Print Page | Close Window

spam are getting through

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6742
Printed Date: 23 October 2017 at 5:47am


Topic: spam are getting through
Posted By: Stupid
Subject: spam are getting through
Date Posted: 01 September 2009 at 5:43pm
Could anybody shine some light on this. how can I stop this spam? have seen a lot like this lately.

---
09/01/09 10:02:27:819 -- (5424) Connection from: 69.28.57.201  -  Originating country : United States
09/01/09 10:02:28:194 -- (5424) Received MAIL FROM: <KimBeaver@photopath.net>
09/01/09 10:02:28:381 -- (5424) Received RCPT TO: joe.rochester@mycompany.com
09/01/09 10:02:28:412 -- (5424) Resolving 69.28.57.201 - web201.lightningjetdns.com
09/01/09 10:02:28:850 -- (5424) - SPF analysis for photopath.net done: - none
09/01/09 10:02:28:850 -- (5424) Mail from: KimBeaver@photopath.net
09/01/09 10:02:34:756 -- (5424) DNS Error:TimedOut
09/01/09 10:02:35:115 -- (5424) - MAPS search done...
09/01/09 10:02:35:115 -- (5424) RCPT TO: joe.rochester@mycompany.com accepted
09/01/09 10:02:35:506 -- (5424) Checking SFDC
09/01/09 10:02:35:694 -- (5424) Hash cache - Added OK
09/01/09 10:02:36:647 -- (5424) EMail from KimBeaver@photopath.net to joe.rochester@mycompany.com passes Bayesian filter - 0% spam  (16ms)
09/01/09 10:02:36:647 -- (5424) Checking SURBL
09/01/09 10:02:36:756 -- (5424) Starting queueing procedures
09/01/09 10:02:36:756 -- (5424) EMail from KimBeaver@photopath.net to joe.rochester@mycompany.com was queued. Size: 1 KB, 1024 bytes
09/01/09 10:02:36:756 -- (5424) Starting bayesian procedures
09/01/09 10:02:37:006 -- (5424) Disconnect




Replies:
Posted By: Stupid
Date Posted: 01 September 2009 at 5:44pm
this is version 4.0.0.772


Posted By: LogSat
Date Posted: 01 September 2009 at 8:37pm
From the log entries we see that at least  a couple of filters are not being applied. Please see the following sample entry showing the filters being applied (to a clean email):

09/01/09 20:26:25:881 -- (1844) Connection from: 192.168.167.131  -  Originating country : N/A
09/01/09 20:26:26:006 -- (1844) Received MAIL FROM: <spam@test.logsat.com>
09/01/09 20:26:26:006 -- (1844) Received RCPT TO: test@logsat.com
09/01/09 20:26:26:241 -- (1844) - SPF analysis for test.logsat.com done: - none
09/01/09 20:26:26:241 -- (1844) Mail from: spam@test.logsat.com
09/01/09 20:26:26:662 -- (1844) - MAPS search done... 
09/01/09 20:26:26:662 -- (1844) RCPT TO: test@logsat.com accepted
09/01/09 20:26:26:741 -- (1844) Checking SFDC
09/01/09 20:26:27:100 -- (1844) SFDC - Added 192.168.167.131 - Response: Error=0
09/01/09 20:26:27:100 -- (1844) EMail from spam@test.logsat.com to test@logsat.com passes Bayesian filter - 0% spam  (0ms)
09/01/09 20:26:27:100 -- (1844) Checking SURBL
09/01/09 20:26:27:100 -- (1844) Checking URLs in emails against MAPS
09/01/09 20:26:27:100 -- (1844) - URLs In MAPS search done... 
09/01/09 20:26:27:100 -- (1844) Start virus scan
09/01/09 20:26:27:131 -- (1844) Starting queueing procedures
09/01/09 20:26:27:256 -- (1844) Disconnect

The entry in red above shows the MAPS filter being tested. This filter is the one that on average catches the most spam. Judging from your logs, it seems that the DNS error:

09/01/09 10:02:34:756 -- (5424) DNS Error:TimedOut
09/01/09 10:02:35:115 -- (5424) - MAPS search done... 

