Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - spam passing filters
  FAQ FAQ  Forum Search   Register Register  Login Login

spam passing filters

 Post Reply Post Reply
Author
2CNL View Drop Down
Newbie
Newbie
Avatar

Joined: 09 May 2005
Location: Netherlands
Status: Offline
Points: 6
Post Options Post Options   Thanks (0) Thanks(0)   Quote 2CNL Quote  Post ReplyReply Direct Link To This Post Topic: spam passing filters
    Posted: 04 November 2008 at 7:43am
Still approx 6% of the spam is passing through the logsat filters.
Some of this spam is very obvious and the real pain is, even the outlook unwanted mail list is collecting them, but logsat is not. It seems all these mails are coming from the backup smtp server ( of our isp) i put on the greyrlistallowed .
Any thougths what can be the cause of this passed spam.

Remarkable, but not very creal what is the cause are the following figures.
total inbound connections server: 540.000
emails forwarded 26000
emails blocked 82000
email attempts 15000

is this normal behaviour?

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 04 November 2008 at 3:18pm
2CNL,

If you were to have Outlook's junk filter receive all of your emails rather than SpamFilter, you would see that much more than 6% of spam would slip thru. As SpamFilter will never be 100% accurate, some spam will go undetected. It is almost a certainty that another application can further stop some of this remaining spam.

The main issue here is that you have another SMTP server which is receiving and processing your incoming emails in addition to SpamFilter. SpamFilter *must* see the original IP of the sender to stop spam effectively. All of our most efficient filters require to see that IP in order to do their job and stop the spam. If your secondary server processes emails first, and then passes them on to SpamFilter, the only filters that can then check emails for spam are the Bayesian filter, the SURBL filter and your keyword (if you specified any). These filters will only stop a very small percentage of emails, and thus will not be able to noticeably stop spam being forwarded by your secondary SMTP server.

In regards to the numbers above, please do note that many connection attempts are just "probes" that don't result in emails to be sent. Furthermore, SpamFilter caches for a few minutes IPs that sent large amounts of spam in a certain timeframe, and further connection attempts from them are rejected without any emails being transferred. All these factors mean that the statistics are to be taken with a grain of salt, as the numbers will never add up, and in some cases there will be noticeable discrepancies.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
StevenJohns View Drop Down
Senior Member
Senior Member


Joined: 03 August 2006
Status: Offline
Points: 119
Post Options Post Options   Thanks (0) Thanks(0)   Quote StevenJohns Quote  Post ReplyReply Direct Link To This Post Posted: 05 November 2008 at 7:51am
Roberto,
 
As 2CNL have added the IP of their ISP's mail server to the greylistallowed, and they are using it as a backup MX, then I would have thought that SF could recieve the email, then check in the headers for the IP address which sent the email to the backup MX server....these IP's are inserted as the email passes every mail server, and I wouldn't have thought that their ISP would forge the headers.....
 
2CNL...
We have seen an increase in email slipping through SF (with no real answer as to why), but we pass our email through another two filter levels which normally pick up all of these emails. As a cheap method, you could pass emails from SF through SpamAssassin to see if it picks up the 6%, I bet it would as it checks the IP's in all the recieved headers which SF does not do (for some strange reason??).
 
 
www.internetmailservices.co.uk
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 05 November 2008 at 4:16pm
StevenJohns,

There's two main issues. The first is ours, and is caused by how SpamFilter applies its filters. All the IP-based filters are checked before the email is actually received, and are thus applied super-fast. If we were to check the IP in the headers as well, we'd have to receive the email as well and then go back and re-apply the IP filters. That will involve quite a bit of work... but as I said that's an internal matter
The second issue is that we've always made it a point since SpamFilter v1.0 six years ago of *not* checking the headers, as they can always be faked. For example, if SpamFilter were to check the IP in the last header, a spammer could add a fake header listing gmail's IP at the top of the email, and send it thru a host not yet IP-blacklisted. If the email is determined to be spam by the other filters, we risk blocking gmail's IP as well. There would have to be a lot of confusing if/then logic to determine what IPs are then reported as spammers and which not. An option would be to only check the last received header if the email has been received by a specific IP (the secondary MX server)...
We're going to do some brainstorming to see what can be done, as this subject is appearing more and more often recently.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
StevenJohns View Drop Down
Senior Member
Senior Member


