Print Page | Close Window

Keyword blacklist not working

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
Printed Date: 23 March 2018 at 3:23am

Topic: Keyword blacklist not working
Posted By: hartsockt
Subject: Keyword blacklist not working
Date Posted: 23 June 2009 at 10:56am
A group of text (non-html) messages are not being blocked by the blacklist keyword filter.  I have "ttys cutie" in the Blacklist Keyword Filter list and the following is the headers of one of the messages that are getting through:

Received: from ([]) by with MailEnable ESMTP; Mon, 22 Jun 2009 19:51:21 -0700
Message-ID: <>
Date: Tue, 23 Jun 2009 02:51:09 GMT
From: Wilma <>
User-Agent: Thunderbird (Windows/20080213)
MIME-Version: 1.0
To: <>
Subject: oh wow. ur really REALLY cute
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Received-SPF: fail ( domain of does not designate as permitted sender)
X-ME-Bayesian: 21.814562
NoMEFiltering: NoMEFiltering
Return-Path: <>
X-Antivirus: AVG for E-mail 8.5.372 [270.12.88/2196]

The text (as displayed by Outlook 2007) is as follows:

< ="-" ="text/; =utf-8">< name="ProgId" ="Word.">< name="Generator" ="Microsoft Word 12">< name="Originator" ="Microsoft Word 12"> file:///C:%5CDOCUME%7E1%5CTom%5CLOCALS%7E1%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_filelist.xml - file:///C:%5CDOCUME%7E1%5CTom%5CLOCALS%7E1%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_themedata.thmx - file:///C:%5CDOCUME%7E1%5CTom%5CLOCALS%7E1%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_colorschememapping.xml - <>


- hai there, my friend think ur REALLY REALLY cute ok. im just trying to hook yall up. ADD her on MSN messenger and talk to her!! her name is


- my MSN name is -


ttys cutie :-*


Three things I'm confused about. 

First, I've searched 20090622.log for the originating ip address ""and it's not found.  Why?  I thought mail might be going to our mail server first and then getting to the spam filter server.  But the mx record for is pointed to the spam filter server.

Second, why does the header:
"Received-SPF: fail ( domain of does not designate as permitted sender) client-ip="
indicate that (which is the primary domain on our mail server) is a domain of  Perhaps that's the whole reason this is spam.

And Third, why aren't these (text) messages being blocked when "ttys cutie" is in the blacklist keyword filter list?

Thank you,


Posted By: LogSat
Date Posted: 23 June 2009 at 7:59pm

It appears that SpamFilter did not process this email, as all the headers that SpamFilter would normally add to the email are missing. SpamFilter will always add a “Received” header in the email to indicate that it has processed it. In addition, it adds several “X-SF-” headers like the following:

Received: from by (LogSat Software SMTP Server); Wed, 14 Nov 2007 09:52:21 -0500
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <>

If these headers are not present in the email, the email was not processed by SpamFilter (which is confirmed by the fact you did not find it in the logs).

Please also note that while your MX record is indeed pointing to (running SpamFilter), the A record for your domain points to, which I see is running MailEnable and is listening for SMTP traffic. Spammers *will* send emails directly to your A server as well, and if it running an unprotected SMTP server, as you've seen, you will receive spam sent directly to that IP as well.

The SPF filter in SpamFilter would have blocked this email (if you had enabled). However as it was processed by your MailEnable, I'm not sure what kind of settings you have configured for it.

As a side-note, please note that Outlook will completely change the source of the email. So even if SpamFilter had processed that specific spam, it's possible the keyword would not have triggered as the email's source was very possibly different as rendered by Outlook (even Outlook's "show source" is useless here, it will only show the html source, which is *not* the same as the email source).

Roberto Franceschetti" rel="nofollow - LogSat Software" rel="nofollow - Spam Filter ISP

Posted By: hartsockt
Date Posted: 23 June 2009 at 8:07pm
So, would a typical configuration of a mail server be to only accept mail (for this particular domain) from the server running SpamFilter?  Would this solve this issue?


Posted By: LogSat
Date Posted: 24 June 2009 at 10:13pm
When implementing a spam filtering solution, usually the "real" mail server(s) are not accessible from the internet (or at least they are not accepting SMTP traffic on port 25). All inbound emails from the internet are processed by the spam filtering software, which then forwards them to the real SMTP server.

In some installations (ISPs are the typical example) there is the need to allow users the ability to send their emails from home or while traveling. In these cases, users are usually instructed to configure SMTP authentication in their email client settings for their "Outgoing SMTP Server", as authenticated users can then be allowed to use a mail server for relay. In these cases, if the existing SMTP server does not support SMTP Authentication (most mail servers nowdays do), SpamFilter can also help as we do support SMTP AUTH via Active Directory, LDAP, or via Unix-style password files.

Roberto Franceschetti" rel="nofollow - LogSat Software" rel="nofollow - Spam Filter ISP

Print Page | Close Window