Occurred while querying your DNS server for the MAPS RBL filter requests. The DNS timeout from the dns server likely means that none of the MAPS tests were performed, thus skipping one of the most important filter tests.
If the DNS errors are common/frequent, you are likely receiving tons of spam as again, the MAPS filter, along with the SFDB and the reverse DNS filter, are the most effective filters SpamFilter uses.

The entry in blue above is a new feature in the latest SpamFilter 4.1, which allows SpamFilter to resolve URLs embedded in emails to IP addresses, which are then in turn checked agains the MAPS RBL servers to see if they are used for spam-related purposes (this again requires a functioning DNS server).


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Stupid
Date Posted: 02 September 2009 at 9:23am
What MAPS RBL servers do you suggest me to use? I have these but it seems the first one does not return any IP address while the rest do.

sbl-xbl.spamhaus.org, true
bl.spamcop.net, true
xbl.spamhaus.org, true
sbl.spamhaus.org, true
dnsbl.njabl.org, true
sbl.spamhaus.org, true
vox.schpider.com, true
relays.mail-abuse.org, true
dialups.mail-abuse.org, true
blackholes.easynet.nl, true
blackholes.wirehub.net, true



Posted By: Stupid
Date Posted: 02 September 2009 at 10:19am
I looked up zen.spamhaus.org on www.network-tools.com and it does not return any IP address either, nor does nslookup on the spamfilter server.

I put bl.spamcop.net on the first, but still getting DNS error.

I upgraded to 4.1.2.815 version, but still getting DNS error. What could be the cause? I really don't anything wrong with my DNS server as all of us are using it to browse Internet, send emails and perform Active Directory tasks. would you shine some light on this?

09/02/09 09:49:48:014 -- (7012) Detected TCP Connection: 72.32.66.29
09/02/09 09:49:48:030 -- (7012) Connection from: 72.32.66.29  -  Originating country : United States
09/02/09 09:49:48:186 -- (7012) Received MAIL FROM: <bounces@sm.b2bportales.com>
09/02/09 09:49:48:374 -- (7012) Received RCPT TO: contact@mycompany.com
09/02/09 09:49:48:608 -- (7012) Resolving 72.32.66.29 - sm.b2bportales.com
09/02/09 09:49:49:061 -- (7012) found SPF record for sm.b2bportales.com: v=spf1 ip4:72.32.66.29 -all
09/02/09 09:49:49:061 -- (7012) SPF query result: pass
09/02/09 09:49:49:061 -- (7012) - SPF analysis for sm.b2bportales.com done: - pass
09/02/09 09:49:49:061 -- (7012) Mail from: bounces@sm.b2bportales.com
09/02/09 09:49:54:202 -- (7012) DNS Error:TimedOut
09/02/09 09:49:54:639 -- (7012) - MAPS search done...
09/02/09 09:49:54:639 -- (7012) RCPT TO: contact@mycompany.com accepted
09/02/09 09:49:54:733 -- (7012) Checking SFDC
09/02/09 09:49:54:921 -- (7012) Hash cache - Added OK
09/02/09 09:49:59:296 -- (7012) EMail from bounces@sm.b2bportales.com to contact@mycompany.com passes Bayesian filter - 0% spam  (46ms)
09/02/09 09:49:59:296 -- (7012) Checking SURBL
09/02/09 09:49:59:577 -- (7012) Checking URLs in emails against MAPS
09/02/09 09:49:59:577 -- (7012) Resolving for URLsInMAPS: sm.b2bportales.com
09/02/09 09:50:04:592 -- (7012) DNS Error:TimedOut
09/02/09 09:50:04:592 -- (7012) Resolving for URLsInMAPS: www.b2bportales.com
09/02/09 09:50:09:827 -- (7012) DNS Error:TimedOut
09/02/09 09:50:10:249 -- (7012) Resolving for URLsInMAPS: www.plastico.com
09/02/09 09:50:15:530 -- (7012) DNS Error:TimedOut
09/02/09 09:50:15:921 -- (7012) Resolving for URLsInMAPS: sm.b2bportales=
09/02/09 09:50:15:952 -- (7012) Error occurred during URLsInMAPS: DNS Server Reports Query Name Error
09/02/09 09:50:15:952 -- (7012) Resolving for URLsInMAPS: www.pla=
09/02/09 09:50:15:999 -- (7012) Error occurred during URLsInMAPS: DNS Server Reports Query Name Error
09/02/09 09:50:15:999 -- (7012) Resolving for URLsInMAPS: sm.b2bpo=
09/02/09 09:50:16:046 -- (7012) Error occurred during URLsInMAPS: DNS Server Reports Query Name Error
09/02/09 09:50:16:046 -- (7012) - URLs In MAPS search done...
09/02/09 09:50:16:061 -- (7012) Starting queueing procedures
09/02/09 09:50:16:077 -- (7012) EMail from bounces@sm.b2bportales.com to contact@mycompany.com was queued. Size: 5 KB, 5120 bytes
09/02/09 09:50:16:077 -- (7012) Starting bayesian procedures
09/02/09 09:50:18:717 -- (7012) Disconnect




