Keyword blacklist not working
Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6693
Printed Date: 05 February 2025 at 1:08pm
Posted By: hartsockt
Date Posted: 23 June 2009 at 10:56am
A group of text (non-html) messages are not being blocked by the blacklist keyword filter. I have "ttys cutie" in the Blacklist Keyword Filter list and the following are the headers of one of the messages that are getting through:
Received: from CL210-201-220-199.static.apol.com.tw ([210.201.220.199]) by micronettechnicalservices.net with MailEnable ESMTP; Mon, 22 Jun 2009 19:51:21 -0700
Message-ID: <4A40431D.1025126@webtv.net>
Date: Tue, 23 Jun 2009 02:51:09 GMT
From: Wilma <WilmaStarnes38@webtv.net>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: <tomh@micronetservices.com>
Subject: oh wow. ur really REALLY cute
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Received-SPF: fail (micronettechnicalservices.net: domain of webtv.net does not designate 210.201.220.199 as permitted sender) client-ip=210.201.220.199
X-ME-Bayesian: 21.814562
NoMEFiltering: NoMEFiltering
Return-Path: <WilmaStarnes38@webtv.net>
X-Antivirus: AVG for E-mail 8.5.372 [270.12.88/2196]
The text (as displayed by Outlook 2007) is as follows:
hai there, my friend think ur REALLY REALLY cute ok. im
just trying to hook yall up. ADD her on MSN messenger and talk to her!! her
name is
my MSN name is sheldenmalleingerin98@live.com
ttys cutie :-*
Three things I'm confused about.
First, I've searched 20090622.log for the originating IP address "210.201.220.199" and it's not found. Why? I thought mail might be going to our mail server first and then getting to the spam filter server. But the MX record for micronetservices.com is pointed to the spam filter server.
Second, why does the header: "Received-SPF: fail (micronettechnicalservices.net: domain of webtv.net does not designate 210.201.220.199 as permitted sender) client-ip=210.201.220.199" indicate that micronettechnicalservices.net (which is the primary domain on our mail server) is a domain of webtv.net? Perhaps that's the whole reason this is spam.
And third, why aren't these (text) messages being blocked when "ttys cutie" is in the blacklist keyword filter list?
Thank you,
Tom
Replies:
Posted By: LogSat
Date Posted: 23 June 2009 at 7:59pm
hartsockt,
It appears that SpamFilter did not process this email, as all the headers that SpamFilter would normally add to the email are missing. SpamFilter will always add a “Received” header in the email to indicate that it has processed it. In addition, it adds several “X-SF-” headers like the following:
Received: from 62.2.138.178 by mail2.netwide.net (LogSat Software SMTP Server); Wed, 14 Nov 2007 09:52:21 -0500
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <some_user@gmail.com>
X-SF-HELO-Domain: gmail.com
X-SF-Originating-IP: 62.24.133.278
If these headers are not present in the email, the email was not processed by SpamFilter (which is confirmed by the fact you did not find it in the logs).
Please also note that while your MX record is indeed pointing to 98.190.128.61 (running SpamFilter), the A record for your domain points to 98.190.128.60, which I see is running MailEnable and is listening for SMTP traffic. Spammers *will* send emails directly to your A server as well, and if it is running an unprotected SMTP server, as you've seen, you will receive spam sent directly to that IP as well.
The SPF filter in SpamFilter would have blocked this email (if you had enabled it). However, as it was processed by your MailEnable, I'm not sure what kind of settings you have configured for it.
As a side-note, please note that Outlook will completely change the source of the email. So even if SpamFilter had processed that specific spam, it's possible the keyword would not have triggered as the email's source was very possibly different as rendered by Outlook (even Outlook's "show source" is useless here, it will only show the html source, which is *not* the same as the email source).
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
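Added example (not part of the original thread and not LogSat's code): a header audit that applies the check described in the reply above, flagging a delivered message as unfiltered when no Received header carries the SpamFilter marker. The two samples are the headers quoted in this thread (the first one abridged); the function name `audit` and the marker constants are assumptions made for this sketch.

```python
import re
from email import message_from_string

# Marker strings taken from the SpamFilter headers quoted in the reply (assumed stable).
SF_RECEIVED_MARKER = "LogSat Software SMTP Server"
SF_HEADER_PREFIX = "x-sf-"

# Headers of the message that got through, as posted in the thread (abridged).
BYPASSED = """\
Received: from CL210-201-220-199.static.apol.com.tw ([210.201.220.199]) by micronettechnicalservices.net with MailEnable ESMTP; Mon, 22 Jun 2009 19:51:21 -0700
Message-ID: <4A40431D.1025126@webtv.net>
From: Wilma <WilmaStarnes38@webtv.net>
Content-Type: text/plain

"""

# Headers of a SpamFilter-processed message, as quoted in the reply.
FILTERED = """\
Received: from 62.2.138.178 by mail2.netwide.net (LogSat Software SMTP Server); Wed, 14 Nov 2007 09:52:21 -0500
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <some_user@gmail.com>
X-SF-HELO-Domain: gmail.com
X-SF-Originating-IP: 62.24.133.278

"""

def audit(raw):
    """Report whether a raw message carries SpamFilter's trace headers."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    # SpamFilter "will always add a Received header", so that is the deciding signal.
    sf_hops = [r for r in received if SF_RECEIVED_MARKER in r]
    sf_headers = sorted(k for k in msg.keys()
                        if k.lower().startswith(SF_HEADER_PREFIX))
    # The topmost Received header was added by the last server to accept the mail.
    last_hop = re.search(r"\bby\s+(\S+)", received[0]) if received else None
    return {
        "filtered": bool(sf_hops),
        "sf_headers": sf_headers,
        "last_hop": last_hop.group(1) if last_hop else None,
    }

if __name__ == "__main__":
    for name, raw in (("bypassed", BYPASSED), ("filtered", FILTERED)):
        print(name, audit(raw))
```

A sender can forge these headers, so a positive result is only a hint; the SpamFilter log remains the authoritative record of what it processed.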
Posted By: hartsockt
Date Posted: 23 June 2009 at 8:07pm
So, would a typical configuration of a mail server be to only accept mail (for this particular domain) from the server running SpamFilter? Would this solve this issue?
Thanks
Posted By: LogSat
Date Posted: 24 June 2009 at 10:13pm
When implementing a spam filtering solution, usually the "real" mail server(s) are not accessible from the internet (or at least they are not accepting SMTP traffic on port 25). All inbound emails from the internet are processed by the spam filtering software, which then forwards them to the real SMTP server.
In some installations (ISPs are the typical example) there is the need to allow users the ability to send their emails from home or while traveling. In these cases, users are usually instructed to configure SMTP authentication in their email client settings for their "Outgoing SMTP Server", as authenticated users can then be allowed to use a mail server for relay. In these cases, if the existing SMTP server does not support SMTP Authentication (most mail servers nowadays do), SpamFilter can also help as we do support SMTP AUTH via Active Directory, LDAP, or via Unix-style password files.
------------- Roberto Franceschetti
LogSat Software - http://www.logsat.com
Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp