Spam Filter ISP Support Forum


Spam seems to be climbing after new 384 release

Terry
Guest Group
Posted: 25 September 2004 at 6:14pm

I am seeing what appears to be a trend of increased spam getting through since I upgraded to release 384.  I am trying to make sense of the log here, but when I look at it, it really appears that it is blocking part of the emails and accepting others from the same message?  Maybe I just don't understand this or am missing something obvious?  I will do some more research... but does this log excerpt for 3900 appear right to you, or is it saying part of the transactions are going through?

Terry

09/25/04 14:45:00:220 -- (3900) Connection from: 218.128.168.126  -  Originating country : Japan
09/25/04 14:45:01:095 -- (3604) Resolving 204.9.21.68 - mail68.101stocks.biz
09/25/04 14:45:01:111 -- wrldnews.com is a domain, searching for SPF record
09/25/04 14:45:01:111 -- (3604) - SPF analysis for wrldnews.com done: - none
09/25/04 14:45:01:111 -- (3604) Mail from: LauraHarris@wrldnews.com
09/25/04 14:45:01:267 -- (3604) - MAPS search done... 521 The IP 204.9.21.68 is Blacklisted by sbl.spamhaus.org.4http://www.spamhaus.org/SBL/sbl.lasso?query=SBL19426
09/25/04 14:45:01:267 -- (3604) 204.9.21.68 - Mail from: LauraHarris@wrldnews.com To: hansej@portptld.com will be disconnected
09/25/04 14:45:01:267 -- (3604) Disconnect
09/25/04 14:45:01:611 -- (3900) Resolving 218.128.168.126 - YahooBB218128168126.bbtec.net
09/25/04 14:45:01:626 -- guay.com is a domain, searching for SPF record
09/25/04 14:45:01:689 -- (3900) - SPF record for guay.com found. analyzing: - v=spf1 -all
09/25/04 14:45:01:689 -- (3900) - SPF analysis for guay.com done: - fail
09/25/04 14:45:01:689 -- (3900) failed SPF test (fail) - Disconnecting 218.128.168.126
09/25/04 14:45:01:689 -- (3900) 218.128.168.126 - Mail from: KTXJJXZL@guay.com To: angelr@portptld.com will be rejected
09/25/04 14:45:02:064 -- (3900) Mail from: KTXJJXZL@guay.com
09/25/04 14:45:02:064 -- (3900) 218.128.168.126 - Mail from: KTXJJXZL@guay.com To: aster@portptld.com will be rejected
09/25/04 14:45:02:470 -- (3900) Mail from: KTXJJXZL@guay.com
09/25/04 14:45:02:470 -- (3900) RCPT TO: baumak@portptld.com accepted
09/25/04 14:45:02:830 -- (3900) Mail from: KTXJJXZL@guay.com
09/25/04 14:45:02:830 -- (3900) RCPT TO: brantm@portptld.com accepted
09/25/04 14:45:03:205 -- (3900) Mail from: KTXJJXZL@guay.com
09/25/04 14:45:03:205 -- (3900) RCPT TO: carmic@portptld.com accepted
09/25/04 14:45:03:970 -- (3900) Mail from: KTXJJXZL@guay.com
09/25/04 14:45:03:970 -- (3900) RCPT TO: cross@portptld.com accepted
09/25/04 14:45:05:111 -- (3900) EMail from KTXJJXZL@guay.com to angelr@portptld.com, aster@portptld.com, baumak@portptld.com, brantm@portptld.com, carmic@portptld.com, cross@portptld.com passes Bayesian filter - 0% spam  (0ms)
09/25/04 14:45:05:111 -- (3900) EMail from KTXJJXZL@guay.com to angelr@portptld.com, aster@portptld.com, baumak@portptld.com, brantm@portptld.com, carmic@portptld.com, cross@portptld.com was queued. Size: 1 KB, 1024 bytes
09/25/04 14:45:05:126 -- (1936) Sending email from KTXJJXZL@guay.com to angelr@portptld.com, aster@portptld.com, baumak@portptld.com, brantm@portptld.com, carmic@portptld.com, cross@portptld.com
09/25/04 14:45:05:142 -- (2160) Time to add Msg to Bayes corpus:0
09/25/04 14:45:05:830 -- (1936) EMail from KTXJJXZL@guay.com to angelr@portptld.com, aster@portptld.com, baumak@portptld.com, brantm@portptld.com, carmic@portptld.com, cross@portptld.com  was forwarded to 10.192.34.83:25
09/25/04 14:45:06:298 -- (3900) Mail from: fkvkbbz@stareastnet.com
09/25/04 14:45:06:298 -- (3900) RCPT TO: crosst@portptld.com accepted
09/25/04 14:45:06:689 -- (3900) Mail from: fkvkbbz@stareastnet.com
09/25/04 14:45:06:689 -- (3900) RCPT TO: dickis@portptld.com accepted
09/25/04 14:45:07:048 -- (3900) Mail from: fkvkbbz@stareastnet.com
09/25/04 14:45:07:048 -- (3900) RCPT TO: dodged@portptld.com accepted
09/25/04 14:45:07:470 -- (3900) Mail from: fkvkbbz@stareastnet.com
09/25/04 14:45:07:470 -- (3900) RCPT TO: dozone@portptld.com accepted
09/25/04 14:45:07:830 -- (3900) Mail from: fkvkbbz@stareastnet.com
09/25/04 14:45:07:830 -- (3900) RCPT TO: ebmaster@portptld.com accepted
09/25/04 14:45:08:236 -- (3900) Mail from: fkvkbbz@stareastnet.com
09/25/04 14:45:08:236 -- (3900) RCPT TO: ellisa@portptld.com accepted
09/25/04 14:45:08:611 -- (3900) Mail from: fkvkbbz@stareastnet.com
09/25/04 14:45:08:611 -- (3900) RCPT TO: frisit@portptld.com accepted
09/25/04 14:45:09:017 -- (3900) Mail from: fkvkbbz@stareastnet.com
09/25/04 14:45:09:017 -- (3900) RCPT TO: fuhrmh@portptld.com accepted
09/25/04 14:45:09:392 -- (3900) Mail from: fkvkbbz@stareastnet.com
09/25/04 14:45:09:392 -- (3900) RCPT TO: furnid@portptld.com accepted
09/25/04 14:45:09:798 -- (3900) Mail from: fkvkbbz@stareastnet.com
09/25/04 14:45:09:814 -- (3900) RCPT TO: garcid@portptld.com accepted

LogSat
Admin Group
Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4106
Posted: 25 September 2004 at 11:01pm
Terry,

At first sight, no, it does not look right, as the email should have been rejected. Without looking at all your black/white list files and SpamFilter.ini files we can't be sure though. If you can send them to support@logsat.com we'll take a look, but please note that within 3-4 hours we'll have a hurricane over our heads, and we may lose power/internet/phones for a few days, as has happened twice already (we're in central Florida). This may delay our technical support responses a bit.

One thing you can check is to make sure you have a valid 3-digit code prefixing *all* of the entries in your "Customized Items" tab under Settings. If there is not a valid error code, then even though an email is to be rejected, since SpamFilter does not have a valid error code to provide to the remote server, it has no choice but to accept the email anyway.

Roberto F. LogSat Software
Terry
Guest Group
Posted: 26 September 2004 at 8:00pm

Roberto, I have emailed the files per your request.  Hope all goes okay with the hurricane...

Terry

LogSat
Admin Group
Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4106
Posted: 28 September 2004 at 12:21am
Terry, we finally had power returned this evening. Right away we were able to verify that you're correct: your logs and settings do show a problem sometimes in cases where 3 or more recipients appear in an email.

I believe we pinpointed the problem, and have made a pre-release build available to address it. If you log in to the registered user area you will see build 385. Please note that as we just (actually, as you just have) discovered the problem, we were not able to thoroughly test it yet.

The release notes for this build are as follows:

// New to VersionNumber = '2.1.1.385'; {TODO -cWish : Add label to indicate "Bayesian Probability results show up in Corpus Database tab"} {TODO -cFix : if more than 3 RCPT TO's were specfied, spam emails may have not been filtered} {TODO -cWish : Add option to specify directory path for logfiles}

Roberto F. LogSat Software
Terry
Senior Member
Joined: 06 February 2005
Status: Offline
Points: 155
Posted: 28 September 2004 at 4:59pm
Thanks Roberto, I have downloaded and installed it.  I will let you know how it does. 
Alan
Guest Group
Posted: 30 September 2004 at 7:53pm

Roberto, I also tried the new build, but I am still experiencing this same problem with the 385 build.

09/30/04 16:35:31:719 -- (425) Connection from: 199.181.164.12  -  Originating country : United States
09/30/04 16:35:31:769 -- (425) Resolving 199.181.164.12 - smtpgate.seanet.com
09/30/04 16:35:31:819 -- undivided6399dryg.com is a domain, searching for SPF record
09/30/04 16:35:32:010 -- (425) - SPF analysis for undivided6399dryg.com done: - none
09/30/04 16:35:32:010 -- (425) Mail from: Deeqcttoxhdpbsaz@undivided6399dryg.com
09/30/04 16:35:37:808 -- (425) - MAPS search done...
09/30/04 16:35:37:808 -- (425) RCPT TO: alancom3@domain.com accepted
09/30/04 16:35:37:828 -- (425) Mail from: Deeqcttoxhdpbsaz@undivided6399dryg.com
09/30/04 16:35:37:828 -- (425) RCPT TO: brian@domain.com accepted
09/30/04 16:35:37:848 -- (425) Mail from: Deeqcttoxhdpbsaz@undivided6399dryg.com
09/30/04 16:35:37:848 -- (425) RCPT TO: jim@domain.com accepted
09/30/04 16:35:37:878 -- (425) Mail from: Deeqcttoxhdpbsaz@undivided6399dryg.com
09/30/04 16:35:37:878 -- (425) RCPT TO: steve@domain.com accepted
09/30/04 16:35:38:038 -- (425) EMail from Deeqcttoxhdpbsaz@undivided6399dryg.com to alancom3@domain.com, brian@domain.com, jim@domain.com, steve@domain.com passes Bayesian filter - 0.0004% spam  (20ms)
09/30/04 16:35:38:078 -- (425) EMail from Deeqcttoxhdpbsaz@undivided6399dryg.com to alancom3@domain.com, brian@domain.com, jim@domain.com, steve@domain.com was queued. Size: 1 KB, 1024 bytes
09/30/04 16:35:38:098 -- (421) Sending email from Deeqcttoxhdpbsaz@undivided6399dryg.com to alancom3@domain.com, brian@domain.com, jim@domain.com, steve@domain.com
09/30/04 16:35:38:138 -- (358) Time to add Msg to Bayes corpus:0
09/30/04 16:35:38:249 -- (425) - EmailTO is in local blacklist file...
09/30/04 16:35:38:249 -- (425) 199.181.164.12 - Mail from: ahkomlqwpclrh@fastwave.net To: christina@domain.com will be disconnected
09/30/04 16:35:38:249 -- (425) Disconnect

LogSat
Admin Group
Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4106
Posted: 30 September 2004 at 11:29pm

Alan,

Judging from these logs, everything seems to be working as expected:

Nothing is causing the email to be rejected for the following entries:

09/30/04 16:35:31:719 -- (425) Connection from: 199.181.164.12  -  Originating country : United States
09/30/04 16:35:31:769 -- (425) Resolving 199.181.164.12 - smtpgate.seanet.com
09/30/04 16:35:31:819 -- undivided6399dryg.com is a domain, searching for SPF record
09/30/04 16:35:32:010 -- (425) - SPF analysis for undivided6399dryg.com done: - none
09/30/04 16:35:32:010 -- (425) Mail from: Deeqcttoxhdpbsaz@undivided6399dryg.com
09/30/04 16:35:37:808 -- (425) - MAPS search done...
09/30/04 16:35:37:808 -- (425) RCPT TO: alancom3@domain.com accepted
09/30/04 16:35:37:828 -- (425) Mail from: Deeqcttoxhdpbsaz@undivided6399dryg.com
09/30/04 16:35:37:828 -- (425) RCPT TO: brian@domain.com accepted
09/30/04 16:35:37:848 -- (425) Mail from: Deeqcttoxhdpbsaz@undivided6399dryg.com
09/30/04 16:35:37:848 -- (425) RCPT TO: jim@domain.com accepted
09/30/04 16:35:37:878 -- (425) Mail from: Deeqcttoxhdpbsaz@undivided6399dryg.com
09/30/04 16:35:37:878 -- (425) RCPT TO: steve@domain.com accepted
09/30/04 16:35:38:038 -- (425) EMail from Deeqcttoxhdpbsaz@undivided6399dryg.com to alancom3@domain.com, brian@domain.com, jim@domain.com, steve@domain.com passes Bayesian filter - 0.0004% spam  (20ms)
09/30/04 16:35:38:078 -- (425) EMail from Deeqcttoxhdpbsaz@undivided6399dryg.com to alancom3@domain.com, brian@domain.com, jim@domain.com, steve@domain.com was queued. Size: 1 KB, 1024 bytes
09/30/04 16:35:38:098 -- (421) Sending email from Deeqcttoxhdpbsaz@undivided6399dryg.com to alancom3@domain.com, brian@domain.com, jim@domain.com, steve@domain.com

Up until here, even though the email may be spam as far as I can tell (if only we could have a new build that features a live human person looking at spam we'd be infallible!), none of the filters detect it as spam so it's delivered.

Note that from the logs it looks as if the sender has ended the DATA command, which forces SpamFilter to deliver the email. Rather than disconnecting and then reconnecting, the sender appears to remain connected in the same session, and starts to send more commands to send a separate email. But now the first RCPT TO command triggers one of your blacklists:

09/30/04 16:35:38:249 -- (425) - EmailTO is in local blacklist file...
09/30/04 16:35:38:249 -- (425) 199.181.164.12 - Mail from: ahkomlqwpclrh@fastwave.net To: christina@domain.com will be disconnected
09/30/04 16:35:38:249 -- (425) Disconnect

At this point, SpamFilter (correctly) immediately disconnects them. If we interpreted the logs correctly, SpamFilter is operating correctly. Please let us know if you see something wrong with our analysis.

Roberto F.
LogSat Software
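
As an added illustration of how to read these logs (example code written for this edit, not part of SpamFilter or of anyone's post in the thread), the Python script below groups log lines by the thread id in parentheses, closes a message record on "was queued" or "Disconnect", and flags any message that was queued for delivery even though a "will be rejected" verdict had already been logged for one of its recipients. That is the pattern in Terry's thread 3900 excerpt, where two recipients were rejected yet the queued message lists all six. The sample log is constructed in the same format as the excerpts above with placeholder addresses and IPs; the line patterns matched are assumptions taken from those excerpts. The sample also contains a second "Mail from" in an already-open session, as in Alan's log, which the script correctly treats as a separate message rather than a leak, matching Roberto's analysis.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the SpamFilter ISP log format seen in the thread
# (thread id in parentheses); addresses and IPs are placeholders.
SAMPLE_LOG = """\
09/25/04 14:45:00:220 -- (3900) Connection from: 192.0.2.10  -  Originating country : Example
09/25/04 14:45:01:689 -- (3900) - SPF analysis for sender.example done: - fail
09/25/04 14:45:01:689 -- (3900) 192.0.2.10 - Mail from: a@sender.example To: one@local.example will be rejected
09/25/04 14:45:02:064 -- (3900) Mail from: a@sender.example
09/25/04 14:45:02:064 -- (3900) 192.0.2.10 - Mail from: a@sender.example To: two@local.example will be rejected
09/25/04 14:45:02:470 -- (3900) Mail from: a@sender.example
09/25/04 14:45:02:470 -- (3900) RCPT TO: three@local.example accepted
09/25/04 14:45:02:830 -- (3900) Mail from: a@sender.example
09/25/04 14:45:02:830 -- (3900) RCPT TO: four@local.example accepted
09/25/04 14:45:05:111 -- (3900) EMail from a@sender.example to one@local.example, two@local.example, three@local.example, four@local.example was queued. Size: 1 KB, 1024 bytes
09/30/04 16:35:37:808 -- (425) RCPT TO: alpha@local.example accepted
09/30/04 16:35:37:828 -- (425) RCPT TO: beta@local.example accepted
09/30/04 16:35:38:078 -- (425) EMail from b@other.example to alpha@local.example, beta@local.example was queued. Size: 1 KB, 1024 bytes
09/30/04 16:35:38:249 -- (425) - EmailTO is in local blacklist file...
09/30/04 16:35:38:249 -- (425) 192.0.2.20 - Mail from: c@third.example To: gamma@local.example will be disconnected
09/30/04 16:35:38:249 -- (425) Disconnect
"""

# Line shapes assumed from the excerpts in the thread. Lines without a
# "(thread id)" field (e.g. "... is a domain, searching for SPF record") are skipped.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) -- \((?P<tid>\d+)\) (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"RCPT TO: (?P<rcpt>\S+) accepted")
REJECT_RE = re.compile(
    r"Mail from: (?P<sender>\S+) To: (?P<rcpt>\S+) will be (?P<action>rejected|disconnected)"
)
QUEUED_RE = re.compile(r"EMail from (?P<sender>\S+) to (?P<rcpts>.+?) was queued")


@dataclass
class Message:
    """One SMTP transaction (MAIL FROM ... DATA) reconstructed from a thread's log lines."""
    tid: str
    sender: str = ""
    accepted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)   # recipient -> "rejected" / "disconnected"
    queued: list = field(default_factory=list)     # recipients listed on the "was queued" line

    def leaked(self):
        """Recipients the filter rejected but that still appear on the queued message."""
        return [r for r in self.queued if r in self.rejected]


def parse_sessions(text):
    """Group lines by thread id into Message records.

    A record closes when the filter queues the message for delivery ("was queued")
    or drops the connection ("Disconnect"). A new MAIL FROM in the same session
    after a queued message therefore starts a fresh record, which is what the
    'sender stays connected and sends a second email' case looks like."""
    open_msgs = {}
    finished = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tid, msg = m.group("tid"), m.group("msg")
        cur = open_msgs.setdefault(tid, Message(tid))
        if (a := ACCEPT_RE.search(msg)):
            cur.accepted.append(a.group("rcpt"))
        elif (r := REJECT_RE.search(msg)):
            cur.sender = r.group("sender")
            cur.rejected[r.group("rcpt")] = r.group("action")
        elif (q := QUEUED_RE.search(msg)):
            cur.sender = q.group("sender")
            cur.queued = [x.strip() for x in q.group("rcpts").split(",")]
            finished.append(cur)
            del open_msgs[tid]
        elif msg == "Disconnect":
            finished.append(cur)
            del open_msgs[tid]
    return finished


def audit(text):
    """Return one finding per message that was queued for delivery although a
    rejection had already been logged for one or more of its recipients."""
    findings = []
    for msg in parse_sessions(text):
        leaked = msg.leaked()
        if leaked:
            findings.append({
                "thread": msg.tid,
                "sender": msg.sender,
                "recipients_total": len(msg.queued),
                "rejected_but_delivered": leaked,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"thread {f['thread']}: {f['sender']} queued to {f['recipients_total']} "
              f"recipients, {len(f['rejected_but_delivered'])} of them previously rejected: "
              f"{', '.join(f['rejected_but_delivered'])}")
```

Run against a real SpamFilter log the script reports only transactions where a logged rejection did not stop delivery, which is the symptom Terry described; a clean log produces no output. The message boundary rule (close on "was queued" or "Disconnect") is what separates Alan's second transaction from the first, so that one shows up as an ordinary blacklist disconnect rather than a false alarm.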
