blacklist domains not working as expected
keizersozay Groupie Joined: 26 January 2005 Location: United States Status: Offline Points: 77
Posted: 06 July 2004 at 10:10am
I am having a problem with a domain that I had previously blacklisted. After blacklisting it, email from the domain still came through. This is the section of the log file...
07/02/04 10:37:29:191 -- (7924) Connection from: 63.251.135.74 - Originating country : United States
07/02/04 10:37:29:816 -- (7924) Resolving 63.251.135.74 - ccm01.roving.com
07/02/04 10:37:29:816 -- (7924) Mail from: ESC1011304316885_1011145214232_4201@in.roving.com
07/02/04 10:37:30:941 -- (7924) - MAPS search done...
07/02/04 10:37:30:941 -- (7924) RCPT TO: srx@mydomain.com accepted
07/02/04 10:37:31:503 -- (7924) EMail from ESC1011304316885_1011145214232_4201@in.roving.com to srx@mydomain.com was queued. Size: 11 KB, 11264 bytes
07/02/04 10:37:31:503 -- (6824) Sending email from alist@bostonsalist.com to srx@m.com
07/02/04 10:37:31:582 -- (7924) Disconnect
07/02/04 10:37:31:660 -- (6824) EMail from alist@bostonsalist.com to srx@mydomain.com was forwarded to x.mydomain.com:9876
Basically, I blacklisted bostonsalist.com, but the email says it is coming from roving.com until it is forwarded. I have since blacklisted roving.com, but shouldn't this have worked without having to do that?

Desperado Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143
Can you post the entry you used?
Dan S.

keizersozay Groupie Joined: 26 January 2005 Location: United States Status: Offline Points: 77
I'm not sure if I understand what you mean.
In my domain blacklist file I have an entry for bostonalist.com
This did not stop the email from coming through.
I just recently added roving.com to the same file hoping it will work since the email seems to be coming from ESC1011304316885_1011145214232_4201@in.roving.com until the time that it is forwarded to my next relay (Trend IMSS).. which it then magically comes from alist@bostonsalist.com
Thanks.

Desperado Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143
OK ... the question was meant to ask if you have used RegEx, or wildcards or just the domain name in your black list. Also, if you take the word-wrapping out of your posted logs, it is easier to see that this is the log for 2 messages .... one with PID 7924 and one with PID 6824 so I think you may have confused your analysis somewhat. OR ... am I looking at 2 different server logs? Perhaps I am confused.
I will TRY to post what I mean by shortening your log entries:
07/02/04 10:37:29:191 -- (7924) Connection from: 63.251.135.74 - Originating country : United States
07/02/04 10:37:29:816 -- (7924) Resolving 63.251.135.74 - ccm01.roving.com
07/02/04 10:37:29:816 -- (7924) Mail from: ESC1011304316885_1011145214232_4201@in.roving.com
07/02/04 10:37:30:941 -- (7924) - MAPS search done...
07/02/04 10:37:30:941 -- (7924) RCPT TO: srx@mydomain.com accepted
07/02/04 10:37:31:503 -- (7924) EMail from ESC1011304316885_1011145214232_4201@in.roving.com to srx@mydomain.com was queued. Size: 11 KB, 11264 bytes
07/02/04 10:37:31:503 -- (6824) Sending email from alist@bostonsalist.com to srx@m.com
07/02/04 10:37:31:582 -- (7924) Disconnect
07/02/04 10:37:31:660 -- (6824) EMail from alist@bostonsalist.com to srx@mydomain.com was forwarded to x.mydomain.com:9876
Regards,
Dan S.

keizersozay Groupie Joined: 26 January 2005 Location: United States Status: Offline Points: 77
"OK ... the question was meant to ask if you have used RegEx, or wildcards or just the domain name in your black list. Also, if you take the word-wrapping out of your posted logs, it is easier to see that this is the log for 2 messages .... one with PID 7924 and one with PID 6824 so I think you may have confused your analysis somewhat. OR ... am I looking at 2 different server logs? Perhaps I am confused."
I did not use any regex, just the domain name. Sorry about the word wrapping... It is one server log and yes I noticed that about the PID numbers being different, but from as far as I can tell it is the same message. I went back through my logs and all messages (there are plenty) that initially come from in.roving.com look like this. It is weird. But I am confused as to how the message initially appears to be from one email address, but then spamfilter reports it as a different from address when it forwards it to its final destination.
Thanks again.

Desperado Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143
Hmm ... not sure I understand that. However, I looked in my logs and found a zillion entries for "roving.com". I saw nothing like your magic change. I did some digging though and unfortunately, Roving.com is a legit service and it seems as though many of our customers get crap from them and are not complaining (yet). Out of all the messages, only one of our customers is blocking them and it was a keyword that dinged those messages. I looked very closely at the message content of the ones that were blocked and my "standard" filters will not block them because they seem to follow the basic rules of being CAN-SPAM Act compliant. I, however, take exception to any service that has to advertise that they are compliant. It just means that they are skirting the edge of the LEGAL definition of SpamWare. Oh well ...
Dan S.

LogSat Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4105
Keizersozay,
The following line:
07/02/04 10:37:29:816 -- (7924) Mail from: ESC1011304316885_1011145214232_4201@in.roving.com
in your log snippet shows that an incoming email has arrived, and the sender specified "@in.roving.com" in the "MAIL FROM" SMTP command. The MAIL FROM indicates the sender, and should be identified in the "Return-Path" email headers. The sender however then proceeds to indicate a different email address in the "From:" email headers. The "From:" header determines what most email clients show in the "From" field, but please note that this is different from the real sender. SpamFilter's blacklist will work only on the "MAIL FROM" email address.
In the logfile you see the entry:
07/02/04 10:37:31:503 -- (6824) Sending email from alist@bostonsalist.com to srx@m.com
SpamFilter will log the "From:" header when forwarding the email to your destination SMTP server rather than the MAIL FROM address so that the log will reflect the mismatch and help identify emails that would possibly not appear in the logs, had we chosen to stick with only one of the MAIL FROM or "From:" headers.
Roberto F.
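
The mismatch Roberto describes can be audited straight from the log. This is an added example, not part of the original thread and not LogSat's code: it pairs each "was queued" line (envelope MAIL FROM) with the next "was forwarded" line (From: header) and reports messages whose From: domain is blacklisted while the envelope domain is not. Assumptions of this script, not documented SpamFilter behavior: pairing is by recipient in FIFO order, and a blacklist entry also matches its subdomains.

```python
import re
from collections import defaultdict, deque

# Log lines copied from the thread above.
LOG = """\
07/02/04 10:37:29:816 -- (7924) Mail from: ESC1011304316885_1011145214232_4201@in.roving.com
07/02/04 10:37:30:941 -- (7924) RCPT TO: srx@mydomain.com accepted
07/02/04 10:37:31:503 -- (7924) EMail from ESC1011304316885_1011145214232_4201@in.roving.com to srx@mydomain.com was queued. Size: 11 KB, 11264 bytes
07/02/04 10:37:31:503 -- (6824) Sending email from alist@bostonsalist.com to srx@m.com
07/02/04 10:37:31:660 -- (6824) EMail from alist@bostonsalist.com to srx@mydomain.com was forwarded to x.mydomain.com:9876
"""

LINE = re.compile(r"^\S+ \S+ -- \(\d+\) (.*)$")   # date, time, (id), message
EVENT = re.compile(r"^EMail from (\S+) to (\S+) was (queued|forwarded)\b")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def listed(dom, blacklist):
    # Assumption of this script: an entry matches itself and its subdomains.
    return any(dom == b or dom.endswith("." + b) for b in blacklist)

def audit(log_text, blacklist):
    """Pair 'queued' (MAIL FROM) with 'forwarded' (From: header) per recipient
    and report where a MAIL FROM-only blacklist would not fire."""
    pending = defaultdict(deque)   # recipient -> envelope senders awaiting forward
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        ev = EVENT.match(m.group(1)) if m else None
        if not ev:
            continue
        sender, rcpt, kind = ev.group(1), ev.group(2).lower(), ev.group(3)
        if kind == "queued":
            pending[rcpt].append(sender)
        elif pending[rcpt]:
            env, hdr = domain(pending[rcpt].popleft()), domain(sender)
            findings.append({
                "recipient": rcpt,
                "envelope_domain": env,
                "header_domain": hdr,
                "mismatch": env != hdr,
                "envelope_listed": listed(env, blacklist),
                # Listed only via From:, so the envelope check never sees it.
                "missed": listed(hdr, blacklist) and not listed(env, blacklist),
            })
    return findings

if __name__ == "__main__":
    for f in audit(LOG, {"bostonsalist.com"}):
        print(f)
```

A finding with `missed` set means the blacklist entry names the domain users see in their mail client, while the domain that would have to be listed is the one in `envelope_domain`.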

keizersozay Groupie Joined: 26 January 2005 Location: United States Status: Offline Points: 77
Thank you very much Roberto.

keizersozay Groupie Joined: 26 January 2005 Location: United States Status: Offline Points: 77
Thanks Dan.