Joined: 03 August 2006
Status: Offline
Points: 119
Post Options Post Options   Thanks (0) Thanks(0)   Quote StevenJohns Quote  Post ReplyReply Direct Link To This Post Posted: 06 November 2008 at 9:02am
Roberto,
 
I understand your issues as you have explained them and I can understand the reasons for checking the IP filters at TCP connection time. However, only a fool and his dog would only have one email server, so it stands to reason that everyone should have a backup Mx server, and some people might want that to be hosted be their ISP. This in turn means that we MUST have a way of filtering the emails which come through the backup MX.
As I said, we send our emails through SpamAssassin after SF specifically because SF does not scan the headers (we turn off all other Spam Assassin filters).
 
Still a good product, but I feel you may be hitting brick walls soon due to design desicions made years ago.
 
Cheers.
www.internetmailservices.co.uk
Back to Top
Bart View Drop Down
Newbie
Newbie
Avatar

Joined: 20 August 2008
Location: Holland
Status: Offline
Points: 18
Post Options Post Options   Thanks (0) Thanks(0)   Quote Bart Quote  Post ReplyReply Direct Link To This Post Posted: 06 November 2008 at 10:40am
I never realy read the license agreement but is it legal to install SpamFilterISP enterprise on a second machine to be used as fall-back server or do i have to purchase a second license for a server that is online there in case something goes wrong ?
 
I only have 1 server running now but have the same problem that fallback servers are a problem fighting spam
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 06 November 2008 at 5:49pm
Originally posted by StevenJohns StevenJohns wrote:

However, only a fool and his dog would only have one email server, so it stands to reason that everyone should have a backup Mx server, and some people might want that to be hosted be their ISP. This in turn means that we MUST have a way of filtering the emails which come through the backup MX.

Most admins who have multiple SMTP servers either have SpamFilter (or another product) running on their backup MX server as well, or use network load-balancing (ex. Cisco CSS switches, Windows load balancing, etc) to balance two servers behind a single IP (their primary MX record). We do have a growing number or admins however as yourself, who rely on their ISP to serve as their backup MX record. If the ISP is not running SpamFiltering, then the issues you bring up are indeed issues. We do always listen to everyone's feedback, which is partly why SpamFilter has become so powerful/flexible, as many many times we do implement user's request. We're evaluating this one to see how to proceed.


Originally posted by Bart Bart wrote:

I never realy read the license agreement but is it legal to install SpamFilterISP enterprise on a second machine to be used as fall-back server or do i have to purchase a second license for a server that is online there in case something goes wrong ?

SpamFilter requires a licens for every production server it is installed on. If the second server is used as a secondary MX record, or as a secondary server in a load-balance scenario, yes, a license is required on the 2nd server as well. If you have SpamFilter installed on a spare server, but the server does not process emails until you manually place it online, then in this case as it won't process emails until you manually intervene to replace your "down" server with this backup one, we will not require a second license.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
2CNL View Drop Down
Newbie
Newbie
Avatar

Joined: 09 May 2005
Location: Netherlands
Status: Offline
Points: 6
Post Options Post Options   Thanks (0) Thanks(0)   Quote 2CNL Quote  Post ReplyReply Direct Link To This Post Posted: 07 November 2008 at 2:43am
Robert,
 
Is it not possible to make a sort of doublecheckip entry in logsat ini file, combined with a filer, where the secondary SMTP server or other specific ip numbers are checked in the headerinfo.
I guess one of the reasons to not implement options like these is performance? If so, if it is only reserved for a sinlge or a few ip numbers the performance impactr would be less.
Just my 2c  ;)
 
 
 
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4066
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 07 November 2008 at 8:39am
That is *exactly* what we had in mind as well

We'll keep this thread updated if this is something that can be implemented in a reasonable amount of time.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
StevenJohns View Drop Down
Senior Member
Senior Member


Joined: 03 August 2006
Status: Offline
Points: 119
Post Options Post Options   Thanks (0) Thanks(0)   Quote StevenJohns Quote  Post ReplyReply Direct Link To This Post Posted: 07 November 2008 at 8:55am
Sounds like a good solution to me, PLEASE do NOT limit it to one IP though.....
 
Cheers
www.internetmailservices.co.uk
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.078 seconds.