Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Whitelist not working?
  FAQ FAQ  Forum Search   Register Register  Login Login

Whitelist not working?

 Post Reply Post Reply
Author
algilson View Drop Down
Newbie
Newbie


Joined: 07 December 2005
Location: Canada
Status: Offline
Points: 10
Post Options Post Options   Thanks (0) Thanks(0)   Quote algilson Quote  Post ReplyReply Direct Link To This Post Topic: Whitelist not working?
    Posted: 23 May 2007 at 11:10am
Running registered 3.5.3.674, and had an email come in from a customer that gets stuck in the quarantine, even though their domain is whitelisted.

Logs:
05/23/07 09:37:35:773 -- (3560) Connection from: 216.171.105.99  -  Originating country : Canada
05/23/07 09:37:35:903 -- (3560) Resolving 216.171.105.99 - Not found
05/23/07 09:37:35:903 -- (3560) - Reverse DNS not found -
05/23/07 09:37:35:903 -- (3560) 216.171.105.99 - Mail from: ljanisse@wcwood.com To: guelph@mtprint.com will be rejected
05/23/07 09:37:35:953 -- (3560) Start virus scan
05/23/07 09:37:35:963 -- (3560) Starting quarantine procedures
05/23/07 09:37:35:963 -- (3560) Created thread (3172) to add email to quarantine
05/23/07 09:37:35:963 -- (3560) Starting bayesian procedures
05/23/07 09:37:36:023 -- (3540) Time to add Msg to Bayes corpus:0
05/23/07 09:37:36:053 -- (3172) EMail from ljanisse@wcwood.com to guelph@mtprint.com was received and quarantined. Size: 2 KB, 2048 bytes
05/23/07 09:37:36:083 -- (3560) Blacklist cache - Added 216.171.105.99 to limbo
05/23/07 09:37:36:273 -- (3560) SFDB - Added 216.171.105.99 - Response: Error=0
05/23/07 09:37:36:273 -- (3560) Disconnect

Reject if no reverse DNS is enabled
wcwood.com is in the whitelist

Now an hour and 20 minutes later, without changing any settings, I came back to find:
05/23/07 10:51:19:784 -- (1292) Connection from: 216.171.105.99  -  Originating country : Canada
05/23/07 10:51:20:785 -- (1292) Bypassed all rules for: guelph@mtprint.com from ljanisse@wcwood.com ( Whitelisted Email From Domain)
05/23/07 10:51:20:845 -- (1292) Start virus scan
05/23/07 10:51:20:855 -- (1292) Starting queueing procedures
05/23/07 10:51:20:865 -- (1292) EMail from ljanisse@wcwood.com to guelph@mtprint.com was queued. Size: 1 KB, 1024 bytes
05/23/07 10:51:20:865 -- (1292) Starting bayesian procedures
05/23/07 10:51:20:875 -- (2296) Sending email from ljanisse@wcwood.com to guelph@mtprint.com --
05/23/07 10:51:20:906 -- (1772) Time to add Msg to Bayes corpus:0
05/23/07 10:51:21:066 -- (2296) EMail from ljanisse@wcwood.com to guelph@mtprint.com --  was forwarded to 192.168.1.4:25


I checked the autowhitelistForceDelivery.txt file and the sender is NOT in the list. Help?



Edited by algilson
Back to Top
sgeorge View Drop Down
Senior Member
Senior Member


Joined: 23 August 2005
Status: Offline
Points: 178
Post Options Post Options   Thanks (0) Thanks(0)   Quote sgeorge Quote  Post ReplyReply Direct Link To This Post Posted: 23 May 2007 at 3:06pm
Interesting indeed.  Are you running SFI or SFE?  (I'm only familiar with SFI)

I would search my log file from today for "tblWL_DomainsIPs", or the file name for my whitelisted domains/ips.  See if the file had been reloaded or inaccessible due to someone/something changing or updating it.  Also see if logs indicate changes to or trouble accessing Filters.ini.

Aside: unless you've force-delivered the 1st, quarantined email, you wouldn't expect the sender's email address in autowhitelistForceDelivery.txt.

Let us know if the search ends up with something, particularly between the time of these two messages.  Good luck!

Stephen
Back to Top
algilson View Drop Down
Newbie
Newbie


Joined: 07 December 2005
Location: Canada
Status: Offline
Points: 10
Post Options Post Options   Thanks (0) Thanks(0)   Quote algilson Quote  Post ReplyReply Direct Link To This Post Posted: 23 May 2007 at 3:20pm
We're running SFE.

