spam passing filters

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6575
Printed Date: 14 December 2017 at 2:02pm


Topic: spam passing filters
Posted By: 2CNL
Subject: spam passing filters
Date Posted: 04 November 2008 at 7:43am
Still approx 6% of the spam is passing through the logsat filters.
Some of this spam is very obvious, and the real pain is that even the Outlook unwanted mail list is collecting them, but logsat is not. It seems all these mails are coming from the backup SMTP server (of our ISP) that I put on the greylistallowed.
Any thoughts on what can be the cause of this passed spam?

Remarkable, but not very clear as to the cause, are the following figures.
total inbound connections server: 540.000
emails forwarded 26000
emails blocked 82000
email attempts 15000

Is this normal behaviour?




Replies:
Posted By: LogSat
Date Posted: 04 November 2008 at 3:18pm
2CNL,

If you were to have Outlook's junk filter receive all of your emails rather than SpamFilter, you would see that much more than 6% of spam would slip thru. As SpamFilter will never be 100% accurate, some spam will go undetected. It is almost a certainty that another application can further stop some of this remaining spam.

The main issue here is that you have another SMTP server which is receiving and processing your incoming emails in addition to SpamFilter. SpamFilter *must* see the original IP of the sender to stop spam effectively. All of our most efficient filters require to see that IP in order to do their job and stop the spam. If your secondary server processes emails first, and then passes them on to SpamFilter, the only filters that can then check emails for spam are the Bayesian filter, the SURBL filter and your keyword (if you specified any). These filters will only stop a very small percentage of emails, and thus will not be able to noticeably stop spam being forwarded by your secondary SMTP server.

In regards to the numbers above, please do note that many connection attempts are just "probes" that don't result in emails to be sent. Furthermore, SpamFilter caches for a few minutes IPs that sent large amounts of spam in a certain timeframe, and further connection attempts from them are rejected without any emails being transferred. All these factors mean that the statistics are to be taken with a grain of salt, as the numbers will never add up, and in some cases there will be noticeable discrepancies.

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: StevenJohns
Date Posted: 05 November 2008 at 7:51am
Roberto,
 
As 2CNL have added the IP of their ISP's mail server to the greylistallowed, and they are using it as a backup MX, then I would have thought that SF could receive the email, then check in the headers for the IP address which sent the email to the backup MX server... these IPs are inserted as the email passes every mail server, and I wouldn't have thought that their ISP would forge the headers...
 
2CNL...
We have seen an increase in email slipping through SF (with no real answer as to why), but we pass our email through another two filter levels which normally pick up all of these emails. As a cheap method, you could pass emails from SF through SpamAssassin to see if it picks up the 6%. I bet it would, as it checks the IPs in all the received headers, which SF does not do (for some strange reason??).
 
 


-------------
www.internetmailservices.co.uk


Posted By: LogSat
Date Posted: 05 November 2008 at 4:16pm
StevenJohns,

There are two main issues. The first is ours, and is caused by how SpamFilter applies its filters. All the IP-based filters are checked before the email is actually received, and are thus applied super-fast. If we were to check the IP in the headers as well, we'd have to receive the email as well and then go back and re-apply the IP filters. That will involve quite a bit of work... but as I said, that's an internal matter.
The second issue is that we've always made it a point since SpamFilter v1.0 six years ago of *not* checking the headers, as they can always be faked. For example, if SpamFilter were to check the IP in the last header, a spammer could add a fake header listing gmail's IP at the top of the email, and send it thru a host not yet IP-blacklisted. If the email is determined to be spam by the other filters, we risk blocking gmail's IP as well. There would have to be a lot of confusing if/then logic to determine what IPs are then reported as spammers and which not. An option would be to only check the last received header if the email has been received by a specific IP (the secondary MX server)...
We're going to do some brainstorming to see what can be done, as this subject is appearing more and more often recently.

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
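
The option raised in the post above (consulting a Received header only when the message was delivered by a designated relay such as the secondary MX) can be sketched as follows. This is an added example, not LogSat's code or part of the original thread; the relay address, the sample message and all function names are assumptions made for illustration, and it generalizes the idea to a list of trusted relays.

```python
import email
import ipaddress
import re

# Constructed values: the backup MX address and the sample message are made up.
TRUSTED_RELAYS = ["203.0.113.5/32"]          # e.g. the ISP's backup MX
SAMPLE = (
    "Received: from relay.example (relay.example [198.51.100.23])\r\n"
    "\tby backupmx.isp.example with ESMTP id 1A2B3C; Tue, 4 Nov 2008 07:40:00 +0000\r\n"
    "Received: from mx.bigprovider.example (mx.bigprovider.example [192.0.2.10])\r\n"
    "\tby relay.example with SMTP; Tue, 4 Nov 2008 07:39:00 +0000\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)
_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def _trusted(ip, relays):
    return any(ip in ipaddress.ip_network(net) for net in relays)


def _received_from_ip(value):
    """Peer IP that a relay recorded in one Received header, or None."""
    flat = " ".join(value.split())                  # unfold continuation lines
    if not flat.lower().startswith("from "):
        return None
    from_clause = re.split(r"\sby\s", flat, maxsplit=1)[0]
    match = _BRACKETED_IP.search(from_clause)
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:
        return None


def effective_sender_ip(connecting_ip, raw_message, relays=TRUSTED_RELAYS):
    """IP to run IP-based filters against, or None if it cannot be determined."""
    peer = ipaddress.ip_address(connecting_ip)
    if not _trusted(peer, relays):
        return str(peer)        # direct delivery: headers are never consulted
    for value in email.message_from_string(raw_message).get_all("Received", []):
        hop = _received_from_ip(value)
        if hop is None:
            return None         # unparsable header from a trusted relay
        if not _trusted(hop, relays):
            return str(hop)     # first hop outside our trust boundary
        # hop is itself a trusted relay: keep walking down the chain
    return None
```

Only the header written by a trusted relay is believed, so the second Received line in the sample, which the sending host could have written itself, never influences the result.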


Posted By: StevenJohns
Date Posted: 06 November 2008 at 9:02am
Roberto,
 
I understand your issues as you have explained them and I can understand the reasons for checking the IP filters at TCP connection time. However, only a fool and his dog would only have one email server, so it stands to reason that everyone should have a backup MX server, and some people might want that to be hosted by their ISP. This in turn means that we MUST have a way of filtering the emails which come through the backup MX.
As I said, we send our emails through SpamAssassin after SF specifically because SF does not scan the headers (we turn off all other Spam Assassin filters).
 
Still a good product, but I feel you may be hitting brick walls soon due to design decisions made years ago.
 
Cheers.


-------------
www.internetmailservices.co.uk


Posted By: Bart
Date Posted: 06 November 2008 at 10:40am
I never really read the license agreement, but is it legal to install SpamFilterISP enterprise on a second machine to be used as a fall-back server, or do I have to purchase a second license for a server that is online there in case something goes wrong?
 
I only have 1 server running now but have the same problem that fallback servers are a problem fighting spam.


Posted By: LogSat
Date Posted: 06 November 2008 at 5:49pm
Originally posted by StevenJohns:

However, only a fool and his dog would only have one email server, so it stands to reason that everyone should have a backup MX server, and some people might want that to be hosted by their ISP. This in turn means that we MUST have a way of filtering the emails which come through the backup MX.

Most admins who have multiple SMTP servers either have SpamFilter (or another product) running on their backup MX server as well, or use network load-balancing (ex. Cisco CSS switches, Windows load balancing, etc) to balance two servers behind a single IP (their primary MX record). We do have a growing number of admins, however, such as yourself, who rely on their ISP to serve as their backup MX record. If the ISP is not running SpamFiltering, then the issues you bring up are indeed issues. We do always listen to everyone's feedback, which is partly why SpamFilter has become so powerful/flexible, as many many times we do implement users' requests. We're evaluating this one to see how to proceed.


Originally posted by Bart:

I never really read the license agreement, but is it legal to install SpamFilterISP enterprise on a second machine to be used as a fall-back server, or do I have to purchase a second license for a server that is online there in case something goes wrong?

SpamFilter requires a license for every production server it is installed on. If the second server is used as a secondary MX record, or as a secondary server in a load-balance scenario, yes, a license is required on the 2nd server as well. If you have SpamFilter installed on a spare server, but the server does not process emails until you manually place it online, then in this case as it won't process emails until you manually intervene to replace your "down" server with this backup one, we will not require a second license.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: 2CNL
Date Posted: 07 November 2008 at 2:43am
Robert,
 
Is it not possible to make a sort of doublecheckip entry in the logsat ini file, combined with a filter, where the secondary SMTP server or other specific IP numbers are checked in the headerinfo?
I guess one of the reasons to not implement options like these is performance? If so, if it is only reserved for a single or a few IP numbers, the performance impact would be less.
Just my 2c  ;)
 
 
 


Posted By: LogSat
Date Posted: 07 November 2008 at 8:39am
That is *exactly* what we had in mind as well.

We'll keep this thread updated if this is something that can be implemented in a reasonable amount of time.

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: StevenJohns
Date Posted: 07 November 2008 at 8:55am
Sounds like a good solution to me, PLEASE do NOT limit it to one IP though.....
 
Cheers


-------------
www.internetmailservices.co.uk


