spam passing filters
2CNL
Newbie Joined: 09 May 2005 Location: Netherlands Status: Offline Points: 6
Posted: 04 November 2008 at 7:43am
Still approx 6% of the spam is passing through the LogSat filters.
Some of this spam is very obvious and the real pain is, even the Outlook unwanted mail list is collecting them, but LogSat is not. It seems all these mails are coming from the backup SMTP server (of our ISP) I put on the greylistallowed. Any thoughts what can be the cause of this passed spam?
Remarkable, but not very clear what is the cause, are the following figures:
total inbound connections server: 540.000
emails forwarded: 26000
emails blocked: 82000
email attempts: 15000
Is this normal behaviour?
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
2CNL,
If you were to have Outlook's junk filter receive all of your emails rather than SpamFilter, you would see that much more than 6% of spam would slip thru. As SpamFilter will never be 100% accurate, some spam will go undetected. It is almost a certainty that another application can further stop some of this remaining spam.
The main issue here is that you have another SMTP server which is receiving and processing your incoming emails in addition to SpamFilter. SpamFilter *must* see the original IP of the sender to stop spam effectively. All of our most efficient filters require to see that IP in order to do their job and stop the spam. If your secondary server processes emails first, and then passes them on to SpamFilter, the only filters that can then check emails for spam are the Bayesian filter, the SURBL filter and your keyword (if you specified any). These filters will only stop a very small percentage of emails, and thus will not be able to noticeably stop spam being forwarded by your secondary SMTP server.
In regards to the numbers above, please do note that many connection attempts are just "probes" that don't result in emails to be sent. Furthermore, SpamFilter caches for a few minutes IPs that sent large amounts of spam in a certain timeframe, and further connection attempts from them are rejected without any emails being transferred. All these factors mean that the statistics are to be taken with a grain of salt, as the numbers will never add up, and in some cases there will be noticeable discrepancies.
StevenJohns
Senior Member Joined: 03 August 2006 Status: Offline Points: 119
Roberto,
As 2CNL have added the IP of their ISP's mail server to the greylistallowed, and they are using it as a backup MX, then I would have thought that SF could receive the email, then check in the headers for the IP address which sent the email to the backup MX server....these IPs are inserted as the email passes every mail server, and I wouldn't have thought that their ISP would forge the headers.....
2CNL...
We have seen an increase in email slipping through SF (with no real answer as to why), but we pass our email through another two filter levels which normally pick up all of these emails. As a cheap method, you could pass emails from SF through SpamAssassin to see if it picks up the 6%, I bet it would as it checks the IPs in all the received headers which SF does not do (for some strange reason??).
www.internetmailservices.co.uk
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
StevenJohns,
There are two main issues. The first is ours, and is caused by how SpamFilter applies its filters. All the IP-based filters are checked before the email is actually received, and are thus applied super-fast. If we were to check the IP in the headers as well, we'd have to receive the email as well and then go back and re-apply the IP filters. That will involve quite a bit of work... but as I said that's an internal matter.
The second issue is that we've always made it a point since SpamFilter v1.0 six years ago of *not* checking the headers, as they can always be faked. For example, if SpamFilter were to check the IP in the last header, a spammer could add a fake header listing gmail's IP at the top of the email, and send it thru a host not yet IP-blacklisted. If the email is determined to be spam by the other filters, we risk blocking gmail's IP as well. There would have to be a lot of confusing if/then logic to determine what IPs are then reported as spammers and which not.
An option would be to only check the last received header if the email has been received by a specific IP (the secondary MX server)... We're going to do some brainstorming to see what can be done, as this subject is appearing more and more often recently.
StevenJohns
Senior Member Joined: 03 August 2006 Status: Offline Points: 119
Roberto,
I understand your issues as you have explained them and I can understand the reasons for checking the IP filters at TCP connection time. However, only a fool and his dog would only have one email server, so it stands to reason that everyone should have a backup MX server, and some people might want that to be hosted by their ISP. This in turn means that we MUST have a way of filtering the emails which come through the backup MX.
As I said, we send our emails through SpamAssassin after SF specifically because SF does not scan the headers (we turn off all other SpamAssassin filters).
Still a good product, but I feel you may be hitting brick walls soon due to design decisions made years ago.
Cheers.
www.internetmailservices.co.uk
Bart
Newbie Joined: 20 August 2008 Location: Holland Status: Offline Points: 18
I never really read the license agreement, but is it legal to install SpamFilterISP enterprise on a second machine to be used as a fall-back server, or do I have to purchase a second license for a server that is online there in case something goes wrong?
I only have 1 server running now but have the same problem that fallback servers are a problem fighting spam.
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
Most admins who have multiple SMTP servers either have SpamFilter (or another product) running on their backup MX server as well, or use network load-balancing (ex. Cisco CSS switches, Windows load balancing, etc) to balance two servers behind a single IP (their primary MX record). We do have a growing number of admins however as yourself, who rely on their ISP to serve as their backup MX record. If the ISP is not running SpamFiltering, then the issues you bring up are indeed issues. We do always listen to everyone's feedback, which is partly why SpamFilter has become so powerful/flexible, as many many times we do implement users' requests. We're evaluating this one to see how to proceed.
SpamFilter requires a license for every production server it is installed on. If the second server is used as a secondary MX record, or as a secondary server in a load-balance scenario, yes, a license is required on the 2nd server as well. If you have SpamFilter installed on a spare server, but the server does not process emails until you manually place it online, then in this case as it won't process emails until you manually intervene to replace your "down" server with this backup one, we will not require a second license.
2CNL
Newbie Joined: 09 May 2005 Location: Netherlands Status: Offline Points: 6
Robert,
Is it not possible to make a sort of doublecheckip entry in the LogSat ini file, combined with a filter, where the secondary SMTP server or other specific IP numbers are checked in the header info?
I guess one of the reasons to not implement options like these is performance? If so, if it is only reserved for a single or a few IP numbers the performance impact would be less.
Just my 2c ;)
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
That is *exactly* what we had in mind as well.
We'll keep this thread updated if this is something that can be implemented in a reasonable amount of time.
StevenJohns
Senior Member Joined: 03 August 2006 Status: Offline Points: 119
Sounds like a good solution to me, PLEASE do NOT limit it to one IP though.....
Cheers
www.internetmailservices.co.uk
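
The approach the thread converges on (read the Received header only when the connecting IP is a listed backup MX, and allow more than one such IP), sketched as an added example that is not LogSat's code and not part of any post. The relay address, function names and sample messages are constructed assumptions, and the headers are taken as received, before the local server adds its own Received line.

```python
import email
import ipaddress
import re

# Assumption: address of the ISP's backup MX (constructed, documentation range).
TRUSTED_RELAYS = {ipaddress.ip_address("192.0.2.10")}

# Bracketed address literal as most MTAs write it: "from host (name [203.0.113.7])".
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def _received_from_ip(value):
    """IP recorded in the 'from' clause of one Received header, or None."""
    from_clause = re.split(r"\sby\s", value, maxsplit=1)[0]
    for candidate in _BRACKET_IP.findall(from_clause):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None

def effective_sender_ip(peer_ip, raw_headers, trusted=TRUSTED_RELAYS):
    """IP that the IP-based filters should score for this message."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        # Direct connection: headers are sender-controlled, so never read them.
        return peer
    msg = email.message_from_string(raw_headers)
    # Newest header first; each one read here was written by a trusted relay.
    for value in msg.get_all("Received", []):
        hop = _received_from_ip(value)
        if hop is None:
            return peer          # unparseable: fall back to what we saw
        if hop not in trusted:
            return hop           # first untrusted hop; older headers ignored
    return peer

# Constructed samples. The second Received line is forged by the sender.
VIA_BACKUP_MX = (
    "Received: from mail.sender.example (unknown [203.0.113.7])\n"
    "\tby backup.isp.example with ESMTP; Tue, 4 Nov 2008 07:40:00 +0100\n"
    "Received: from forged.example (forged.example [198.51.100.25])\n"
    "\tby mail.sender.example; Tue, 4 Nov 2008 07:39:00 +0100\n"
    "Subject: sample\n\nbody\n"
)
DIRECT = VIA_BACKUP_MX.split("\n", 2)[2]  # only the forged header remains

if __name__ == "__main__":
    print(effective_sender_ip("192.0.2.10", VIA_BACKUP_MX))   # via backup MX
    print(effective_sender_ip("203.0.113.99", DIRECT))        # direct delivery
```

Because the walk stops at the first hop outside the trusted set, a forged header lower in the message can never become the address that gets scored or blacklisted.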