
Whitelisted E-mail Quarantined

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6736
Printed Date: 17 December 2017 at 1:04am


Topic: Whitelisted E-mail Quarantined
Posted By: invicta
Subject: Whitelisted E-mail Quarantined
Date Posted: 19 August 2009 at 12:17am
We have at least one person who e-mailed a client and they were quarantined despite being on the Whitelisted Auto White List Force Delivery file. The user was quarantined due to a keyword match in the filter for this particular domain. My understanding is that if something is whitelisted it will bypass all the other filters except for Cached IP Blacklist and Greylisting. Here are excerpts from the log file:
Note I put the Xs in there.
08/18/09 16:49:22:274 -- (6392) Connection from: 74.10.23.X  -  Originating country : United States
08/18/09 16:49:22:462 -- (6392) Received MAIL FROM: < mxxxxxx@zxxxxx.com >
08/18/09 16:49:22:477 -- (6392) Received RCPT TO: wxxxxx@Hxxxxxx.com
08/18/09 16:49:22:774 -- (6392) Resolving 74.10.23.x - mail.zxxxxx.com
08/18/09 16:49:24:133 -- (6392) - SPF analysis for zxxxxxx.com done: - none
08/18/09 16:49:24:133 -- (6392) Mail from: mxxxxx@zxxxxx.com
08/18/09 16:49:26:508 -- (6392) - MAPS search done...
08/18/09 16:49:26:508 -- (6392) RCPT TO: wxxxxxx@Hxxxxxx.com accepted
08/18/09 16:49:26:555 -- (6392) Checking SFDC
08/18/09 16:49:26:774 -- (6392) Hash cache - Added OK
08/18/09 16:49:26:774 -- (6392) Found Keywords: [get your] (this is a generic keyword set and I removed it)
08/18/09 16:49:26:774 -- (6392) EMail from mxxxxxx@zxxxxx.com to wxxxxx@Hxxxxxx.com matches content filter rules - rejected.
08/18/09 16:49:26:774 -- (6392) Start virus scan
08/18/09 16:49:26:805 -- (6392) Starting quarantine procedures
08/18/09 16:49:26:805 -- (6392) Created thread (2328) to add email to quarantine
08/18/09 16:49:26:805 -- (2328) Adding to Quarantine file:Qrtn14A9CBED-2DC3-4151-936A-D786D37A7B45.tmp
08/18/09 16:49:26:821 -- (6392) Disconnect
08/18/09 16:49:26:837 -- (2328) EMail from mxxxxxx@zxxxxxx.com to wxxxxx@Hxxxxxx.com was received and quarantined. Size: 10 KB, 10240 bytes



Replies:
Posted By: LogSat
Date Posted: 19 August 2009 at 7:46pm
invicta,

From your log entries it does not appear that there was a match caused by the from/to email addresses being present in the AutoWhiteList Force Delivery file. If there was a match, the following entry would have been logged:

08/19/09 19:41:23:026 -- (3768) Bypassed all rules for: wxxxxx@Hxxxxxx.com from mxxxxxx@zxxxxx.com ( AutoWhiteList Force Delivery)

Can you please double-check that the file does indeed contain the entry:

mxxxxxx@zxxxxx.com|wxxxxx@Hxxxxxx.com

and that the file is the actual one being used? If you're using SpamFilter ISP "standard", the file being used will be identified by the entry "WL_AuthorizedTOEmailsFileName" in the \SpamFilter\Domains\SFI\Filters.ini


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: invicta
Date Posted: 20 August 2009 at 11:39am

Hello,

 
I have the Enterprise version and see the address whitelisted in the file C:\Program Files\SpamFilter\domains\Hxxxxxx.com\WL_AutoWhiteListForceDelivery.txt
 
mxxxxxx@zxxxxx.com|wxxxxx@Hxxxxxx.com
 
Is there any way to verify when the entry was whitelisted to verify that the client actually whitelisted it before it was blocked?
 
Thanks!


Posted By: LogSat
Date Posted: 20 August 2009 at 6:18pm
Sure. When the entry is added to the autowhitelist file, SpamFilter will log the event with a line similar to:

08/20/09 18:14:31:438 -- (288) Adding to C:\Program Files\SpamFilter\domains\Hxxxxxx.com\WL_AutoWhiteListForceDelivery.txt:mxxxxxx@zxxxxx.com|wxxxxx@Hxxxxxx.com

If you run a text search thru SpamFilter's activity logfiles for either the entry in bold above, or more simply for "mxxxxxx@zxxxxx.com|wxxxxx@Hxxxxxx.com" you should be able to pinpoint the date/time when that entry was added.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp
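
The timeline check suggested in this thread, written out as an added example (not part of the original posts and not LogSat's code): it scans activity log lines for the "Adding to ...", "Bypassed all rules for:" and "was received and quarantined" messages quoted above and reports whether a quarantine happened after the pair was whitelisted. The addresses, file path and sample lines are constructed placeholders, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Line layout taken from the log excerpts in this thread:
#   MM/DD/YY HH:MM:SS:mmm -- (thread id) message
LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3}) -- \((\d+)\) (.*)$")

def whitelist_timeline(lines, sender, rcpt):
    """Collect when the sender|rcpt pair was added, honoured, or quarantined."""
    sender, rcpt = sender.lower(), rcpt.lower()  # addresses compared case-insensitively
    events = {"added": [], "bypassed": [], "quarantined": []}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines or anything not in the log layout
        when = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S:%f")
        msg = m.group(3).lower()
        if msg.startswith("adding to ") and msg.endswith(f":{sender}|{rcpt}"):
            events["added"].append(when)
        elif msg.startswith(f"bypassed all rules for: {rcpt} from {sender}"):
            events["bypassed"].append(when)
        elif (msg.startswith(f"email from {sender} to {rcpt} ")
              and "was received and quarantined" in msg):
            events["quarantined"].append(when)
    return events

def quarantined_while_whitelisted(events):
    """Quarantine times that fall after the pair was first added to the file."""
    if not events["added"]:
        return []
    first_added = min(events["added"])
    return [t for t in events["quarantined"] if t > first_added]

# Constructed sample log (placeholder addresses and path, not real data).
SAMPLE = """\
08/18/09 16:49:26:774 -- (6392) Found Keywords: [get your]
08/18/09 16:49:26:837 -- (2328) EMail from sender@example.com to user@example.org was received and quarantined. Size: 10 KB, 10240 bytes
08/20/09 18:14:31:438 -- (288) Adding to C:\\SpamFilter\\domains\\example.org\\WL_AutoWhiteListForceDelivery.txt:sender@example.com|user@example.org
08/20/09 19:41:23:026 -- (3768) Bypassed all rules for: user@example.org from sender@example.com ( AutoWhiteList Force Delivery)
""".splitlines()

if __name__ == "__main__":
    ev = whitelist_timeline(SAMPLE, "sender@example.com", "user@example.org")
    for kind, times in ev.items():
        print(kind, [t.isoformat(sep=" ", timespec="milliseconds") for t in times])
    print("quarantined after whitelisting:", quarantined_while_whitelisted(ev))
```

An empty result from `quarantined_while_whitelisted` with a non-empty `added` list means the quarantine predates the whitelist entry; a non-empty result means a message was filtered even though the pair was already in the file.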


