Print Page | Close Window

lots of spam getting through

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7138
Printed Date: 21 November 2017 at 6:14pm


Topic: lots of spam getting through
Posted By: Terry
Subject: lots of spam getting through
Date Posted: 30 July 2016 at 8:58pm
Getting messages in the log like this through out the day...
HTTP Error in DoSFDBCheck:Connect timed out.
 
In the meantime I am blocking a bunch of countries to help some...
 
Here are the maps filters
bl.spamcop.net, true
cbl.abuseat.org, true
zen.spamhaus.org, true
b.barracudacentral.org, true
psbl.surriel.com, true
dnsbl.zapbl.com, true
truncate.gbudb.net,true
dnsbl.sorbs.net,true
dnsbl-2.uceprotect.net,true
 
and here is the surbl filter
multi.surbl.org
 
Also I am on the most current release 4.7.2.206
 



Replies:
Posted By: LogSat
Date Posted: 31 July 2016 at 8:19am
Hi Terry,

Those errors indicate that either the SFDB service is temporarily unavailable, or that your SpamFilter is unable to reach our SFDB webservice at http://sfdb.logsat.com.

I checked our logs for the SFDB service for yesterday, and did not find any issues (at least not any obvious ones). If you'd like to upload for us your SpamFilter's activity logfile for the day this happened, you can do so here:

https://logsat.com/sfi-upload-box.asp

 

Please let us also know the external IP address of your SpamFilter server, so we can locate it in our webservice logs and see if we see any problems we may have missed during the superficial look we had earlier.


Regards,


Roberto Franceschetti

LogSat Software



-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Terry
Date Posted: 31 July 2016 at 11:16am
I was wondering if we were having some internet problems getting out...I also see this kind of error a lot
 
Warning - SFDB_WebErrors has reached its limit, SFDB checks are paused temporarily
 
I assume that is also related to the same problem?


Posted By: LogSat
Date Posted: 31 July 2016 at 12:31pm
Yes - they are related. After a few timeouts, SpamFilter will stop trying querying the SFDB webservice so as to not waste any more time while processing new emails. Once a minute or so SpamFilter will poll that webservice on the side to see if it becomes available, and if so, the SFDB tests will resume automatically.

If you'd like to send the logs over we may be able to tell if it was an issue with your internet connection or our own webservices.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Terry
Date Posted: 31 July 2016 at 7:55pm
Roberto, being I bother you with the logs...I am going to make sure that the recent changes that were made to our edge network aren't causing this. 
Could this be adding to the volume of spam making it through our filter?


Posted By: LogSat
Date Posted: 31 July 2016 at 9:48pm
No bother at all - we're here to help! The SFDB is usually our most efficient filter, so yes - if it's not working properly that would most likely cause an increase in spam. If you send the logs over I'll review them for ano overall health check as well, to ensure all the major filters are also working and stopping the same % of spam as we'd expect.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Terry
Date Posted: 01 August 2016 at 10:14am
Okay...I have uploaded todays log...maybe that will show you something


Posted By: Terry
Date Posted: 01 August 2016 at 3:11pm
Roberto, I had the firewall guys open up the connection to the ip address of sfdb.logsat.com  and that fixed the errors we were getting.  Did the address of that site change?


Posted By: LogSat
Date Posted: 01 August 2016 at 4:06pm
Hi Terry,

As you discovered, I can confirm that neither your SDFB nor your SFDE filters were working at all for the day of the logfile.

The URL used for our proprietary SFDB/SFDE/SFDC filters is http://sfdb.logsat.com. Its IP (66.181.198.110) has not changed in quite a while (years I think), even though we may occasionally temporarily move that website to different servers in the 66.181.198.nnn subnet during server maintenances and updates. The last time this happened was for about 24 hours a couple of weeks ago. As an FYI if you use the antivirus plugin we also just started using Amazon's cloud storage for faster downloads, using the URL http://aws.logsat.com. Being cloud-based, those IPs will change routinely.

AS a side-note, we also finished debugging your logfile, and even without being able to use our most efficient filter (SFDB), SpamFilter seems to be working extremely well.

Let me give you an example. The logfile you forwarded us shows 15,764 connection attempts. Of those connections, SpamFilter accepted and delivered only 700 emails. 255 of these emails were whitelisted, so SpamFilter identified as clean 445 emails out of 15,764. This means that SpamFilter only allowed 2.8% of your total email traffic thru. Not counting the whitelisted emails, SpamFilter thus identified as spam and blocked a whopping 97.2% of your total SMTP traffic.
Now, assuming that one out of three emails you receive in your mailbox is spam (thus 33%), this still means that SpamFilter incorrectly allowed thru 33% x 445 = 148 emails. So SpamFilter would have incorrectly identified as clean only 148 emails out of 15,764. This is an accuracy of 99.1%, which is actually a very very good spam catch ratio.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Terry
Date Posted: 01 August 2016 at 4:10pm
The log I sent you today was just for today and I had added country and additional domain blocking from last week.  Would you like me to upload Thursday's log which would have had more spam make it through to the employees...I will go ahead and upload the log for you...


Posted By: LogSat
Date Posted: 01 August 2016 at 4:12pm
Sure - we'll take a look at that one too.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: LogSat
Date Posted: 01 August 2016 at 5:57pm
Received the 2nd log. The stats are indeed a bit worse, so your additional settings appeared to have helped quite a bit. As a reference, these are the stats for you log of the 28th:

70910 Total Connections
6986 Forwarded
1654 Whitelisted
5,332 Detected Clean
7.5% % emails allowed
92.5% % emails blocked
33.3% Assume percentage of spam in mailbox
1,776 spam emails assuming above percentage in mailbox
2.5% Percentage spam emails missed
97.5% SpamFilter accuracy


and these were instead the ones for your log of the 1st:

15764 Total Connections
700 Forwarded
255 Whitelisted
445 Detected Clean
2.8% % emails allowed
97.2% % emails blocked
33.3% Assume percentage of spam in mailbox
148 spam emails assuming above percentage in mailbox
0.9% Percentage spam emails missed
99.1% SpamFilter accuracy


note however that the log for the 1st only contained emails from midnight until 6AM, while the one for the 28th had emails for the entire day. This may skew the stats as during working hours more legitimate emails usually comes thru than at night, so the overall percentages of emails allowed and of the accuracy may differ if only considering the interval midnight-6AM (during which there will be less legitimate emails).



-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: LogSat
Date Posted: 01 August 2016 at 6:04pm
To be more thorough, I just re-run the stats for your log of the 28th, but this time only including entries from midnight until 6AM (just like your log for the 1st). Now the stats become very similar:

20095 Total Connections
914 Forwarded
178 Whitelisted
736 Detected Clean
3.7% % emails allowed
96.3% % emails blocked
33.3% Assume percentage of spam in mailbox
245 spam emails assuming above percentage in mailbox
1.2% Percentage spam emails missed
98.8% SpamFilter accuracy

which means that my original statement:
Originally posted by LogSat LogSat wrote:

The stats are indeed a bit worse, so your additional settings appeared to have helped quite a bit.
was probably inaccurate... as there seems to be very little difference between the two days when considering the same time interval.



-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Terry
Date Posted: 02 August 2016 at 12:08pm
that's unfortunate because some really bad ones got through and landed in several directors and senior managers inboxes.



Print Page | Close Window