto. I'll try that and will let you know next week.
Stupid
Does it look like it's working? This actually is a spam email and somehow it passed everything.

09/09/09 04:33:10:710 -- (7720) Detected TCP Connection: 204.110.14.48
09/09/09 04:33:10:710 -- (7720) Connection from: 204.110.14.48 - Originating country : United States
09/09/09 04:33:10:835 -- (7720) Received MAIL FROM: <JuniorGallo@stylerank.info>
09/09/09 04:33:10:913 -- (7720) Received RCPT TO: jose.rochester@mycompany.com
09/09/09 04:33:11:022 -- (7720) Resolving 204.110.14.48 - smtp-verifiedoptin48.godsheros.com
09/09/09 04:33:11:397 -- (7720) - SPF analysis for stylerank.info done: - none
09/09/09 04:33:11:397 -- (7720) Mail from: JuniorGallo@stylerank.info
09/09/09 04:33:12:053 -- (7720) - MAPS search done...
09/09/09 04:33:12:053 -- (7720) RCPT TO: jose.rochester@mycompany.com accepted
09/09/09 04:33:12:194 -- (7720) Checking SFDC
09/09/09 04:33:12:381 -- (7720) Hash cache - Added OK
09/09/09 04:33:13:350 -- (7720) EMail from JuniorGallo@stylerank.info to jose.rochester@mycompany.com passes Bayesian filter - 0% spam (0ms)
09/09/09 04:33:13:350 -- (7720) Checking SURBL
09/09/09 04:33:13:397 -- (7720) Checking URLs in emails against MAPS
09/09/09 04:33:13:397 -- (7720) Resolving for URLsInMAPS: www.tagopia.net
09/09/09 04:33:14:131 -- (7720) - URLs In MAPS search done...
09/09/09 04:33:14:131 -- (7720) Starting queueing procedures
09/09/09 04:33:14:131 -- (7720) EMail from JuniorGallo@stylerank.info to jose.rochester@mycompany.com was queued. Size: 1 KB, 1024 bytes
09/09/09 04:33:14:147 -- (7720) Starting bayesian procedures
09/09/09 04:33:14:147 -- (7172) Sending email from JuniorGallo@stylerank.info to jose.rochester@mycompany.com --
09/09/09 04:33:14:272 -- (7720) Disconnect
LogSat
SpamFilter will not be able to stop 100% of the incoming spam. This unfortunately looks like one of the cases where the spam will be missed. The remote IP 204.110.14.48 is not currently blacklisted, the reverse DNS on it is present, there are no major issues with the sender's IP, and the content did not raise any flags.