Spam Filter ISP Support Forum


SF added X-Headers

StevenJohns (Senior Member)
Posted: 26 March 2008 at 5:47am
Roberto,
 
I use SF in the tag and forward mode, forwarding all email to an internal server where we process the emails more. After we apply more filtering, we then search the email for the "X-Rejection-Reason:" header, and if it is present then it is spam and dealt with accordingly. Now, I have seen several emails getting through and it appears to be related to where in the email SF inserts the headers. (I have added the headers of an example email below).
 
As you can see, there appears to be a crlf in the middle of the headers.....just after the Date.  As far as the RFC states, this crlf indicates the start of the body of the email, however the SF headers seem to be after this point, therefore our filter does not pick up the SF headers as it assumes they are part of the email (as per RFC).
 
To bypass this, would it be possible to insert the headers right at the top of the email???
 
 
Cheers
 
 
Received: from 122.2.22.69 by mail.protected-mail.co.uk (IMS Spam Filtering Server); Sat, 22 Mar 2008 21:40:39 +0000
From: "JESSICA LOVERN" <Lovernonline@company.com>
To: <steve@stevenjohns.co.uk>
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Subject: HURRY!!! GREAT OPPORTUNITY THAT CAN GIVE US CHANCE TO EARN BIG.START NOW!!!
Return-Path: <Lovernonline@company.com>
Message-ID: <NS1HM3SOlbpH71yEXUI0000000e@mail.protected-mail.co.uk>
X-OriginalArrivalTime: 22 Mar 2008 21:40:39.0554 (UTC) FILETIME=[5F1F6E20:01C88C65]
Date: 22 Mar 2008 21:40:39 +0000
 
US CHANCE TO EARN BIG. Join Now!!!
Sender: "JESSICA LOVERN" <Lovernonline@company.com>
Mime-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Date: Sun, 23 Mar 2008 17:40:02 -0400
Reply-To: "JESSICA LOVERN" <lovern.jessica@gmail.com>
X-Priority: 1 (Highest)
Content-Transfer-Encoding: 8bit
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <Lovernonline@company.com>
X-SF-HELO-Domain: company.com
X-SF-Originating-IP: 122.2.22.69
X-Rejection-Reason: 16 - 557 Your domain company.com does not have a valid
MX DNS record. Disconnecting...
X-SF-SPAM:Y


Edited by StevenJohns - 26 March 2008 at 5:49am

LogSat (Admin Group)
Posted: 26 March 2008 at 1:41pm
StevenJohns,

Without seeing the actual source of the email we can only make assumptions. If the email arrived with the CRLF already present, then the email's body would actually have started with the line "US CHANCE TO" and any pre-existing headers after that line would now be part of the email body. However SpamFilter is able to auto correct minor encoding errors in an email, and may have attempted to "fix" itself by understanding where the real intended headers were, and then added our own X-SF headers at the end of them. The email is then forwarded as received, including the mis-formatted extra CRLF (or whatever other control character may have been there).

SpamFilter will append its headers at the end of the list of the pre-existing ones, we currently have no plans to change this... but if it does become a bigger problem, that may change.
Roberto Franceschetti

LogSat Software

Spam Filter ISP

StevenJohns (Senior Member)
Posted: 26 March 2008 at 3:43pm
Roberto,
 
I see your point of view, but I am seeing quite a few of these emails getting through and SF is missing them. My feeling is that the extra crlf has been placed there intentionally to deceive spam filters....and it appears to be working.
 
With reference to your comment of SF attempting to "fix" itself, well my thoughts are that that behaviour is specifically opposite to the RFC for which you state that SF complies with.
If headers are to be added, then they should be added before the very first blank line (crlf pair) as the RFC states, not where SF "thinks" it should put them.
I am sure that you are aware that the RFC specifically states that the email body starts at the very first blank line and all headers should be before this. Absolutely everything after the blank line should be treated as the email body.
 
If you could please insert your headers where they should go, then our secondary filters (which are RFC compliant) will be able to pick up your X-SF headers perfectly well and these spam emails will be stopped.
 
I would like to thank you for a great product and await in anticipation for you to fix this obvious bug.
 
Cheers
 
 


Edited by StevenJohns - 26 March 2008 at 3:47pm
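
The parsing mismatch discussed in this thread, as an added example (not code from the forum participants or from LogSat): a downstream check that reads headers the RFC way and separately scans the first body block for header-like lines. The sample message is constructed from the one in the first post; the function names and the "tagged-in-body" label are assumptions.

```python
import re
from email import message_from_bytes

# Constructed sample, shortened from the message quoted in the thread.
RAW = (
    b"Received: from 192.0.2.69 by mx.example.test; Sat, 22 Mar 2008 21:40:39 +0000\r\n"
    b"From: sender@example.test\r\n"
    b"Subject: HURRY!!! GREAT OPPORTUNITY THAT CAN GIVE\r\n"
    b"Date: 22 Mar 2008 21:40:39 +0000\r\n"
    b"\r\n"  # premature blank line: per the RFC the body starts here
    b"US CHANCE TO EARN BIG. Join Now!!!\r\n"
    b"Mime-Version: 1.0\r\n"
    b"X-Rejection-Reason: 16 - 557 Your domain example.test does not have a valid\r\n"
    b" MX DNS record. Disconnecting...\r\n"
    b"X-SF-SPAM:Y\r\n"
    b"\r\n"
    b"<html>body</html>\r\n"
)

# Field name: printable ASCII except space and colon, followed by a colon.
HEADER_RE = re.compile(rb"^([!-9;-~]+):")

def rfc_headers(raw):
    """Header names a compliant parser sees: everything before the first blank line."""
    return [name.lower() for name in message_from_bytes(raw).keys()]

def stray_headers(raw):
    """Header-like lines between the first and second blank line (start of the body)."""
    lines = raw.splitlines()
    if b"" not in lines:
        return []
    found = []
    for line in lines[lines.index(b"") + 1:]:
        if not line:
            break  # end of the first body block
        m = HEADER_RE.match(line)
        if m:
            found.append(m.group(1).decode("ascii").lower())
    return found

def classify(raw, marker="x-rejection-reason"):
    """Report where the upstream filter's tag was found, if anywhere."""
    if marker in rfc_headers(raw):
        return "tagged"
    if marker in stray_headers(raw):
        return "tagged-in-body"  # tag landed after a premature blank line
    return "untagged"
```

A legitimate body can begin with header-like lines, so "tagged-in-body" is best kept as its own signal (for example, quarantine for review) rather than merged with "tagged".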