Posted By: LogSat
Date Posted: 02 September 2009 at 4:19pm
Unfortunately the DNS timeouts are usually indeed caused by the DNS servers that SpamFilter was configured to use.

You can verify this by opening an MSDOS prompt on the server running SpamFilter, and issuing the following commands in bold (replacing 192.168.2.1 with the IP address of your DNS server). Repeat the command in red 4-5 times. If you receive the 127.0.0.2 result in blue for each time, the DNS server is responding correctly at that time. If you instead receive timeouts, they are likely indicating issues with the DNS server.


c:\>nslookup
> server 192.168.2.1
Default server: 192.168.2.1
Address: 192.168.2.1#53
>  53.208.32.80.bl.spamcop.net
Server:         192.168.2.1
Address:        192.168.2.1#53

Non-authoritative answer:
Name:    53.208.32.80.bl.spamcop.net
Address: 127.0.0.2



-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Stupid
Date Posted: 02 September 2009 at 5:53pm
Done that already. Didn't see anything wrong. here's mine:

Default Server:  renlive.mycompany.com
Address:  192.168.3.84

> bl.spamcop.net
Server:  renlive.mycompany.com
Address:  192.168.3.84

Name:    bl.spamcop.net
Address:  204.15.82.19

> zen.spamhaus.org
Server:  renlive.mycompany.com
Address:  192.168.3.84

Name:    zen.spamhaus.org

> 53.208.32.80.bl.spamcop.net
Server:  renlive.mycompany.com
Address:  192.168.3.84

Non-authoritative answer:
Name:    53.208.32.80.bl.spamcop.net
Address:  127.0.0.2


Posted By: LogSat
Date Posted: 02 September 2009 at 7:24pm
Could you please zip and email us your:
SpamFilter.ini file
SpamFilter's activity logfile for about 1 hour worth of emails
The text file that contains the list of your MAPS servers

So we can take a better look?


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Stupid
Date Posted: 03 September 2009 at 9:17am
emails sent, Roberto.


Posted By: LogSat
Date Posted: 03 September 2009 at 5:06pm
Got it. Here's what we see.
From your logs, the SPF queries are working just fine, which confirms what you say in that the DNS server is working correctly.
We moved then onto the MAPS RBL list, and we see some issues there.

