SPAM tagging issue in SFI v3.5..
Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6051
Printed Date: 27 December 2024 at 12:47pm
Topic: SPAM tagging issue in SFI v3.5..
Posted By: Thermo
Date Posted: 27 April 2007 at 4:37pm
I have one email address in the "Unfiltered Emails" whitelist with the :tag option so the email header gets the SPAM tag. The way it worked in SFI v3.1.3.615, SPAM sent to the unfiltered email address got tagged, as did all email addresses included in the email. In v3.5.. the unfiltered email address is the only one that gets the SPAM header tag; the other email addresses included in the email now bypass all filtering and end up in the users' Inboxes.
I have had to remove the email address from the unfiltered emails whitelist.
Can you make the tagging in v3.5.. function the same as it did in v3.1.3?
Michael
|
Replies:
Posted By: Desperado
Date Posted: 28 April 2007 at 4:01am
The intended action in the new version is that the unfiltered message gets tagged and the rest quarantined. I say intended because there seem to be times when the messages are, in fact, delivered. I have not put this all together but it seems to depend on whether or not the addresses are in the TO:, CC or BCC fields. I started to look at this but then got sidetracked. I think Thermo is on to something but as I stated, I am not clear on the exact issue yet.
------------- The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
|
Posted By: Thermo
Date Posted: 28 April 2007 at 11:12am
This is a section of the log showing what happened; I changed our company's email addresses. It's thread 3992: jeff@company.com gets the message SPAM tagged as it should, but the email gets bypassed for frank, ed, carl and bob.
4/27/07 05:04:40:522 -- (3992) Connection from: 221.148.79.75 - Originating country : Korea, Republic of
04/27/07 05:04:43:163 -- (3992) - IP address is from a blacklisted country...
04/27/07 05:04:43:163 -- (3992) 221.148.79.75 - Mail from: ramsey@gfagrow.org To: jeff@company.com will be spam-tagged
04/27/07 05:04:44:725 -- (3992) EMail from ramsey@gfagrow.org to jeff@company.com was queued. Size: 2 KB, 2048 bytes
04/27/07 05:04:44:741 -- (2668) Sending email from ramsey@gfagrow.org to jeff@company.com --
04/27/07 05:04:44:772 -- (2828) Time to add Msg to Bayes corpus:16
04/27/07 05:04:44:881 -- (2668) EMail from ramsey@gfagrow.org to jeff@company.com -- was forwarded to 127.0.0.1:26
04/27/07 05:04:46:069 -- (3992) Bypassed all rules for: frank@company.com from atiles@giciane.trix.net
04/27/07 05:04:47:631 -- (3992) EMail from atiles@giciane.trix.net to frank@company.com was queued. Size: 2 KB, 2048 bytes
04/27/07 05:04:47:631 -- (3092) Sending email from atiles@giciane.trix.net to frank@company.com --
04/27/07 05:04:47:663 -- (2828) Time to add Msg to Bayes corpus:0
04/27/07 05:04:47:788 -- (3092) EMail from atiles@giciane.trix.net to frank@company.com -- was forwarded to 127.0.0.1:26
04/27/07 05:04:49:163 -- (3992) Bypassed all rules for: ed@company.com from goldstein@globalhomeproducts.com
04/27/07 05:04:50:725 -- (3992) EMail from goldstein@globalhomeproducts.com to ed@company.com was queued. Size: 2 KB, 2048 bytes
04/27/07 05:04:50:725 -- (2180) Sending email from goldstein@globalhomeproducts.com to ed@company.com --
04/27/07 05:04:50:756 -- (2828) Time to add Msg to Bayes corpus:0
04/27/07 05:04:50:866 -- (2180) EMail from goldstein@globalhomeproducts.com to ed@company.com -- was forwarded to 127.0.0.1:26
04/27/07 05:04:52:069 -- (3992) Bypassed all rules for: carl@company.com from jsco@gintri.com
04/27/07 05:04:53:663 -- (3992) EMail from jsco@gintri.com to carl@company.com was queued. Size: 2 KB, 2048 bytes
04/27/07 05:04:53:663 -- (3204) Sending email from jsco@gintri.com to carl@company.com --
04/27/07 05:04:53:678 -- (2828) Time to add Msg to Bayes corpus:0
04/27/07 05:04:53:803 -- (3204) EMail from jsco@gintri.com to carl@company.com -- was forwarded to 127.0.0.1:26
4/27/07 05:04:54:397 -- (1756) Connection from: 82.179.199.194 - Originating country : Russian Federation
04/27/07 05:04:54:944 -- (1756) - IP address is from a blacklisted country...
04/27/07 05:04:54:944 -- (1756) 82.179.199.194 - Mail from: barncaredsefexe@maine.rr.com To: peter@company.com will be rejected
04/27/07 05:04:55:225 -- (3992) Bypassed all rules for: bompane@company.com from sandra@gma-online.de
04/27/07 05:04:56:788 -- (3992) EMail from sandra@gma-online.de to bompane@company.com was queued. Size: 2 KB, 2048 bytes
04/27/07 05:04:56:788 -- (1732) Sending email from sandra@gma-online.de to bompane@company.com --
04/27/07 05:04:56:819 -- (2828) Time to add Msg to Bayes corpus:0
04/27/07 05:04:56:913 -- (1732) EMail from sandra@gma-online.de to bompane@company.com -- was forwarded to 127.0.0.1:26
04/27/07 05:04:56:913 -- (1732) Some recipients do not exist, sending NDR bounce to sender
04/27/07 05:04:56:913 -- (1732) EMail from: sandra@gma-online.de to: bompane@company.com was returned to sender - The following recipients are unknown: bompane@company.com
04/27/07 05:04:57:069 -- (1732) Error-email from sandra@gma-online.de to bompane@company.com was forwarded to 127.0.0.1
04/27/07 05:04:57:866 -- (1756) Created thread (2904) to add email to quarantine
04/27/07 05:04:57:897 -- (2828) Time to add Msg to Bayes corpus:0
04/27/07 05:04:57:913 -- (2904) EMail from barncaredsefexe@maine.rr.com to peter@company.com was received and quarantined. Size: 29 KB, 29696 bytes
04/27/07 05:04:58:147 -- (3992) Bypassed all rules for: bob@company.com from extrimum@greatsoundpros.com
04/27/07 05:04:58:272 -- (1756) Blacklist cache - Added 82.179.199.194 to limbo
04/27/07 05:04:58:506 -- (1756) SFDB - Added 82.179.199.194 - Response: Error=0
04/27/07 05:04:58:506 -- (1756) Disconnect
04/27/07 05:04:59:725 -- (3992) EMail from extrimum@greatsoundpros.com to bob@company.com was queued. Size: 2 KB, 2048 bytes
04/27/07 05:04:59:725 -- (2564) Sending email from extrimum@greatsoundpros.com to bob@company.com --
04/27/07 05:04:59:741 -- (2828) Time to add Msg to Bayes corpus:0
04/27/07 05:04:59:866 -- (2564) EMail from extrimum@greatsoundpros.com to bob@company.com -- was forwarded to 127.0.0.1:26
04/27/07 05:05:00:413 -- (3992) Disconnect
|
Posted By: LogSat
Date Posted: 28 April 2007 at 11:20am
Thermo,
You posted the log just as we were typing in the forum requesting it.
What we see right away is that this is not a single email with multiple recipients, but rather several, separate emails sent in the same session.
The new SpamFilter 3.5 is able to "split" emails with multiple recipients, so that the email is delivered for the allowed recipients, but is blocked for the others.
As this is not apparently the case here, we'll need to look into it further, as you may indeed have found a bug, since this is not an issue of splitting the email, but rather of handling multiple emails in the same session.
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
|
Posted By: LogSat
Date Posted: 28 April 2007 at 4:34pm
Bug confirmed.
Nice catch Thermo, thanks a lot for reporting this. We'll have it fixed shortly, and will make the patch available within 24/48 hours.
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
|
Posted By: mikek
Date Posted: 02 May 2007 at 9:00am
Updated to 3.5.3.665 but am still seeing mails not split up correctly. This mail was sent to 111@xxx.com with cc: to 222@xxx.com, 333@xxx.com, 444@xxx.com and 555@xxx.com. 555@xxx.com has the :SPAM tag in unfiltered E-Mails, 222@xxx.com and 444@xxx.com do not exist (and therefore are not listed in the "Authorized E-Mails" list).
05.01.07 20:42:36:296 -- (1480) Connection from: 210.245.125.227 - Originating country : Vietnam
05.01.07 20:42:38:437 -- (1480) Resolving 210.245.125.227 - digipower.vn
05.01.07 20:42:39:000 -- (1480) - SFDB filter match - relevance:85
05.01.07 20:42:39:000 -- (1480) 210.245.125.227 - Mail from: uaaihmjbeq@digipower.vn To: 111@xxx.com will be rejected
05.01.07 20:42:39:750 -- (1480) - EmailTO is not in AuthorizedTOEmail list...
05.01.07 20:42:39:750 -- (1480) 210.245.125.227 - Mail from: uaaihmjbeq@digipower.vn To: 222@xxx.com will be rejected
05.01.07 20:42:40:250 -- (1480) Mail from: uaaihmjbeq@digipower.vn
05.01.07 20:42:40:250 -- (1480) 210.245.125.227 - Mail from: uaaihmjbeq@digipower.vn To: 333@xxx.com will be rejected
05.01.07 20:42:40:765 -- (1480) - EmailTO is not in AuthorizedTOEmail list...
05.01.07 20:42:40:765 -- (1480) 210.245.125.227 - Mail from: uaaihmjbeq@digipower.vn To: 444@xxx.com will be rejected
05.01.07 20:42:41:265 -- (1480) 210.245.125.227 - Mail from: uaaihmjbeq@digipower.vn To: 555@xxx.com will be spam-tagged
05.01.07 20:42:41:265 -- (1480) Mail from: uaaihmjbeq@digipower.vn
05.01.07 20:42:54:812 -- (1480) EMail from uaaihmjbeq@digipower.vn to "111@xxx.com, 222@xxx.com, 333@xxx.com, 444@xxx.com, 555@xxx.com" was queued. Size: 28 KB, 28672 bytes
05.01.07 20:42:54:812 -- (7812) Sending email from uaaihmjbeq@digipower.vn to 111@xxx.com, 222@xxx.com, 333@xxx.com, 444@xxx.com, 555@xxx.com --
05.01.07 20:42:55:500 -- (7812) EMail from uaaihmjbeq@digipower.vn to 111@xxx.com, 222@xxx.com, 333@xxx.com, 444@xxx.com, 555@xxx.com -- was forwarded to xxx.xxx.xxx.xxx:25
05.01.07 20:42:55:500 -- (7812) EMail from: uaaihmjbeq@digipower.vn to: 222@xxx.com, 444@xxx.com was returned to sender - The following recipients are unknown: 222@xxx.com, 444@xxx.com
05.01.07 20:42:55:500 -- (7812) Some recipients do not exist, sending NDR bounce to sender
|
Posted By: LogSat
Date Posted: 02 May 2007 at 8:12pm
I'm afraid at first glance we only patched the problem that occurred when the same SMTP session sent multiple separate emails, and did not address the problem with the tagging. We thought they fell under the same category, but judging from your log this appears not to be the same. We'll post an update here after looking into this further.
------------- Roberto Franceschetti
http://www.logsat.com - LogSat Software
http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
|
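Added example, not part of the forum thread and not LogSat's code: a log audit for the two symptoms reported above, namely recipients that bypass all rules after a spam-tagged recipient in the same session, and recipients marked "will be rejected" that still appear in a queued message. The sample lines are constructed in the log format shown in the posts; the function name and finding labels are hypothetical, and the bypass check is a heuristic for review, since a bypass can also be legitimate.

```python
import re
from collections import defaultdict

LINE = re.compile(r"^\S+ \S+ -- \((\d+)\) (.*)$")   # timestamp -- (thread id) message
VERDICT = re.compile(r"Mail from: \S+ To: (\S+) will be (rejected|spam-tagged)")
QUEUED = re.compile(r'EMail from \S+ to "?([^"]+?)"? was queued')
BYPASS = re.compile(r"Bypassed all rules for: (\S+) from ")

def audit(lines):
    """Return (thread, kind, recipient) for each delivery that contradicts a verdict."""
    verdicts = defaultdict(dict)   # thread id -> {recipient: verdict}
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, msg = m.groups()
        if msg.startswith("Connection from:") or msg == "Disconnect":
            verdicts.pop(tid, None)          # thread ids are reused; state is per session
        elif v := VERDICT.search(msg):
            verdicts[tid][v.group(1).lower()] = v.group(2)
        elif b := BYPASS.search(msg):
            rcpt = b.group(1).lower()
            # Heuristic: bypass for a recipient with no verdict, after a tag-only verdict.
            if "spam-tagged" in verdicts[tid].values() and rcpt not in verdicts[tid]:
                findings.append((tid, "bypass-after-tag", rcpt))
        elif q := QUEUED.search(msg):
            for rcpt in (r.strip().lower() for r in q.group(1).split(",")):
                if verdicts[tid].get(rcpt) == "rejected":
                    findings.append((tid, "rejected-but-queued", rcpt))
    return findings

# Constructed sample input (not taken from the posts), covering both symptoms.
SAMPLE = """\
01/02/07 10:00:00:000 -- (100) Connection from: 192.0.2.10 - Originating country : Exampleland
01/02/07 10:00:01:000 -- (100) 192.0.2.10 - Mail from: s1@sender.example To: tagged@corp.example will be spam-tagged
01/02/07 10:00:02:000 -- (100) EMail from s1@sender.example to tagged@corp.example was queued. Size: 2 KB, 2048 bytes
01/02/07 10:00:03:000 -- (100) Bypassed all rules for: frank@corp.example from s2@sender.example
01/02/07 10:00:04:000 -- (100) EMail from s2@sender.example to frank@corp.example was queued. Size: 2 KB, 2048 bytes
01/02/07 10:00:05:000 -- (100) Disconnect
01.02.07 11:00:00:000 -- (200) Connection from: 192.0.2.20 - Originating country : Exampleland
01.02.07 11:00:01:000 -- (200) 192.0.2.20 - Mail from: s3@sender.example To: a@corp.example will be rejected
01.02.07 11:00:02:000 -- (200) 192.0.2.20 - Mail from: s3@sender.example To: b@corp.example will be spam-tagged
01.02.07 11:00:03:000 -- (200) EMail from s3@sender.example to "a@corp.example, b@corp.example" was queued. Size: 28 KB, 28672 bytes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE.splitlines()):
        print(finding)
```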