Print Page | Close Window

Why did this not get quarantined?

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6637
Printed Date: 17 December 2017 at 1:06am


Topic: Why did this not get quarantined?
Posted By: Straker
Subject: Why did this not get quarantined?
Date Posted: 20 March 2009 at 1:31pm
Here's the issue.  This message's header was clearly labeled spam (via DNSBL zen.spamhaus) by logsat, but it was forwarded to the email address anyway, and the log file shows no problem.  It should have been quarantined.

Header:
Quote
X-DN-ReceivedFileId: 1201fdba6cf_9KTF_9-0.eml
X-DN-Spam-Blacklisted-By-DNSBL: sbl-xbl.spamhaus.org (blacklisted sender IP was 87.30.11.157)
X-Spam-Flag: YES
Delivered-To: aaa@xxxxxx.org
Return-Path: <linguistics@mauthausen.nl>
Received: from 74.78.42.51 ([74.78.42.51])          by yyy.xxxxxx.com (DeskNow) with SMTP ID 899          for <aaa@xxxxxx.org>;            Fri, 20 Mar 2009 04:06:59 -0700 (PDT) Received: from 87.30.11.157 by mail2.xxxxxx.com (LogSat Software SMTP Server - Unlicensed Evaluation Copy) Fri, 20 Mar 2009 03:06:21 -0800 Message-ID: <49C36AA2.9874878@mauthausen.nl>
Date: Fri, 20 Mar 2009 10:06:18 +0000
From: Riles Dewolf <linguistics@mauthausen.nl>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0 To: aaa@xxxxxx.org
Subject: Better wang parameters!!
X-Server: LogSat Software SMTP Server - Unlicensed Evaluation Copy
X-SF-RX-Return-Path: <linguistics@mauthausen.nl>
X-SF-HELO-Domain: lifi.telecomitalia.it
Content-Type: multipart/alternative; 
  boundary="------------727860257652027228952426"


Log File:
Quote
03/20/09 03:06:19:428 -- (2560) Connection from: 87.30.11.157  -  Originating country : Italy
03/20/09 03:06:20:590 -- (2560) RCPT TO: aaa@xxxxxx.org accepted
03/20/09 03:06:21:391 -- (2560) EMail from linguistics@mauthausen.nl to aaa@xxxxxx.org passes Bayesian filter - 0% spam  (19ms)
03/20/09 03:06:21:761 -- (2560) EMail from linguistics@mauthausen.nl to aaa@xxxxxx.org was queued. Size: 1 KB, 1024 bytes
03/20/09 03:06:21:781 -- (2592) Sending email from linguistics@mauthausen.nl to aaa@xxxxxx.org
03/20/09 03:06:21:801 -- (1808) Time to add Msg to Bayes corpus:0
03/20/09 03:06:22:142 -- (2560) Disconnect
03/20/09 03:06:22:382 -- (2592) EMail from linguistics@mauthausen.nl to aaa@xxxxxx.org  was forwarded to mail.xxxxxx.org:25


Thanks.



Replies:
Posted By: LogSat
Date Posted: 20 March 2009 at 10:50pm
Staker,

Actually SpamFilter did not label the email as spam in the headers due to spamhaus. If that had happened, you would have seen an entry like the following:

X-Rejection-Reason: 12 - 521 The IP 87.30.11.157 is Blacklisted by sbl-xbl.spamhaus.org. http://www.spamhaus.org/query/bl?ip= 87.30.11.157 --

The entry you see in the headers:

X-DN-Spam-Blacklisted-By-DNSBL: sbl-xbl.spamhaus.org (blacklisted sender IP was 87.30.11.157)

was *not* added by SpamFilter.

The question is thus "why didn't SpamFilter check the spamhaus RBL blacklist? Could you then please check the "MAPS Servers" blacklist to ensure you have a list of valid MAPS RBL servers, with the correct trailing suffix (usually ",true") at the end? The list should look similar to the screenshot at:

http://www.logsat.com/sfi-spam-filter-screenshots/sfi-more-filtering-options.asp

If you are running SpamFilter ISP "standard" instead of Enterprise, the tab should also contain a valid path+filename to store the list of servers.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Straker
Date Posted: 21 March 2009 at 5:09pm
The only MAPS Server I have listed is:

zen.spamhaus.org, true

and the checkbox for "Do not quarantine rejected emails from this blacklist" is UNCHECKED.

Spamhaus is detecting that IP address as blacklisted.  but for some reason, it appears that SpamFilter did not check spamhaus even though its listed in my MAPS server list.

My email server (where SpamFilter forwarded the message to) must have flagged the header, after it checked spamhaus (notice the "sbl-xbl" subdomain instead of the now recommended "zen"). hmmm.....

I am running SpamFilter standard




Posted By: LogSat
Date Posted: 22 March 2009 at 11:02pm
Could you please zip and email us (at support at logsat.com) the section of SpamFilter's activity logfile for the 20th, from 2AM to 4AM, so we can take a look? Please also include your SpamFilter.ini file and the entire \SpamFilter\Domains directory structure. We don't see other test being performed either, the most likely cause at this point indicating an issue with your DNS server(s). With this data we should be able to find out more info on what is happening.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Print Page | Close Window