lots of spam getting through |
Post Reply |
Author | |
Terry
Senior Member Joined: 06 February 2005 Status: Offline Points: 155 |
Post Options
Thanks(0)
Posted: 30 July 2016 at 8:58pm |
Getting messages in the log like this through out the day...
HTTP Error in DoSFDBCheck:Connect timed out. In the meantime I am blocking a bunch of countries to help some... Here are the maps filters bl.spamcop.net, true cbl.abuseat.org, true zen.spamhaus.org, true b.barracudacentral.org, true psbl.surriel.com, true dnsbl.zapbl.com, true truncate.gbudb.net,true dnsbl.sorbs.net,true dnsbl-2.uceprotect.net,true and here is the surbl filter multi.surbl.org Also I am on the most current release 4.7.2.206 |
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
Hi Terry,
Those errors indicate that either the SFDB service is temporarily unavailable, or that your SpamFilter is unable to reach our SFDB webservice at http://sfdb.logsat.com. I checked our logs for the SFDB service for yesterday, and did not find any issues (at least not any obvious ones). If you'd like to upload for us your SpamFilter's activity logfile for the day this happened, you can do so here:
https://logsat.com/sfi-upload-box.asp
Please let us also know the external IP address of your SpamFilter server, so we can locate it in our webservice logs and see if we see any problems we may have missed during the superficial look we had earlier. Regards, Roberto Franceschetti LogSat Software |
|
Terry
Senior Member Joined: 06 February 2005 Status: Offline Points: 155 |
Post Options
Thanks(0)
|
I was wondering if we were having some internet problems getting out...I also see this kind of error a lot
Warning - SFDB_WebErrors has reached its limit, SFDB checks are paused temporarily I assume that is also related to the same problem?
|
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
Yes - they are related. After a few timeouts, SpamFilter will stop trying querying the SFDB webservice so as to not waste any more time while processing new emails. Once a minute or so SpamFilter will poll that webservice on the side to see if it becomes available, and if so, the SFDB tests will resume automatically.
If you'd like to send the logs over we may be able to tell if it was an issue with your internet connection or our own webservices.
|
|
Terry
Senior Member Joined: 06 February 2005 Status: Offline Points: 155 |
Post Options
Thanks(0)
|
Roberto, being I bother you with the logs...I am going to make sure that the recent changes that were made to our edge network aren't causing this.
Could this be adding to the volume of spam making it through our filter?
|
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
No bother at all - we're here to help! The SFDB is usually our most efficient filter, so yes - if it's not working properly that would most likely cause an increase in spam. If you send the logs over I'll review them for ano overall health check as well, to ensure all the major filters are also working and stopping the same % of spam as we'd expect.
|
|
Terry
Senior Member Joined: 06 February 2005 Status: Offline Points: 155 |
Post Options
Thanks(0)
|
Okay...I have uploaded todays log...maybe that will show you something
|
|
Terry
Senior Member Joined: 06 February 2005 Status: Offline Points: 155 |
Post Options
Thanks(0)
|
Roberto, I had the firewall guys open up the connection to the ip address of sfdb.logsat.com and that fixed the errors we were getting. Did the address of that site change?
|
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
Hi Terry,
As you discovered, I can confirm that neither your SDFB nor your SFDE filters were working at all for the day of the logfile. The URL used for our proprietary SFDB/SFDE/SFDC filters is http://sfdb.logsat.com. Its IP (66.181.198.110) has not changed in quite a while (years I think), even though we may occasionally temporarily move that website to different servers in the 66.181.198.nnn subnet during server maintenances and updates. The last time this happened was for about 24 hours a couple of weeks ago. As an FYI if you use the antivirus plugin we also just started using Amazon's cloud storage for faster downloads, using the URL http://aws.logsat.com. Being cloud-based, those IPs will change routinely. AS a side-note, we also finished debugging your logfile, and even without being able to use our most efficient filter (SFDB), SpamFilter seems to be working extremely well. Let me give you an example. The logfile you forwarded us shows 15,764 connection attempts. Of those connections, SpamFilter accepted and delivered only 700 emails. 255 of these emails were whitelisted, so SpamFilter identified as clean 445 emails out of 15,764. This means that SpamFilter only allowed 2.8% of your total email traffic thru. Not counting the whitelisted emails, SpamFilter thus identified as spam and blocked a whopping 97.2% of your total SMTP traffic. Now, assuming that one out of three emails you receive in your mailbox is spam (thus 33%), this still means that SpamFilter incorrectly allowed thru 33% x 445 = 148 emails. So SpamFilter would have incorrectly identified as clean only 148 emails out of 15,764. This is an accuracy of 99.1%, which is actually a very very good spam catch ratio. |
|
Terry
Senior Member Joined: 06 February 2005 Status: Offline Points: 155 |
Post Options
Thanks(0)
|
The log I sent you today was just for today and I had added country and additional domain blocking from last week. Would you like me to upload Thursday's log which would have had more spam make it through to the employees...I will go ahead and upload the log for you...
|
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
Sure - we'll take a look at that one too.
|
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
Received the 2nd log. The stats are indeed a bit worse, so your additional settings appeared to have helped quite a bit. As a reference, these are the stats for you log of the 28th:
70910 Total Connections 6986 Forwarded 1654 Whitelisted 5,332 Detected Clean 7.5% % emails allowed 92.5% % emails blocked 33.3% Assume percentage of spam in mailbox 1,776 spam emails assuming above percentage in mailbox 2.5% Percentage spam emails missed 97.5% SpamFilter accuracy and these were instead the ones for your log of the 1st: 15764 Total Connections 700 Forwarded 255 Whitelisted 445 Detected Clean 2.8% % emails allowed 97.2% % emails blocked 33.3% Assume percentage of spam in mailbox 148 spam emails assuming above percentage in mailbox 0.9% Percentage spam emails missed 99.1% SpamFilter accuracy note however that the log for the 1st only contained emails from midnight until 6AM, while the one for the 28th had emails for the entire day. This may skew the stats as during working hours more legitimate emails usually comes thru than at night, so the overall percentages of emails allowed and of the accuracy may differ if only considering the interval midnight-6AM (during which there will be less legitimate emails). |
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
To be more thorough, I just re-run the stats for your log of the 28th, but this time only including entries from midnight until 6AM (just like your log for the 1st). Now the stats become very similar:
20095 Total Connections 914 Forwarded 178 Whitelisted 736 Detected Clean 3.7% % emails allowed 96.3% % emails blocked 33.3% Assume percentage of spam in mailbox 245 spam emails assuming above percentage in mailbox 1.2% Percentage spam emails missed 98.8% SpamFilter accuracy which means that my original statement:
was probably inaccurate... as there seems to be very little difference between the two days when considering the same time interval. |
|
Terry
Senior Member Joined: 06 February 2005 Status: Offline Points: 155 |
Post Options
Thanks(0)
|
that's unfortunate because some really bad ones got through and landed in several directors and senior managers inboxes.
|
|
Post Reply | |
Tweet
|
Forum Jump | Forum Permissions You cannot post new topics in this forum You cannot reply to topics in this forum You cannot delete your posts in this forum You cannot edit your posts in this forum You cannot create polls in this forum You cannot vote in polls in this forum |
This page was generated in 0.227 seconds.