Some mails not scanned

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6192
Printed Date: 17 January 2026 at 2:49am


Topic: Some mails not scanned
Posted By: jeroentiem
Subject: Some mails not scanned
Date Posted: 10 August 2007 at 4:36am

Hi,

How is it possible that I get mails that are not scanned by the spamserver?

Received: from singnet.com.sg [121.6.28.58] by mycomp01.mycomp.com with ESMTP
  (SMTPD32-7.15) id A5A76830034; Fri, 10 Aug 2007 06:12:23 +0200
Message-ID: <000b01c7db82$dfd88950$00000000@singnet.com.sg>
From: "Latoria Banks" <biglittlaeaxed@slauk.com>
To: "Lester" <info@mycomp.com>
Subject: Heya, this is the one
Date: Fri, 10 Aug 2007 12:15:55 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
X-RCPT-TO: <info@mycomp.com>
Status: R
X-UIDL: 383485193

A scanned mail looks like this:

Received: from mail2.mycomp.com [xx.xx.xx.140] by mycomp01.mycomp.com with ESMTP
  (SMTPD32-7.15) id AFD45BF0038; Fri, 10 Aug 2007 10:20:36 +0200
Received: from 200.82.37.216 by mail2.mycomp.com (LogSat Software SMTP Server - Unlicensed Evaluation Copy); Fri, 10 Aug 2007 10:20:33 +0200
Received: from 63.173.74.5 (HELO mailserver.ferndalelabs.com)
     by mycomp.com with esmtp (BAFUWHDVHOFN VFYOI)
     id jW2qOg-oa44x-Aq
     for info@mycomp.com; Wed, 08 Aug 2007 05:23:26 +0200
Message-ID: <000301c7d96b$7b921dd0$c85225d8@Dana>
From: "Dana A. Soto" <Dana@ferndalelabs.com>
To: "Marco T. Walters" <info@mycomp.com>
Subject: New survey
Date: Wed, 08 Aug 2007 05:23:26 +0200
MIME-Version: 1.0
Content-Type: text/html;
        charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
X-Server: LogSat Software SMTP Server - Unlicensed Evaluation Copy
X-SF-RX-Return-Path: <jqocdj@ferndalelabs.com>
X-SF-HELO-Domain:
X-RCPT-TO: <info@mycomp.com>
Status: U
X-UIDL: 383485196

Jeroen




Replies:
Posted By: WebGuyz
Date Posted: 10 August 2007 at 8:46am

Not all spammers follow the rules and use your MX records to send emails. Many try to send directly to your mail server bypassing SF altogether or send to a backup MX if you have one that is not SF protected.

You can block your mail server's port 25 or redirect it at the firewall to forward to SF and turn on SMTP authentication in SF. If your customers aren't doing SMTP auth now this can be a big pain, but it's worth it to make sure what you're describing does not happen.



-------------
http://www.webguyz.net
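
Added example, not part of the thread or of LogSat's software: a check over stored mail that flags messages delivered straight to the final mail server, judged by the peer IP in the topmost Received header, which that server writes itself. The filter address `192.0.2.140` is a placeholder for the masked `xx.xx.xx.140`, and the sample headers are constructed from the two sets posted above.

```python
import re
from email import message_from_string

# Assumption: address the final mail server sees the filter connect from.
# The thread masks it as xx.xx.xx.140; a documentation-range placeholder stands in.
FILTER_IPS = {"192.0.2.140"}

# Hop format written by the final server in the thread: from NAME [IP] by HOST
HOP_RE = re.compile(r"from\s+(\S+)\s+\[([^\]]+)\]\s+by\s+(\S+)", re.I)

# Constructed samples, abbreviated from the two header sets posted in the thread.
DIRECT = (
    "Received: from singnet.com.sg [121.6.28.58] by mycomp01.mycomp.com with ESMTP\n"
    "  (SMTPD32-7.15) id A5A76830034; Fri, 10 Aug 2007 06:12:23 +0200\n"
    "Subject: Heya, this is the one\n\n"
)
SCANNED = (
    "Received: from mail2.mycomp.com [192.0.2.140] by mycomp01.mycomp.com with ESMTP\n"
    "  (SMTPD32-7.15) id AFD45BF0038; Fri, 10 Aug 2007 10:20:36 +0200\n"
    "Received: from 200.82.37.216 by mail2.mycomp.com (LogSat Software SMTP Server"
    " - Unlicensed Evaluation Copy); Fri, 10 Aug 2007 10:20:33 +0200\n"
    "Subject: New survey\n\n"
)
# Constructed: a direct delivery that carries a forged copy of the filter's X-Server header.
FORGED = DIRECT.replace("Subject:", "X-Server: LogSat Software SMTP Server\nSubject:")

def last_hop(raw):
    """Return (helo_name, peer_ip, receiving_host) from the topmost Received header."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    # Unfold the header before matching; the id/date part sits on a continuation line.
    match = HOP_RE.search(" ".join(received[0].split()))
    return match.groups() if match else None

def bypassed_filter(raw, filter_ips=FILTER_IPS):
    """True when the final server did not receive the message from the filter."""
    hop = last_hop(raw)
    if hop is None:
        return True  # no parseable hop: not proven to have been scanned
    _helo, peer_ip, _host = hop
    # Only the bracketed peer IP is trusted; the HELO name and any X-Server
    # header are supplied by the sender and can be forged.
    return peer_ip not in filter_ips

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("scanned", SCANNED), ("forged", FORGED)):
        print(name, "bypassed filter:", bypassed_filter(raw))
```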


Posted By: sorfjord
Date Posted: 22 August 2007 at 2:07pm
Hi jeroentiem,

We just realized that someone is forging our domain ferndalelabs.com in spam. I found your posting with our server info in it. Have you received a lot of spam from our domain? If so, when did it start? Does your software give any other information on the route of the spam? We just want to get as much info as we can to make it stop!!

Thanks



Posted By: LogSat
Date Posted: 22 August 2007 at 5:40pm
sorfjord,

I can't speak on behalf of jeroentiem in regards to the frequency of the spam. However, looking from the headers he posted, this is the one showing the IP of the sender of the forged email:

Received: from 200.82.37.216 by mail2.mycomp.com (LogSat Software SMTP Server - Unlicensed Evaluation Copy); Fri, 10 Aug 2007 10:20:33 +0200

As a side note, we recommend you implement SPF (Sender Policy Framework - see www.openspf.org) in the DNS for your domain. SPF is used by antispam vendors to reject emails that come from unauthorized sources. In simple terms, via DNS you establish what IPs are allowed to send emails on your behalf. Any email not coming from those IPs is treated as spam by email servers that support SPF.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: jeroentiem
Date Posted: 22 August 2007 at 6:49pm
WebGuyz, thanks for your help. I blocked the port 25 on the end mailserver. All MX trick spam mails are blocked at this time. :-)
 
Sorfjord,
Two logs of your domain used for spamming:
 
08-10-07 10:20:28:391 -- (1188) Connection from: 200.82.37.216  -  Originating country : Argentina
08-10-07 10:20:30:016 -- (1188) Resolving 200.82.37.216 - host216.200-82-37.telecom.net.ar
08-10-07 10:20:30:454 -- (1188) Mail from: jqocdj@ferndalelabs.com
08-10-07 10:20:30:454 -- (1188) - SPF analysis for ferndalelabs.com done: - none
08-22-07 02:58:03:665 -- (3560) Connection from: 189.137.187.25  -  Originating country : Mexico
08-22-07 02:58:07:118 -- (3560) - IP address is from a blacklisted country...
08-22-07 02:58:07:118 -- (3560) 189.137.187.25 - Mail from: jqocdj@ferndalelabs.com To:   
 
Jeroen (a happy, now registered, user of the logsat spamfilter)


Posted By: sorfjord
Date Posted: 27 August 2007 at 1:19pm
Thanks for the info.




