Spam Filter Missing An Entire Domain?
Question asked by Brian Davidson - March 11, 2015 at 1:59 PM
Unanswered
I have a problem that dates back now several versions of SM related to spam filtering, where certain domains or even individual email accounts seem to have no or little spam filter applied. Yes, I've checked and they are not exempt from any settings or bypassing spam filtering. We have implemented Bruce's excellent recommended spam settings. Most clients are not being bombarded by spam, but a couple are being buried. Greylisting is in effect and not being bypassed for the domain.
 
One domain/user in particular seems to have no filtering being applied. Looking at random spam headers, some have a SmarterMail spam weight of 10-12; other very obvious spam messages have none.
 
One or two versions ago I opened a ticket related to this but there was no resolution really.
 
My question is whether it's possible for the filtering process to somehow bypass a domain due to a bad configuration file or any other explanation. 
 
Or is it as simple as those users' email addresses just being bombarded more than others, so the percentage getting through is the same, but the volume is higher?
 
I appreciate any thoughts or help.

4 Replies

0
Are the users allowed to override the spam settings?
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Did you check both the SMTP and the DELIVERY logs? There are spam tests which are applied in both the receiving (SMTP) process and the internal delivery (DELIVERY) process.
 
Sometimes something passes in the SMTP portion and is then blocked in the DELIVERY portion of the e-mail receiving and delivery process.
 
Can you provide a SENDING domain name?  There might be issues with the domain. 
 
If the sending domain is using an MX server farm, like G-Mail and Yahoo, they may have an invalid configuration issue with a single server in the farm which is causing issues only when a message is routed via that particular server.
 
Does one of the two clients have the address whitelisted and the other not?
Bruce Barnes
ChicagoNetTech Inc
0
This is an example of a spam message with only a 10 score that seemingly should be higher. The IP is listed by Spamhaus ZEN but, if I'm reading the header correctly, it is not being applied here? We still have many messages such as this one that get low spam scores despite greylisting and all of the other filters applied.


Return-Path: <window.price@saihealth.com>
Received: from mta3.saihealth.com (saihealth.com [37.48.78.245]) by mail.{server}.com with SMTP;
   Wed, 11 Mar 2015 16:54:32 -0400
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=gamma; d=saihealth.com;
  h=To:Date:Message-Id:MIME-Version:To:From:Subject:Date:Content-type;
  b=bYj7pqJ6ykmd1uUOvznlVZMXmkyzcYL1DBgYverFIwHSrmf+iHNKaCJL+tQ5SP3ZVbD1k9zT3NyzlfSynjv6LDiSk86FaeYnKJhrj82JM56IyVe8N5xDNLUw98cTxLJ1;
Date: Wed, 11 Mar 2015 21:54:30 00100
To: <pam@hiddendomain.com>
Message-Id: <uiv.cnda@saihealth.com>
MIME-Version: 1.0
To: <pam@hiddendomain.com>
From: "Window.Price" <window.price@saihealth.com>
Subject: Affordable Replacement Windows
Date: 11 Mar 2015 21:54:30 +0100
Content-type: text/html; charset="us-ascii"
X-SmarterMail-Spam: SPF_Pass, Spamhaus - SBL 2, DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 10
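One way to answer the question in this thread (is the filter skipping a domain, or is the volume just higher?) is to read the X-SmarterMail-Spam and X-SmarterMail-TotalSpamWeight headers across a whole mailbox rather than one message at a time, and count, per recipient domain, how many messages carry no spam headers at all (the filter never stamped them), how many were DNSBL-listed yet scored low, and how many were scored normally. The script below is an added example, not SmarterMail's code and not something posted in the thread. It assumes the header layout seen in the message above (a comma-separated list of check names, and an integer weight); the DNSBL_MARKERS names, the LOW_WEIGHT threshold, and the sample messages are constructed for illustration.

```python
import email
from collections import Counter, defaultdict
from email import policy

# Assumed: substrings that identify a DNS blocklist check in X-SmarterMail-Spam.
DNSBL_MARKERS = ("spamhaus", "rbl", "dnsbl")
# Assumed threshold: a DNSBL-listed message scoring below this is worth a look.
LOW_WEIGHT = 20

# Constructed sample messages (headers only), modelled on the one in the thread.
SAMPLES = [
    # DNSBL-listed sender, yet a total weight of only 10
    "Return-Path: <window.price@saihealth.com>\n"
    "To: <pam@hiddendomain.com>\n"
    "X-SmarterMail-Spam: SPF_Pass, Spamhaus - SBL 2, DK_None, DKIM_None\n"
    "X-SmarterMail-TotalSpamWeight: 10\n"
    "Subject: Affordable Replacement Windows\n\n",
    # Clean message with a normal score
    "Return-Path: <news@example.net>\n"
    "To: <pam@hiddendomain.com>\n"
    "X-SmarterMail-Spam: SPF_Pass, DKIM_Pass\n"
    "X-SmarterMail-TotalSpamWeight: 0\n"
    "Subject: Monthly update\n\n",
    # No spam headers at all: the filter never stamped this one
    "Return-Path: <promo@example.org>\n"
    "To: <bob@otherdomain.example>\n"
    "Subject: Hello\n\n",
]


def parse_spam_headers(raw_message):
    """Extract the check list, total weight and recipient domain from one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    checks_hdr = msg.get("X-SmarterMail-Spam")
    weight_hdr = msg.get("X-SmarterMail-TotalSpamWeight")
    checks = [c.strip() for c in str(checks_hdr).split(",")] if checks_hdr else []
    weight = int(str(weight_hdr).strip()) if weight_hdr else None
    to_hdr = msg.get("To")
    domain = to_hdr.addresses[0].domain.lower() if to_hdr and to_hdr.addresses else ""
    return {
        "sender": str(msg.get("Return-Path", "")).strip(),
        "recipient_domain": domain,
        "checks": checks,
        "weight": weight,
    }


def classify(parsed):
    """Bucket a parsed message: unscored (no headers), listed_but_low, or scored."""
    if parsed["weight"] is None and not parsed["checks"]:
        return "unscored"  # nothing stamped: candidate for a filter bypass
    dnsbl_hit = any(m in c.lower() for c in parsed["checks"] for m in DNSBL_MARKERS)
    if dnsbl_hit and parsed["weight"] is not None and parsed["weight"] < LOW_WEIGHT:
        return "listed_but_low"
    return "scored"


def triage(messages):
    """Overall counts per bucket."""
    return Counter(classify(parse_spam_headers(m)) for m in messages)


def by_domain(messages):
    """Counts per bucket, broken down by recipient domain."""
    result = defaultdict(Counter)
    for m in messages:
        parsed = parse_spam_headers(m)
        result[parsed["recipient_domain"]][classify(parsed)] += 1
    return result


if __name__ == "__main__":
    print(dict(triage(SAMPLES)))
    for domain, counts in by_domain(SAMPLES).items():
        print(domain, dict(counts))
```

A domain whose messages are mostly "unscored" points at the filter not running for that domain; a domain whose messages are mostly "scored" or "listed_but_low" is being filtered and the question becomes one of thresholds and volume.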
 
0
The sending domain, saihealth.com, has only an IP ADDRESS in the SMTP GREETING, and the SmarterMail server from which it is being sent does not have a valid rDNS record.
 
Here's the error message from WWW.DNSREPORTS.COM
 
Malformed greeting or no A records found matching banner text for following servers, and banner is not an address literal. RFC5321 requires one or the other (should not be a CNAME). If this is not set correctly, some mail platforms will reject or delay mail from you, and can cause hard to diagnose issues with deliverability. Mailserver details:

37.48.78.245 | WARNING: The hostname in the SMTP greeting does not match the reverse DNS (PTR) record for your mail server.  A technical violation of RFC5321
 
We, along with many other large ISPs automatically bounce inbound messages for lack of a valid rDNS mapping.
Bruce Barnes
ChicagoNetTech Inc
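The DNSReport warnings quoted above boil down to three checks on a connecting mail server: does the IP have a PTR record, does that PTR name resolve back to the same IP (forward-confirmed rDNS), and does the hostname in the SMTP greeting either match an A record for the IP or be an RFC 5321 address literal in brackets. The script below is an added example, not from the thread or from DNSReport, that performs those checks with a pluggable resolver so it runs offline. The StubResolver data is constructed: the 192.0.2.x addresses and example.net/example.org names are documentation ranges, and the entry for 37.48.78.245 simply mirrors what the reply reports (no PTR, bare IP in the greeting). SystemResolver is included for live use against the OS resolver.

```python
import ipaddress
import socket


class StubResolver:
    """Constructed, offline DNS data for the example."""

    def __init__(self, ptr, a):
        self._ptr, self._a = ptr, a

    def ptr(self, ip):
        return list(self._ptr.get(ip, []))

    def a(self, name):
        return list(self._a.get(name.lower().rstrip("."), []))


class SystemResolver:
    """Live lookups through the OS resolver (not used by the offline demo)."""

    def ptr(self, ip):
        try:
            host, aliases, _ = socket.gethostbyaddr(ip)
            return [host] + aliases
        except socket.herror:
            return []

    def a(self, name):
        try:
            return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
        except socket.gaierror:
            return []


def is_address_literal(banner_host):
    """RFC 5321 address literal: "[192.0.2.10]" or "[IPv6:2001:db8::1]"."""
    if not (banner_host.startswith("[") and banner_host.endswith("]")):
        return False
    inner = banner_host[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        ipaddress.ip_address(inner)
        return True
    except ValueError:
        return False


def check_greeting(ip, banner_host, resolver):
    """Run the PTR / FCrDNS / greeting-hostname checks for one connecting IP."""
    findings = []
    ptrs = [p.lower().rstrip(".") for p in resolver.ptr(ip)]
    host = banner_host.lower().rstrip(".")
    if not ptrs:
        findings.append("no PTR record for connecting IP")
    # Forward-confirmed rDNS: some PTR name must resolve back to the IP.
    fcrdns = any(ip in resolver.a(p) for p in ptrs)
    if ptrs and not fcrdns:
        findings.append("PTR name does not resolve back to the connecting IP")
    # A bracketed address literal is acceptable as the greeting hostname;
    # anything else must resolve to the IP and should match the PTR name.
    if not is_address_literal(banner_host):
        if ip not in resolver.a(host):
            findings.append("greeting hostname has no A record matching the connecting IP")
        if ptrs and host not in ptrs:
            findings.append("greeting hostname does not match PTR record")
    return {"ip": ip, "banner": banner_host, "ptr": ptrs, "fcrdns": fcrdns, "findings": findings}


# Constructed records for the offline demo.
DEMO = StubResolver(
    ptr={"192.0.2.10": ["mx.example.net"],
         "192.0.2.20": ["host20.example.net"]},
    a={"mx.example.net": ["192.0.2.10"],
       "host20.example.net": ["192.0.2.20"],
       "mail.example.org": ["192.0.2.20"]},
)

if __name__ == "__main__":
    for ip, banner in [("192.0.2.10", "mx.example.net"),
                       ("192.0.2.20", "mail.example.org"),
                       ("37.48.78.245", "37.48.78.245")]:
        print(check_greeting(ip, banner, DEMO))
```

For a live check, pass SystemResolver() instead of DEMO and the greeting hostname captured from the 220 banner in the SMTP log; an empty findings list means the server would pass the checks that the quoted report complains about.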
