Advanced configuration

sirrar | Groupie | Joined: 26 January 2005 | Location: Denmark | Status: Offline | Points: 44
Posted: 21 April 2009 at 4:30am
Hi
I need to receive some mail which has been scanned by another spamfilter before entering spamfilter.
I have configured the filter before spamfilter to tag subject and deliver. I have then in Spamfilter configured it to look for the keywords I use in the tag so that spamfilter can quarantine the mail (so that I only have one end user quarantine). Here comes the problem. When the filter before spamfilter has tagged the subject and delivered it, spamfilter finds the keyword and quarantines it - as it should. But the IP from the filter then gets listed in the SFDB even though I have deselected SFDB for that domain in spamfilter...
And the IP of the filter in front of spamfilter also gets listed in a limbo.
How to whitelist the ip from the filter in front of spamfilter - and still be able to quarantine tagged mails from the filter?
From the log:
04-21-09 10:11:34:393 -- (15344) Found Keywords: [Subject:SPAM:_]
04-21-09 10:11:34:393 -- (15344) EMail from xxx@xxx.xx to yyy@yyy.yy matches content filter rules - rejected.
04-21-09 10:11:34:409 -- (15344) Starting quarantine procedures
04-21-09 10:11:34:440 -- (15344) Created thread (16144) to add email to quarantine
04-21-09 10:11:34:440 -- (15344) Starting bayesian procedures
04-21-09 10:11:34:471 -- (15344) Blacklist cache - Updated limbo counter for xxx.xxx.xxx.xxx
04-21-09 10:11:34:502 -- (16144) EMail from xxx@xxx.xx to yyy@yyy.yy was received and quarantined. Size: 18 KB, 18432 bytes
04-21-09 10:11:34:909 -- (15344) SFDB - Added xxx.xxx.xxx.xxx - Response: Error=0

Edited by sirrar - 21 April 2009 at 5:03am
Best regards...
Torsten Egebirk MCTIP: EA/SA - MCSE - MCSA - CCA - CCNA

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104
sirrar,
From the log entries above, we see that the possible issue is that your first spamfilter (xxx.xxx.xxx.xxx) is being added to the blacklist cache (which will eventually cause that IP to be blocked by your 2nd SpamFilter). We do have a solution for this - please see the following option in the SpamFilter.ini file:

;Add any IPs (separated by commas - no wildcards) that you do not wish to be automatically added to the Honeypot IP blacklist. This setting also prevents those IPs to be added to the IP cache blacklist
DoNotAddIPToHoneypot=

Even with the setting above the IP xxx.xxx.xxx.xxx will still be added to our SFDB. However please note that a single SpamFilter server reporting an IP address will never cause an IP to be actually blacklisted in the SFDB. So even though you're reporting your 1st SpamFilter's IP to the SFDB, this is only a small contribution to the SFDB and it is very, very unlikely that this will blacklist it, as you would really have to be spamming as to receive reports from other SpamFilter users as well.

sirrar | Groupie | Joined: 26 January 2005 | Location: Denmark | Status: Offline | Points: 44
Thank you very much for the solution. Added the 1st spamfilter ip to spamfilter.ini section DoNotAddIPToHoneypot. And the first spamfilter is now able to deliver messages. I was beginning to be unable because the ip was blocked. See below attached log:
04-22-09 12:53:06:339 -- (14272) Connection from: xxx.xxx.xxx.xxx - Originating country : Denmark
04-22-09 12:53:06:339 -- (14272) IP is in local blacklist cache. Disconnecting: xxx.xxx.xxx.xxx
04-22-09 12:53:06:402 -- (14272) No Data Received
04-22-09 12:53:06:402 -- (14272) Disconnect
So again. Thank you very much. You are always the best.

Best regards...
Torsten Egebirk MCTIP: EA/SA - MCSE - MCSA - CCA - CCNA

sirrar | Groupie | Joined: 26 January 2005 | Location: Denmark | Status: Offline | Points: 44
Here is another question.
The next problem is the SPF. I'm of course able to disable SPF for the domains. But e.g. in Exchange you are able to define perimeter IPs which then should not be used to check against SPF. So Exchange will not look at the first IP it receives the mail from, but the IP the perimeter server received the mail from. Can spamfilter in any way support something like this?
04-22-09 13:03:06:351 -- (9124) Connection from: xxx.xxx.xxx.xxx - Originating country : Denmark
04-22-09 13:03:06:554 -- (9124) Received MAIL FROM: <yyy@yyy.yy> SIZE=2963
04-22-09 13:03:06:585 -- (9124) Received RCPT TO: xxx@xxx.xx
04-22-09 13:03:06:585 -- (9124) found SPF record for shaw.ca: v=spf1 mx ip4:64.59.134.0/25 ip4:24.71.223.0/25 ip4:204.209.208.40 ip4:204.209.208.41 ~all
04-22-09 13:03:06:601 -- (9124) SPF query result: softfail
04-22-09 13:03:06:617 -- (9124) - SPF analysis for shaw.ca done: - softfail
04-22-09 13:03:06:617 -- (9124) failed SPF test (softfail) - Disconnecting xxx.xxx.xxx.xxx
04-22-09 13:03:06:632 -- (9124) xxx.xxx.xxx.xxx - Mail from: yyy@yyy.yy To: xxx@xxx.xx will be rejected

Edited by sirrar - 22 April 2009 at 7:08am
Best regards...
Torsten Egebirk MCTIP: EA/SA - MCSE - MCSA - CCA - CCNA

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104
SpamFilter is designed to be placed at your network's gateway, and requires to "see" the original IP address of the sender. This is because a large part of SpamFilter's tests act upon the sender's IP, like our SFDB filter, the MAPS RBL, SPF, etc. If SpamFilter is unable to see that IP address, all of the IP-based tests will either fail to detect spam, or worse, will block legitimate emails.

If SpamFilter is unable to see the original IP address, then all IP-based tests, not just the SPF filter, should be disabled to avoid issues. SpamFilter will not support the definition of a "perimeter" IP as in Exchange due to the following. Suppose you do have another server accepting emails before SpamFilter. If the email received and forwarded by your perimeter server is spam, and is then forwarded to SpamFilter, SpamFilter will reject it as it usually happens during the SMTP session from your server. Since SpamFilter will reject the email with an SMTP error code, your perimeter SMTP server will need to send an NDR undeliverable email back to the sender (unless your perimeter server is acting as a proxy/gateway, maintaining an open connection to the "real" sender while forwarding the email to SpamFilter...).

If however your perimeter SMTP server sends an actual NDR email back out to the internet for every spam email that SpamFilter rejects, you yourself will effectively become a spammer, as you'll likely be sending huge amounts of NDR emails back to often innocent users who had their emails spoofed by spammers, or filling postmaster's mailboxes with NDR notifications... One of SpamFilter's strengths compared to most of our competitors is the very fact that no NDRs are usually ever sent from your network for spam emails, yet the senders, if they are legitimate, still do receive an NDR email as SpamFilter rejects spam during the open SMTP session, thus forcing the ***remote server*** to send an NDR email back to the sender. We are very hesitant to alter this behavior.
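
An added example (not part of the thread and not LogSat's code): a Python check that scans a SpamFilter log for the IP-based penalties discussed in both answers above (limbo counter, SFDB report, blacklist-cache disconnect, SPF disconnect) when they land on an upstream relay you trust. The message patterns are taken from the log excerpts quoted in this thread; the sample log, the 192.0.2.10 and 203.0.113.5 addresses, the labels and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Layout of the log lines quoted in this thread:
#   MM-DD-YY HH:MM:SS:mmm -- (thread) message
LINE_RE = re.compile(r"^(\d\d-\d\d-\d\d \d\d:\d\d:\d\d:\d{3}) -- \((\d+)\) (.*)$")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Message texts copied from the thread's excerpts; the labels are assumptions.
PENALTIES = [
    ("limbo", re.compile("Blacklist cache - Updated limbo counter for " + IP)),
    ("sfdb_report", re.compile("SFDB - Added " + IP)),
    ("cache_block", re.compile(r"IP is in local blacklist cache\. Disconnecting: " + IP)),
    ("spf_reject", re.compile(r"failed SPF test \(\w+\) - Disconnecting " + IP)),
]

# Constructed sample: 192.0.2.10 plays the upstream filter, 203.0.113.5 a stranger.
SAMPLE_LOG = """\
04-21-09 10:11:34:393 -- (15344) Found Keywords: [Subject:SPAM:_]
04-21-09 10:11:34:471 -- (15344) Blacklist cache - Updated limbo counter for 192.0.2.10
04-21-09 10:11:34:909 -- (15344) SFDB - Added 192.0.2.10 - Response: Error=0
04-21-09 10:12:01:100 -- (15360) Blacklist cache - Updated limbo counter for 203.0.113.5
04-22-09 12:53:06:339 -- (14272) IP is in local blacklist cache. Disconnecting: 192.0.2.10
04-22-09 13:03:06:617 -- (9124) failed SPF test (softfail) - Disconnecting 192.0.2.10
"""

def relay_penalties(log_text, trusted_relays):
    """Map each trusted relay IP to the (timestamp, thread, label) penalties it received."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a log line in the expected layout
        stamp, thread, msg = m.groups()
        for label, pattern in PENALTIES:
            found = pattern.search(msg)
            if found and found.group(1) in trusted_relays:
                hits[found.group(1)].append((stamp, int(thread), label))
    return dict(hits)

def summarize(hits):
    """Count penalties per relay and label."""
    return {ip: dict(Counter(label for _, _, label in ev)) for ip, ev in hits.items()}

def blocked_relays(hits):
    """Relays whose connections were already dropped by an IP-based test."""
    dropping = {"cache_block", "spf_reject"}
    return sorted(ip for ip, ev in hits.items() if any(e[2] in dropping for e in ev))

if __name__ == "__main__":
    found = relay_penalties(SAMPLE_LOG, {"192.0.2.10"})
    print(summarize(found), blocked_relays(found))
```

A relay that shows `limbo` hits but no `cache_block` yet is the early sign seen in the first log of this thread, before the IP ends up in the local blacklist cache.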

sirrar | Groupie | Joined: 26 January 2005 | Location: Denmark | Status: Offline | Points: 44
Thank you for your reply.
I have a possible bug to report.
As you know, when my first filter finds a possible spam, it tags the subject with: SPAM:_ and passes it on to spamfilter in which I have configured to look for keyword SPAM:_ so that the e-mail gets in the user quarantine. But I have just received an e-mail in my inbox (not spamfilter user quarantine) with subject: SPAM:_ (so tagged from the first filter). I looked in the log and noticed that the e-mail was with multiple recipients. Does the keyword filter not work with multiple recipients?
I have just reproduced the "bug". Both recipients should be in the same domain (ex: ddd@xxx.xx and eee@xxx.xx). Then scanning for keywords doesn't work.
Please write me back if you want my log. I will not post it here because I would have to replace a lot.
I would also be able to forward the mail to you...
BTW: Running Spamfilter v.4.1.2.808

Edited by sirrar - 23 April 2009 at 6:48am
Best regards...
Torsten Egebirk MCTIP: EA/SA - MCSE - MCSA - CCA - CCNA

LogSat | Admin Group | Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4104
sirrar,
Yes, please zip and forward us the logfile, also including the from/to addresses in the email so we may locate it in the log. If the zip is over 5MB in size, I'll provide you a PM with the FTP login for our FTP site.