Print Page | Close Window

Filters not getting everything

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=2794
Printed Date: 02 April 2025 at 12:40am


Topic: Filters not getting everything
Posted By: Guests
Subject: Filters not getting everything
Date Posted: 31 January 2004 at 8:49am

I am running the trial version on a Windows 2K box.

The problem I am seeing that the keyword filter is not working.  Not at all.

The next problem has been going on for some time.  I am using Authorized_TO_Emails to filter mail.  Everything else should disconnect, yet I am seeing several SPAM slip through and it shows the SpamFilter tags in the headers.  Example:  The Authorzied To filter worked and let it in but shouldn't the keyword filter have caught the README.ZIP that I had entered?

x-sender: mailto:andrew@insightbb.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - andrew@insightbb.com
x-receiver: mailto:tim@mydomainame.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - tim@mydomainame.com
Received: from crusher ([10.228.21x.xxx]) by caltim.com with Microsoft SMTPSVC(5.0.2195.6713); Sat, 31 Jan 2004 01:28:03 -0500
Received: from 65.41.54.56 by 10.228.21x.xxx (LogSat Software SMTP Server - Unlicensed Evaluation Copy) Sat, 31 Jan 2004 01:32:04 -0500
From: < mailto:andrew@insightbb.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - andrew@insightbb.com >
To: < mailto:tim@attractionsusa.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - >
Subject: Status
Date: Sat, 31 Jan 2004 01:34:55 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_0007_BDD2B16B.C13E4A8E"
X-Priority: 3
X-MSMail-Priority: Normal
X-Server: LogSat Software SMTP Server - Unlicensed Evaluation Copy
Return-Path: < mailto:andrew@insightbb.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - andrew@insightbb.com >
Message-ID: < mailto:OMAOS6yDC0AHmKqyPmB0000043a@caltim.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - OMAOS6yDC0AHmKqyPmB0000043a@caltim.com >
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-OriginalArrivalTime: 31 Jan 2004 06:28:03.0953 (UTC) FILETIME=[61A7C610:01C3E7C3]
X-UIDL: 745
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

In addition, I have had several messages come through that are listed in the Block Domain file.  I have a lot of entries there, too many perhaps?

Any help would be greatly appreciated.

Thanks for such a great product.  Looking forward to paying full price soon.

-Tim


Replies:
Posted By: LogSat
Date Posted: 01 February 2004 at 10:51am

Tim,

If you post your keyword file, along with a sample message source that made it thru, we'll take a look at why it's not working as you expect.

SpamFilter will tag every email it processes, so whatever is delivered will have the X-Server tag in it. If spam slips thru (which can happen) it will of course have that tag in it. If you enter "READ ME.ZIP" in the keyword file it will not get blocked, since that word appears in the mime headers, not the message body itself. The keyword filters only look in to the subject and text body of incoming emails. The new beta version that was just released allows attachment blocking, which allows you to specify exact or wildcard filenames to block.

For the "Block Domain" msgs that slip thru, can you post your black domain entries and the headers of a message that went thru? We'd also need a copy of your spamfilter activity log for that day or (preferred), if you can cut out the section of time that shows the incomign message that will be better. With this info we'll be able to hopefully see what happens.

Roberto F.
LogSat Software

 

Posted By: Guests
Date Posted: 01 February 2004 at 12:22pm
Hi Roberto,
Here is one example of blacklisted domain:  I sent an email to you with the attached blocked domain list. It's stuck in the outgoing queue for some reason.  I have attached the BLOCKED DOMAIN text file.  The domain in question is ms21.maildealz.com and maildealz.com.  That's how I have it listed in the filter.  I also have dosser.co.uk  listed
 
The Connection Activity log shows:
 
================================
02/01/04 10:13:40:015 -- (5608) - Domain is in local blacklist file...
02/01/04 10:13:40:015 -- (5608) 81.218.246.92 - Mail from: mailto:selamborn@dosser.co.uk" CLASS="ASPForums" TITLE="WARNING: URL created by poster. ‘mailto:selamborn@dosser.co.uk’ - selamborn@dosser.co.uk To: mailto:332e8b80.643f@caltim.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. ‘mailto:332e8b80.643f@caltim.com’ - 332e8b80.643f@caltim.com will be disconnected
02/01/04 10:13:40:015 -- (5608) Disconnect
02/01/04 10:13:44:390 -- (5608) Connection from: 216.74.151.221  -  Originating country : United States
02/01/04 10:13:44:609 -- (5608) Resolving 216.74.151.221 - ms21.maildealz.com
02/01/04 10:13:44:609 -- (5608) Bypassed all rules for: mailto:HARSHAD@CAROLINABEER.COM" CLASS="ASPForums" TITLE="WARNING: URL created by poster. ‘mailto:HARSHAD@CAROLINABEER.COM’ - HARSHAD@CAROLINABEER.COM from mailto:147804841.WINANYLOTTOA1@bounce.MailDealz.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. ‘mailto:147804841.WINANYLOTTOA1@bounce.MailDealz.com’ - 147804841.WINANYLOTTOA1@bounce.MailDealz.com
02/01/04 10:13:44:828 -- (5608) EMail from mailto:147804841.WINANYLOTTOA1@bounce.MailDealz.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. ‘mailto:147804841.WINANYLOTTOA1@bounce.MailDealz.com’ - 147804841.WINANYLOTTOA1@bounce.MailDealz.com to mailto:HARSHAD@CAROLINABEER.COM" CLASS="ASPForums" TITLE="WARNING: URL created by poster. ‘mailto:HARSHAD@CAROLINABEER.COM’ - HARSHAD@CAROLINABEER.COM was queued. Size: 8 KB
02/01/04 10:13:44:859 -- (5608) Disconnect
====================================
 
