Spam Filter ISP Support - whitelist issue 2

Print Page | Close Window

whitelist issue 2

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6116
Printed Date: 01 July 2025 at 2:55pm

Topic: whitelist issue 2

Posted By: Dan B
Subject: whitelist issue 2
Date Posted: 22 June 2007 at 12:49pm

Roberto,

We are seeing email messages getting caught even when the person is set as bypass whitelist to table. The user mailto:christi@thisdmain.org - christi@thisdmain.org is set to be bypass white listed. Below are logs showing that it's working most of the time but she is still getting some messages caught.

This is showing the user is set to bypass and receiving email from bl country.
Working Correctly

06/21/07 03:17:07:609 -- (1480) - IP address is from a blacklisted country...
06/21/07 03:17:07:609 -- (1480) 221.156.75.32 - Mail from: mailto:coldair@balloonco.com - coldair@balloonco.com To: mailto:christi@thisdmain.org - christi@thisdmain.org will be rejected
06/21/07 03:17:09:000 -- (1480) Bypassed all rules for: mailto:christi@thisdomain.org - christi@thisdomain.org -- from mailto:coldair@balloonco.com - coldair@balloonco.com (Whitelisted EMail Address To)
06/21/07 03:17:09:000 -- (1480) Start virus scan
06/21/07 03:17:09:015 -- (1480) Starting queueing procedures
06/21/07 03:17:09:015 -- (1480) EMail from mailto:coldair@balloonco.com - coldair@balloonco.com to mailto:christi@thisdomain.org - christi@thisdomain.org was queued. Size: 1 KB, 1024 bytes
06/21/07 03:17:09:015 -- (1184) Sending email from mailto:coldair@balloonco.com - coldair@balloonco.com to mailto:christi@thisdomain.org - christi@thisdomain.org --
06/21/07 03:17:09:468 -- (1184) EMail from mailto:coldair@balloonco.com - coldair@balloonco.com to mailto:christi@thisdomain.org - christi@thisdomain.org -- was forwarded to mail.thisdomain.org:25

Here are the logs that show it begin caught.
Not Working Correctly

06/21/07 03:18:55:937 -- (1184) Connection from: 81.155.36.31 - Originating country : United Kingdom
06/21/07 03:18:57:062 -- (1184) - SPF analysis for philacricket.com done: - none
06/21/07 03:18:57:062 -- (1184) Mail from: mailto:kafphilacricketfuv@philacricket.com - kafphilacricketfuv@philacricket.com
06/21/07 03:18:57:062 -- (1184) - MAPS search done... 521 -1 The IP 81.155.36.31 is Blacklisted by combined.njabl.org. Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html - http://njabl.org/dynablock.html --
06/21/07 03:18:57:062 -- (1184) 81.155.36.31 - Mail from: mailto:kafphilacricketfuv@philacricket.com - kafphilacricketfuv@philacricket.com To: mailto:christi@thisdomain.org - christi@thisdomain.org will be rejected
06/21/07 03:18:57:265 -- (1184) Mail from: mailto:kafphilacricketfuv@philacricket.com - kafphilacricketfuv@philacricket.com
06/21/07 03:18:57:265 -- (1184) 81.155.36.31 - Mail from: mailto:kafphilacricketfuv@philacricket.com - kafphilacricketfuv@philacricket.com To: mailto:david@thisdomain.org - david@thisdomain.org will be rejected
06/21/07 03:18:57:437 -- (1184) Mail from: mailto:kafphilacricketfuv@philacricket.com - kafphilacricketfuv@philacricket.com
06/21/07 03:18:57:453 -- (1184) 81.155.36.31 - Mail from: mailto:kafphilacricketfuv@philacricket.com - kafphilacricketfuv@philacricket.com To: mailto:lenny@thisdomain.org - lenny@thisdomain.org will be rejected
06/21/07 03:18:57:609 -- (1184) - EmailTO is not in AuthorizedTOEmail list...
06/21/07 03:18:57:625 -- (1184) 81.155.36.31 - Mail from: mailto:kafphilacricketfuv@philacricket.com - kafphilacricketfuv@philacricket.com To: mailto:webmaster@thisdomain.org - webmaster@thisdomain.org will be disconnected
06/21/07 03:18:57:625 -- (1184) Blacklist cache - Updated limbo counter for 81.155.36.31
06/21/07 03:18:57:796 -- (1184) SFDB - Added 81.155.36.31 - Response: Error=0
06/21/07 03:18:57:796 -- (1184) Disconnect

