Finding out how spam is getting through
Finding out how spam is getting through - 14.Aug.2008 10:05:27 AM
PeteHelgren
Posts: 15
Joined: 11.Sep.2006
I have been very pleased with Mail Essentials but I still occasionally get spam that I cannot figure out how it is getting through the filter. I am on version 12 and I get 5-8 spam emails a day, out of hundreds for my email address, that come through. My detection settings have the IP Whitelist, Keyword whitelist, Custom blacklist, DNS blacklist, email/domain whitelist, SPAM URI, and keyword checking, in that order listed. The email that comes through definitely has keywords that *should* be blocked so my only conclusion is that a whitelist setting is allowing it to pass. Yet, the IPs, keywords, domains, and email addresses appear nowhere in the whitelists. How do I "trace" how these very few emails are getting through when they have such obvious (and obnoxious) filtered words in them? The only thing I noticed is that they have an "In-Reply-To" value in the header although these emails are clearly not in reply to anything. Any help would be appreciated. Pete
RE: Finding out how spam is getting through - 14.Aug.2008 10:24:36 AM
John Letourneau
Posts: 1124
Joined: 28.Apr.2008
From: Clayton, NC
Pete, what build of GFI MailEssentials 12 are you currently running? If you are on build 20080623 there is a log called ase_action.gfi_log.txt in ..\Program Files\GFI\MailEssentials\DebugLogs. Take the message ID of the spam message that was delivered to you and search this log for it. These logs do overwrite themselves, so check the .bak file as well. If the message falls within the timeframe of these logs (each line is timestamped) and you cannot find the message ID listed anywhere, this would lead me to believe the message was simply not blocked. If the message was blocked by any modules or whitelisted, it will show in this log. Let me know what you find.
_____________________________
Regards, John Letourneau - Senior Technical Support Representative GFI Software - www.gfi.com
RE: Finding out how spam is getting through - 14.Aug.2008 12:11:13 PM
PeteHelgren
Posts: 15
Joined: 11.Sep.2006
Thanks John. Looks like I am a little back level on 12 so I'll download and update to the latest build and then monitor the mail and scan the debug logs afterward if I have an issue. Thanks for the tip. I'll follow up in a few days. Pete
RE: Finding out how spam is getting through - 18.Aug.2008 4:12:59 PM
PeteHelgren
Posts: 15
Joined: 11.Sep.2006
John, I installed the latest ME12 build and took a look at the log file you indicated. The message ID IS in the log and it shows as Module: Whitelist; Action: WHITELISTED. Yet, when I look for the IP address, the email address, the subject keywords or the body keywords, I can't see anything in the text of the email that would allow it through. Is there any way to find out which of the whitelist policies it applied and what whitelisted items are in the email that allowed it through? If not, that would be a great enhancement so we could diagnose our own issues without involving anyone else.
RE: Finding out how spam is getting through - 18.Aug.2008 4:54:44 PM
PeteHelgren
Posts: 15
Joined: 11.Sep.2006
SOLVED! Waiting for a reply, I did a little more poking around the logs and I found the whitelist log and, using the date/time stamp in the ase log, I was able to see the queries that looked for whitelist entries. Turns out that there is one email address that is whitelisted to allow all mail through and this address was used in either the CC: or BCC: entry. A nice enhancement would be to ONLY examine the To: field when determining whether an email should go through to an individual or not. The CC and BCC entries should be ignored, IMHO. Thanks for the info. At least I know what is going on.
RE: Finding out how spam is getting through - 18.Aug.2008 5:06:10 PM
PeteHelgren
Posts: 15
Joined: 11.Sep.2006
On second thought, that was a dumb idea. Sometimes the CC or BCC is the way the email was sent to the recipient. Blocking that option would dump the emails as well. I may move my keyword filter up above the whitelist and hope that no one I know sends an email that has a "bad" word in it.
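The behaviour found in this thread, as an added example that is not part of the original posts and is not GFI MailEssentials code: a small model of an ordered filter chain that reports which header and whitelist entry let a message through, and how the verdict changes when the keyword check runs before the whitelist. The addresses, keyword, sample message and module names are constructed for illustration; only visible headers are inspected, so a BCC recipient carried in the SMTP envelope is outside this sketch.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data (assumptions, not taken from the thread).
WHITELIST = {"partner@example.com"}
BLOCKED_KEYWORDS = {"cheap pills"}

SAMPLE = """\
From: sender@spam.example
To: pete@example.org
Cc: partner@example.com
In-Reply-To: <bogus@spam.example>
Subject: cheap pills today

Buy cheap pills now.
"""

def whitelist_check(msg):
    """Return (header, address) for the first whitelisted address, else None."""
    for header in ("From", "To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr.lower() in WHITELIST:
                return header, addr.lower()
    return None

def keyword_check(msg):
    """Return the first blocked keyword in subject or body, else None."""
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    return next((k for k in sorted(BLOCKED_KEYWORDS) if k in text), None)

def evaluate(raw, order):
    """Run the modules in order; the first one that matches decides."""
    msg = message_from_string(raw)
    for module in order:
        if module == "whitelist":
            hit = whitelist_check(msg)
            if hit:
                return "WHITELISTED", f"{hit[0]}: {hit[1]}"
        elif module == "keyword":
            hit = keyword_check(msg)
            if hit:
                return "BLOCKED", f"keyword: {hit}"
    return "DELIVERED", "no module matched"

if __name__ == "__main__":
    print(evaluate(SAMPLE, ["whitelist", "keyword"]))  # whitelist wins
    print(evaluate(SAMPLE, ["keyword", "whitelist"]))  # keyword wins
```

With the whitelist first, the second element of the result names the matching header and entry, which is the detail that was missing from the Module: Whitelist; Action: WHITELISTED log line.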