Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - SpamFilter rejecting store & forward mail
  FAQ FAQ  Forum Search   Register Register  Login Login

SpamFilter rejecting store & forward mail

 Post Reply Post Reply
Author
jacksun View Drop Down
Newbie
Newbie


Joined: 24 February 2005
Status: Offline
Points: 31
Post Options Post Options   Thanks (0) Thanks(0)   Quote jacksun Quote  Post ReplyReply Direct Link To This Post Topic: SpamFilter rejecting store & forward mail
    Posted: 25 January 2006 at 8:23pm

Hi everyone, I have a little problem I need to resolve and I hope you can help.
Basically what I need is the ability to whitelist certain servers, but still have all email coming from them spamfiltered (confused yet?).

Here is the situation: We use Frontbridge for store & forward service. Basically if our mail servers are offline our mail is redirected to them, they store it and when our servers come back online they forward it through to us.
We do not use their optional Spamfiltering service because, well. we have a better one that we are more than happy with.

So, to test this service we took our mail servers offline for scheduled maintenance. Everything worked fine, notifications, reports, stats etc until we turned our servers back online.
Because all the mail they are now forwarding to us shows as coming from their servers, not the true originator, and we are not using their spamfiltering service we receive emails that would normally be filtered by our superior product.
Needless to say this results in their servers being blocked, some by honeypot, some by blacklist cache because of the volumes. I can solve the honeypot issue by adding their IP's to the DoNotAddIPtoHoneypot section of spamfilter.ini. I would like to keep the IP blacklist cache settings I have, upping them would be an interim solution, but I would prefer a minimal admin permanent solution. Whitelisting the servers stops us from filtering the inbound email.

I need to prevent their servers from ever being blocked, except for emails that are spam that would be blocked if the original senders server was seen by spamfilter.

Any ideas?

Thanks,
Wayne



Edited by jacksun
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 25 January 2006 at 8:40pm

Wayne,

Tough one ... one that I resolved only by running my own backup servers at our 2nd facility and using SpamFilter.  Once a server is allowed to receive its mail for you, any blocking due to connection stuff, rDNS, MX, even dnsbl's will no longer work (as you saw) and you are now down to filtering by the more subjective keywords, froms, to's ETC.

No help from me.

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4065
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 25 January 2006 at 10:25pm
Wayne,

That is a bit problematic... In your scenario, as Dan said, many of the IP-based filter will fail to detect spam as the IP address of the sender is masked by the mail holding service. Furthermore, other tests, like the SPF filter, will actually cause emails to be rejected as the sender (Frontbridge) is not going to be an approved IP for the sender's email domain (SPF verifies that the IP used to send an email has been authorized by the domain administrators to send emails on their behalf).

That said, you should be able to prevent Frontbridge to be permanently blocked by adding their IP in the "DoNotAddIPtoHoneypot" settings. That setting is used not only by the honeypot, but also by the new IP blacklist cache, so that neither filter will permanently block them. If you're using the antivirus plugin, you'll need to disable the option to "Autoblock virus sender's IP" as well. From then on, unless Frontbridge's IP address appears on the various MAPS RBL lists, they should not be blocked (please note the SPF comment above, as those emails *will* be blocked...)
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
jacksun View Drop Down
Newbie
Newbie


Joined: 24 February 2005
Status: Offline
Points: 31
Post Options Post Options   Thanks (0) Thanks(0)   Quote jacksun Quote  Post ReplyReply Direct Link To This Post Posted: 25 January 2006 at 10:43pm

Hi Guys, thanks for the feedback. One key piece of information from Roberto is that the "DoNotAddIPtoHoneypot" setting works on the Blacklist IP cache as well.

I am not sure that SPF is an issue, here is a header from one of the inbound mails:

Received: from 63.161.60.29 by ccsmail1.ccs.corp (LogSat Software SMTP Server) Tue, 24 Jan 2006 10:51:32 -0700
Received: from mail34-kan.bigfish.com (localhost.localdomain [127.0.0.1])
 by mail34-kan-R.bigfish.com (Postfix) with ESMTP id 55DD21C5BFC
 for <rtwright@concordwell.com>; Tue, 24 Jan 2006 11:23:48 +0000 (UTC)
Received: by mail34-kan (MessageSwitch) id 1138101828323447_16009; Tue, 24 Jan 2006 11:23:48 +0000 (UCT)
Received: from -1208164416 (chello084114139028.4.15.vie.surfer.at [84.114.139.28])
 by mail34-kan.bigfish.com (Postfix) with SMTP id ED0D91C5C30
 for <rtwright@concordwell.com>; Tue, 24 Jan 2006 11:23:44 +0000 (UTC)
Received: from grdouglas.com (-1210093304 [-1213917768])
 by chello084114139028.4.15.vie.surfer.at (Qmailv1) with ESMTP id 41FEB72ED9
 for <rtwright@concordwell.com>; Tue, 24 Jan 2006 05:15:45 -0500
Date: Tue, 24 Jan 2006 05:15:45 -0500
From: "Draft O. Pollock" <Yuriy_Kaminsky@grdouglas.com>
X-Mailer: The Bat! (v2.00.3) Personal
X-Priority: 3
Message-ID: <3546129965.20060124051545@grdouglas.com>
To: Rtwright <rtwright@concordwell.com>
Subject: Software
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-milter (http://amavis.org/)
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <Yuriy_Kaminsky@grdouglas.com>
X-SF-HELO-Domain: mail34-kan-R.bigfish.com

The originators IP is the [84.114.139.28]

Bigfish.com is the domain frontbridge uses for all its mail servers so this is legitimate.
Not sure if the header gives anyone any other ideas, but any would be welcome.

My biggest issue is making certain they are filtered to the largest degree possible and not blocked from delivery. Some false positives are acceptable as this situation will not occur often and users can us their quarantine web access to grab what they didn't get and needed.

Thanks,
Wayne

Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.078 seconds.