Whitelist not working?
Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6080
Printed Date: 27 December 2024 at 1:50pm
Topic: Whitelist not working?
Posted By: algilson
Subject: Whitelist not working?
Date Posted: 23 May 2007 at 11:10am
Running registered 3.5.3.674, and had an email come in from a customer that gets stuck in the quarantine, even though their domain is whitelisted.
Logs:
05/23/07 09:37:35:773 -- (3560) Connection from: 216.171.105.99 - Originating country : Canada
05/23/07 09:37:35:903 -- (3560) Resolving 216.171.105.99 - Not found
05/23/07 09:37:35:903 -- (3560) - Reverse DNS not found -
05/23/07 09:37:35:903 -- (3560) 216.171.105.99 - Mail from: ljanisse@wcwood.com To: guelph@mtprint.com will be rejected
05/23/07 09:37:35:953 -- (3560) Start virus scan
05/23/07 09:37:35:963 -- (3560) Starting quarantine procedures
05/23/07 09:37:35:963 -- (3560) Created thread (3172) to add email to quarantine
05/23/07 09:37:35:963 -- (3560) Starting bayesian procedures
05/23/07 09:37:36:023 -- (3540) Time to add Msg to Bayes corpus:0
05/23/07 09:37:36:053 -- (3172) EMail from ljanisse@wcwood.com to guelph@mtprint.com was received and quarantined. Size: 2 KB, 2048 bytes
05/23/07 09:37:36:083 -- (3560) Blacklist cache - Added 216.171.105.99 to limbo
05/23/07 09:37:36:273 -- (3560) SFDB - Added 216.171.105.99 - Response: Error=0
05/23/07 09:37:36:273 -- (3560) Disconnect
Reject if no reverse DNS is enabled
wcwood.com is in the whitelist
Now an hour and 20 minutes later, without changing any settings, I came back to find:
05/23/07 10:51:19:784 -- (1292) Connection from: 216.171.105.99 - Originating country : Canada
05/23/07 10:51:20:785 -- (1292) Bypassed all rules for: guelph@mtprint.com from ljanisse@wcwood.com ( Whitelisted Email From Domain)
05/23/07 10:51:20:845 -- (1292) Start virus scan
05/23/07 10:51:20:855 -- (1292) Starting queueing procedures
05/23/07 10:51:20:865 -- (1292) EMail from ljanisse@wcwood.com to guelph@mtprint.com was queued. Size: 1 KB, 1024 bytes
05/23/07 10:51:20:865 -- (1292) Starting bayesian procedures
05/23/07 10:51:20:875 -- (2296) Sending email from ljanisse@wcwood.com to guelph@mtprint.com --
05/23/07 10:51:20:906 -- (1772) Time to add Msg to Bayes corpus:0
05/23/07 10:51:21:066 -- (2296) EMail from ljanisse@wcwood.com to guelph@mtprint.com -- was forwarded to 192.168.1.4:25
I checked the autowhitelistForceDelivery.txt file and the sender is NOT in the list. Help?
|
Replies:
Posted By: sgeorge
Date Posted: 23 May 2007 at 3:06pm
Interesting indeed. Are you running SFI or SFE? (I'm only familiar with SFI)
I would search my log file from today for "tblWL_DomainsIPs", or the file name for my whitelisted domains/ips. See if the file had been reloaded or inaccessible due to someone/something changing or updating it. Also see if logs indicate changes to or trouble accessing Filters.ini.
Aside: unless you've force-delivered the 1st, quarantined email, you wouldn't expect the sender's email address in autowhitelistForceDelivery.txt.
Let us know if the search ends up with something, particularly between the time of these two messages. Good luck!
Stephen
|
Posted By: algilson
Date Posted: 23 May 2007 at 3:20pm
We're running SFE.
Interesting enough, I have this in my logfiles between when the whitelist failed, and when it worked.
05/23/07 09:46:42:749 -- Shutting down all threads. Please wait up to 15-20 seconds....
05/23/07 09:46:51:081 -- SpamFilter ISP v3.5.3.674 Listening on 209.183.146.39:25,
05/23/07 09:46:51:081 -- Exporting DB data for tbl_FilterSettings: temp\domains\ ALL DOMAINS\Filters.ini
05/23/07 09:46:51:081 -- Reloading filter.ini: temp\domains\ ALL DOMAINS\Filters.ini
05/23/07 09:46:51:081 -- Exporting DB data for tbl_LocalDomains: temp\domains\ ALL DOMAINS\_LocalDomains.txt
05/23/07 09:46:51:081 -- Reloading file for tbl_LocalDomains: temp\domains\ ALL DOMAINS\_LocalDomains.txt
05/23/07 09:46:51:081 -- Exporting DB data for tblWL_AuthorizedTOEmails: temp\domains\ ALL DOMAINS\WL_AuthorizedTOEmails.txt
05/23/07 09:46:51:081 -- Reloading file for tblWL_AuthorizedTOEmails: temp\domains\ ALL DOMAINS\WL_AuthorizedTOEmails.txt
05/23/07 09:46:51:081 -- Exporting DB data for tblWL_Keywords: temp\domains\ ALL DOMAINS\WL_Keywords.txt
[snip]
And it continues to list all the files it reloaded. Looks like it worked after that. Now the million dollar question: why did it restart at 9:46? The event viewer helped me figure this one out -- my assistant restarted it to access it in his terminal session. I always run it locally.
Back to the original question: why didn't it work at 9:39, but it worked when the tables were reloaded at 9:46?
|
Posted By: sgeorge
Date Posted: 23 May 2007 at 3:43pm
Posted By: LogSat
Date Posted: 23 May 2007 at 4:35pm
If it didn't work the first time, but worked the second, the most logical explanation would be that data in the "Whitelisted Email From Domain" list was changed.
Can you look thru the logs for today for the text:
Reloading file for tblWL_DomainsIPs
This will tell you if/when SpamFilter has reloaded that whitelist, which is the one that apparently caused the correct whitelisting the second time. Please note that this event will be logged every time SpamFilter is started, and does not necessarily indicate a change.
As far as the path "temp\domains\ALL DOMAINS", please ignore it, as we use it internally to temporarily stage some of the filter files.
-------------
Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
|
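The log search suggested above, as an added example that is not part of the original thread or LogSat's code: it lists reloads of tblWL_DomainsIPs that fall between a sender's rejection and its first whitelisted delivery, and marks the ones that coincide with a service start, which by themselves do not indicate a change. The sample lines are constructed in the thread's log format (the tblWL_DomainsIPs lines and `<path>` are placeholders); the function names and the 5-second startup window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the log format shown in this thread; the
# tblWL_DomainsIPs lines and "<path>" are placeholders, not real output.
SAMPLE_LOG = """\
05/23/07 09:37:35:903 -- (3560) 216.171.105.99 - Mail from: ljanisse@wcwood.com To: guelph@mtprint.com will be rejected
05/23/07 09:46:42:749 -- Shutting down all threads. Please wait up to 15-20 seconds....
05/23/07 09:46:51:081 -- SpamFilter ISP v3.5.3.674 Listening on 209.183.146.39:25,
05/23/07 09:46:51:081 -- Reloading file for tblWL_DomainsIPs: <path>
05/23/07 09:50:12:400 -- Reloading file for tblWL_DomainsIPs: <path>
05/23/07 10:51:20:785 -- (1292) Bypassed all rules for: guelph@mtprint.com from ljanisse@wcwood.com ( Whitelisted Email From Domain)
"""

# timestamp, optional "(thread id)", then the message text
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3}) -- (?:\(\d+\) )?(.*)$")
RELOAD = "Reloading file for tblWL_DomainsIPs"

def parse(log_text):
    """Yield (timestamp, message) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S:%f"), m.group(2)

def whitelist_reloads(log_text, sender, startup_window=timedelta(seconds=5)):
    """Reloads of the domain whitelist between the sender's rejection and its
    first whitelisted delivery, each tagged 'startup' or 'standalone'."""
    events = list(parse(log_text))
    rejected = next((t for t, m in events
                     if f"Mail from: {sender}" in m and "will be rejected" in m), None)
    if rejected is None:
        return []
    bypassed = next((t for t, m in events
                     if t > rejected and m.startswith("Bypassed all rules")
                     and f"from {sender}" in m), None)
    if bypassed is None:
        return []
    starts = [t for t, m in events if "Listening on" in m]
    result = []
    for t, m in events:
        if RELOAD in m and rejected < t < bypassed:
            # A reload right after a "Listening on" line is logged on every start.
            at_start = any(timedelta(0) <= t - s <= startup_window for s in starts)
            result.append((t.strftime("%H:%M:%S"), "startup" if at_start else "standalone"))
    return result

if __name__ == "__main__":
    print(whitelist_reloads(SAMPLE_LOG, "ljanisse@wcwood.com"))
```

A "standalone" reload between the two deliveries points to the list having been edited while the service was running; a "startup" reload alone does not.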
Posted By: algilson
Date Posted: 24 May 2007 at 2:21pm
After a few hours of painful torture, my assistant finally broke down and admitted that he whitelisted the wcwood.com domain at ~9:50 due to complaints from a customer service rep.
I humbly apologize for any confusion that this thread may have caused, and we won't allow this mistake to happen again. Please accept my assistant's head as a token of my goodwill.
|
Posted By: LogSat
Date Posted: 24 May 2007 at 7:40pm
... well... I actually have to thank your assistant, as if it wasn't for his confession, we probably would have spent long hours tonight looking over your logs!
So we respectfully will decline your generous token, and sincerely hope your assistant will be able to cover for some of our programming bugs in the future...
-------------
Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
|