Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Odd message header blocking from NATed gm
  FAQ FAQ  Forum Search   Register Register  Login Login

Odd message header blocking from NATed gm
 Post Reply Post Reply
Author
  Topic Search Topic Search  Topic Options Topic Options
MartinC View Drop Down
Newbie
Newbie


Joined: 29 July 2005
Status: Offline
Points: 25 		Post Options Post Options   Thanks (0) Thanks(0)   Quote MartinC Quote  Post ReplyReply Direct Link To This Post Topic: Odd message header blocking from NATed gm
    Posted: 16 June 2006 at 11:48am

had an odd one today...

a user from gmail was blocked due to the filter [(href="http://+[\d])] in the body.

the odd thing is that this isn't in the body, its in the message headers, and is the person's nat-ed ip address & private firewall passing off to gmail.

I didn't think that Spamfilter was able to check the message headers, only the body or subject?

I tried doing an reverse Allowedkeywords on this, but that didn't work... (unless I got my syntax wrong).

06/16/06 16:21:15:162 -- (10280) Found Keywords: [(href="http://+[\d])]
06/16/06 16:21:15:178 -- (10280) EMail from roxxx@gmail.com to MartinC@getlost.com matches content filter rules - rejected.
06/16/06 16:21:15:178 -- (10280) Disconnect

the content of the header is something like this:-

gRdjsMDa+gmJ2s84+QJYShLArqnR9DxQPLyJeaM=
Received: by 10.35.103.12 with SMTP id f12mr4362111pym;
        Fri, 16 Jun 2006 03:29:30 -0700 (PDT)
Received: by 10.35.12.7 with HTTP; Fri, 16 Jun 2006 03:29:29 -0700 (PDT)

it doesn't appear to even match what I thought was in the regex expression either ... http://numeric address of some sort.

Anyone?
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143 		Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 16 June 2006 at 11:40pm

Martin,

Are you running the latest version?  Note the release notes:
// New to VersionNumber = '3.0.1.572';
{TODO -cFix : Memory leak of about 400 bytes for every email that was forwarded}

// New to VersionNumber = '3.0.1.571';
{TODO -cFix : Redesigned how emails are added to quarantine DB - now this is handled by a separate thread, eliminating issues where MySQL database locks caused connections to queue up}
{TODO -cNew : logging for quarantined events has changed as follows:}
{ the entry "EMail from a@a.com to b@b.com was received and quarantined" has a different threadID than the thread that processes the connection }
{ added log entry "Created thread (nnnnn) to add email to quarantine" to track which quarantine thread was created in the connection thread}
{TODO -cFix : To attempt avoiding "Read Timeout" server errors when forwarding emails, we attempt to transfer emails in memory to the delivery thread, in addition to using queue spool files as a backup method}
{ -NOTE- this will prevent antiviruses that scan the FileSystem to detect and stop emails}
{TODO -cNew : Added SpoolQueueFilesToMemory SpamFilter.ini option to force emails to be spooled to disk}
{TODO -cNew : Added SpamFilter.ini option to scan multiple images for spam}
{TODO -cNew : The whitelist keyword filter now scans thru all the email's headers}
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4106 		Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 17 June 2006 at 11:52am
MartinC,

Please note that SpamFilter does scan the "Received:" headers in an email (an option to turn this feature off is in the SpamFilter.ini file).

Also, as Dan mentions, in the latest builds SpamFilter is checking the "whitelist" keywords thru the complete headers as well. This is done as some admins may have specific headers in emails by trusted servers that they wish to whitelist. Scanning for whitelisted keyword throughtout the full headers allows them to do that.

This is done only for whitelists however, as experience has taught s in the past that scanning for blacklist keywords in the headers resulted in a very large number of false positives.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
MartinC View Drop Down
Newbie
Newbie


Joined: 29 July 2005
Status: Offline
Points: 25 		Post Options Post Options   Thanks (0) Thanks(0)   Quote MartinC Quote  Post ReplyReply Direct Link To This Post Posted: 19 June 2006 at 5:12am

thanks, we'll just switch the option off for now.

can't see us catching that much on scanning the headers, especially if its causing false positives like this.
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.262 seconds.

Copyright (c)2002-2025 LogSat Software LLC - Sales: sales@LogSat.com
Contact Us