had an odd one today...

a user from gmail was blocked due to the filter [(href=" http://+\d - http://+[\d ])] in the body.

the odd thing is that this isn't in the body, its in the message headers, and is the person's nat-ed ip address & private firewall passing off to gmail.

I didn't think that Spamfilter was able to check the message headers, only the body or subject?

I tried doing an reverse Allowedkeywords on this, but that didn't work... (unless I got my syntax wrong).

06/16/06 16:21:15:162 -- (10280) Found Keywords: [(href=" http://+\d - http://+[\d ])]
06/16/06 16:21:15:178 -- (10280) EMail from mailto:roxxx@gmail.com - roxxx@gmail.com to mailto:MartinC@getlost.com - MartinC@getlost.com matches content filter rules - rejected.
06/16/06 16:21:15:178 -- (10280) Disconnect

the content of the header is something like this:-

gRdjsMDa+gmJ2s84+QJYShLArqnR9DxQPLyJeaM=
Received: by 10.35.103.12 with SMTP id f12mr4362111pym;
        Fri, 16 Jun 2006 03:29:30 -0700 (PDT)
Received: by 10.35.12.7 with HTTP; Fri, 16 Jun 2006 03:29:29 -0700 (PDT)

it doesn't appear to even match what I thought was in the regex expression either ... http://numeric - http://numeric address of some sort.

Anyone?

Martin,

Are you running the latest version?  Note the release notes:
// New to VersionNumber = '3.0.1.572';
{TODO -cFix : Memory leak of about 400 bytes for every email that was forwarded}

// New to VersionNumber = '3.0.1.571';
{TODO -cFix : Redesigned how emails are added to quarantine DB - now this is handled by a separate thread, eliminating issues where MySQL database locks caused connections to queue up}
{TODO -cNew : logging for quarantined events has changed as follows:}
{ the entry "EMail from a@a.com to b@b.com was received and quarantined" has a different threadID than the thread that processes the connection }
{ added log entry "Created thread (nnnnn) to add email to quarantine" to track which quarantine thread was created in the connection thread}
{TODO -cFix : To attempt avoiding "Read Timeout" server errors when forwarding emails, we attempt to transfer emails in memory to the delivery thread, in addition to using queue spool files as a backup method}
{ -NOTE- this will prevent antiviruses that scan the FileSystem to detect and stop emails}
{TODO -cNew : Added SpoolQueueFilesToMemory SpamFilter.ini option to force emails to be spooled to disk}
{TODO -cNew : Added SpamFilter.ini option to scan multiple images for spam}
{TODO -cNew : The whitelist keyword filter now scans thru all the email's headers}

thanks, we'll just switch the option off for now.

can't see us catching that much on scanning the headers, especially if its causing false positives like this.