
Tag Spam ??

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6118
Printed Date: 22 February 2025 at 5:38pm


Topic: Tag Spam ??
Posted By: jerbo128
Subject: Tag Spam ??
Date Posted: 23 June 2007 at 9:18pm

Running SFE .679.  If all users are set up to quarantine, and 2 of them have the :tagsubject in the unfiltered emails list, what should happen to an incoming email with multiple recipients?

What is happening:
Users who are not on the unfiltered emails with :tagsubject list are getting emails with SPAM: XXX in the subject (our tag).  It appears that the filters are identifying the mail as spam correctly, but if the mail is addressed to multiple users, and one of them is on the unfiltered emails list with a :tagsubject, all users get the mail passed through with the modified subject.

Any ideas?




Replies:
Posted By: LogSat
Date Posted: 24 June 2007 at 3:06pm
Could you either post or email us a section of SpamFilter's activity logfile showing a couple of minutes prior to one of the emails in question, including entries for a couple of minutes after? In SpamFilter 3.5.3.679 we actually (should have) fixed an issue very similar to yours:

// New to VersionNumber = '3.5.3.679';
{TODO -cFix : The :tag and :tagsubject were incorrectly tagging emails with multiple recipients}
{TODO -cFix : Emails blocked by the attachment filter were stored in the quarantine DB with a rejectID of 13 instead of 23}
{TODO -cFix : Added 100ms delay when saving corpus database files to try avoiding error "corpus.db copy of files not exist - exiting"}
{TODO -cNew : Added customized response item for emails rejected by the Honeypot filters}

We'd like to see the logs so we can try to pinpoint what is happening and why the above fix did not work.

-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: jerbo128
Date Posted: 24 June 2007 at 7:35pm

Logs Sent.

Thanks Roberto.



Posted By: LogSat
Date Posted: 25 June 2007 at 10:14pm
jerbo128,

Your email sample involved a very particular set of circumstances. There is indeed a bug (actually two, including a logging inaccuracy), even though it occurs in a very specific scenario such as yours.
 
I'll try to explain.
 
Below I'm including the entire SMTP session for the email in question. You will see that in the same SMTP session, the spammer is sending multiple, separate emails, all to separate recipients.
 
 
06/22/07 02:09:39:078 -- (3924) Connection from: 211.138.9.114  -  Originating country : China
06/22/07 02:09:43:562 -- (3924) - IP address is from a blacklisted country...
The 1st email starts here...
06/22/07 02:09:43:562 -- (3924) 211.138.9.114 - Mail from: cglew@cablecomponents.com - To: adolphson@Your_Domain.net - will be rejected
06/22/07 02:09:44:609 -- (3924) Mail from: cglew@cablecomponents.com
06/22/07 02:09:44:609 -- (3924) 211.138.9.114 - Mail from: cglew@cablecomponents.com - To: adreyer@Your_Domain.net - will be rejected
06/22/07 02:09:45:906 -- (3924) Mail from: cglew@cablecomponents.com
06/22/07 02:09:45:906 -- (3924) 211.138.9.114 - Mail from: cglew@cablecomponents.com - To: aeitzen@Your_Domain.net - will be rejected
06/22/07 02:09:47:703 -- (3924) Mail from: cglew@cablecomponents.com
..... omissis
06/22/07 02:10:00:812 -- (3924) Mail from: cglew@cablecomponents.com
06/22/07 02:10:00:812 -- (3924) 211.138.9.114 - Mail from: cglew@cablecomponents.com - To: amyjo@Your_Domain.net - will be rejected
06/22/07 02:10:02:484 -- (3924) Start virus scan
06/22/07 02:10:02:484 -- (3924) Starting bayesian procedures
This is the end of the 1st email , all the rejections are as they should be.
 
The 2nd email starts here, the spammer uses a different MAIL FROM address...
06/22/07 02:10:04:109 -- (3924) Mail from: crobbins@robbinsent.com
06/22/07 02:10:04:109 -- (3924) 211.138.9.114 - Mail from: crobbins@robbinsent.com - To: andersonj@Your_Domain.net - will be rejected
06/22/07 02:10:04:781 -- (3924) Mail from: crobbins@robbinsent.com
06/22/07 02:10:04:781 -- (3924) 211.138.9.114 - Mail from: crobbins@robbinsent.com - To: andy@Your_Domain.net - will be rejected
06/22/07 02:10:05:375 -- (3924) Mail from: crobbins@robbinsent.com
06/22/07 02:10:05:375 -- (3924) 211.138.9.114 - Mail from: crobbins@robbinsent.com - To: andyfarmer@Your_Domain.net - will be rejected
...omissis
06/22/07 02:10:17:421 -- (3924) Start virus scan
06/22/07 02:10:17:437 -- (3924) Starting bayesian procedures
The 2nd email stops here
 
The spammer sends several other emails after these, all are being rejected. On the following email, however, your first recipient that is in the unfiltered list with a "tagsubject" is encountered, see entry in purple below. There is now a bug with the log entries, as all attempts to send emails to other recipients for this one single email appear as "spam-tagged", while in reality they are being rejected. In fact, see the entry in green after the email has been received by the spammer, showing that only your unfiltered recipient is being delivered the email.
 
06/22/07 02:12:38:703 -- (3924) - EmailTO is not in AuthorizedTOEmail list...
06/22/07 02:12:38:703 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca - To: dennisg@Your_Domain.net - will be rejected
06/22/07 02:12:40:140 -- (3924) Exceeded maximum number of RCPT TO (182) - Disconnecting 211.138.9.114
06/22/07 02:12:40:140 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca - To: dennisl@Your_Domain.net - will be rejected
06/22/07 02:12:41:140 -- (3924) Exceeded maximum number of RCPT TO (183) - Disconnecting 211.138.9.114
06/22/07 02:12:41:140 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca - To: dennys@Your_Domain.net - will be rejected
06/22/07 02:12:42:031 -- (3924) Exceeded maximum number of RCPT TO (184) - Disconnecting 211.138.9.114
06/22/07 02:12:42:031 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca - To: depothill@Your_Domain.net - will be spam-tagged
06/22/07 02:12:43:296 -- (3924) Exceeded maximum number of RCPT TO (185) - Disconnecting 211.138.9.114
06/22/07 02:12:43:296 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca - To: destef@Your_Domain.net - will be spam-tagged
06/22/07 02:12:44:125 -- (3924) Exceeded maximum number of RCPT TO (186) - Disconnecting 211.138.9.114
06/22/07 02:12:44:125 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca - To: developiowa@Your_Domain.net - will be spam-tagged
06/22/07 02:12:44:781 -- (3924) Exceeded maximum number of RCPT TO (187) - Disconnecting 211.138.9.114
06/22/07 02:12:44:781 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca - To: devriesfarms@Your_Domain.net - will be spam-tagged
...omissis
06/22/07 02:13:01:578 -- (3924) - EmailTO is not in AuthorizedTOEmail list...
06/22/07 02:13:01:578 -- (3924) 211.138.9.114 - Mail from: crougeau@thebodyshop.ca - To: dianek@Your_Domain.net - will be spam-tagged
06/22/07 02:13:03:515 -- (3924) Start virus scan
06/22/07 02:13:03:531 -- (3924) Starting queueing procedures

06/22/07 02:13:03:531 -- (3924) Info - some recipients were in the WhitelistedEmailsTO list. Email will be split so they receive it while the others will not
06/22/07 02:13:03:531 -- (3924) EMail from crougeau@thebodyshop.ca - to depothill@Your_Domain.net - was queued. Size: 1 KB, 1024 bytes
 
Now a bug in SpamFilter kicks in. The spammer sends yet other emails within this same SMTP session. Even though the recipients are not unfiltered, the bug is causing the spam-tagged recipient in the previous email to carry over the "spam-tagged" flag to all subsequent emails as well. Unlike the above case, this is not a bug in logging, it's actually a bug that causes the delivery of such emails to all subsequent recipients. We're working on a fix...
 
 
06/22/07 02:13:05:812 -- (3924) Exceeded maximum number of RCPT TO (201) - Disconnecting 211.138.9.114
06/22/07 02:13:05:812 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com - To: dickelduit@Your_Domain.net - will be spam-tagged
06/22/07 02:13:06:796 -- (3924) Exceeded maximum number of RCPT TO (202) - Disconnecting 211.138.9.114
06/22/07 02:13:06:796 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com - To: dieseldoc@Your_Domain.net - will be spam-tagged
06/22/07 02:13:07:843 -- (3924) Exceeded maximum number of RCPT TO (203) - Disconnecting 211.138.9.114
06/22/07 02:13:07:843 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com - To: dingus@Your_Domain.net - will be spam-tagged
06/22/07 02:13:08:796 -- (3924) Exceeded maximum number of RCPT TO (204) - Disconnecting 211.138.9.114
06/22/07 02:13:08:796 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com - To: dirvin@Your_Domain.net - will be spam-tagged
06/22/07 02:13:09:812 -- (3924) Exceeded maximum number of RCPT TO (205) - Disconnecting 211.138.9.114
06/22/07 02:13:09:812 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com - To: dixie@Your_Domain.net - will be spam-tagged
06/22/07 02:13:10:796 -- (3924) Exceeded maximum number of RCPT TO (206) - Disconnecting 211.138.9.114
06/22/07 02:13:10:796 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com - To: djdalbey@Your_Domain.net - will be spam-tagged
06/22/07 02:13:11:640 -- (3924) Exceeded maximum number of RCPT TO (207) - Disconnecting 211.138.9.114
06/22/07 02:13:11:640 -- (3924) 211.138.9.114 - Mail from: contacto@particuladigital.com - To: djdavis@Your_Domain.net - will be spam-tagged
....omissis
06/22/07 02:13:23:750 -- (3924) Start virus scan
06/22/07 02:13:23:765 -- (3924) Starting queueing procedures
06/22/07 02:13:23:765 -- (3924) EMail from contacto@particuladigital.com - to "dickelduit@Your_Domain.net, dieseldoc@Your_Domain.net, dingus@Your_Domain.net, dirvin@Your_Domain.net, dixie@Your_Domain.net, djdalbey@Your_Domain.net, djdavis@Your_Domain.net, djharms@Your_Domain.net, djmars@Your_Domain.net, djminor@Your_Domain.net, djshepherd@Your_Domain.net, djthorn@Your_Domain.net, djwhitetiger@Your_Domain.net, dkmarlee@Your_Domain.net, dknoch@Your_Domain.net, dkresh@Your_Domain.net, dlantz@Your_Domain.net, dllauer@Your_Domain.net, dlmcbride@Your_Domain.net, dlmurdock@Your_Domain.net" was queued. Size: 1 KB, 1024 bytes



-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
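To make the carry-over concrete, here is an added Python model of the two decisions the logs above reflect: the disposition logged at each RCPT TO, and the recipients actually queued once the message body has been received. This is example code written for this page, not SpamFilter's own implementation, which the thread does not show; the `reset_per_message` switch selects between a session-level "spam-tagged" flag that is never cleared between the separate messages a sender submits in one session (the bug described above) and one that is cleared at every MAIL FROM. The sender addresses and the three-message session script are constructed for the example; the recipient local parts are taken from the logs above, with the placeholder domain the thread uses.

```python
"""Added example: per-message disposition state across a multi-message SMTP session.

Not SpamFilter's code. It models one plausible way a "spam-tagged" flag can leak
from one message to the next when it lives in session state instead of message
state, and the fix of clearing it at MAIL FROM.
"""
from dataclasses import dataclass, field


@dataclass
class Filter:
    """Minimal recipient-disposition logic (hypothetical, for illustration only)."""
    unfiltered_tag: set            # recipients listed as unfiltered with :tagsubject
    reset_per_message: bool        # True = fixed behaviour, False = carry-over bug
    tagged: bool = False           # state that should be per message, not per session
    _sender: str = ""
    _rcpts: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def mail_from(self, sender):
        """Start a new message. The fix clears per-message state here (and on RSET)."""
        if self.reset_per_message:
            self.tagged = False
        self._sender = sender
        self._rcpts = []

    def rcpt_to(self, rcpt):
        """Record one recipient and log the disposition the filter believes applies.

        The log line reads the flag at RCPT time, so once a :tagsubject recipient
        has been seen, every later recipient of the same message is logged as
        spam-tagged even though only the unfiltered ones are queued (the logging
        inaccuracy mentioned in the thread).
        """
        if rcpt in self.unfiltered_tag:
            self.tagged = True
        self._rcpts.append(rcpt)
        verdict = "will be spam-tagged" if self.tagged else "will be rejected"
        self.log.append(f"Mail from: {self._sender} - To: {rcpt} - {verdict}")

    def data(self):
        """End of message: decide who is actually queued and return that list."""
        unfiltered = [r for r in self._rcpts if r in self.unfiltered_tag]
        if unfiltered:
            # Message is split: only the unfiltered recipients get the tagged copy.
            queued = unfiltered
        elif self.tagged:
            # Reachable only through the carry-over bug: a stale flag from an earlier
            # message lets the spam through to every recipient of this one.
            queued = list(self._rcpts)
        else:
            queued = []
        self.log.append(f"EMail from {self._sender} - to {queued} - was queued")
        return queued


# Constructed session script mirroring the thread's logs: one spam source sending
# three separate messages, the second of which includes one :tagsubject recipient.
UNFILTERED_TAG = {"depothill@Your_Domain.net"}
SESSION = [
    ("sender-a@example.invalid", ["dennisg@Your_Domain.net", "dennisl@Your_Domain.net"]),
    ("sender-b@example.invalid", ["dennys@Your_Domain.net", "depothill@Your_Domain.net",
                                  "destef@Your_Domain.net"]),
    ("sender-c@example.invalid", ["dickelduit@Your_Domain.net", "dieseldoc@Your_Domain.net"]),
]


def run_session(reset_per_message, session=SESSION, unfiltered_tag=UNFILTERED_TAG):
    """Replay the session; return (queued recipients per message, log lines)."""
    f = Filter(set(unfiltered_tag), reset_per_message)
    queued_per_message = []
    for sender, rcpts in session:
        f.mail_from(sender)
        for r in rcpts:
            f.rcpt_to(r)
        queued_per_message.append(f.data())
    return queued_per_message, f.log


if __name__ == "__main__":
    for mode in (False, True):
        queued, log = run_session(reset_per_message=mode)
        print("fixed" if mode else "buggy", "->", queued)
        print("\n".join(log))
```

Replaying the script with `reset_per_message=False` reproduces both observations from the thread: in the second message, the recipient after the :tagsubject address is logged as spam-tagged although only that address is queued, and the third message, which has no unfiltered recipient at all, is queued to everyone. With `reset_per_message=True` the third message is rejected for every recipient. The same check works as a detection on real logs: a "was queued" entry whose recipients are not in the unfiltered list, for a message the filters marked as spam, is the signature of this kind of state leak.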