This is your current list:

http://bl.spamcop.net/ - - , true

http://xbl.spamhaus.org/ - - , true

http://sbl.spamhaus.org/ - - , true

http://dnsbl.njabl.org/ - - , true

http://sbl.spamhaus.org/ - - , true

http://vox.schpider.com/ - - , true

http://relays.mail-abuse.org/ - - , true

http://dialups.mail-abuse.org/ - - , true

http://blackholes.easynet.nl/ - - , true

http://blackholes.wirehub.net/ - - , true

http://sbl-xbl.spamhaus.org/ - - , true

http://sbl-xbl.spamhaus.org/ - - , true


I crossed out lists that are currently not responding to queries, and are thus causing dns timeouts when trying to reach them. In addition, I've marked in red lists that can be combined into a single list:
zen.spamhaus.org
that combines the databases of the individual lists specified by the individual MAPS RBL servers in red.

I'd thus recommend you modify your list as follows:

http://bl.spamcop.net/ - , true

zen http://xbl.spamhaus.org/ - , true

http://dnsbl.njabl.org/ - , true

http://relays.mail-abuse.org/ - , true

http://dialups.mail-abuse.org/ - , true

http://blackholes.easynet.nl/ - , true

http://blackholes.wirehub.net/ - , true


and see if that helps in reducing the dns timeouts.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: Stupid
Date Posted: 03 September 2009 at 11:09pm
Thank you Roberto. I'll try that and will let you know next week.


Posted By: Stupid
Date Posted: 09 September 2009 at 3:55pm

Does it look like it's working? This actually is a spam email and somehow it passed everything.

09/09/09 04:33:10:710 -- (7720) Detected TCP Connection: 204.110.14.48
09/09/09 04:33:10:710 -- (7720) Connection from: 204.110.14.48  -  Originating country : United States
09/09/09 04:33:10:835 -- (7720) Received MAIL FROM: <JuniorGallo@stylerank.info>
09/09/09 04:33:10:913 -- (7720) Received RCPT TO: jose.rochester@mycompany.com
09/09/09 04:33:11:022 -- (7720) Resolving 204.110.14.48 - smtp-verifiedoptin48.godsheros.com
09/09/09 04:33:11:397 -- (7720) - SPF analysis for stylerank.info done: - none
09/09/09 04:33:11:397 -- (7720) Mail from: JuniorGallo@stylerank.info
09/09/09 04:33:12:053 -- (7720) - MAPS search done...
09/09/09 04:33:12:053 -- (7720) RCPT TO: jose.rochester@mycompany.com accepted
09/09/09 04:33:12:194 -- (7720) Checking SFDC
09/09/09 04:33:12:381 -- (7720) Hash cache - Added OK
09/09/09 04:33:13:350 -- (7720) EMail from JuniorGallo@stylerank.info to jose.rochester@mycompany.com passes Bayesian filter - 0% spam  (0ms)
09/09/09 04:33:13:350 -- (7720) Checking SURBL
09/09/09 04:33:13:397 -- (7720) Checking URLs in emails against MAPS
09/09/09 04:33:13:397 -- (7720) Resolving for URLsInMAPS: www.tagopia.net
09/09/09 04:33:14:131 -- (7720) - URLs In MAPS search done...
09/09/09 04:33:14:131 -- (7720) Starting queueing procedures
09/09/09 04:33:14:131 -- (7720) EMail from JuniorGallo@stylerank.info to jose.rochester@mycompany.com was queued. Size: 1 KB, 1024 bytes
09/09/09 04:33:14:147 -- (7720) Starting bayesian procedures
09/09/09 04:33:14:147 -- (7172) Sending email from JuniorGallo@stylerank.info to jose.rochester@mycompany.com --
09/09/09 04:33:14:272 -- (7720) Disconnect



Posted By: LogSat
Date Posted: 09 September 2009 at 11:13pm
SpamFilter will not be able to stop 100% of the incoming spam. This unfortunately looks like one of the cases where the spam will be missed. The remote IP 204.110.14.48 is not currently blacklisted, the reverse DNS on it is present, there are no major issue with the sender's IP, and the content did not raise any flags.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP



Print Page | Close Window