Spam Filter ISP Support Forum

Relationship of MAPS and SPF filters question.

Pete (Guest Group)
Posted: 28 October 2004 at 11:22am
The SPF Filter on our SPAM Filter server has been set so that it rejects messages that have an SPF 'Fail' result, but allows through those with a 'Softfail' or 'Neutral' result.

If a message comes from a blacklisted IP address, but the SPF result for the domain it appears to be from is ‘Softfail’, then will it be blocked or allowed through? Do messages need to pass both the MAPS and SPF tests, or will passing one of them allow a message through? Does the SPF filter result have priority over the MAPS one?

Thanks for your help, Pete.

LogSat (Admin Group)
Posted: 30 October 2004 at 12:47am

Pete,

The order in which the black/white lists are tested cannot be changed. All the white lists are checked first. If a match is found, the blacklists are skipped, the email recipients are accepted, and SpamFilter is ready to accept the data command. If none of the whitelists are matched, then the blacklists are currently searched in the order below.

   1. Allowed Domains
   2. Local Domain BlackList
   3. Local Emails Blacklist
   4. Local Emails TO Blacklist
   5. Not in Authorized TO Emails
   6. Country Blacklist
   7. Reject No Reverse DNS
   8. Reject Empty Mail From
   9. Reject Same To From Email address
  10. Reject Same To From Domain
  11. Recipient Count > Max RCPTTO
  12. MAPS check
  13. Attachment Filter
  14. Keywords
  15. Bayesian Filtering

The only exception to the whitelist is the "whitelist keyword check". In order for that to work, the message has to be received first, and for this reason even if the sender is blacklisted by other filters, the email will still be received so that it can be checked against the keyword whitelist.

To answer your question then, once any blacklist "hits", all further blacklist checks are skipped.

Roberto F.
LogSat Software

kspare (Senior Member)
Posted: 30 October 2004 at 3:32pm
Hey Roberto, one thing I keep thinking about is how nice it would be to have the file filter as the first blacklist; it would be much easier to delete all the viruses etc. out by deleting messages with bad attachments.

LogSat (Admin Group)
Posted: 31 October 2004 at 8:20pm
Kevin,

In order to use a file/keyword filter, the message has to be received in its entirety so the body content can be retrieved. For this reason these filters are used last, as it is much faster to block the email by looking at the IP/sender/domains since these are seen immediately, before the mail content is sent.

Roberto F. LogSat Software

kspare (Senior Member)
Posted: 31 October 2004 at 8:38pm

Understandable. But what about people who quarantine all mail? In that event they receive the entire message anyway, so either way they have the whole message.

Something to think about anyway, it would just make it easier to manage the spam database.

Pete (Guest Group)
Posted: 02 November 2004 at 12:03pm
>To answer your question then, once any blacklist "hits", all
>further blacklist checks are skipped.

Thank you for your detailed reply.

I seem to have set up a situation where having SPF filtering turned on results in more unwanted messages getting through Spamfilter than if it is turned off:

I have published an SPF record for the 'glos.ac.uk' domain with 'softfail'. (I'm still trying to round up all the users sending mail from this domain through servers other than the main University one.)

A machine out on the Net has become infected with the Bagle virus and is sending us a steady stream of messages, many of which have the from address forged to appear from 'glos.ac.uk' addresses. The IP addresses these messages are coming from has been blacklisted by Spamhaus. With the SPF filter off they are rejected. If the SPF filter is on, with the option to pass 'softfail' messages, then the messages forged to be from 'glos.ac.uk' addresses are passed through. The pass softfail result from the SPF filter means that the Spamhaus blacklist is not checked.

For this reason I have switched off the SPF filter.

Please could the Sender Policy Framework filter be given a lower priority than the MAPS lookups, so a message's SPF status is only checked if its point of origin has not been blacklisted.

LogSat (Admin Group)
Posted: 04 November 2004 at 12:28am

Pete,

If the SPF filter is on and sees a "softfail", and you have configured SpamFilter to allow it thru, then the next filters should be checked. I just noticed that I did not include the SPF filter in the list I provided earlier. The updated filter list and order of checks is as follows below. Right after the SPF filter comes the MAPS, which should reject the email if the IP is listed in Spamhaus as you mentioned.

If you can zip and email us a copy of your SpamFilter.ini file, a copy of SpamFilter's activity log for a day when this happened, along with the IP in question, we'll try to see what is happening.

Roberto F.
LogSat Software

   1. Allowed Domains
   2. Local Domain BlackList
   3. Local Emails Blacklist
   4. Local Emails TO Blacklist
   5. Not in Authorized TO Emails
   6. Country Blacklist
   7. Reject No Reverse DNS
   8. Reject Empty Mail From
   9. Reject Same To From Email address
  10. Reject Same To From Domain
  11. Recipient Count > Max RCPTTO
  12. SPF Filter
  13. MAPS check
  14. Attachment Filter
  15. Keywords
  16. Bayesian Filtering

 

LogSat (Admin Group)
Posted: 10 November 2004 at 6:49pm
Pete,

You were absolutely correct in your observations. Thank you for all your log analysis, we were able to reproduce the problem. It turned out that if the SPF filter returned a softfail or neutral, the MAPS RBL and the local IP blacklist checks were not being performed.

We found that the bug was present in all versions up to 2.1.2.391. In build 2.1.2.392 we patched an issue with the MX filter that had the side effect of fixing the issue you discovered. It was not until you pointed out the problem however that we noticed that there was indeed a problem, and that it was "inadvertently" fixed starting from build 2.1.2.392.

If you log in to the registered user area of the website you'll be able to download the latest build (393), which should solve the issue.

Thanks again for the report.

Roberto F. LogSat Software
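
Added example, not part of the original thread and not LogSat's code: a small Python model of the SPF-then-MAPS ordering discussed above, showing how treating a softfail as a final accept skips the blacklist lookup, plus an audit check that flags accepted messages that never reached every filter. The message fields, function names and sample IP are assumptions; how the bug was actually implemented is not stated in the thread.

```python
# Added illustration: a model of the filter chain described in this thread,
# not LogSat SpamFilter code. Filter names follow the posted list; message
# fields, function names and the sample values are assumptions.
from enum import Enum

class Verdict(Enum):
    CONTINUE = "no decision, run the next filter"
    REJECT = "blacklist hit, stop and refuse"
    ACCEPT = "stop and take the message"

CHAIN = ["SPF Filter", "MAPS check"]  # positions 12 and 13 in the posted order

def spf_filter(msg, on_softfail):
    """Reject SPF 'fail'; softfail/neutral return on_softfail."""
    if msg["spf"] == "fail":
        return Verdict.REJECT
    if msg["spf"] in ("softfail", "neutral"):
        return on_softfail
    return Verdict.CONTINUE

def maps_check(msg, rbl):
    """Reject when the connecting IP is on the DNS blacklist."""
    return Verdict.REJECT if msg["ip"] in rbl else Verdict.CONTINUE

def run_chain(msg, rbl, on_softfail):
    """Return (final verdict, names of the filters that actually ran)."""
    checks = {"SPF Filter": lambda: spf_filter(msg, on_softfail),
              "MAPS check": lambda: maps_check(msg, rbl)}
    ran = []
    for name in CHAIN:
        ran.append(name)
        verdict = checks[name]()
        if verdict is not Verdict.CONTINUE:
            return verdict, ran
    return Verdict.ACCEPT, ran

def skipped_on_accept(verdict, ran):
    """Audit rule: an accepted message must have passed every blacklist."""
    return [f for f in CHAIN if f not in ran] if verdict is Verdict.ACCEPT else []

# Constructed sample: forged sender, softfail SPF result, RBL-listed source IP.
RBL = {"192.0.2.10"}
MSG = {"ip": "192.0.2.10", "mail_from": "someone@glos.ac.uk", "spf": "softfail"}

def demo():
    buggy = run_chain(MSG, RBL, on_softfail=Verdict.ACCEPT)    # models the reported symptom
    fixed = run_chain(MSG, RBL, on_softfail=Verdict.CONTINUE)  # intended: fall through to MAPS
    return buggy, skipped_on_accept(*buggy), fixed, skipped_on_accept(*fixed)

if __name__ == "__main__":
    print(demo())
```

The same audit rule can be applied to a filter's activity log: any accepted message whose log shows no lookup for a configured blacklist is worth investigating.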

Pete (Guest Group)
Posted: 11 November 2004 at 6:06am

Roberto,

Thank you for your rapid response. I've installed the 393 build without any problems and SPF filtering is now switched back on.

Regards,

Pete.
