Print Page | Close Window

Single user getting lots of spam

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6996
Printed Date: 28 December 2024 at 5:32pm


Topic: Single user getting lots of spam
Posted By: brian.chlamers
Subject: Single user getting lots of spam
Date Posted: 20 December 2011 at 2:29pm
I am new to my current company and have inherited the Spam Filter, so I don't know much about it.  I have one user, who happens to be the owner of the company, that is has been getting lots of spam.  For example, I have put keywords in the keyword filter, but they don't seem to be blocked.  He is getting email from .ru domains, and email from Russia seems to be set to be blocked.  He is also getting e-mail from .info domains, even though we have set that up on the domain block list.  We are on version 4.2.4.834 Stand alone.
 
Brian


Replies:
Posted By: LogSat
Date Posted: 20 December 2011 at 10:10pm

Brian,


If you can zip and email us (at support at logsat dot com) the following,  we'll take a look to see if anything is wrong:

  • SpamFilter's activity logfile for a day
  • The to/from email addresses for some of the spam emails being let thru
  • Your SpamFilter.ini file
  • The \SpamFilter\Domains directory structure (if the files containing any of your blacklists/whitelists are outside that directory tree, please include those as well.

If the zipped file is over 8MB in size, please try to upload the file to our ftp server, for which I'll send you the login credentials in a separate PM




-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: brian.chlamers
Date Posted: 04 January 2012 at 11:32am
I tried to send you a private message, but your inbound folder is full.  The file is only 1.15MB, but by rule, we block e-mail in and out of .zip files.  I cannot access the ftp page you sent me via pm.  Is it still available?  We might be blocking it in our firewall if it is, so can I send you my zip file from a private e-mail address?
 
Brian

Posted By: LogSat
Date Posted: 04 January 2012 at 6:57pm
For the FTP - the site is always available. You may want to try switching between the Active/Passive modes in your FTP client to see if that can get around the firewall.

If you're still having issues, feel free to rename the .zip file to another extension, or to send it from another email address. If you'd like for us to download the file from any website you can upload it to (or a DropBox account), we'll be glad to do that as well.

PS - sorry for the PM mailbox, someone bombed us with messages and I did not clear it in time.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: brian.chlamers
Date Posted: 05 January 2012 at 1:05pm

I have renamed the file .bak and sent it out today. 

Thanks,
 
Brian Chalmers

Posted By: LogSat
Date Posted: 05 January 2012 at 5:38pm
We finished debugging your logfile, but everything seems to be working pretty much correctly. Let me give you an example. The logfile you forwarded us shows 4,179 connection attempts. Of those connections, SpamFilter accepted and delivered only 1,177  emails. 418 of these emails were whitelisted, so SpamFilter identified as clean 759 emails out of 4,179. This means that SpamFilter only allowed 18% of your total email traffic thru. Not counting the whitelisted emails, SpamFilter thus identified as spam and blocked about 82% of your total SMTP traffic. That is a bit better than the average 70%-80% we usually see.

Now, assuming that one out of two emails you receive in your mailbox is spam (thus 50%), this still means that SpamFilter incorrectly allowed thru 50% x 759 = 380 emails. So SpamFilter would have incorrectly identified as clean only 380 emails out of 4,179. This is an accuracy of 91%, which is instead a bit lower than what we'd normally see (95%-99%). This may be caused by the relatively large number of whitelisted emails, but looking thru them they do appear to be mostly legitimate emails - no spam was incorrectly whitelisted.

If you'd like for us to check some specific emails that were allowed thru, regardless of keywords and blocked domains, if you can please zip us some samples that were received on Jan 3rd (the day of the logs you sent us), I'll be glad to look into that as well. Please ensure to send us the actual, original email (headers and source). Simply forwarding an email "inline" will completely alter the content making it impossible to obtain the original format.

Please do note that SpamFilter uses the "envelope" sender email address when performing checks against the sender's domain/email. This "envelope" email address is what is specified in the "MAIL FROM" SMTP command, and usually appears as the "Return-Path" address in the email's headers. SpamFilter does not use the email specified in the "From:" header, as that is only used to display a name/email in the "From" field in email clients, and is not the actual address used by mail servers to route emails.

Also to notice is that, for keywords, SpamFilter checks for them in the source of an email. Spammers could write an HTML email with words that "look" in a certain way to the human eye, but when looking at their actual HTML code, they will be much different. So when creating keywords to block content, you'll need to check the actual source of the emails to ensure the keywords match the source.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: LogSat
Date Posted: 07 January 2012 at 10:57am
Brian,

We received your 4 spam samples, but I'm a bit confused. Let me pre-say that the samples were in a Outlook .msg format, and thus that completely altered the original email's format, headers included. It is thus possible that the headers we received were not the original ones. 

This said, assuming the headers were actually semi-correct, none of the 4 spam emails had SpamFilter's headers in them. These headers should be as follows for example:

Received: from 117.26.121.8 by mail.netwide.net (LogSat Software SMTP Server); Sat, 07 Jun 2012 09:04:59 -0500
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <test@test.logsat.comt>
X-SF-HELO-Domain: test.somedomain.com
X-SF-Originating-IP: 117.26.121.8

The fact that these headers are not present in an email indicates that the email was not processed by SpamFilter.
I then checked the MX records for one of your domains (your main one - the one I will use to send you a copy of this forum reply via email). That domain has to MX records:
mail01.pro-----------ng.com
mail02.pro-----------ng.com

When I connected via telnet on port 25 and established an SMTP session on those two hosts, in neither case I was connected to a SpamFilter server. There are two different mail servers listening for SMTP traffic on those two IPs, not SpamFilter. This confirms what I noticed in the headers - SpamFilter did not process those 4 spam email samples.

However, when looking at you SpamFilter activity logfile you forwarded us, I do indeed see internet emails being processed by SpamFilter, and that emails originated from a multitude of different internet IPs, indicating that somehow internet emails are reaching SpamFilter even though the MX records do not point to SpamFilter servers.

This is why I'm a bit confused... A possible explanation is that you *may* have another application/proxy processing inbound emails from the internet, and that this other application/proxy is masking its IP when forwarding some of the emails to SpamFilter. However as you are receiving emails not processed by SpamFilter, this application/proxy may not be forwarding all of its emails to SpamFilter. Unfortunately I can't be sure without knowing more about your network.

I hope all this will help you anyways to see what is happening as you are getting more familiar with the setup you inherited.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Print Page | Close Window