Spam Filter ISP Support - Possible problem with whitelist process

Print Page | Close Window

Possible problem with whitelist process

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5960
Printed Date: 02 April 2025 at 12:43am

Topic: Possible problem with whitelist process

Posted By: Terry
Subject: Possible problem with whitelist process
Date Posted: 29 January 2007 at 5:12pm

It appears that when a spammer sends to many recipients the blocking process may have a problem. We have some email addresses that we set up as unfiltered because they are shared accounts and critical quarantined items were being missed....now it looks like an email that includes them in the recipient list may forward on to others after them in the list of recipients yet be blocked for those before. In a perfect world the spam message should only go to those recipients that are unfiltered....right? Here is a log entry showing the sequence that happened. The mailto:T6Planners@portptld.com - T6Planners@portptld.com is the unfiltered email address.

01/29/07 13:05:26:256 -- (4048) Connection from: 89.53.51.117 - Originating country : Germany
01/29/07 13:05:56:100 -- (4048) Resolving 89.53.51.117 - Q3375.q.pppool.de
01/29/07 13:05:56:584 -- (4048) - SPF analysis for pppool.de done: - none
01/29/07 13:05:56:600 -- (4048) Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de
01/29/07 13:05:56:943 -- (4048) - MAPS search done... 521 The IP 89.53.51.117 is Blacklisted by combined.njabl.org. Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html - http://njabl.org/dynablock.html --
01/29/07 13:05:56:943 -- (4048) 89.53.51.117 - Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de To: mailto:billwyattnn@portptld.com - billwyattnn@portptld.com will be rejected
01/29/07 13:06:01:818 -- (4048) Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de
01/29/07 13:06:01:818 -- (4048) 89.53.51.117 - Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de To: mailto:maracb@portptld.com - maracb@portptld.com will be rejected
01/29/07 13:06:03:584 -- (4048) Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de
01/29/07 13:06:03:584 -- (4048) 89.53.51.117 - Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de To: mailto:oestem@portptld.com - oestem@portptld.com will be rejected
01/29/07 13:06:06:475 -- (4048) Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de
01/29/07 13:06:06:475 -- (4048) 89.53.51.117 - Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de To: mailto:matheb@portptld.com - matheb@portptld.com will be rejected
01/29/07 13:06:12:303 -- (4048) Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de
01/29/07 13:06:12:303 -- (4048) 89.53.51.117 - Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de To: mailto:daniem@portptld.com - daniem@portptld.com will be rejected
01/29/07 13:06:14:178 -- (4048) Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de
01/29/07 13:06:14:178 -- (4048) 89.53.51.117 - Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de To: mailto:riedeh@portptld.com - riedeh@portptld.com will be rejected
01/29/07 13:06:15:350 -- (4048) Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de
01/29/07 13:06:15:350 -- (4048) 89.53.51.117 - Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de To: mailto:baumak@portptld.com - baumak@portptld.com will be rejected
01/29/07 13:06:16:631 -- (4048) Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de
01/29/07 13:06:16:646 -- (4048) 89.53.51.117 - Mail from: mailto:cindymokyava@pppool.de - cindymokyava@pppool.de To: mailto:maitlk@portptld.com - maitlk@portptld.com will be rejected
01/29/07 13:06:17:896 -- (4048) Bypassed all rules for: mailto:T6Planners@portptld.com - T6Planners@portptld.com from mailto:cindymokyava@pppool.de - cindymokyava@pppool.de ( Whitelisted EMail Address To)
01/29/07 13:06:21:771 -- (4048) Bypassed all rules for: mailto:3dolberd@portptld.com - 3dolberd@portptld.com from mailto:cindymokyava@pppool.de - cindymokyava@pppool.de
01/29/07 13:06:24:225 -- (4048) Bypassed all rules for: mailto:crosst@portptld.com - crosst@portptld.com from mailto:cindymokyava@pppool.de - cindymokyava@pppool.de
01/29/07 13:06:28:740 -- (4048) Bypassed all rules for: mailto:nelsoj@portptld.com - nelsoj@portptld.com from mailto:cindymokyava@pppool.de - cindymokyava@pppool.de
01/29/07 13:06:50:943 -- (4048) EMail from mailto:cindymokyava@pppool.de - cindymokyava@pppool.de to mailto:billwyattnn@portptld.com - billwyattnn@portptld.com , mailto:maracb@portptld.com - maracb@portptld.com , mailto:oestem@portptld.com - oestem@portptld.com , mailto:matheb@portptld.com - matheb@portptld.com , mailto:daniem@portptld.com - daniem@portptld.com , mailto:riedeh@portptld.com - riedeh@portptld.com , mailto:baumak@portptld.com - baumak@portptld.com , mailto:maitlk@portptld.com - maitlk@portptld.com , mailto:T6Planners@portptld.com - T6Planners@portptld.com , mailto:3dolberd@portptld.com - 3dolberd@portptld.com , mailto:crosst@portptld.com - crosst@portptld.com , mailto:nelsoj@portptld.com - nelsoj@portptld.com was queued. Size: 28 KB, 28672 bytes
01/29/07 13:06:54:600 -- (4048) Disconnect

