Spam Filter ISP Support - SF added X-Headers

SF added X-Headers

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6445
Printed Date: 14 July 2025 at 1:05pm

Topic: SF added X-Headers

Posted By: StevenJohns
Subject: SF added X-Headers
Date Posted: 26 March 2008 at 5:47am

Roberto,

I use SF in the tag and forward mode, forwarding all email to an internal server where we process the emails more. After we apply more filtering, we then search the email for the "X-Rejection-Reason:" header, and if it is present then it is spam and delt with accordingly. Now, I have seen several emails getting through and it appears to be related to where in the email SF inserts the headers. (I have added the headers of an example email below).

As you can see, there appears to be a crlf in the middle of the headers.....just after the Date. As far as the RFC states, this crlf indicates the start of the body of the email, however the SF headers seem to be after this point, therefore our filter does not pick up the SF headers as it assumes they are part of the email (as per RFC).

To bypass this, would it be possable to insert the headers right at the top of the email???

Cheers

From: "JESSICA LOVERN" < mailto:Lovernonline@company.com - Lovernonline@company.com >
To: < mailto:steve@stevenjohns.co.uk - steve@stevenjohns.co.uk >
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
Subject: HURRY!!! GREAT OPPORTUNITY THAT CAN GIVE US CHANCE TO EARN BIG.START NOW!!!
Message-ID: < mailto:NS1HM3SOlbpH71yEXUI0000000e@mail.protected-mail.co.uk - NS1HM3SOlbpH71yEXUI0000000e@mail.protected-mail.co.uk >
Date: 22 Mar 2008 21:40:39 +0000

US CHANCE TO EARN BIG. Join Now!!!
Sender: "JESSICA LOVERN" < mailto:Lovernonline@company.com - Lovernonline@company.com >
Mime-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Date: Sun, 23 Mar 2008 17:40:02 -0400
Reply-To: "JESSICA LOVERN" < mailto:lovern.jessica@gmail.com - lovern.jessica@gmail.com >
X-Priority: 1 (Highest)
Content-Transfer-Encoding: 8bit
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: < mailto:Lovernonline@company.com - Lovernonline@company.com >
X-SF-HELO-Domain: company.com
X-SF-Originating-IP: 122.2.22.69
X-Rejection-Reason: 16 - 557 Your domain company.com does not have a valid
MX DNS record. Disconnecting...
X-SF-SPAM:Y

Replies:

Posted By: LogSat
Date Posted: 26 March 2008 at 1:41pm

StevenJohns,

Without seeing the actual source of the email we can only make assumptions. if the email arrived with the CRLF already present, then the email's body would actually have started with the line "US CHANCE TO" and any pre-existing headers after that line would now be part of the email body. However SpamFilter is able to auto correct minor encoding errors in an email, and may have attempted to "fix" itself by understanding where the real intended headers were, and then added our own X-SF hedaers at the end of them. The email is then forwarded as received, including the mis-formatted extra CRLF (or whatever other control character may have been there).

SpamFilter will append its headers at the end of the list of the pre-existing ones, we currently have no plans to change this... but if does become a bigger problem, that may change.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: StevenJohns
Date Posted: 26 March 2008 at 3:43pm

Roberto,

I see your point of view, but I am seeing quite a few of these emails getting through and SF is missing them. My feeling is that the extra cflr has been placed there intentionally to decieve spam filters....and it appears to be working.

With reference to your comment of SF attempting to "fix" itself, well my thoughts are that that behaviour is specifically opposite to the RFC for which you state that SF complies with.

If headers are to be added, then they should be added before the very first blank line (crlf pair) as the RFC states, not where SF "thinks" it should put them.

I am sure that you are aware that the RFC specifically states that the email body starts at the very first blank line and all headers should be before this. Absolutely everything after the blank line should be treated as the email body.

If you could please insert your headers where they should go, then our secondary filters (which are RFC compliant) will be able to pick up your X-SF headers perfectly well and these spam emails will be stopped.

I would like to thank you for a great product and await in anticipation for you to fix this obvious bug.

Cheers