Print Page | Close Window

SFDC blocking legitimate blackberry email

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6600
Printed Date: 21 October 2017 at 2:53am


Topic: SFDC blocking legitimate blackberry email
Posted By: hookjd
Subject: SFDC blocking legitimate blackberry email
Date Posted: 15 January 2009 at 12:02am
I've never seen a problem with SFDC before but this one is consistently happening to a specific sender trying to get email to one of my clients.  They are sending legitimate emails from their blackberry and the SFDC filter is blocking them every time.  It seems that the sophistication of the SFDC filter really ought to keep this from happening... but in reading it through it sounds like if this user has keywords or something in their signature that are getting blocked and then the hash is matching because he's sending through different blackberry servers... maybe that could be triggering it?

I'm not sure what I'm asking exactly, but just wondering if you've encountered issues with legit email coming from blackberry before. 

In addition, the "sender" of the email is always a really long string like this:

SRS0=imIkUf=5T=domain.com=username@srs.bis.na.blackberry.com

And its always different, so my client is unable to auto-whitelist this user.  I have had to turn off SFDC until I can understand better how to whitelist this user.



Replies:
Posted By: LogSat
Date Posted: 16 January 2009 at 2:47pm
hookjd, if you can please email us a sample email (we'll need the full, original source) that was blocked we can try to see what is happening. Please email it to us at support at logsat.com

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: hookjd
Date Posted: 16 January 2009 at 2:49pm
I won't be able to do that.  I had to just switch of SFDC for this domain.  The user sending email was more than upset and I can't really go back to them at this time.  Oh well.  If something else comes up that I can send you, I will try and do it.  Was mainly hoping you had seen this issue before.


Posted By: hookjd
Date Posted: 09 March 2009 at 12:59pm
This issue has come back up for me, so I am going to email you some content that I would love for you to evaluate.  It seems that when SFDC is on on any domain on my machine it is blocking most all blackberry email.


Posted By: LogSat
Date Posted: 09 March 2009 at 8:14pm
hookjd,

All the 5 email samples you forwarded us are "delivery receipts" sent to indicate that a message has been delivered. All their content is very similar, and since the SFDC filter is based on a common "hash" of similar messages, all these messages are being stopped at the same time.

They all look like:

Your message was delivered to the recipient.Original-Message-ID:1654183298
Final-Recipient:user@some_domain.com
Action:Delivered


Unfortunately this hash is very similar to one for a specific spam that is currently being sent, so it is being incorrectly blocked. The message however also appears to be barely surpassing a threshold we use to *not* block small emails, as the smaller the email the more likely it is to make mistakes in comparing similar contents. Please allow us a couple of days to better analyze this specific type of emails to see if there's anything we can do to prevent them from being stopped in the future.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: hookjd
Date Posted: 10 March 2009 at 2:54pm
Thanks very much.  I am wondering if they are using an odd setting because I don't think its just delivery receipts that are being blocked.  are the contents of the emails I sent you just that?  Or is that header information?  I understand from my clients that we are seeing this issue across all blackberry email.


Posted By: LogSat
Date Posted: 10 March 2009 at 4:51pm
If you'd like to send us more samples I'll be glad to double-check for you. All the ones you sent are indeed all 5 delivery receipts. I'm forwarding them to you via email in an .eml format, so you may use Outlook Express or Thunderbird to view them in a more user-friendly format for you to verify.
What triggers the SFDC filter in this case is the content of the email ("Your message was delivered to the recipient.").

We're trying to determine if the MIME boundary and the content type "delivery-status":

--part145653-boundary-1504910472-1556113981
Content-Type: message/delivery-status

Original-Message-ID:1654183298


are playing a part in this as well. We should find out more within a few hours.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: hookjd
Date Posted: 27 August 2009 at 1:25pm
This thread was from a while ago, but I continue to have issues with all delivery receipts that come from blackberrys getting blocked.  Have you discovered a way to work around this issue?


Posted By: LogSat
Date Posted: 30 August 2009 at 11:12pm
We've made some slight changes to the SFDC database to remove entries that are older than 3 days even in cases where emails with similar signatures are still being received, in the hope that this will remove some false positives.

Can you please let us know if these blackberry delivery receipts are still being blocked? If they still are, can you please zip and email us 3-4 of them (including the original, unmodified source) so we can see if they can be manually excluded from the SFDC filter?


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: mike
Date Posted: 25 September 2009 at 3:31am
Hi
 
I ma also have problems with this... one of my users has a blackberry and he keeps getting these:
 
Reporting-MTA: dns; smtp05.bis.eu.blackberry.com
Final-Recipient: rfc822;name@email.com
Action: failed
Status: 5.0.0 (permanent failure)
Remote-MTA: dns; [ipaddress]
Diagnostic-Code: smtp; 5.1.0 - Unknown address error 557-'The email content matches known spam signatures.' (delivery attempts: 0)
 
 
 

-----Original Message-----

From: Mail Delivery System

[mailto:blackberry_internet_services@bis.eu.blackberry.com]

Sent: 24 September 2009 12:56

To:

To: mailto:SRS0=i81fSm=FP=domain.co.uk=user@srs.bis.eu.blackberry.com - SRS0=i81fSm=FP=domain.co.uk=user@srs.bis.eu.blackberry.com
Subject: Delivery Status Notification (Failure)
 

The following message to <emailaddress> was undeliverable.

The reason for the problem:

5.1.0 - Unknown address error 557-'The email content matches known spam signatures.'



Posted By: LogSat
Date Posted: 25 September 2009 at 10:02pm
mike,

These rejections are very hard to track down, as the SFDC database is updated in realtime with the fingerprints of spam content being detected around the world at that time. Those signatures are kept in the SFDC database for a few days only, as when the spam that caused them slows down, they are automatically removed from the centralized SFDC database.

This said, do you have any of these rejected email samples stored in the quarantine database? If we have the *original* emails as they were received by SpamFilter, we will be able to reproduce their signature and see if we can prevent them from being stored in the SFDC.

If you do, can you please zip and email us 2-3 such samples to support at logsat.com?


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Print Page | Close Window