Interesting enough, I have this in my logfiles between when the whitelist failed, and when it worked.

05/23/07 09:46:42:749 -- Shutting down all threads. Please wait up to 15-20 seconds....
05/23/07 09:46:51:081 -- SpamFilter ISP v3.5.3.674 Listening on 209.183.146.39:25,
05/23/07 09:46:51:081 -- Exporting DB data for tbl_FilterSettings: temp\domains\ ALL DOMAINS\Filters.ini
05/23/07 09:46:51:081 -- Reloading filter.ini: temp\domains\ ALL DOMAINS\Filters.ini
05/23/07 09:46:51:081 -- Exporting DB data for tbl_LocalDomains: temp\domains\ ALL DOMAINS\_LocalDomains.txt
05/23/07 09:46:51:081 -- Reloading file for tbl_LocalDomains: temp\domains\ ALL DOMAINS\_LocalDomains.txt
05/23/07 09:46:51:081 -- Exporting DB data for tblWL_AuthorizedTOEmails: temp\domains\ ALL DOMAINS\WL_AuthorizedTOEmails.txt
05/23/07 09:46:51:081 -- Reloading file for tblWL_AuthorizedTOEmails: temp\domains\ ALL DOMAINS\WL_AuthorizedTOEmails.txt
05/23/07 09:46:51:081 -- Exporting DB data for tblWL_Keywords: temp\domains\ ALL DOMAINS\WL_Keywords.txt

[snip]

And it continues to list all the files it reloaded. Looks like it worked after that. Now the million dollar question: why did it restart at 9:46? The event viewer helped me figure this one out -- my assistant restarted it to access it in his terminal session. I always run it locally.

Back to the original question: why didn't it work at 9:39, but it worked when the tables were reloaded at 9:46?


Back to Top
sgeorge View Drop Down
Senior Member
Senior Member


Joined: 23 August 2005
Status: Offline
Points: 178
Post Options Post Options   Thanks (0) Thanks(0)   Quote sgeorge Quote  Post ReplyReply Direct Link To This Post Posted: 23 May 2007 at 3:43pm
...Indeed, that is the million dollar question.  To answer a question with a question...

Why is SpamFilter loading these files from its temp\domains\ALL DOMAINS\ folder?  On my (SFI) installation, SpamFilter attempts to load from domains\SFI\.  I'm speculating that the temp\domains\ folder is there as a backup/fail-safety for your domain lists, and I wonder if the domain lists in SpamFilter root\domains\ had been missing or inaccessible upon restarting.

On a separate note, your assistant may already be aware, but on Win 2K+ servers, there is a way to see the SpamFilter service without restarting it.  You have to connect to the existing "console session" to see SpamFilter gui.
Important note: If you connect using the console session on a server, NEVER choose the Log Off option.  This will log out the Administrator, closing down important services and applications (including SpamFilter).  Instead click the "X" to disconnect from the session, leaving it running.


Stephen
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 23 May 2007 at 4:35pm
If it didn't work the first time, but worked the second, the most logical explanation would be that data in the "Whitelisted Email From Domain" list was changed.

Can you look thru the logs for today for the text:

Reloading file for tblWL_DomainsIPs

This will tell you if/when SpamFilter has reloaded that whitelist, which is the one that apparently caused the correct whitelisting the second time. Please note that this event will be logged every time SpamFilter is started, and does not necessarily indicate a change.

As far as the path "temp\domains\ALL DOMAINS", please ignore it, as we use it internally to temporarily stage some of the filter files.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
algilson View Drop Down
Newbie
Newbie


Joined: 07 December 2005
Location: Canada
Status: Offline
Points: 10
Post Options Post Options   Thanks (0) Thanks(0)   Quote algilson Quote  Post ReplyReply Direct Link To This Post Posted: 24 May 2007 at 2:21pm
After a few hours of painful torture, my assistant finally broke down and admitted that he whitelisted the wcwood.com domain at ~9:50 due to complaints from a customer service rep.

I humbly apologize for any confusion that this thread may have caused, and we won't allow this mistake to happen again. Please accept my assistant's head as a token of my goodwill.
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 24 May 2007 at 7:40pm
... well... I actually have to thank your assistant, as if it wasn't for his confession, we probably would have spent long hours tonight looking over your logs!

So we respectfully will decline your generous token, and sincerely hope your assistant will be able to cover for some of our programing bugs in the future...
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.078 seconds.