Spam Filter ISP Support Forum


blacklist domains not working as expected

keizersozay
Posted: 06 July 2004 at 10:10am
I am having a problem with a domain that I had previously blacklisted. After blacklisting it, email from the domain still came through.

This is the section of the log file...

07/02/04 10:37:29:191 -- (7924) Connection from: 63.251.135.74 - Originating country : United States
07/02/04 10:37:29:816 -- (7924) Resolving 63.251.135.74 - ccm01.roving.com
07/02/04 10:37:29:816 -- (7924) Mail from: ESC1011304316885_1011145214232_4201@in.roving.com
07/02/04 10:37:30:941 -- (7924) - MAPS search done...
07/02/04 10:37:30:941 -- (7924) RCPT TO: srx@mydomain.com accepted
07/02/04 10:37:31:503 -- (7924) EMail from ESC1011304316885_1011145214232_4201@in.roving.com to srx@mydomain.com was queued. Size: 11 KB, 11264 bytes
07/02/04 10:37:31:503 -- (6824) Sending email from alist@bostonsalist.com to srx@m.com
07/02/04 10:37:31:582 -- (7924) Disconnect
07/02/04 10:37:31:660 -- (6824) EMail from alist@bostonsalist.com to srx@mydomain.com was forwarded to x.mydomain.com:9876

Basically, I blacklisted bostonsalist.com, but the email says it is coming from roving.com until it is forwarded. I have since blacklisted roving.com, but shouldn't this have worked without having to do that?

Desperado
Posted: 06 July 2004 at 12:39pm

Can you post the entry you used?

Dan S.

keizersozay
Posted: 06 July 2004 at 12:45pm
I'm not sure if I understand what you mean. In my domain blacklist file I have an entry for bostonalist.com. This did not stop the email from coming through. I just recently added roving.com to the same file hoping it will work since the email seems to be coming from ESC1011304316885_1011145214232_4201@in.roving.com until the time that it is forwarded to my next relay (Trend IMSS).. which it then magically comes from alist@bostonsalist.com

Thanks.

Desperado
Posted: 06 July 2004 at 1:14pm
OK ... the question was meant to ask if you have used RegEx, or wildcards or just the domain name in your black list. Also, if you take the word-wrapping out of your posted logs, it is easier to see that this is the log for 2 messages .... one with PID 7924 and one with PID 6824 so I think you may have confused your analysis somewhat. OR ... am I looking at 2 different server logs? Perhaps I am confused.

I will TRY to post what I mean by shortening your log entries:

07/02/04 10:37:29:191 -- (7924) Connection from: 63.251.135.74 - Originating country : United States
07/02/04 10:37:29:816 -- (7924) Resolving 63.251.135.74 - ccm01.roving.com
07/02/04 10:37:29:816 -- (7924) Mail from: ESC1011304316885_1011145214232_4201@in.roving.com
07/02/04 10:37:30:941 -- (7924) - MAPS search done...
07/02/04 10:37:30:941 -- (7924) RCPT TO: srx@mydomain.com accepted
07/02/04 10:37:31:503 -- (7924) EMail from ESC1011304316885_1011145214232_4201@in.roving.com to srx@mydomain.com was queued. Size: 11 KB, 11264 bytes
07/02/04 10:37:31:503 -- (6824) Sending email from alist@bostonsalist.com to srx@m.com
07/02/04 10:37:31:582 -- (7924) Disconnect
07/02/04 10:37:31:660 -- (6824) EMail from alist@bostonsalist.com to srx@mydomain.com was forwarded to x.mydomain.com:9876

Regards,
 
Dan S.

keizersozay
Posted: 06 July 2004 at 2:59pm

"OK ... the question was meant to ask if you have used RegEx, or wildcards or just the domain name in your black list.  Also,  if you take the word-wrapping out of your posted logs, it is easier to see that this is the log for 2 messages .... one with PID 7924 and one with PID 6824 so I think you may have confused your analysis somewhat.   OR ... am I looking at 2 differant server logs?  Perhaps I am confused."

I did not use any regex, just the domain name. Sorry about the word wrapping...

It is one server log and yes I noticed that about the PID numbers being different, but from as far as I can tell it is the same message. I went back through my logs and all messages (there are plenty) that initially come from in.roving.com look like this. It is weird.
I have since blocked "in.roving.com" by adding it to my domain black list file and I have confirmed that it works now.

But I am confused as to how the message initially appears to be from one email address, but then spamfilter reports it as a different from address when it forwards it to its final destination.

Thanks again.

Desperado
Posted: 06 July 2004 at 6:27pm

Hmm ... not sure I understand that. However, I looked in my logs and found a zillion entries for "roving.com". I saw nothing like your magic change. I did some digging though and unfortunately, Roving.com is a legit service and it seems as though many of our customers get crap from them and are not complaining (yet). Out of all the messages, only one of our customers is blocking them and it was a keyword that dinged those messages.

I looked very closely at the message content of the ones that were blocked and my "standard" filters will not block them because they seem to follow the basic rules of being CAN-SPAM Act compliant. I, however, take exception to any service that has to advertise that they are compliant. It just means that they are skirting the edge of the LEGAL definition of SpamWare.

Oh well ...

Dan S.

LogSat
Posted: 06 July 2004 at 10:10pm

Keizersozay,

The following line:

07/02/04 10:37:29:816 -- (7924) Mail from: ESC1011304316885_1011145214232_4201@in.roving.com

in your log snippet shows that an incoming email has arrived, and the sender specified "@in.roving.com" in the "MAIL FROM" SMTP command. The MAIL FROM indicates the sender, and should be identified in the "Return-Path" email headers.

The sender however then proceeds to indicate a different email address in the "From:" email headers. The "From:" header determines what most email clients show in the "From" field, but please note that this is different from the real sender.

SpamFilter's blacklist will work only on the "MAIL FROM" email address. In the logfile you see the entry:

07/02/04 10:37:31:503 -- (6824) Sending email from alist@bostonsalist.com to srx@m.com

SpamFilter will log the "From:" header when forwarding the email to your destination SMTP server rather than the MAIL FROM address so that the log will reflect the mismatch and help identify emails that would possibly not appear in the logs, had we chosen to stick with only one of the MAIL FROM or "From:" headers.

Roberto F.
LogSat Software
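
The distinction described in the reply above, as an added example that is not part of the original thread and is not SpamFilter's code: a domain blacklist applied to the envelope MAIL FROM never sees the domain in the "From:" header. The function names, the exact-match rule and the sample message are assumptions made for the example; only the two addresses come from the log.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. The two addresses are the ones in the log above;
# the headers and body around them are made up for the example.
MAIL_FROM = "<ESC1011304316885_1011145214232_4201@in.roving.com>"
RAW_MESSAGE = (
    "Return-Path: <ESC1011304316885_1011145214232_4201@in.roving.com>\n"
    "From: A-List <alist@bostonsalist.com>\n"
    "To: srx@mydomain.com\n"
    "Subject: constructed sample\n"
    "\n"
    "constructed body\n"
)


def domain_of(address):
    """Lower-cased domain of an address; '' for the null sender <> or junk."""
    addr = parseaddr(address or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_sender(mail_from, raw_message, blacklist):
    """Compare the envelope sender and the From: header against a blacklist.

    Assumption: entries are bare domain names matched exactly, with no
    wildcards or regex (a hypothetical rule chosen for this example).
    """
    entries = {d.strip().lower() for d in blacklist if d.strip()}
    envelope = domain_of(mail_from)
    header = domain_of(message_from_string(raw_message).get("From", ""))
    return {
        "envelope_domain": envelope,
        "header_from_domain": header,
        # Worth logging: the displayed sender differs from the SMTP sender.
        "mismatch": bool(envelope and header and envelope != header),
        # The check the reply describes: MAIL FROM only.
        "blocked": envelope in entries,
        # An entry that matches only what the mail client displays.
        "header_only_match": header in entries and envelope not in entries,
    }


if __name__ == "__main__":
    for bl in (["bostonsalist.com"], ["bostonsalist.com", "in.roving.com"]):
        print(bl, check_sender(MAIL_FROM, RAW_MESSAGE, bl))
```

A `header_only_match` result flags a blacklist entry that was written from the address the mail client displays and so can never fire on an envelope-only check.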

keizersozay
Posted: 07 July 2004 at 8:33am
Thank you very much Roberto.

keizersozay
Posted: 07 July 2004 at 8:35am

Thanks Dan.
