Spam Filter ISP Support Forum


IP is in local blacklist cache

Derk
Posted: 02 February 2006 at 12:20pm

I have our spam filter as the primary MX entry and 216.217.139.56 is one of my secondary MX backup mail servers.  I have the backup servers configured to hold mail if the spam filter is not reachable and to attempt delivery later.

Correct me if I'm wrong, but does the following log entry indicate the spam filter is blocking traffic from the backup?  I have looked and the IP address is not in my IP Blacklist.


02/02/06 10:38:06:892 -- (2316) Connection from: 216.217.139.56  -  Originating country : United States
02/02/06 10:38:06:892 -- (2316) IP is in local blacklist cache. Disconnecting: 216.217.139.56

 

Desperado
Posted: 02 February 2006 at 1:39pm
Derk,
Yes, you are correct and it would be wise to put an allow in the primary for the secondary IP.  You will diminish some of the filtering abilities in the case where the secondary is receiving the mail, but a mail server should never, under any conditions, block mail from its backup.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Derk
Posted: 02 February 2006 at 1:57pm

I think you are close to understanding my configuration, but from your reply either I am misinterpreting or you are missing part of my configuration.  Let me try again:

95% of our hosted domains have e-mail configured as:

10 mx spamfilter.webconnectivityllc.com
20 mx mail2.webconnectivityllc.com
30 mx mail3.webconnectivityllc.com

mail2 and mail3 queue messages and only forward them to spamfilter when it is available.  Spamfilter forwards legitimate messages to the "real" mail server: mail.webconnectivityllc.com

No messages should ever be directly delivered to mail.webconnectivityllc.com.

If I put the IP addresses in the IP white list, are those messages never filtered and would go through, or does the IP address in the list simply tell the spam filter to always accept connections from these IPs and continue filtering?

 

Desperado
Posted: 02 February 2006 at 2:40pm
Derk,
 
I understand *exactly* what you were stating in your first post.  Let me expand my answer a little.
 
If you do not want the IP of the queuing servers to ever be falsely blocked, then yes, you need the allowed IP and *YES* all mail will then, unfortunately, go by, unmolested no matter what (with the exception of viruses).

So, can you find the actual reason your queuing server was put in the automatic IP Blacklist cache?  See, the issue is as follows:  Your mail2.webconnectivityllc.com queues, say, 100 messages due to a re-boot of spamfilter.webconnectivityllc.com (normal Windows Update for example).  80 of the messages are Spam as defined by spamfilter.webconnectivityllc.com due to either keywords or some other *non-IP* based reason.  OK ... now spamfilter.webconnectivityllc.com returns to service and mail2.webconnectivityllc.com flushes.  In very short order, mail2.webconnectivityllc.com's IP is in the Blacklist cache.

HOWEVER, and Roberto needs to look at this, if you place mail2.webconnectivityllc.com's IP in the INI file "DoNotAddIPToHoneypot" setting, perhaps this setting will also prevent it from being added to the IP Cache ... I am not sure on that but the IP should probably be added to that setting anyway.
 
Digest the above before I add any more thoughts.  AND, I am only a user so I may be providing crap info and LogSat should verify my comments.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

LogSat
Posted: 02 February 2006 at 2:49pm
Derk,

Before we reply, let me pre-say the following:

SpamFilter needs to see the original IP of the sender when receiving emails, otherwise many of the DNS-based tests will fail. For example, if you're using the SPF filter, SpamFilter will reject the email unless it comes from a very specific server(s) as specified in their SPF DNS records. So if instead that email is processed by another server on your network, and then delivered to SpamFilter, the email will be rejected as your server is not authorized to send the email on behalf of the sender.

This said, from your first post, it seems as if your secondary MX server at 216.217.139.56 is forwarding emails to SpamFilter:

02/02/06 10:38:06:892 -- (2316) Connection from: 216.217.139.56  -  Originating country : United States

In this case, SpamFilter will eventually block email from your secondary. This can happen if you're using the SPF filter (and please note that SpamFilter *should* block such emails, as the SPF standard is purposely created to forbid unauthorized servers to send email on someone's behalf), or also for example if you're using the SURBL filter that scans email for blacklisted URLs. After SpamFilter blocks your secondary MX a few times (3 times within 10 minutes by default) it will add its IP to a local IP blacklist cache, and will block any further connection attempts for an hour (by default).

The IP blacklist cache has a setting in the SpamFilter.ini file (DoNotAddIPToHoneypot) where you can add, separated by commas, the IP addresses of "trusted servers" that you do not wish to be automatically blacklisted.

Please note however that we recommend reconfiguring all your servers on the MX records so that they forward emails to your "real" mail server, *not* to SpamFilter, as many legitimate emails will be blocked, unless you disable in SpamFilter the SPF filter.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
LogSat
Posted: 02 February 2006 at 2:55pm
Dan,

I was typing my reply as you were submitting yours...!

I'm sorry about the DoNotAddIPToHoneypot setting documentation. I was looking for where in the readme we say that this setting works for both the Honeypot and the blacklist cache... but did not find it!

You are absolutely correct, any servers listed there will *not* be either "honeypotted" or listed in the cache.

I'll update the documentation right now...
Roberto Franceschetti

LogSat Software

Spam Filter ISP
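
The behaviour Roberto and Dan describe above, as an added example that is not part of the thread and not LogSat's code: a simplified Python model of an automatic IP blacklist cache using the defaults quoted in the thread (3 blocks within 10 minutes, cached for one hour) and a DoNotAddIPToHoneypot-style exemption list. The class and function names, the 2-second delivery gap and the 100-message queue are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Defaults quoted in the thread: 3 blocks within 10 minutes, cached for 1 hour.
BLOCK_THRESHOLD, WINDOW, CACHE_TTL = 3, timedelta(minutes=10), timedelta(hours=1)

class BlacklistCache:
    """Simplified model of the automatic IP blacklist cache (not LogSat's code)."""
    def __init__(self, do_not_add=""):
        # Same shape as the DoNotAddIPToHoneypot value: comma-separated IPs.
        self.exempt = {ip.strip() for ip in do_not_add.split(",") if ip.strip()}
        self.recent_blocks = defaultdict(deque)  # ip -> times of recent rejections
        self.cached_until = {}                   # ip -> cache expiry time

    def is_cached(self, ip, now):
        expiry = self.cached_until.get(ip)
        return expiry is not None and now < expiry

    def record_block(self, ip, now):
        """Called when a filter (SPF, SURBL, keywords) rejects a message from ip."""
        if ip in self.exempt:
            return                               # trusted relay: never auto-cached
        times = self.recent_blocks[ip]
        times.append(now)
        while now - times[0] > WINDOW:           # drop rejections outside the window
            times.popleft()
        if len(times) >= BLOCK_THRESHOLD:
            self.cached_until[ip] = now + CACHE_TTL

def flush_queue(cache, relay_ip, verdicts, start, gap=timedelta(seconds=2)):
    """Replay a backup MX flushing its queue; returns (delivered, filtered, refused)."""
    delivered = filtered = refused = 0
    for i, verdict in enumerate(verdicts):
        now = start + i * gap
        if cache.is_cached(relay_ip, now):
            refused += 1                         # "IP is in local blacklist cache"
        elif verdict == "spam":
            filtered += 1
            cache.record_block(relay_ip, now)
        else:
            delivered += 1
    return delivered, filtered, refused

# Constructed input: 100 queued messages, 80 of them spam, as in Dan's scenario.
RELAY, START = "216.217.139.56", datetime(2006, 2, 2, 10, 38, 6)
QUEUE = (["spam"] * 4 + ["ham"]) * 20

if __name__ == "__main__":
    print(flush_queue(BlacklistCache(), RELAY, QUEUE, START))
    print(flush_queue(BlacklistCache(do_not_add=RELAY), RELAY, QUEUE, START))
```

Without the exemption the relay is cached after the third rejection and the remaining 97 connections are refused, including all 20 legitimate messages; with the relay listed, each message is still filtered individually and nothing is refused at connect.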
Desperado
Posted: 02 February 2006 at 3:22pm

Originally posted by LogSat:

Dan,
You are absolutely correct, any servers listed there will *not* be either "honeypotted" or listed in the cache.

Roberto,

This is actually good news as I was using the setting that way and ASSUMING it was as you state!

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
