Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Trouble with tblbl_emailsto rejections
  FAQ FAQ  Forum Search   Register Register  Login Login

Trouble with tblbl_emailsto rejections

 Post Reply Post Reply
Author
dotme View Drop Down
Newbie
Newbie


Joined: 27 October 2008
Status: Offline
Points: 20
Post Options Post Options   Thanks (0) Thanks(0)   Quote dotme Quote  Post ReplyReply Direct Link To This Post Topic: Trouble with tblbl_emailsto rejections
    Posted: 03 June 2009 at 3:37pm
We manage a fair number of domains, and implemented some user detection so we don't quarantine email for users that do not exist on the destination server.
 
By doing this, our customers do not have to create a new user on logsat any time they add a user to their mailserver. Our system therefore doesn't use the tblwl_authorizedtoemails table.
 
Instead, we put invalid users in the tblbl_emailsto list.
 
So far, so good. But today, we had a sender who sent an email to nine users on the domain, one of which was in the tblbl_emailsto list.
 
Spamfilter rejected the entire list, so the sender received an NDR stating none of the recipients were valid. And the email was rejected.
 
Logfile....
06/03/09 10:33:34:375 -- (1792) Received MAIL FROM: <store4906@senderdomain>
06/03/09 10:33:34:422 -- (1792) Received RCPT TO: charityr@example.com
06/03/09 10:33:37:203 -- (1792) Resolving 1.2.3.4 - cmsout01.mbox.net
06/03/09 10:33:43:265 -- (1792) - SPF analysis for senderdomain done: - none
06/03/09 10:33:43:265 -- (1792) Mail from: store4906@senderdomain
06/03/09 10:34:13:203 -- (1792) - MAPS search done...
06/03/09 10:34:13:203 -- (1792) RCPT TO: charityr@example.com accepted
06/03/09 10:34:13:234 -- (1792) Received RCPT TO: davidf@example.com
06/03/09 10:34:13:234 -- (1792) Mail from: store4906@senderdomain
06/03/09 10:34:13:234 -- (1792) RCPT TO: davidf@example.com accepted
06/03/09 10:34:13:281 -- (1792) Received RCPT TO: debbiew@example.com
06/03/09 10:34:13:281 -- (1792) Mail from: store4906@senderdomain
06/03/09 10:34:13:281 -- (1792) RCPT TO: debbiew@example.com accepted
06/03/09 10:34:13:328 -- (1792) Received RCPT TO: ellenr@example.com
06/03/09 10:34:13:328 -- (1792) Mail from: store4906@senderdomain
06/03/09 10:34:13:328 -- (1792) RCPT TO: ellenr@example.com accepted
06/03/09 10:34:13:375 -- (1792) Received RCPT TO: erink@example.com
06/03/09 10:34:13:375 -- (1792) Mail from: store4906@senderdomain
06/03/09 10:34:13:375 -- (1792) RCPT TO: erink@example.com accepted
06/03/09 10:34:13:422 -- (1792) Received RCPT TO: jessm@example.com
06/03/09 10:34:13:422 -- (1792) - EmailTO is in local blacklist file...
06/03/09 10:34:13:422 -- (1792) 1.2.3.4 - Mail from: store4906@senderdomain To: jessm@example.com will be rejected
06/03/09 10:34:13:453 -- (1792) Received RCPT TO: joanns@example.com
06/03/09 10:34:13:468 -- (1792) Mail from: store4906@senderdomain
06/03/09 10:34:13:468 -- (1792) 1.2.3.4 - Mail from: store4906@senderdomain To: joanns@example.com will be rejected
06/03/09 10:34:13:500 -- (1792) Received RCPT TO: katiec@example.com
06/03/09 10:34:13:500 -- (1792) Mail from: store4906@senderdomain
06/03/09 10:34:13:500 -- (1792) 1.2.3.4 - Mail from: store4906@senderdomain To: katiec@example.com will be rejected
06/03/09 10:34:13:547 -- (1792) Received RCPT TO: kimb@example.com
06/03/09 10:34:13:547 -- (1792) Mail from: store4906@senderdomain
06/03/09 10:34:13:547 -- (1792) 1.2.3.4 - Mail from: store4906@senderdomain To: kimb@example.com will be rejected
06/03/09 10:34:13:593 -- (1792) Received RCPT TO: rondat@example.com
06/03/09 10:34:13:593 -- (1792) Mail from: store4906@senderdomain
06/03/09 10:34:13:593 -- (1792) 1.2.3.4 - Mail from: store4906@senderdomain To: rondat@example.com will be rejected
06/03/09 10:34:13:953 -- (1792) Start virus scan
06/03/09 10:34:13:984 -- (1792) Starting bayesian procedures
06/03/09 10:34:14:062 -- (1792) Blacklist cache - Added 1.2.3.4 to limbo
06/03/09 10:34:14:218 -- (1792) SFDB - Added 1.2.3.4 - Response: Error=0
06/03/09 10:34:14:218 -- (1792) Disconnect
 
Does Logsat not have the granularity to deliver / process the message and simply NDR the single invalid recipient?
 
Being able to have a list of invalid recipients drastically reduces our Quarantine tables, which is great for performance. So I'd really like to be able to keep that methodology.
 
I'm just surprised that one bad user (jessm) prevented all the legitimate recipients from receiving the email...
 
Any tips/help greatly appreciated. Thanks!


Edited by dotme - 03 June 2009 at 3:53pm
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 03 June 2009 at 5:19pm
dotme,

The granularity you're looking for is present in the "Authorized TO" email whitelist. This list is used to specify the list of valid users on the system, and administrators can then choose if they want to drop the entire connection when attempts are made to deliver emails to users not in that list, or if SpamFilter should just reject the one non-existent recipient and continue accepting the others.

In your case, you're using the local emailTO blacklist to obtain the reverse of the above functionality. SpamFilter was designed so that all the blacklist are used to identify emails as spam. If any one of these blacklsits triggers a match, then the email is flagged as spam and is thus blocked. So if a recipient in the email matches an entry in the emailTO blacklist, this will indeed flag the entire email as spam, and the email will be 100% blocked. There are no workarounds for this, sorry, as this is just how SpamFilter is supposed to behave.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
dotme View Drop Down
Newbie
Newbie


Joined: 27 October 2008
Status: Offline
Points: 20
Post Options Post Options   Thanks (0) Thanks(0)   Quote dotme Quote  Post ReplyReply Direct Link To This Post Posted: 04 June 2009 at 3:40pm

Fair enough. Feature request :-)

It's a lot easier to detect invalid accounts than to guess valid ones. We were trying to get the best of both worlds, by not forcing our clients to enter every user yet still not quarantine email for "known invalids"
 
The tblbl_emailsto and tblbl_honeypotemails seem to accomplish the same thing as each other today.
 
Maybe down the road, something to consider as an enhancement... Thanks!
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.277 seconds.