Spam Filter Missing An Entire Domain?

Question asked by Brian Davidson - 3/11/2015 at 1:59 PM

Unanswered

I have a problem that dates back now several version of SM related to spam filtering, where certain domains or even individual email accounts seem to have no or little spam filter applied. Yes, I've checked and they are not exempt from any settings or bypassing spam filtering. We have implemented Bruce's excellent recommended spam settings. Most clients are not being bombarded by spam, but a couple are being buried. Greylisting is in effect and not being bypassed for the domain.

One domain/user in particular seems to have no filtering being applied. Looking at random spam headers, some have a SmarterMail spam weight of 10-12; other very obvious spam messages have none.

One or two versions ago I opened a ticket related to this but there was no resolution really.

My question is whether it's possible for the filtering process to somehow bypass a domain due to a bad configuration file or any other explanation.

Or is it as simple as those users' email address are just being bombarded more than others so the percentage getting through is the same, but volume is higher?

I appreciate any thoughts or help.

5 Replies

Reply to Thread

Bruce Barnes Replied

3/11/2015 at 9:52 PM

Are the users allowed to override the spam settings?

Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

Brian Davidson Replied

3/12/2015 at 5:06 AM

The users can override the spam settings, but this one (and the other domain with particular spam issues) does not have any override. (Bruce - the only change from your spam recommendations is we delete at a score of 20 instead of 15 due to user complaints about missing emails). I tracked one spam message this morning. Here's a scenario that confounds me:

Client #1 on Domain #1
Receives a message with a spam rating of 10. Tracking in logs, I see that the message was greylisted, given a score of 10, then delivered.

Client #2 on Domain #2
Receives a message from the exact same IP and domain as client #1's message. That message is also greylisted, but never re-appears in the logs and presumably not delivered.

I can find at least one other instance like this already today where a message is delivered to client #1 and the exact same one appears to get blocked after greylisting. Thanks!

Bruce Barnes Replied

3/12/2015 at 5:44 AM

Did you check both the SMTP and the DELIVERY logs? There are spam tests which are applied in both the receiving (SMTP) process, and internal delivery (DELIVER) process.

Sometimes something passes in the SMTP portion and is then blocked in DELIVERY portion of the e-mail receiving and delivery process.

Can you provide a SENDING domain name? There might be issues with the domain.

If the sending domain is using an MX server farm, like G-Mail and Yahoo, they may have an invalid configuration issue with a single server in the farm which is causing issues only when a message is routed via that particular server.

Does one of the two clients have the address whitelisted and the other not?

Brian Davidson Replied

3/12/2015 at 5:45 AM

This is an example of a spam message with only a 10 score that seemingly should be higher. The IP is listed by Spamhaus ZEN but if I'm reading the header correctly not being applied here? We still have many messages such as this one that get low spam scores despite greylisting and all of the other filters applied.


Return-Path: <window.price@saihealth.com>
Received: from mta3.saihealth.com (saihealth.com [37.48.78.245]) by mail.{server}.com with SMTP;
   Wed, 11 Mar 2015 16:54:32 -0400
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=gamma; d=saihealth.com;
  h=To:Date:Message-Id:MIME-Version:To:From:Subject:Date:Content-type;
  b=bYj7pqJ6ykmd1uUOvznlVZMXmkyzcYL1DBgYverFIwHSrmf+iHNKaCJL+tQ5SP3ZVbD1k9zT3NyzlfSynjv6LDiSk86FaeYnKJhrj82JM56IyVe8N5xDNLUw98cTxLJ1;
Date: Wed, 11 Mar 2015 21:54:30 00100
To: <pam@hiddendomain.com>
Message-Id: <uiv.cnda@saihealth.com>
MIME-Version: 1.0
To: <pam@hiddendomain.com>
From: "Window.Price" <window.price@saihealth.com>
Subject: Affordable Replacement Windows
Date: 11 Mar 2015 21:54:30 +0100
Content-type: text/html; charset="us-ascii"
X-SmarterMail-Spam: SPF_Pass, Spamhaus - SBL 2, DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 10

Bruce Barnes Replied

3/12/2015 at 7:05 AM

The sending domain, saihealth.com has only an IP ADDRESS in the SMTP GREETING and the SmarterMail server from which it is being sent from does not have a valid rDNS record.

Here's the error message from WWW.DNSREPORTS.COM

Malformed greeting or no A records found matching banner text for following servers, and banner is not an address literal. RFC5321 requires one or the other (should not be a CNAME). If this is not set correctly, some mail platforms will reject or delay mail from you, and can cause hard to diagnose issues with deliverability. Mailserver details:

37.48.78.245 | WARNING: The hostname in the SMTP greeting does not match the reverse DNS (PTR) record for your mail server. A technical violation of RFC5321

We, along with many other large ISPs automatically bounce inbound messages for lack of a valid rDNS mapping.

Back to Community Threads

Please leave this box unchecked

5 Replies

Reply to Thread

Tags

Related Knowledge Base Articles