Just FYI,

It appears spacific condition(s) causes Spam filter 2.5.1.441 to freez and pause in "RCPT TO" state. I have seen this case many times in logfile. Program doesnot crash, however incoing call never closes past ideal time limit or read timeout limit.

Log states % found in FROM, but there is no %.

Recepient exists in Auth_TO list and no other recepient is listed in TO statement of incoming email.

Log says that call will be disconnected, however it is not, and incoming email is actually delivered to recepient.

Local host is untrusted by using the untrust flag in ini file as well.

i don't have specification for incoming email, but will try to find and report later..

reducing the ideal time or read timeout in ini file doesnot change anything and connection remains open past ideal time. Message body is very short so delay in Baysain test is not the cause. no other checks such as keyword or MAPS or SPF are performed.

Condition occurs usually when receiving email from mailing lists. I don't know if this is because there is problems in "Reply TO" statement?

in my configuration Email from "Empty From" is accepted as well.

log says:

06/07/05 11:37:28:874 -- (984) Resolving 127.0.0.1 - localhost
06/07/05 11:37:28:874 -- (984) Mail from:  To: weekly_news-request@fsmmag.com - rejected - no relay allowed or % found in FROM address
06/07/05 11:37:28:874 -- (984) 127.0.0.1 - Mail from:  To: weekly_news-request@fsmmag.com will be disconnected
06/07/05 11:37:28:874 -- (984) Disconnect

Thanks for attention

Regards,

Thanks for quick response.

 

fsmmag.com listed in NOT the "Local Domains" white list

 

I am testing spamfilter and I am currently not interested in testing ALL DNS or IP-based tests (reverse-DNS, country, SPF, MAPS-RBL, IP blacklists, MX checks etc.)

I have installed two instances of spamfilter 2.5.2 on same server.

1) First spamfilter is bound to NIC’s IP and used to capture and quarantine sample data. I redirect SMTP traffic from firewall to capture test data. I release items from quarantine and feed it to second spamfilter (which is under test here)

2) Second spamfilter is bounded to 127.0.0.1. That instance is under test.

I am only testing I/O and keyword tests… 127.0.0.1 untrust flag is setup in ini file as well.  Log entries I posted are from s econd filter.

 

I find many instances (almost all are related to emails generated by mailing lists) where I can make spamfilter freeze.

I find Output SMTP conversation specifications of spamfilter are incompatible with its input. Perhaps the way program treats “RCPT TO” and “FROM” address is the hazard.

 

Here is an example of one scenario.

External email is received by first spamfilter.  “RCPT TO” person is in Auth_TO white list. Email is received correctly and then sent to second spamfilter. In conversation to Second spamfilter “RCPT TO” is reported correctly again and “rcpt to” person is listed in AUTH-TO white list as well. Second spamfilter accepts email, halfway then rejects it because it finds “TO” field populated with “Reply to” address of list. I also see in logs that “FROM” is reported empty. Obviously since second spamfilter finds items in “TO” that is not in auth domain white list it invokes that “rejected - no relay allowed or % found in FROM address” error. In mean time connection status column in activity log remain frozen reporting “RCPT TO” status. Connection remains open past defined timers in ini file.

 

If you look at log file items I posted, you see “From” is empty and “TO” is populated by list’s emails address instead of the targeted recipient. IS this correct behavior? I think there is something wrong…

 

 

You can reproduce this problem fairly easily.  Two instances can be on two different servers and result is same.

 

Scenario shows that spamfilter perhaps cannot be daisy changed in v2.5.2?

 

The first reason I was interested in running multiple instances in series is because spamfilter white list is so weak. If I white list one user to disable rev-DNS check I give up keyword file attachment tests and all other tests.  Spamfilter needs to be able to white list users and administrator have ability to check box filters to which a white listed person applies. 

Thanks

Mr Sam

Samsung,

Your description is pretty accurate, but we're not able to reproduce the problem. Two SpamFilters, one listening on the NIC's IP, the other listening on 127.0.0.1. The first receives the email and forwards it to the one on 127.0.0.1, but on our tests, the from and to on the second SpamFilter are reported correctly, even if the "Reply-To" is different.

Could you please zip and email us the relevant section of the logs for *both* SpamFilters that show the entries for the email causing the problem on both servers, along with the full email's headers, so we can try to reproduce this?

Samsung,

The scenario is a bit more complex than you described. It *may* have to do in how you configured your firewall or SpamFilter.

From your logs, when sending the email from thread 628, the 1st SpamFilter experienced a "Connection Refused" error when forwarding the email to the destination SMTP server at 18:05:30:067 (from your logs on the 2nd SpamFilter, we can't tell if the error occurred because the 2nd SpamFilter rejected it, or the email was forwarded to a different SMTP server).

Later, in thread 1716 on the 1st SpamFilter, an NDR (non-delivery) error email is being sent to "abcd@xyz.com" because when SpamFilter attempted to deliver it to your forwarding SMTP server, an error occurred ("Read Timeout"). The NDR email is an email sent to the sender, using an empty MAIL FROM per RFC, which is then forwarded to your destinatino SMTP server for delivery. This NDR is probably the email you see on the 2nd SpamFilter's logs, with an empty "Mail From", not the original one with a valid "mail from". The NDR is apparently then rejected by the 2nd SpamFilter, probably because of one of the settings.

Without having the configurations for both SpamFilters, it's hard to pinpoint the problem. If you can email them to us we'll try to look into it even further.