 
The email is below.  Can't figure this one out.  This account is getting hammered with SPAM from this domain  How can I kill them?:
x-sender: 1075618810628@mailserver2.MailDealz.com
x-receiver: HARSHAD@CAROLINABEER.COM
Received: from crusher ([10.228.215.212]) by caltim.com with Microsoft SMTPSVC(5.0.2195.6713); Sun, 1 Feb 2004 09:48:21 -0500
Received: from 216.74.151.221 by 10.228.215.212 (LogSat Software SMTP Server - Unlicensed Evaluation Copy) Sun, 1 Feb 2004 09:58:06 -0500
Received: from ms21.maildealz.com (127.0.0.1) by ms21.maildealz.com (PowerMTA(TM) v1.5); Sun, 1 Feb 2004 10:01:04 -0500 (envelope-from <147804841.WINHUNDREDE1@bounce.MailDealz.com>)
Message-ID: <147804841.1075647664871.WINHUNDREDE1@ms21.maildealz.com>
Date: Sun, 1 Feb 2004 10:01:04 -0500 (EST)
From: "WinHundred" <1075618810628@mailserver2.MailDealz.com>
Reply-To: "WinHundred" <specialoffers@MailDealz.com>
To: <HARSHAD@CAROLINABEER.COM>
Subject: HARSHAD: Cash Prize Entry Form
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="530912025.1075647664873"
X-Server: LogSat Software SMTP Server - Unlicensed Evaluation Copy
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Return-Path: <1075618810628@mailserver2.MailDealz.com>
X-OriginalArrivalTime: 01 Feb 2004 14:48:21.0750 (UTC) FILETIME=[7011D960:01C3E8D2]
X-UIDL: 691
This is a multi-part message in MIME format.
--530912025.1075647664873
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Transefer-Encoding: 8bit
Content-Disposition: inline
The following is an email advertisement.
Truncated by me

Posted By: Guests
Date Posted: 02 February 2004 at 9:38am

Hi Roberto,

I have the Keyword file working but now SF seems to be ignoring or misreading the AUTHORIZED TO files.

mailto:tim@caltim.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - tim@caltim.com is in the AUTHORIZED TO file rules.  Yet it's blocking.

02/02/04 09:16:04:734 -- (6008) Connection from: 205.152.59.68  -  Originating country : United States
02/02/04 09:16:04:953 -- (6008) Resolving 205.152.59.68 - imf20aec.mail.bellsouth.net
02/02/04 09:16:04:968 -- (6008) - EmailTO is in local blacklist file...
02/02/04 09:16:04:968 -- (6008) 205.152.59.68 - Mail from: mailto:mikes@speedwaygroup.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - mikes@speedwaygroup.com To: mailto:tim@caltim.com" CLASS="ASPForums" TITLE="WARNING: URL created by poster. - tim@caltim.com will be disconnected
02/02/04 09:16:04:968 -- (6008) Disconnect

This is a real problem.  It's happening too often.  A lot of ligit mail is now getting blocked.

Posted By: LogSat
Date Posted: 02 February 2004 at 11:33pm

Tim,

The AUTHORIZED TO whitelist lists all emails addresses to which the outside world can email to. Any recipient outside that list will cause the email to be rejected. If a recipient is in the AUTHORIZED TO list, the email still has to go thru all other filtering rules to make sure it's not spam before being delivered. If it matches a rule, it will be rejected.

The whitelist to use in case you want to skip ALL filtering rules for a recipient is the "Unfiltered Emails" whitelist.

That said, if I misinterpreted your questions, please accept my apologies, and let's try again!

Roberto F.
LogSat Software

Posted By: Guests
Date Posted: 03 February 2004 at 8:44am

Hi Roberto,

That's got it.  The only question I am having now is why mail that passes all the other rules still hits the Auto_To file and is blocking emails to reciepients in the list.

Posted By: LogSat
Date Posted: 03 February 2004 at 1:50pm

To answer that we'll need to see SpamFilter's activity log showing the incoming email being processed, along with your SpamFIlter.ini and all white/black list files.

Roberto F.
LogSat Software


Print Page | Close Window