
Why does it NOT filter out *.eml?

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5048
Printed Date: 22 October 2017 at 8:07am


Topic: Why does it NOT filter out *.eml?
Posted By: Guests
Subject: Why does it NOT filter out *.eml?
Date Posted: 07 February 2005 at 11:07am

I set up all the attachment filters. *.eml is in there too, but a user just received an email with a *.eml attachment within which there are a few other files.

Why does the Spamfilter not filter out *.eml? It does its work on all other file types.




Replies:
Posted By: LogSat
Date Posted: 07 February 2005 at 5:30pm
SpamFilter will only stop attachments in the body of the email. If an email has an attached message which in turn has another attachment, the second level attachment will not be detected. Could you either post or email us the full headers of the email that was allowed thru, along with a copy of SpamFilter's logfile for that day (or better, just the relevant section at around the time this happened) so we can try to find out what happened?

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: chinabee
Date Posted: 08 February 2005 at 9:57am

Header:

Microsoft Mail Internet Headers Version 2.0
Received: from smtp.mycompany.com ([172.11.13.84]) by houston1.mycompany.com with Microsoft SMTPSVC(5.0.2195.6713);
  Tue, 8 Feb 2005 08:43:42 -0600
Received: from brantford01.mycompany.com ([172.11.1.80])
 by smtp.mycompany.com (SAVSMTP 3.0.0.44) with SMTP id M2005020808434118662
 for <don@mycompany.com>; Tue, 08 Feb 2005 08:43:41 -0600
Received: (from webmail [172.11.1.200])
 by brantford01.mycompany.com (SMSSMTP 4.0.0.59) with SMTP id M2005020809370413191
 for <don@mycompany.com>; Tue, 08 Feb 2005 09:37:04 -0500
Received: from 68.142.200.103 by  (LogSat Software SMTP Server) Tue, 8 Feb 2005 09:43:41 -0500
Received: (qmail 5074 invoked by uid 60001); 8 Feb 2005 14:43:31 -0000
Comment: DomainKeys? See http://antispam.earthlink.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=earthlink.com;
  b=xouZf+ta1XiQJwy9DYgH5lcP6SUSJd+pI2ZgYGFVdnUCMQyba/jTXhKHKR k2x0x6hrwtNVHCg2ifpunXwZYYwYC20Z9DC9vPDlFaHZu7omoumYiNcaQMXR nz6WePBNvlV2hGLCf/09GMbLGDVuPDZKMzM4E+9nePw3EKlaQun5k=  ;
Message-ID: <20050208144331.5072.qmail@web30310.mail.mud.earthlink.com>
Received: from [13.119.22.244] by web30310.mail.mud.earthlink.com via HTTP; Tue, 08 Feb 2005 06:43:31 PST
Date: Tue, 8 Feb 2005 06:43:31 -0800 (PST)
From: Chinabee <chinabee@earthlink.com>
Reply-To: chinabee@earthlink.com
Subject: test attached email
To: don@mycompany.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-415394763-1107873811=:4989"
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <chinabee@earthlink.com>
Return-Path: chinabee@earthlink.com
X-OriginalArrivalTime: 08 Feb 2005 14:43:42.0250 (UTC) FILETIME=[958E48A0:01C50DEC]

--0-415394763-1107873811=:4989
Content-Type: multipart/alternative; boundary="0-248409919-1107873811=:4989"

--0-248409919-1107873811=:4989
Content-Type: text/plain; charset=us-ascii

--0-248409919-1107873811=:4989
Content-Type: text/html; charset=us-ascii


--0-248409919-1107873811=:4989--
--0-415394763-1107873811=:4989
Content-Type: message/rfc822

Received: from [66.32.48.192] by web12108.mail.earthlink.com via HTTP; Mon, 13 Dec 2004 09:06:34 PST
Date: Mon, 13 Dec 2004 09:06:33 -0800 (PST)
From: Chinabee <chinabee@earthlink.com>
Reply-To: chinabee@earthlink.com
Subject: Legality of Self-defense at Home
To: prashantmalik@dogmail.com, suhrid@earthlink.com,

MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-985010455-1102957593=:62891"
Content-Length: 792

--0-985010455-1102957593=:62891
Content-Type: text/plain; charset=us-ascii

--0-985010455-1102957593=:62891
Content-Type: text/html; charset=us-ascii


--0-985010455-1102957593=:62891--

--0-415394763-1107873811=:4989--
------------------------------------------------------------ -----

Logfile

02/08/05 09:43:40:057 -- (2268) Connection from: 68.142.200.103  -  Originating country : United States
02/08/05 09:43:40:369 -- (2268) Resolving 68.142.200.103 - web30310.mail.mud.earthlink.com
02/08/05 09:43:40:541 -- (2268) Mail from: chinabee@earthlink.com
02/08/05 09:43:40:963 -- (2268) - MAPS search done...
02/08/05 09:43:40:963 -- (2268) RCPT TO: don@mycompany.com accepted
02/08/05 09:43:41:197 -- (2268) EMail from chinabee@earthlink.com to don@mycompany.com passes Bayesian filter - 0% spam  (16ms)
02/08/05 09:43:41:213 -- (2268) EMail from chinabee@earthlink.com to don@mycompany.com was queued. Size: 2 KB, 2048 bytes
02/08/05 09:43:41:213 -- (2208) Sending email from chinabee@earthlink.com to don@mycompany.com
02/08/05 09:43:41:260 -- (1456) Time to add Msg to Bayes corpus:0
02/08/05 09:43:41:322 -- (2268) Disconnect
02/08/05 09:43:41:572 -- (2208) EMail from chinabee@earthlink.com to don@mycompany.com   was forwarded to 172.11.1.80:25

 



Posted By: LogSat
Date Posted: 08 February 2005 at 11:55pm
From your headers we did not see any *.eml attachments. Usually attachments are in the form:

------=_NextPart_000_001A_01C31BA7.813E2D90
Content-Type: application/pdf;
    name="print job.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="print job.pdf"


Can you check the rest of the email's source to see if you spot the eml file name somewhere else? Please note that again SpamFilter will not recurse thru the messages if the "outer" message has other messages attached to it.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: chinabee
Date Posted: 09 February 2005 at 10:00am

I know that, but those eml attachments do appear as attachments in Outlook.

I am actually using the Spamfilter as an antivirus tool. I have it drop every type of attachment that can possibly carry a virus. In this case, the eml attachment was not seen by the SpamFilter. As you said, it does not appear as an attachment.

This is not really a big problem for me as I have antivirus for gateway sitting behind the Spamfilter to scan inside every email. It just surprised me that it did not do what I think it should do.



Posted By: LogSat
Date Posted: 09 February 2005 at 1:47pm
If you can zip us the original email (full source and headers) at support@logsat.com we can try to see if we spot a problem.

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: chinabee
Date Posted: 11 February 2005 at 11:03am

You can do that yourself. Just go to Yahoo Mail and forward any email to another email address.

I actually pasted everything from that email here.



Posted By: Desperado
Date Posted: 11 February 2005 at 11:58am

This is interesting because I had to REMOVE *.eml from my blocked attachment list because it WAS blocking a lot of forwards from services like hotmail.

Dan S.



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: LogSat
Date Posted: 11 February 2005 at 4:17pm
As I mentioned before, please look at the source carefully. There is *no* email attachment with the extension .eml in the email from yahoo if sent as you described. The attachment is simply an inline MIME content, of type "message/rfc822".

If you receive such a message with Outlook Express, it is *Outlook* that converts the MIME attachment into an eml attachment so Outlook itself can read it. If you had tried using Microsoft Outlook (not Outlook Express) you would have seen that the attachment is not an eml, but something else. Other email clients will massage inline messages in different ways.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
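
The point made in the replies above, as an added example in Python that is not part of the thread and not SpamFilter's code: a filename filter that looks only at the outer message's parts never sees an attachment carried inside an inline message/rfc822 part, while a recursive walk of the MIME tree does. The message, addresses, file name and blocklist patterns are constructed for illustration.

```python
import fnmatch
from email import message_from_string
BLOCKED = ["*.eml", "*.exe", "*.scr"]  # assumed blocklist patterns

# Constructed sample: inline message/rfc822 part with an attachment inside it.
SAMPLE = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset=us-ascii

see forwarded message
--outer
Content-Type: message/rfc822

From: other@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="setup.exe"

constructed placeholder body
--inner--
--outer--
"""
MSG = message_from_string(SAMPLE)

def is_blocked(name):
    return any(fnmatch.fnmatch(name.lower(), pat) for pat in BLOCKED)

def top_level_hits(msg):
    """Filename check on the outer message's direct parts only."""
    parts = msg.get_payload() if msg.is_multipart() else [msg]
    return [p.get_filename() for p in parts if is_blocked(p.get_filename() or "")]

def recursive_scan(msg, depth=0):
    """Walk the whole MIME tree, descending into embedded messages."""
    name, found = msg.get_filename(), []
    if msg.get_content_type() == "message/rfc822":
        found.append((depth, "embedded-message", name))
    elif name and is_blocked(name):
        found.append((depth, "blocked-filename", name))
    for sub in (msg.get_payload() if msg.is_multipart() else []):
        found += recursive_scan(sub, depth + 1)
    return found
```

Embedded messages are reported as their own category rather than matched against `*.eml`, since the part carries no file name at all and, as noted in the thread, rejecting every embedded message also stops ordinary forwards.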


