
Whitelist not working?

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6080
Printed Date: 18 December 2017 at 9:46am


Topic: Whitelist not working?
Posted By: algilson
Subject: Whitelist not working?
Date Posted: 23 May 2007 at 11:10am
Running registered 3.5.3.674, and had an email come in from a customer that gets stuck in the quarantine, even though their domain is whitelisted.

Logs:
05/23/07 09:37:35:773 -- (3560) Connection from: 216.171.105.99  -  Originating country : Canada
05/23/07 09:37:35:903 -- (3560) Resolving 216.171.105.99 - Not found
05/23/07 09:37:35:903 -- (3560) - Reverse DNS not found -
05/23/07 09:37:35:903 -- (3560) 216.171.105.99 - Mail from: ljanisse@wcwood.com To: guelph@mtprint.com will be rejected
05/23/07 09:37:35:953 -- (3560) Start virus scan
05/23/07 09:37:35:963 -- (3560) Starting quarantine procedures
05/23/07 09:37:35:963 -- (3560) Created thread (3172) to add email to quarantine
05/23/07 09:37:35:963 -- (3560) Starting bayesian procedures
05/23/07 09:37:36:023 -- (3540) Time to add Msg to Bayes corpus:0
05/23/07 09:37:36:053 -- (3172) EMail from ljanisse@wcwood.com to guelph@mtprint.com was received and quarantined. Size: 2 KB, 2048 bytes
05/23/07 09:37:36:083 -- (3560) Blacklist cache - Added 216.171.105.99 to limbo
05/23/07 09:37:36:273 -- (3560) SFDB - Added 216.171.105.99 - Response: Error=0
05/23/07 09:37:36:273 -- (3560) Disconnect

Reject if no reverse DNS is enabled
wcwood.com is in the whitelist

Now an hour and 20 minutes later, without changing any settings, I came back to find:
05/23/07 10:51:19:784 -- (1292) Connection from: 216.171.105.99  -  Originating country : Canada
05/23/07 10:51:20:785 -- (1292) Bypassed all rules for: guelph@mtprint.com from ljanisse@wcwood.com ( Whitelisted Email From Domain)
05/23/07 10:51:20:845 -- (1292) Start virus scan
05/23/07 10:51:20:855 -- (1292) Starting queueing procedures
05/23/07 10:51:20:865 -- (1292) EMail from ljanisse@wcwood.com to guelph@mtprint.com was queued. Size: 1 KB, 1024 bytes
05/23/07 10:51:20:865 -- (1292) Starting bayesian procedures
05/23/07 10:51:20:875 -- (2296) Sending email from ljanisse@wcwood.com to guelph@mtprint.com --
05/23/07 10:51:20:906 -- (1772) Time to add Msg to Bayes corpus:0
05/23/07 10:51:21:066 -- (2296) EMail from ljanisse@wcwood.com to guelph@mtprint.com --  was forwarded to 192.168.1.4:25


I checked the autowhitelistForceDelivery.txt file and the sender is NOT in the list. Help?




Replies:
Posted By: sgeorge
Date Posted: 23 May 2007 at 3:06pm
Interesting indeed.  Are you running SFI or SFE?  (I'm only familiar with SFI)

I would search my log file from today for "tblWL_DomainsIPs", or the file name for my whitelisted domains/ips.  See if the file had been reloaded or inaccessible due to someone/something changing or updating it.  Also see if logs indicate changes to or trouble accessing Filters.ini.

Aside: unless you've force-delivered the 1st, quarantined email, you wouldn't expect the sender's email address in autowhitelistForceDelivery.txt.

Let us know if the search ends up with something, particularly between the time of these two messages.  Good luck!

Stephen


Posted By: algilson
Date Posted: 23 May 2007 at 3:20pm
We're running SFE.

Interestingly enough, I have this in my logfiles between when the whitelist failed, and when it worked.

05/23/07 09:46:42:749 -- Shutting down all threads. Please wait up to 15-20 seconds....
05/23/07 09:46:51:081 -- SpamFilter ISP v3.5.3.674 Listening on 209.183.146.39:25,
05/23/07 09:46:51:081 -- Exporting DB data for tbl_FilterSettings: temp\domains\ ALL DOMAINS\Filters.ini
05/23/07 09:46:51:081 -- Reloading filter.ini: temp\domains\ ALL DOMAINS\Filters.ini
05/23/07 09:46:51:081 -- Exporting DB data for tbl_LocalDomains: temp\domains\ ALL DOMAINS\_LocalDomains.txt
05/23/07 09:46:51:081 -- Reloading file for tbl_LocalDomains: temp\domains\ ALL DOMAINS\_LocalDomains.txt
05/23/07 09:46:51:081 -- Exporting DB data for tblWL_AuthorizedTOEmails: temp\domains\ ALL DOMAINS\WL_AuthorizedTOEmails.txt
05/23/07 09:46:51:081 -- Reloading file for tblWL_AuthorizedTOEmails: temp\domains\ ALL DOMAINS\WL_AuthorizedTOEmails.txt
05/23/07 09:46:51:081 -- Exporting DB data for tblWL_Keywords: temp\domains\ ALL DOMAINS\WL_Keywords.txt

[snip]

And it continues to list all the files it reloaded. Looks like it worked after that. Now the million dollar question: why did it restart at 9:46? The event viewer helped me figure this one out -- my assistant restarted it to access it in his terminal session. I always run it locally.

Back to the original question: why didn't it work at 9:39, but it worked when the tables were reloaded at 9:46?




Posted By: sgeorge
Date Posted: 23 May 2007 at 3:43pm
...Indeed, that is the million dollar question.  To answer a question with a question...

Why is SpamFilter loading these files from its temp\domains\ALL DOMAINS\ folder?  On my (SFI) installation, SpamFilter attempts to load from domains\SFI\.  I'm speculating that the temp\domains\ folder is there as a backup/fail-safety for your domain lists, and I wonder if the domain lists in SpamFilter root\domains\ had been missing or inaccessible upon restarting.

On a separate note, your assistant may already be aware, but on Win 2K+ servers, there is a way to see the SpamFilter service without restarting it.  You have to connect to the existing "console session" to see the SpamFilter GUI.
Important note: If you connect using the console session on a server, NEVER choose the Log Off option.  This will log out the Administrator, closing down important services and applications (including SpamFilter).  Instead click the "X" to disconnect from the session, leaving it running.


Stephen


Posted By: LogSat
Date Posted: 23 May 2007 at 4:35pm
If it didn't work the first time, but worked the second, the most logical explanation would be that data in the "Whitelisted Email From Domain" list was changed.

Can you look through the logs for today for the text:

Reloading file for tblWL_DomainsIPs

This will tell you if/when SpamFilter has reloaded that whitelist, which is the one that apparently caused the correct whitelisting the second time. Please note that this event will be logged every time SpamFilter is started, and does not necessarily indicate a change.

As far as the path "temp\domains\ALL DOMAINS", please ignore it, as we use it internally to temporarily stage some of the filter files.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
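The log search suggested in the replies above, as an added example that is not part of the original thread or LogSat's own code: it finds where the verdict for one sender changes and lists the `Reloading file for tblWL_DomainsIPs` events logged in between. The function names and the matched phrases are assumptions taken from the log lines quoted in this thread; the one reload line in the sample is constructed.

```python
import re
from datetime import datetime

# Lines copied from the thread, except the tblWL_DomainsIPs line, which is
# constructed: the thread snips the log before that table, so "<path>" is a placeholder.
SAMPLE_LOG = """\
05/23/07 09:37:35:903 -- (3560) 216.171.105.99 - Mail from: ljanisse@wcwood.com To: guelph@mtprint.com will be rejected
05/23/07 09:37:36:053 -- (3172) EMail from ljanisse@wcwood.com to guelph@mtprint.com was received and quarantined. Size: 2 KB, 2048 bytes
05/23/07 09:46:42:749 -- Shutting down all threads. Please wait up to 15-20 seconds....
05/23/07 09:46:51:081 -- Reloading file for tblWL_DomainsIPs: <path>
05/23/07 10:51:20:785 -- (1292) Bypassed all rules for: guelph@mtprint.com from ljanisse@wcwood.com ( Whitelisted Email From Domain)
"""

RELOAD_MARKER = "Reloading file for tblWL_DomainsIPs"
# Groups: timestamp to the second, milliseconds, message (thread id is optional).
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d):(\d{3}) -- (?:\(\d+\) )?(.*)$")

def parse(log):
    """Yield (datetime, message) for every well-formed log line."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            yield ts.replace(microsecond=int(m.group(2)) * 1000), m.group(3)

def classify(msg, sender):
    """Map a message mentioning `sender` to 'blocked', 'whitelisted' or None."""
    if sender not in msg:
        return None
    if "Bypassed all rules" in msg:
        return "whitelisted"
    if "will be rejected" in msg or "was received and quarantined" in msg:
        return "blocked"
    return None

def verdict_changes(log, sender, marker=RELOAD_MARKER):
    """List each change of verdict for `sender` with the reloads logged in between."""
    changes, reloads, prev = [], [], None
    for ts, msg in parse(log):
        if marker in msg:
            reloads.append(ts)
            continue
        verdict = classify(msg, sender)
        if verdict is None:
            continue
        if prev and prev[1] != verdict:
            changes.append({"before": prev, "after": (ts, verdict), "reloads": reloads})
        prev, reloads = (ts, verdict), []
    return changes

if __name__ == "__main__":
    for c in verdict_changes(SAMPLE_LOG, "ljanisse@wcwood.com"):
        print(c["before"], "->", c["after"], "reloads:", c["reloads"])
```

As noted in the post above, the reload line is written on every start, so the result bounds when the whitelist could have changed rather than proving that it did.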


Posted By: algilson
Date Posted: 24 May 2007 at 2:21pm
After a few hours of painful torture, my assistant finally broke down and admitted that he whitelisted the wcwood.com domain at ~9:50 due to complaints from a customer service rep.

I humbly apologize for any confusion that this thread may have caused, and we won't allow this mistake to happen again. Please accept my assistant's head as a token of my goodwill.


Posted By: LogSat
Date Posted: 24 May 2007 at 7:40pm
... well... I actually have to thank your assistant, as if it wasn't for his confession, we probably would have spent long hours tonight looking over your logs!

So we respectfully will decline your generous token, and sincerely hope your assistant will be able to cover for some of our programming bugs in the future...


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