ps...we are on version 3.1.3.605

Replies:

Posted By: LogSat
Date Posted: 29 January 2007 at 5:16pm

This is a known behavior. When a recipient is whitelisted the email will be delivered regardless of the results of the other filters (except the antivirus). If the email is addressed to multiple recipients, SpamFilter is not able to "split" the email and block it for some whiole delivering it for others, so all recipients will be receiving an email is one of them is whitelisted.

This behavior will change in the new SpamFilter v3.5 that will be released within a month or two (a beta is already available).

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: Desperado
Date Posted: 30 January 2007 at 1:38pm

As a work-around, we always use the ":tag" option when we whitelist so that the other accounts at least get a tag in their subject to filter on localy.

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Posted By: Terry
Date Posted: 30 January 2007 at 2:26pm

I should probably already know this...but what is the :tag option on whitelist.

Posted By: LogSat
Date Posted: 30 January 2007 at 5:35pm

Desperado,

Now that is a good idea! Had we thought about it ourselves, we may not have programmed the new splitting feature in the 3.5 version!

Terry, for your question, please see the following section of the readme.html help file:

Unfiltered Emails - Any local email address listed here will cause SpamFilter to bypass all blacklist rules for it. If you have any users who do not want to have their email filtered, enter them here. Wildcards (* and ?, same rules as DOS wildcards) are allowed. You can also use file:///C:/My%20Documents/Delphi%20Projects/SpamFilter/readme.html#Bayesian%20Statistical%20Filtering - Regular Expressions (RegEx). This list supports the :TAG option to bypass the default "pass all" rule for entries on this list. If an entry is in the form user@domain1.com:TAGSUBJECT it will cause all emails sent to user@domain1.com to be accepted and then delivered to that user no matter what. However emails that are classified as spam by the various filters will have the prefix "SPAM:" added to the subject line. If an entry is in the form user@domain1.com:TAG it will cause all emails sent to user@domain1.com to be accepted and then delivered to that user no matter what. However emails that are classified as spam by the various filters will have the header "X-SF-SPAM:Y" added to them.

-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: WebGuyz
Date Posted: 31 January 2007 at 12:00am

Desperado wrote:

As a work-around, we always use the ":tag" option when we whitelist so that the other accounts at least get a tag in their subject to filter on localy.

So what you saying is if a single spam is sent to 5 regular users and one whitelisted user and I had used the :TAG on the whitelisted user, All 6 of these users would have the "X-SF-SPAM:Y" added to their headers and the email would be allowed thru?

How does that help? If I have a content filter check for the "X-SF-SPAM:Y" tag then all (including the whitelisted entry) would be stopped. Maybe its just late but I don't understand how that helps.

Any enlightenment would be appreciated.

-------------
http://www.webguyz.net

Posted By: Desperado
Date Posted: 31 January 2007 at 10:55am

Terry,

Actually, The message is delivered ... yes an annoyance ... but with a tag (in our case "Possible Spam:" in the subject line. Our users are aware of this tag and use their mail client to filter on that wording or in some (actually most) cases, their mail servers themselves can filter them out.

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Print Page | Close Window