Here the logs show that it was caught but some of the receipents were whitelisted.
Working Correctly

06/21/07 03:19:13:984 -- (540) - SPF analysis for petermann.com done: - none
06/21/07 03:19:14:062 -- (540) Mail from: mailto:kafpetermannfuv@petermann.com - kafpetermannfuv@petermann.com
06/21/07 03:19:14:062 -- (540) - MAPS search done... 521 -1 The IP 81.155.36.31 is Blacklisted by combined.njabl.org. Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html - http://njabl.org/dynablock.html --
06/21/07 03:19:14:062 -- (540) 81.155.36.31 - Mail from: mailto:kafpetermannfuv@petermann.com - kafpetermannfuv@petermann.com To: mailto:christi@timetorecycle.org - christi@thisdomain.org will be rejected
06/21/07 03:19:14:390 -- (540) Mail from: mailto:kafpetermannfuv@petermann.com - kafpetermannfuv@petermann.com
06/21/07 03:19:14:406 -- (540) 81.155.36.31 - Mail from: mailto:kafpetermannfuv@petermann.com - kafpetermannfuv@petermann.com To: mailto:david@timetorecycle.org - david@thisdomain.org will be rejected
06/21/07 03:19:14:687 -- (540) Mail from: mailto:kafpetermannfuv@petermann.com - kafpetermannfuv@petermann.com
06/21/07 03:19:14:687 -- (540) 81.155.36.31 - Mail from: mailto:kafpetermannfuv@petermann.com - kafpetermannfuv@petermann.com To: mailto:lenny@timetorecycle.org - lenny@thisdomain.org will be rejected
06/21/07 03:19:15:234 -- (540) Start virus scan
06/21/07 03:19:15:359 -- (540) Starting queueing procedures
06/21/07 03:19:15:359 -- (540) Info - some recipients were in the WhitelistedEmailsTO list. Email will be split so they receive it while the others will not
06/21/07 03:19:15:359 -- (540) EMail from mailto:kafpetermannfuv@petermann.com - kafpetermannfuv@petermann.com to " mailto:christi@timetorecycle.org - christi@thisdomain.org , mailto:david@timetorecycle.org - david@thisdomain.org " was queued. Size: 1 KB, 1024 bytes

06/21/07 03:19:15:406 -- (540) Starting quarantine procedures
06/21/07 03:19:15:437 -- (540) Created thread (120) to add email to quarantine
06/21/07 03:19:15:609 -- (120) EMail from mailto:kafpetermannfuv@petermann.com - kafpetermannfuv@petermann.com to mailto:christi@timetorecycle.org - christi@thisdomain.org , mailto:david@timetorecycle.org - david@thisdomain.org , mailto:lenny@timetorecycle.org - lenny@thisdomain.org was received and quarantined. Size: 2 KB, 2048 bytes
06/21/07 03:19:15:625 -- (540) Blacklist cache - Updated limbo counter for 81.155.36.31
06/21/07 03:19:15:828 -- (540) SFDB - Added 81.155.36.31 - Response: Error=0
06/21/07 03:19:15:828 -- (540) Disconnect

I changed the domain for the local users to thisdomain.org to keep them from getting spammed.

Can you tell me why this is happening. The timing tables reloading isn't the issue because the they were updated at midnight and 4 am.

Thanks,
Dan B

-------------
Dan B

Replies:

Posted By: WebGuyz
Date Posted: 22 June 2007 at 1:55pm

What version are you running? In SFI or SFE mode?

-------------
http://www.webguyz.net

Posted By: Dan B
Date Posted: 22 June 2007 at 2:07pm

WebGuyz,

This one is running SFI mode and we have the licenses for SFE but haven't got all of our programming converted to SFE database features yet.

Dan B

-------------
Dan B

Posted By: WebGuyz
Date Posted: 22 June 2007 at 2:24pm

3.5.?

-------------
http://www.webguyz.net

Posted By: Dan B
Date Posted: 22 June 2007 at 2:33pm

I forgot that info.. Ver. 3.5.3.678

Dan B

-------------
Dan B

Posted By: LogSat
Date Posted: 22 June 2007 at 4:24pm

We're not able to reproduce this unfortunately... We simulated your scenario by using the same recipients as yours, but adding them to our "logsat.com" domain. We tried to guess your settings, but we'll get to that later.

