Spam Filter ISP Support Forum


Some mails not scanned

jeroentiem
Posted: 10 August 2007 at 4:36am

Hi,

How is it possible that I get mails that are not scanned by the spamserver?

Received: from singnet.com.sg [121.6.28.58] by mycomp01.mycomp.com with ESMTP
  (SMTPD32-7.15) id A5A76830034; Fri, 10 Aug 2007 06:12:23 +0200
Message-ID: <000b01c7db82$dfd88950$00000000@singnet.com.sg>
From: "Latoria Banks" <biglittlaeaxed@slauk.com>
To: "Lester" <info@mycomp.com>
Subject: Heya, this is the one
Date: Fri, 10 Aug 2007 12:15:55 -0800
MIME-Version: 1.0
Content-Type: text/plain;
        charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
X-RCPT-TO: <info@mycomp.com>
Status: R
X-UIDL: 383485193

A scanned mail looks like this:

Received: from mail2.mycomp.com [xx.xx.xx.140] by mycomp01.mycomp.com with ESMTP
  (SMTPD32-7.15) id AFD45BF0038; Fri, 10 Aug 2007 10:20:36 +0200
Received: from 200.82.37.216 by mail2.mycomp.com (LogSat Software SMTP Server - Unlicensed Evaluation Copy); Fri, 10 Aug 2007 10:20:33 +0200
Received: from 63.173.74.5 (HELO mailserver.ferndalelabs.com)
     by mycomp.com with esmtp (BAFUWHDVHOFN VFYOI)
     id jW2qOg-oa44x-Aq
     for info@mycomp.com; Wed, 08 Aug 2007 05:23:26 +0200
Message-ID: <000301c7d96b$7b921dd0$c85225d8@Dana>
From: "Dana A. Soto" <Dana@ferndalelabs.com>
To: "Marco T. Walters" <info@mycomp.com>
Subject: New survey
Date: Wed, 08 Aug 2007 05:23:26 +0200
MIME-Version: 1.0
Content-Type: text/html;
        charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
X-Server: LogSat Software SMTP Server - Unlicensed Evaluation Copy
X-SF-RX-Return-Path: <jqocdj@ferndalelabs.com>
X-SF-HELO-Domain:
X-RCPT-TO: <info@mycomp.com>
Status: U
X-UIDL: 383485196

Jeroen



Edited by LogSat - 11 August 2007 at 11:21am

WebGuyz
Posted: 10 August 2007 at 8:46am

Not all spammers follow the rules and use your MX records to send emails. Many try to send directly to your mail server bypassing SF altogether or send to a backup MX if you have one that is not SF protected.

You can block your mail server's port 25 or redirect it at the firewall to forward to SF and turn on SMTP authentication in SF. If your customers aren't doing SMTP auth now this can be a big pain, but it's worth it to make sure what you're describing does not happen.

http://www.webguyz.net
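
The two header sets in the first post differ in which peer handed the message to the final mail server, and that can be checked mechanically. The following is an added example, not part of the original posts or of LogSat's software; the host names are taken from the quoted headers, and the filter IP `192.0.2.140` is a constructed stand-in for the redacted `xx.xx.xx.140`.

```python
import re
from email import message_from_string

# Assumptions for this sketch: hostnames come from the headers quoted in the
# thread; the filter IP is constructed (the page redacts it as xx.xx.xx.140).
FINAL_MTA = "mycomp01.mycomp.com"
FILTER_IPS = {"192.0.2.140"}

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\[([^\]]+)\])?\s+by\s+(\S+)", re.I)

def delivery_hop(raw_headers):
    """Return (peer_name, peer_ip) from the Received line stamped by FINAL_MTA."""
    msg = message_from_string(raw_headers)
    # Received headers are prepended, so the first match is the newest hop;
    # anything below it may have been forged by the sender.
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))
        if m and m.group(3).lower() == FINAL_MTA:
            return m.group(1).lower(), m.group(2)
    return None

def bypassed_filter(raw_headers):
    """True when the final server accepted the message from a non-filter peer."""
    hop = delivery_hop(raw_headers)
    return hop is None or hop[1] not in FILTER_IPS

# Constructed samples modelled on the two header sets in the first post.
DIRECT = (
    "Received: from singnet.com.sg [121.6.28.58] by mycomp01.mycomp.com with ESMTP\n"
    "  (SMTPD32-7.15) id A5A76830034; Fri, 10 Aug 2007 06:12:23 +0200\n"
    "Subject: Heya, this is the one\n\n"
)
SCANNED = (
    "Received: from mail2.mycomp.com [192.0.2.140] by mycomp01.mycomp.com with ESMTP\n"
    "  (SMTPD32-7.15) id AFD45BF0038; Fri, 10 Aug 2007 10:20:36 +0200\n"
    "Received: from 200.82.37.216 by mail2.mycomp.com (LogSat Software SMTP Server);\n"
    "  Fri, 10 Aug 2007 10:20:33 +0200\n"
    "X-Server: LogSat Software SMTP Server\n"
    "Subject: New survey\n\n"
)

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("scanned", SCANNED)):
        print(name, delivery_hop(sample), "bypassed" if bypassed_filter(sample) else "filtered")
```

The check keys on the peer IP recorded by the final server rather than the peer name, because the name in a `Received: from` clause can be whatever the client announced.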

sorfjord
Posted: 22 August 2007 at 2:07pm

Hi jeroentiem,

We just realized that someone is forging our domain ferndalelabs.com in spam. I found your posting with our server info in it. Have you received a lot of spam from our domain? If so, when did it start? Does your software give any other information on the route of the spam? We just want to get as much info as we can to make it stop!!

Thanks

LogSat (Admin Group)
Posted: 22 August 2007 at 5:40pm

sorfjord,

I can't speak on behalf of jeroentiem in regards to the frequency of the spam. However, looking from the headers he posted, this is the one showing the IP of the sender of the forged email:

Received: from 200.82.37.216 by mail2.mycomp.com (LogSat Software SMTP Server - Unlicensed Evaluation Copy); Fri, 10 Aug 2007 10:20:33 +0200

As a side note, we recommend you implement SPF (Sender Policy Framework - see www.openspf.org) in the DNS for your domain. SPF is used by antispam vendors to reject emails that come from unauthorized sources. In simple terms, via DNS you establish what IPs are allowed to send emails on your behalf. Any email not coming from those IPs is treated as spam by email servers that support SPF.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
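
How a receiving server applies an SPF policy to a connecting IP, as an added example that is not part of the original post or of LogSat's software. It covers only the `ip4`, `ip6` and `all` mechanisms so it runs without DNS, and the record shown is constructed for illustration (it is not a record published by ferndalelabs.com).

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed policy: only 192.0.2.0/24 (a documentation range) may send mail.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"

def check_spf(record, client_ip):
    """Evaluate one SPF TXT record against the IP of the connecting client."""
    if not record or record.split()[0].lower() != "v=spf1":
        return "none"                      # no policy published for the domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                  # matches every client
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed record
            if ip in network:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, exists, redirect= need DNS lookups: out of scope here
        raise NotImplementedError(f"term {term!r} needs DNS")
    return "neutral"                       # nothing matched and no 'all' term

if __name__ == "__main__":
    # 200.82.37.216 is the sending IP from the Received header quoted above.
    for ip in ("200.82.37.216", "192.0.2.25"):
        print(ip, check_spf(SAMPLE_RECORD, ip))
    print("no record:", check_spf(None, "200.82.37.216"))
```

With no record published the result is `none`, so the receiver has no policy to act on; with a `-all` policy in place the same connection evaluates to `fail`.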

jeroentiem
Posted: 22 August 2007 at 6:49pm

WebGuyz, thanks for your help, I blocked port 25 on the end mailserver. All MX trick spam mails are blocked at this time. :-)
 
Sorfjord,
Two logs of your domain used for spamming:
 
08-10-07 10:20:28:391 -- (1188) Connection from: 200.82.37.216  -  Originating country : Argentina
08-10-07 10:20:30:016 -- (1188) Resolving 200.82.37.216 - host216.200-82-37.telecom.net.ar
08-10-07 10:20:30:454 -- (1188) Mail from: jqocdj@ferndalelabs.com
08-10-07 10:20:30:454 -- (1188) - SPF analysis for ferndalelabs.com done: - none
08-22-07 02:58:03:665 -- (3560) Connection from: 189.137.187.25  -  Originating country : Mexico
08-22-07 02:58:07:118 -- (3560) - IP address is from a blacklisted country...
08-22-07 02:58:07:118 -- (3560) 189.137.187.25 - Mail from: jqocdj@ferndalelabs.com To:   
 
Jeroen (a happy, now registered, user of the logsat spamfilter)

sorfjord
Posted: 27 August 2007 at 1:19pm

Thanks for the info.

