[SPAM] being attached to all subjects - ORF Forums


1

Hi,

[SPAM] is being attached to all email sent to my company inbound. The mail is not spam at all and is from verified senders. This is quite urgent, please help!

by Darren Noble 8 years ago
2

@Darren Noble: Darren,

The [SPAM] tag can be attached by ORF or by an external software (it is quite commonly used). You can use the ORF Log Viewer to determine whether it was ORF that attached the tag and if so, for what reason exactly. The Message column of the log always contains which test was involved in a blacklisting and that provides pointers toward resolving the issue. Typical reasons include malformed Sender Blacklist expressions and DNS issues (see http://www.vamsoft.com/faq.asp#orfeerdnsproblems - "All inbound emails are blocked by the RDNS test, what should I do?").

We can also check the logs and your configuration if you send these to . Log files have .log extension and your configuration file is called orfent.ini. By default, these can be found in the ORF program directory, Program Files\ORF Enterprise Edition (or Program Files (x86)\ORF Enterprise Edition for 64-bit Windows systems).

by Peter Karsai (ORF Team) 8 years ago
3

Before I send any logs, here is what I've found: this email is sent from my external account and is still received as [SPAM] on the server. The message receives no worries, it's just we don't want this annoying tag on our subjects from proper senders. I've obviously edited the IP and domains for privacy.

DNS configuration passed no worries.

Please help!

----------------------------------------------------------------
Version: 4.4 REGISTERED
Log Mode: Verbose
Server: targetdomain.local
Source: SMTPSVC-1
Time: 16/07/2010 9:58:13 PM
Class: Whitelist
Severity: Information
Filtering Point: On Arrival
HELO/EHLO Domain:
Related IP: 192.168.x.x
Message ID:
Sender:
Recipient(s):
Subject:
Message:
Email whitelisted by the sender whitelist. Filter comment: "Received via Remote Control on 14/07/2010 11:29:05 AM".
----------------------------------------------------------------

by Darren Noble 8 years ago
4

@Darren Noble: Thank you for the update.

There is one important thing that was removed, namely whether the Subject: field in the log entry contained [SPAM]. If it did, it means the email already contained the [SPAM] tag when ORF whitelisted it, so it is coming from an external software.

If the Subject: field in the log entry did not contain a [SPAM] prefix, please let us know.

by Peter Karsai (ORF Team) 8 years ago
5

@Darren Noble: This is what I get...

There is no other software installed to filter spam, however all mail passes through a FORTIGATE located at 192.168.x.x

Thanks

Version: 4.4 REGISTERED
Log Mode: Verbose
Server: domain.local
Source: SMTPSVC-1
Time: 16/07/2010 11:21:13 PM
Class: Whitelist
Severity: Information
Actions: (not available)
Filtering Point: On Arrival
HELO/EHLO Domain: (not available)
Related IP Address: 192.168
Message ID: (not available)
Email Subject: Testing spam filter
Sender: [email protected]
Recipient(s):
* [email protected]
Message:
Email whitelisted by the sender whitelist. Filter comment: "Received via Remote Control on 14/07/2010 11:29:05 AM".

by Darren Noble 8 years ago
6

@Darren Noble: Thank you.

The log message indicates that the email in question was whitelisted. That means ORF guarantees that _as far as it is concerned_, the email will not be blacklisted or otherwise modified by ORF. Also, the [SPAM] subject tag is not present on the email at the time of arrival, so it must receive the tag after ORF.

Isn't it possible that some anti-virus software or an Outlook plugin appends these tags?

by Peter Karsai (ORF Team) 8 years ago
7

@Darren Noble: It is probably the Fortigate doing it. I hate those things. First of all, ORF logs it as being received from 192.168.x.x. If that message came from an external mail server through the Fortigate, then the Fortigate is re-writing the headers to show its own IP address. I had two older Fortigate 60 units do that, and a firmware update fixed it. Second, I believe that the Fortigate will add that tag to whatever it believes is spam if you have spam filtering enabled on it. I think they are horrible firewalls. IMHO, a **far better** firewall is a WatchGuard unit. They can be locked down ***MUCH*** tighter and more easily than most others, and their proxies are transparent to whatever is behind them.

Gregg Hill

by Gregg Hill 8 years ago
8

Sorry, I should've closed this off a while ago. Although the Fortigate had the spam filter enabled, I disabled it and it didn't fix it.

I then found some software on the server, installed prior to me, named mail guard utils or something.

Uninstalled that, voila, fixed!

by Darren Noble 8 years ago
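
The diagnostic reasoning used in this thread (compare the Subject that ORF logged on arrival with what the recipient finally sees), as an added example that is not part of the original posts or ORF's own tooling: it parses one log entry in the layout pasted above and reports on which side of ORF the tag was added. The sample entry, its addresses and the function names are constructed for illustration.

```python
"""Added example: locate where a subject tag was added, from one ORF log entry."""

# Field names as they appear in the entries pasted in this thread.
KNOWN_KEYS = {
    "Version", "Log Mode", "Server", "Source", "Time", "Class", "Severity",
    "Actions", "Filtering Point", "HELO/EHLO Domain", "Related IP",
    "Related IP Address", "Message ID", "Subject", "Email Subject",
    "Sender", "Recipient(s)", "Message",
}

# Constructed sample entry (placeholder values), same layout as the posts above.
SAMPLE_ENTRY = """\
Class: Whitelist
Severity: Information
Filtering Point: On Arrival
Related IP Address: 192.0.2.10
Email Subject: Testing spam filter
Sender: sender@example.com
Recipient(s):
* user@example.net
Message:
Email whitelisted by the sender whitelist. Filter comment: "constructed".
"""

def parse_entry(text):
    """Parse 'Key: value' lines; other lines continue the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        # Message is the last field, so nothing after it starts a new key.
        if sep and name.strip() in KNOWN_KEYS and current != "Message":
            current = name.strip()
            fields[current] = rest.strip()
        elif current is not None:
            fields[current] = (fields[current] + "\n" + line).strip()
    return fields

def locate_tagger(entry, tag="[SPAM]"):
    """Apply the thread's reasoning to one parsed entry."""
    subject = entry.get("Email Subject") or entry.get("Subject") or ""
    if not subject or subject == "(not available)":
        return "inconclusive"        # subject redacted or missing: cannot tell
    if tag.lower() in subject.lower():
        return "upstream"            # tag was already present when ORF saw it
    if entry.get("Class") == "Whitelist":
        return "downstream"          # ORF left it untouched; tagged after ORF
    return "check-orf-message"       # the Message field names the ORF test

if __name__ == "__main__":
    print(locate_tagger(parse_entry(SAMPLE_ENTRY)))
```

A "downstream" result points at software running after ORF on the mail path, which is where the tag turned out to come from in this thread.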