After reconfiguring our network so we could use the sender's IP, and adding "christi@logsat.com" to the unfiltered emails list, this is what we got:

06/22/07 16:14:24:468 -- (3852) Connection from: 81.155.36.31 - Originating country : N/A
06/22/07 16:14:24:984 -- (3852) Mail from: kafphilacricketfuv@philacricket.com
06/22/07 16:14:25:000 -- (3852) - SPF analysis for philacricket.com done: - none
06/22/07 16:14:25:140 -- (3852) - MAPS search done... 521 The IP 81.155.36.31 is Blacklisted by zen.spamhaus.org. http://www.spamhaus.org/query/bl?ip=81.155.36.31 --
06/22/07 16:14:25:171 -- (3852) 81.155.36.31 - Mail from: kafphilacricketfuv@philacricket.com To: christi@logsat.com will be rejected
06/22/07 16:14:25:203 -- (3852) Mail from: kafphilacricketfuv@philacricket.com
06/22/07 16:14:25:234 -- (3852) 81.155.36.31 - Mail from: kafphilacricketfuv@philacricket.com To: david@logsat.com will be rejected
06/22/07 16:14:25:265 -- (3852) Mail from: kafphilacricketfuv@philacricket.com
06/22/07 16:14:25:281 -- (3852) 81.155.36.31 - Mail from: kafphilacricketfuv@philacricket.com To: lenny@logsat.com will be rejected
06/22/07 16:14:25:328 -- (3852) 81.155.36.31 - Mail from: kafphilacricketfuv@philacricket.com To: webmaster@logsat.com will be rejected
06/22/07 16:14:25:359 -- (3852) - EmailTO is not in AuthorizedTOEmail list...
06/22/07 16:14:25:406 -- (3852) Start virus scan
06/22/07 16:14:25:421 -- (3852) Starting queueing procedures
06/22/07 16:14:25:437 -- (3852) Info - some recipients were in the WhitelistedEmailsTO list. Email will be split so they receive it while the others will not
06/22/07 16:14:25:453 -- (3852) EMail from kafphilacricketfuv@philacricket.com to christi@logsat.com was queued. Size: 1 KB, 1024 bytes
06/22/07 16:14:25:468 -- (3704) Sending email from kafphilacricketfuv@philacricket.com to christi@logsat.com --
06/22/07 16:14:25:484 -- (3852) Starting quarantine procedures
06/22/07 16:14:25:500 -- (3852) Created thread (7904) to add email to quarantine

As you see, everything is working as it should, and christi@logsat.com is being forwarded the email, while it's being rejected for the others.

What we do see as a difference is that, in your case, the connection was terminated right away after the attempt to webmaster@thisdomain.org:

06/21/07 03:18:57:609 -- (1184) - EmailTO is not in AuthorizedTOEmail list...
06/21/07 03:18:57:625 -- (1184) 81.155.36.31 - Mail from: mailto:kafphilacricketfuv@philacricket.com - To: mailto:webmaster@thisdomain.org - will be disconnected
06/21/07 03:18:57:625 -- (1184) Blacklist cache - Updated limbo counter for 81.155.36.31
06/21/07 03:18:57:796 -- (1184) SFDB - Added 81.155.36.31 - Response: Error=0
06/21/07 03:18:57:796 -- (1184) Disconnect

The above is did not get quarantined, in your case. However you do have quarantine enabled, as in the other email sample you provided the email was quarantined:

06/21/07 03:19:15:406 -- (540) Starting quarantine procedures
06/21/07 03:19:15:437 -- (540) Created thread (120) to add email to quarantine
06/21/07 03:19:15:609 -- (120) EMail from mailto:kafpetermannfuv@petermann.com - to mailto:christi@timetorecycle.org - , mailto:david@timetorecycle.org - , mailto:lenny@timetorecycle.org - was received and quarantined. Size: 2 KB, 2048 bytes

I'm not aware there could be any specific setting that would cause this (mis) behavior. Is this happening on other occasions as well? It could be possible that on that one time the sender issued a disconnect before sending the email, and that is why it was never quarantined to begin with (it's wishful thinking, but still possible). If it happened other times as well, if ou could zip us the entire SpamFilter's logfile, we'd like to have a look at the one with the original email addresses.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Print Page | Close Window