New SpamFilter ISP v2.7.1.511 released
Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5421
Printed Date: 23 February 2025 at 1:39am
Topic: New SpamFilter ISP v2.7.1.511 released
Posted By: LogSat
Subject: New SpamFilter ISP v2.7.1.511 released
Date Posted: 20 December 2005 at 10:43am
We have officially released the new SpamFilter ISP v2.7.1.511; it is available for download in the registered user area of our website.
This version contains a number of fixes and enhancements from the previous versions. One of the major additions is an IP caching feature/filter. If an IP address sends a number of spam emails in a certain timeframe, that IP will be cached in SpamFilter and will be temporarily prohibited from making further connections. This should greatly reduce the load on the SpamFilter server in cases where certain senders flood your server with spam and/or viruses, as they won't even be allowed to connect to the server.
The full list of additions/changes from the previous version is as follows:
// New to VersionNumber = '2.7.1.511';
{TODO -cNew : Changed the priority of the IP blacklist filter, it is now placed before the local domains blacklist}
{TODO -cNew : Changed the logfile entry if the IP address is blacklisted to: "IP is in local blacklist file..."}
{TODO -cNew : Performing reverse DNS queries only if the ReverseDNS filter is enabled, thus improving performance when it's off}

// New to VersionNumber = '2.7.1.510';
{TODO -cFix : Improved the forced disconnects of the cache filter to prevent the current connections from adding up}
{TODO -cFix : Regression error in v2.6.3.495 caused the MX record test to not detect all errors}

// New to VersionNumber = '2.7.1.508';
{TODO -cNew : Implemented an IP cache to temporarily deny further connections to IPs that sent multiple spams recently. This can greatly reduce the load on the server}
{TODO -cNew : Improved "Connections" tab, showing in real-time what commands the remote IPs are sending}
{TODO -cFix : Sometimes the "Current Connections" counter could not decrease when a remote connection is dropped, thus displaying a number higher than reality}

// New to VersionNumber = '2.6.3.502';
{TODO -cFix : Duplicate entries were being created in the logfiles}
{TODO -cFix : Bug introduced in v2.6.3.491. When forwarding emails to the destination SMTP server, sometimes the leading "<" and trailing ">" were missing in the MAIL FROM}

// New to VersionNumber = '2.6.3.495';
{TODO -cNew : Added options to not quarantine or send to NULL virus-infected emails}

// New to VersionNumber = '2.6.3.493';
{TODO -cNew : Added DNSTimeout option in SpamFilter.ini to customize the DNS timeout for all of SpamFilter's DNS queries}
{TODO -cNew : Added EnableDbgLogs SpamFilter.ini option to enable separate detailed logging for troubleshooting purposes}
{TODO -cNew : Added to SpamFilter.ini several of the optional entries with their default values for users to see}
{TODO -cFix : Clicking on "Check if IP in ORBS" button in GUI could result in Access Violations being logged}

// New to VersionNumber = '2.6.3.491';
{TODO -cNew : Added support for maximum message size in reply to EHLO and MAIL FROM, as per RFC1870}

// New to VersionNumber = '2.6.3.490';
{TODO -cNew : Changed the control used to display logging in the GUI}
{TODO -cFix : Added *lots* of exception handling code to prevent sporadic problems with the GUI locking up at random}
{TODO -cNew : Added optional EnableDBGLogs ini option for additional debugging}
{TODO -cNew : Greatly improved startup and "Save Settings" response time for installs with thousands of local domains}

// New to VersionNumber = '2.6.3.488';
{TODO -cFix : Improved error trapping for the way the quarantine grid is displayed on screen}
{TODO -cNew : Increased the amount of information being logged in case of crashes in the quarantine grid refresh}
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
|
Replies:
Posted By: Guests
Date Posted: 21 December 2005 at 10:37am
On the new 2.7.1.511 build the filter order has been changed, now messages that come from blocked IP's are sent to quarantine, even if there is no associated AuthorizedTo email address. The quarantine database fills up very quickly with dictionary attack addresses.
AuthorizedTo lists are going to be smaller and faster to process than blocked IP or HoneyPot lists.
We feel the AuthorizedTo filter should be the first filter object. If the recipient is not on the AuthorizedTo list it should be rejected 1st. No need to quarantine messages rejected from this filter.
Second, if a message is sent from an IP address listed in the honeypot list to an AuthorizedTo address it should be blocked.
Third, The IP address filter, this is where I block Class "B" and "C" ranges.
Using the new build, phishers are getting messages through even though the IP address is on the honeypot list.
|
Posted By: LogSat
Date Posted: 21 December 2005 at 5:17pm
Scubajim,
I'm not sure I follow with the questions. Please note my comments below, and see if they explain the new features available:
> now messages that come from blocked IP's are sent to quarantine, even if there is no associated AuthorizedTo email address.
There is a "Do not quarantine" option for the "IPs" blacklist that you can use. If you refer to the new IP cache, the connections from those IPs are rejected from the start, nothing is being quarantined.
> The quarantine database fills up very quickly with dictionary attack addresses.
Actually with the new blacklist IP cache, if a spammer tries a dictionary attack, and they are blocked 3 times within 10 minutes, from then on the IP address will be banned from connecting, so they will have a shot for very few attempts. Your quarantine DB will be less impacted, as when they are banned, they are not allowed to even connect, thus nothing is quarantined.
> If the recipient is not on the AuthorizedTo list it should be rejected 1st. No need to quarantine messages rejected from this filter.
We agree... In fact, if a message is rejected because the recipient is not in the AuthorizedTo whitelist, the email is discarded, and is *not* stored in the quarantine.
> Using the new build, phishers are getting messages through even though the IP address is on the honeypot list.
We may change this in the future, however the presence of the cached IP blacklist greatly reduces this risk now.
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
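The IP cache rule described in the reply above (blocked 3 times within 10 minutes, then refused at connect), sketched as an added example; this is not LogSat's code. The ban length, the class and function names, and the assumption that every filtered message would otherwise be quarantined are illustrative.

```python
from collections import defaultdict, deque

THRESHOLD = 3          # blocks that trigger a ban (figure from the thread)
WINDOW = 10 * 60       # seconds in which they must occur (figure from the thread)
BAN_SECONDS = 30 * 60  # assumed; the thread only says "temporarily"


class IpCache:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, ban=BAN_SECONDS):
        self.threshold, self.window, self.ban = threshold, window, ban
        self._blocks = defaultdict(deque)  # ip -> timestamps of recent blocks
        self._banned_until = {}            # ip -> time at which the ban lapses

    def is_banned(self, ip, now):
        expiry = self._banned_until.get(ip)
        if expiry is not None and now >= expiry:
            del self._banned_until[ip]     # ban has lapsed, allow connections again
            return False
        return expiry is not None

    def record_block(self, ip, now):
        """Call when a filter rejects a message from ip; True if this starts a ban."""
        recent = self._blocks[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()               # forget blocks older than the window
        if len(recent) >= self.threshold:
            self._banned_until[ip] = now + self.ban
            del self._blocks[ip]
            return True
        return False


def simulate(attempts, cache=None):
    """attempts: (timestamp, ip) pairs a filter would reject. Returns (quarantined, refused)."""
    quarantined = refused = 0
    for now, ip in attempts:
        if cache is not None and cache.is_banned(ip, now):
            refused += 1                   # dropped at connect, nothing is stored
            continue
        quarantined += 1                   # message accepted, filtered, quarantined
        if cache is not None:
            cache.record_block(ip, now)
    return quarantined, refused


# Constructed input: a 50-message burst, and a sender spaced 6 minutes apart.
ATTACK = [(i * 5, "192.0.2.10") for i in range(50)]
SLOW = [(i * 360, "198.51.100.7") for i in range(5)]
```

With the cache in place only the first three messages of the burst reach the quarantine; the slow sender never has three blocks inside one window and is left to the ordinary filters.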
|
Posted By: Guests
Date Posted: 22 December 2005 at 2:34pm
Roberto,
We use the IP blacklist to block Class "C" and "B" ranges; for example, we block 72.11.128.0/19. However we send all messages from these IP addresses to quarantine in the remote possibility that OC3 networks has a legit domain hosted.
With the new build, as soon as an IP from the IP blacklist tried to connect, the message was sent directly to the quarantine. Completely bypassing the authorizedto white list.
Does that make sense? Maybe we were using the IP address block differently than intended. We use the HoneyPot IP address list to block single IP addresses... Seems to me that IF you use the IP blacklist to reject single IPs you may be duplicating many of the HoneyPot IP's.
I would rather use honeypot addresses and keyword features to build my blocked single IP list and use the IP blacklist to blacklist spammer friendly ISP's like Comcast, RR, OC3 and so on...
|
Posted By: LogSat
Date Posted: 22 December 2005 at 5:27pm
We moved the IP blacklist up in the priority due to several (very reasonable) requests, as if an IP is to be blocked there is no sense in performing any of the DNS-based tests before rejecting it. For this reason a connection is rejected before all DNS and recipient/sender tests, as the IP is known even before the sender sends a single packet of mail data.
We're *almost* duplicating the honeypot IP blacklist functionality, but are keeping the lists separate even though they perform the same function, to make them easier to manage. This allows admins to know that all IPs in the honeypot list were caused by the honeypot, and all IPs in the blacklist IPs are instead added separately.
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
|
Posted By: Guests
Date Posted: 22 December 2005 at 7:18pm
I am running v.2.7.1.511 and I experienced the blocking of null emails with the reject empty “Mail From” unchecked. Here is the scenario:
I set up out-of-office auto responders for a client on our public mail server. Our auto responder sends from a null address to prevent loops. I sent a test email from our private exchange server to the auto responder and never got a response? It was trapped in the spam filter as it had to pass from one mail server to another. It even blocked with our class C IP range white listed. I tested the spamfilter without keywords, MAPS, from emails and IP blacklists and the auto responses were still blocked.
To confirm the spamfilter was the issue I forced email from our client mail server directly to our private exchange server (bypassed the spam filter) and the auto response arrived. Can you test this feature? This is a new issue – our auto response email arrived as expected on the Thanksgiving holiday.
Otherwise I like v.2.7.1.511.
Here is one feature request. Allow us to start up the service to the window of our choice or a window other than the activity log. When we are under a spam load, the GUI locks up and the desktop interface lags something awful. I can forget remote with pc-anywhere and remote desktop is bad as well as the direct desktop. When under a load I can't always get the spamfilter GUI to switch to the settings tab in a reasonable time period because of the lag.
Thanks and Merry Christmas!
I refuse to be politically correct!
|
Posted By: LogSat
Date Posted: 22 December 2005 at 9:06pm
Dwight,
Can you please zip us SpamFilter's logfile for the day this happened, along with the recipient's email address and the time, so we can find it in the logs? The email may have been stopped by more than a dozen filters... :-) so we need to see which one was guilty.
Unfortunately your second request can't currently be accommodated, due to the way the SpamFilter service is programmed. We may have a web-enabled version in the future, but if so that will be several months away.
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
|
Posted By: Guests
Date Posted: 23 December 2005 at 10:40am
I just emailed you some logs and information. Merry Christmas!
|
Posted By: LogSat
Date Posted: 23 December 2005 at 4:21pm
Dwight,
Thanks to your MailMax logs we found the problem. You are correct, there is definitely a bug here, and it's caused by the SIZE command that MailMax sends along with the NULL address. Here's FYI how we reproduced it:
220 mail2.netwide.net Welcome to SpamFilterISP SMTP Server v2.7.1.512
helo test.logsat.com
250 Hello zzzz
MAIL FROM: <> SIZE=692
500 Address Error
A patched build (2.7.1513) is available in the registered user area.
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
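The failing command in the transcript above pairs the null reverse-path with the RFC 1870 SIZE parameter. The following added example (not SpamFilter's code) parses MAIL FROM so that `<>` and the ESMTP parameters are handled independently; the function name, the loose address check and the 10 MB limit are assumptions.

```python
import re

# "<>" is the null reverse-path (bounces, auto-replies); ESMTP parameters
# such as SIZE (RFC 1870) follow the closing ">" separated by spaces.
_MAIL_RE = re.compile(
    r"^MAIL FROM:\s*<(?P<path>[^<>\s]*)>(?P<params>(?: +\S+)*) *$", re.IGNORECASE)
_PARAM_RE = re.compile(r"^(?P<key>[A-Za-z0-9][A-Za-z0-9-]*)(?:=(?P<value>[^\s=]+))?$")
MAX_MESSAGE_SIZE = 10 * 1024 * 1024  # assumed limit for this example


def parse_mail_from(line, max_size=MAX_MESSAGE_SIZE):
    """Return (reply_code, sender, params) for one MAIL FROM line."""
    m = _MAIL_RE.match(line.rstrip("\r\n"))
    if m is None:
        return 501, None, {}
    sender = m.group("path")  # "" means the null sender and is valid
    # Non-empty paths need text on both sides of an "@" (deliberately loose).
    if sender and "@" not in sender[1:-1]:
        return 501, None, {}
    params = {}
    for token in m.group("params").split():
        pm = _PARAM_RE.match(token)
        if pm is None or pm.group("key").upper() in params:
            return 501, None, {}  # malformed or repeated parameter
        params[pm.group("key").upper()] = pm.group("value")
    if "SIZE" in params:
        size = params["SIZE"]
        if size is None or not re.fullmatch(r"[0-9]{1,20}", size):
            return 501, None, {}  # RFC 1870: the value is 1 to 20 digits
        if int(size) > max_size:
            return 552, None, {}  # declared size exceeds the fixed maximum
    return 250, sender, params


# Constructed inputs; the first is the command from the thread's transcript.
SAMPLES = [
    "MAIL FROM: <> SIZE=692",
    "MAIL FROM:<user@example.com> SIZE=692 BODY=8BITMIME",
    "MAIL FROM:<> SIZE=abc",
    "MAIL FROM:<> SIZE=99999999999",
    "MAIL FROM:<user@example.com",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", parse_mail_from(s))
```

A regression test for a fix like this should cover the null sender both with and without trailing parameters, since auto-responders and bounce generators send both forms.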
|
|