
Image filter blocking white listed mail

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6485
Printed Date: 19 April 2025 at 3:38pm


Topic: Image filter blocking white listed mail
Posted By: jemmie
Subject: Image filter blocking white listed mail
Date Posted: 15 May 2008 at 1:37pm

A day ago ISP blocked a mail ("Detected spam signature in embedded image") when the from address was white listed.

I disabled the image filter so it should not happen again, but does anyone know if this behavior is by design (the image filter takes precedence over the white list), or is it some bug in the program?
 
I use version 4.0.0.772 standard.
 



Replies:
Posted By: LogSat
Date Posted: 15 May 2008 at 3:50pm
jemmie,

The whitelists have precedence over the image filters (and most other filters). Without looking at the logs we can't be certain, but the most common scenario is when the "from" that was whitelisted is not the "real" sender's email address, but rather the one specified in the "From:" email header.

SpamFilter acts upon the "real" email address specified in the email. This is often referred to as the "Envelope" address, or the "Return-Path" address. It is the email address that is provided by the sender's server in the "MAIL FROM" SMTP command. SpamFilter logs this address in the following header:

X-SF-RX-Return-Path: <user@some.domain>

And it also should appear in the "standard" header:
Return-Path: <user@some.domain>



-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: jemmie
Date Posted: 16 May 2008 at 1:12am
Thanks for the response.
This is the part of the log.
 
05/15/08 03:30:09:561 -- (80816) Connection from: 194.109.24.31  -  Originating country : Netherlands
05/15/08 03:30:09:721 -- (80816) Received MAIL FROM: <userf@xs4all.nl >
05/15/08 03:30:09:751 -- (80816) Received RCPT TO: user@mine.net
05/15/08 03:30:09:782 -- (80816) Resolving 194.109.24.31 - smtp-vbr11.xs4all.nl
05/15/08 03:30:10:022 -- (80816) Mail from: user@xs4all.nl
05/15/08 03:30:10:232 -- (80816) - MAPS search done...
05/15/08 03:30:10:232 -- (80816) RCPT TO: user@mine.net accepted
05/15/08 03:30:10:262 -- (80816) Received RCPT TO: user2@mine.net
05/15/08 03:30:10:262 -- (80816) Mail from: user@xs4all.nl
05/15/08 03:30:10:262 -- (80816) RCPT TO: user2@mine.net accepted
05/15/08 03:30:10:422 -- (80816) Checking SFDC
05/15/08 03:30:10:713 -- (80816) Hash cache - Added OK
05/15/08 03:30:10:783 -- (80816) String matching error for (received: from 194.109.24.31 by mail.mine.net (logsat software smtp server - rc); thu, 15 may 2008 03:30:10 +0200 -- received: from s8f60db (a80-101-66-150.adsl.xs4all.nl [80.101.66.150]) --  by smtp-vbr11.xs4all.nl (8.13.8/8.13.8) with esmtp id m4f1vc0u05 --and-- ((?i)(v . a g r a)) : TRegExpr(comp): ParseReg Unmatched () (pos 16)
05/15/08 03:30:10:823 -- (80816) String matching error for (received: from 194.109.24.31 by mail.mine.net (logsat software smtp server - rc); thu, 15 may 2008 03:30:10 +0200 -- received: from s8f60db (a80-101-66-150.adsl.xs4all.nl [80.101.66.150]) --  by smtp-vbr11.xs4all.nl (8.13.8/8.13.8) with esmtp id m4f1vc0u05 --and-- ((?i)"\#fffff[^f]") [1]) : TRegExpr(comp): ParseReg Unmatched () (pos 17)
05/15/08 03:30:10:833 -- (80816) String matching error for (received: from 194.109.24.31 by mail.mine.net (logsat software smtp server - rc); thu, 15 may 2008 03:30:10 +0200 -- received: from s8f60db (a80-101-66-150.adsl.xs4all.nl [80.101.66.150]) --  by smtp-vbr11.xs4all.nl (8.13.8/8.13.8) with esmtp id m4f1vc0u05 --and-- ((?s)\<(font|span)[^>]+style[^>]+float[^>]*:[^>]*right) [3]) : TRegExpr(comp): ParseReg Unmatched () (pos 53)
05/15/08 03:30:10:953 -- (80816) Scanning image for spam:image001.jpg
05/15/08 03:30:10:953 -- (80816) Detected spam signature in embedded image
05/15/08 03:30:10:963 -- (80816) Starting quarantine procedures
05/15/08 03:30:10:983 -- (80816) Created thread (80304) to add email to quarantine
05/15/08 03:30:10:983 -- (80816) Starting bayesian procedures
05/15/08 03:30:10:983 -- (80304) Adding to Quarantine file:Qrt7D7A.tmp
05/15/08 03:30:11:173 -- (80304) EMail from user@xs4all.nl to user@mine.net , user2@mine.net was received and quarantined. Size: 17 KB, 17408 bytes
05/15/08 03:30:28:326 -- (80816) Blacklist cache - Added 194.109.24.31 to limbo
05/15/08 03:30:28:556 -- (80816) SFDB - Added 194.109.24.31 - Response: Error=0
05/15/08 03:30:28:556 -- (80816) Disconnect
 
Where mine.net is my domain and user@xs4all.nl is the sender and that address is whitelisted.
 
If I look into the header of the mail I found the X-SF-RX-Return-Path and that is the same address.
 X-SF-RX-Return-Path: <user@xs4all.nl>
 
Names are changed in the log.
 
jemmie


Posted By: jemmie
Date Posted: 25 May 2008 at 4:15am
Problem still exists.


Posted By: LogSat
Date Posted: 25 May 2008 at 8:32pm
jemmie,

I'm sorry, we missed the previous post and did not reply to it. We'll need a zipped copy of your activity logfile (or the *exact* section you pasted above), along with your SpamFilter.ini file, and your SpamFilter\domains directory tree. If your email whitelist file is located outside of the "domains" directory, please include that too.

From the log entries above, it seems that the address user@xs4all.nl is *not* being whitelisted, otherwise this would have been logged. The most likely causes are typos in the address, and/or leading and trailing spaces on the line containing the address.

As a side-note, there are also entries being logged that show you're missing a parenthesis in the keywords:

((?i)(v . a g r a))
((?s)\<(font|span)[^>]+style[^>]+float[^>]*:[^>]*right) [3])
((?i)"\#fffff[^f]") [1])


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: jemmie
Date Posted: 26 May 2008 at 3:11am
Where can I send it?


Posted By: LogSat
Date Posted: 26 May 2008 at 9:10am
support at logsat dot com

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: jemmie
Date Posted: 28 May 2008 at 3:14am
Found the problem myself. There were trailing spaces at the address in the white list.
 
Sorry for the trouble.
 
jemmie
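
Added example (not part of the original thread and not LogSat code): a Python sketch of the two checks discussed above, taking the envelope sender from the X-SF-RX-Return-Path / Return-Path headers instead of From:, and linting whitelist lines for leading or trailing whitespace. The sample message, the whitelist lines and the exact-string comparison are constructed assumptions, not SpamFilter's actual matching logic.

```python
import email
from email.utils import parseaddr

# Constructed sample data, not taken from the poster's real files.
WHITELIST_LINES = ["friend@example.org\n", "user@xs4all.nl  \n", " boss@example.com\n"]
RAW_MESSAGE = (
    "Return-Path: <user@xs4all.nl>\n"
    "X-SF-RX-Return-Path: <user@xs4all.nl>\n"
    'From: "Display Name" <newsletter@example.net>\n'
    "Subject: test\n\nbody\n"
)

def envelope_sender(raw):
    """Address given in MAIL FROM, as recorded in the headers (not From:)."""
    msg = email.message_from_string(raw)
    for name in ("X-SF-RX-Return-Path", "Return-Path"):
        value = msg.get(name)
        if value:
            return parseaddr(value)[1].lower()
    return ""

def header_from(raw):
    """Address shown in the From: header, which may differ from the envelope."""
    msg = email.message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower()

def lint_whitelist(lines):
    """Return (line_number, repr(entry)) for entries with stray whitespace."""
    problems = []
    for number, line in enumerate(lines, 1):
        entry = line.rstrip("\r\n")
        if entry and entry != entry.strip():
            problems.append((number, repr(entry)))
    return problems

def is_whitelisted(address, lines, normalize):
    """Exact comparison (assumed); normalize=True strips entries first."""
    entries = [line.rstrip("\r\n") for line in lines]
    if normalize:
        entries = [entry.strip() for entry in entries]
    return address.lower() in {entry.lower() for entry in entries if entry}

if __name__ == "__main__":
    sender = envelope_sender(RAW_MESSAGE)
    print("envelope sender:", sender, "| From header:", header_from(RAW_MESSAGE))
    print("match as written:", is_whitelisted(sender, WHITELIST_LINES, False))
    print("match after strip:", is_whitelisted(sender, WHITELIST_LINES, True))
    for number, entry in lint_whitelist(WHITELIST_LINES):
        print("line %d has stray whitespace: %s" % (number, entry))
```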


