Print Page | Close Window

suddenly more spam making it in

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7084
Printed Date: 20 November 2017 at 11:47pm


Topic: suddenly more spam making it in
Posted By: Terry
Subject: suddenly more spam making it in
Date Posted: 09 May 2014 at 10:05am
Starting about 2.5 weeks ago we have started to see a jump in spam making it through the filter...some of this is borderline offensive.  We are currently on 4.5.1.98 version of spamfilter.  My blacklists are as follows:
 
Maps
bl.spamcop.nt
cbl.abuseat.org
combined.njabl.org
zen.spamhause.org
b.barracudacentral.org
zombie.dnsbl.sorbs.net
 
Surbl
multi.surbl.org
 
I am thinking some setting must have gotten messed up because we haven't had this type of issue since we installed spamfilter many many years ago...



Replies:
Posted By: LogSat
Date Posted: 11 May 2014 at 10:20pm
Terry,

Could you please zip us the following so we can take a look:

• SpamFilter's activity logfile for a day

• The to/from email addresses for at least 3-4 such emails for the above day so we can locate them in the logs

• Your SpamFilter.ini file

• The \SpamFilter\Domains directory structure (if the files containing any of your blacklists/whitelists are outside that directory tree, please include those as well.


I'll send you via a PM with link to upload the files to us.



-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Terry
Date Posted: 12 May 2014 at 10:06am
Okay...I have uploaded some samples and the info requested...really unusual for me to get "Hot Cougars" messages anymore and our users are starting to notice and complain about the increase.  Hope you can find something we are doing wrong.


Posted By: LogSat
Date Posted: 12 May 2014 at 10:27pm
Terry,

We finished debugging your logfile, and I have to agree that the spam catch accuracy is not as good as we're used to seeing.

The logfile you forwarded us shows 44,302 connection attempts. Of those connections, SpamFilter accepted and delivered only 7,337  emails. 758 of these emails were whitelisted, so SpamFilter identified as clean 6,579 emails out of 44,302. This means that SpamFilter only allowed 14.9% of your total email traffic thru. Not counting the whitelisted emails, SpamFilter thus identified as spam about 85.1% of your total SMTP traffic. This is actually slightly better than the 70%-80% we usually see.

Now, assuming that one out of two emails you receive in your mailbox is spam (thus 50%), this still means that SpamFilter incorrectly allowed thru 50% x 6,579 = 3,290 emails. So SpamFilter would have incorrectly identified as clean only 3,290 emails out of 44,302. This is an accuracy of 92.6%, which is instead slightly lower from the 95%-99%% accuracy we often see.

The one filter that usually catches more spam than what we see in your logs is the MAPS RBL filter. That filter blocked only 1,652 emails that day. That is rather low when comparing it to our own proprietary SFDB filter that blocked 8,121 of your emails.

I'd suggest removing these entries from your MAPS server list as they did not block a single email:

combined.njabl.org, true
zombie.dnsbl.sorbs.net, true

and replacing them with these ones:

dnsbl-2.uceprotect.net, true
ubl.unsubscore.com, true
free.v4bl.org, true

to see if that filter improves a bit.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Terry
Date Posted: 13 May 2014 at 8:42am
Thank you Roberto,   I have made the changes and will see how it goes.  This all started about 3 weeks ago so it is pretty weird.....Thank you for taking the time to analyze the information so thoroughly and for the suggestions.


Posted By: Terry
Date Posted: 13 May 2014 at 2:19pm
well that worked way to good...the ubl.unsubscore.com and free.v4bl.org blocked so many legitimate emails our users were complaining and we had to remove those lists...any others I should be looking at?


Posted By: LogSat
Date Posted: 13 May 2014 at 6:05pm
Those two were the only ones which had blacklisted all 3 IP for the spam samples that you forwarded to us. The dnsbl-2.uceprotect.net had blacklisted two of them, so even just adding that one single one may help. There are many other public RBL servers available, but those 3 are the ones we are familiar with, in addition to the ones that SpamFilter comes configured for.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Print Page | Close Window