Spam Filter ISP Support Forum


Keyword blacklist not working

hartsockt (Newbie)


Joined: 31 May 2009
Location: Arizona
    Posted: 23 June 2009 at 10:56am
A group of text (non-html) messages are not being blocked by the blacklist keyword filter. I have "ttys cutie" in the Blacklist Keyword Filter list and the following are the headers of one of the messages that are getting through:

Received: from CL210-201-220-199.static.apol.com.tw ([210.201.220.199]) by micronettechnicalservices.net with MailEnable ESMTP; Mon, 22 Jun 2009 19:51:21 -0700
Message-ID: <4A40431D.1025126@webtv.net>
Date: Tue, 23 Jun 2009 02:51:09 GMT
From: Wilma <WilmaStarnes38@webtv.net>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: <tomh@micronetservices.com>
Subject: oh wow. ur really REALLY cute
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Received-SPF: fail (micronettechnicalservices.net: domain of webtv.net does not designate 210.201.220.199 as permitted sender)
    client-ip=210.201.220.199
X-ME-Bayesian: 21.814562
NoMEFiltering: NoMEFiltering
Return-Path: <WilmaStarnes38@webtv.net>
X-Antivirus: AVG for E-mail 8.5.372 [270.12.88/2196]




The text (as displayed by Outlook 2007) is as follows:

 

hai there, my friend think ur REALLY REALLY cute ok. im just trying to hook yall up. ADD her on MSN messenger and talk to her!! her name is

 

my MSN name is sheldenmalleingerin98@live.com

 

ttys cutie :-*

 


Three things I'm confused about. 

First, I've searched 20090622.log for the originating ip address "210.201.220.199" and it's not found. Why? I thought mail might be going to our mail server first and then getting to the spam filter server. But the mx record for micronetservices.com is pointed to the spam filter server.

Second, why does the header:
"Received-SPF: fail (micronettechnicalservices.net: domain of webtv.net does not designate 210.201.220.199 as permitted sender) client-ip=210.201.220.199"
indicate that micronettechnicalservices.net (which is the primary domain on our mail server) is a domain of webtv.net?  Perhaps that's the whole reason this is spam.

And Third, why aren't these (text) messages being blocked when "ttys cutie" is in the blacklist keyword filter list?

Thank you,

Tom

LogSat (Admin Group)

Joined: 25 January 2005
Location: United States
Posted: 23 June 2009 at 7:59pm
hartsockt,

It appears that SpamFilter did not process this email, as all the headers that SpamFilter would normally add to the email are missing. SpamFilter will always add a “Received” header in the email to indicate that it has processed it. In addition, it adds several “X-SF-” headers like the following:

Received: from 62.2.138.178 by mail2.netwide.net (LogSat Software SMTP Server); Wed, 14 Nov 2007 09:52:21 -0500
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <some_user@gmail.com>
X-SF-HELO-Domain: gmail.com
X-SF-Originating-IP: 62.24.133.278

If these headers are not present in the email, the email was not processed by SpamFilter (which is confirmed by the fact you did not find it in the logs).

Please also note that while your MX record is indeed pointing to 98.190.128.61 (running SpamFilter), the A record for your domain points to 98.190.128.60, which I see is running MailEnable and is listening for SMTP traffic. Spammers *will* send emails directly to your A server as well, and if it is running an unprotected SMTP server, as you've seen, you will receive spam sent directly to that IP as well.

The SPF filter in SpamFilter would have blocked this email (if you had enabled it). However as it was processed by your MailEnable, I'm not sure what kind of settings you have configured for it.

As a side-note, please note that Outlook will completely change the source of the email. So even if SpamFilter had processed that specific spam, it's possible the keyword would not have triggered as the email's source was very possibly different as rendered by Outlook (even Outlook's "show source" is useless here, it will only show the html source, which is *not* the same as the email source).
Roberto Franceschetti

LogSat Software

Spam Filter ISP
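
The header check described in the reply above, as an added example that is not part of the original thread and not LogSat's code: it reports whether a message carries SpamFilter's `Received` marker or any `X-SF-` header and which client handed it to the first hop. The function name and report fields are assumptions; the sample headers are the ones quoted in this thread, with constructed bodies.

```python
import re
from email import message_from_string

# Markers taken from the SpamFilter headers quoted in the reply above.
FILTER_RECEIVED_MARKER = "logsat software smtp server"
FILTER_HEADER_PREFIX = "x-sf-"

# Matches "from <helo> ([ip]) by <host>" and "from <ip> by <host>".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\(\[(?P<ip>[0-9.]+)\]\))?\s+by\s+(?P<by>\S+)", re.I)

def audit_headers(raw_message):
    """Report whether a message carries the filter's trace headers."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append({"client": m.group("ip") or m.group("helo"), "by": m.group("by"),
                         "is_filter": FILTER_RECEIVED_MARKER in flat.lower()})
    sf_headers = [k for k in msg.keys() if k.lower().startswith(FILTER_HEADER_PREFIX)]
    passed = bool(sf_headers) or any(h["is_filter"] for h in hops)
    # MTAs prepend Received headers, so the last one listed is the first hop.
    return {"passed_filter": passed, "sf_headers": sf_headers,
            "first_hop": hops[-1] if hops else None}

# Headers from the question (body constructed): delivered straight to MailEnable.
BYPASSED = """\
Received: from CL210-201-220-199.static.apol.com.tw ([210.201.220.199]) by micronettechnicalservices.net with MailEnable ESMTP; Mon, 22 Jun 2009 19:51:21 -0700
Subject: oh wow. ur really REALLY cute

constructed body
"""

# Example headers from the reply (body constructed): processed by SpamFilter.
FILTERED = """\
Received: from 62.2.138.178 by mail2.netwide.net (LogSat Software SMTP Server); Wed, 14 Nov 2007 09:52:21 -0500
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <some_user@gmail.com>
X-SF-HELO-Domain: gmail.com
X-SF-Originating-IP: 62.24.133.278

constructed body
"""

if __name__ == "__main__":
    for name, raw in (("bypassed", BYPASSED), ("filtered", FILTERED)):
        print(name, audit_headers(raw))
```

A missing trace is a dependable sign the filter was bypassed. A present trace proves filtering only when the backend accepts SMTP solely from the filter, because a sender who can reach the backend directly can write these headers into the message.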

hartsockt (Newbie)


Joined: 31 May 2009
Location: Arizona
Posted: 23 June 2009 at 8:07pm
So, would a typical configuration of a mail server be to only accept mail (for this particular domain) from the server running SpamFilter?  Would this solve this issue?

Thanks

LogSat (Admin Group)

Joined: 25 January 2005
Location: United States
Posted: 24 June 2009 at 10:13pm
When implementing a spam filtering solution, usually the "real" mail server(s) are not accessible from the internet (or at least they are not accepting SMTP traffic on port 25). All inbound emails from the internet are processed by the spam filtering software, which then forwards them to the real SMTP server.

In some installations (ISPs are the typical example) there is the need to allow users the ability to send their emails from home or while traveling. In these cases, users are usually instructed to configure SMTP authentication in their email client settings for their "Outgoing SMTP Server", as authenticated users can then be allowed to use a mail server for relay. In these cases, if the existing SMTP server does not support SMTP Authentication (most mail servers nowadays do), SpamFilter can also help as we do support SMTP AUTH via Active Directory, LDAP, or via Unix-style password files.
Roberto Franceschetti

LogSat Software

Spam Filter ISP