Blacklisted emails get stopped and not so stopped?


Just checking on some spam that came through this morning from a range of IP addresses that are listed on Spamhaus ZEN and the SORBS comb. list. I notice that some emails from those IPs are getting different treatment from ORF (vs. 5.0). Some are greylisted then passed, some are picked up as blacklisted and others seem to clear all checks (from the same DNS-blacklisted IP).

Admission of guilt... It's on my to-do list to bring the new ORF version online and start a reconfig from scratch. I've updated the current one with all its custom black and whitelists from back in the 2.5 version days. So let's say it's more than dirty as configs go...

It's likely some rule set is being skipped or something I've forgotten when it comes to how ORF processes mail. But I thought I'd throw it out there...


-------------------------------------------------------------------------------

-- EVENT SUMMARY --
Time: 24/07/2014 11:07:36 AM GMT-0400 Eastern Daylight Time
Sender Email:
Recipient Email:
Related IP: 199.116.113.229
Action: (not available)
Email Subject: (not available)

-- EVENT MESSAGE --
Recipient passed checks.

-- EVENT DETAILS --
Filtering Point: Before Arrival
Event Class: Pass
Severity: Information
Server: claven.dougallmedia.com
Event Source: SMTPSVC-1
HELO Domain: (not available)
Message ID: (not available)
Log Mode: Verbose
ORF Version: 5.0 REGISTERED

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

-- EVENT SUMMARY --
Time: 24/07/2014 11:07:35 AM GMT-0400 Eastern Daylight Time
Sender Email:
Recipient Email:
Related IP: 199.116.113.229
Action: Rejected
Email Subject: Please Confirm: Have you Paid Your Insurance Bill? Conf No. 15514530

-- EVENT MESSAGE --
Blacklisted by the SPAMHAUS-DBL SURBL (domain: "insuredmycareasy.com", DNS lookup result: 127.0.1.2).

-- EVENT DETAILS --
Filtering Point: On Arrival
Event Class: Blacklist
Severity: Information
Server: claven.dougallmedia.com
Event Source: SMTPSVC-1
HELO Domain: (not available)
Message ID:
Log Mode: Verbose
ORF Version: 5.0 REGISTERED

-------------------------------------------------------------------------------

by Barry George 4 years ago

@Barry George: The email was blacklisted at the On Arrival filtering point by Spamhaus DBL, which is a SURBL: the SURBL test does not check the sender IP (DNS Blacklists do that), it checks domains found in clickable links in the email body. In this case, it found that the domain "insuredmycareasy.com" present in the email body is listed in the online blacklist database of Spamhaus DBL.

Since the email body is not yet available at the Before Arrival filtering stage, the SURBL test always runs at On Arrival only, which is why the email was allowed through at Before Arrival.

by Krisztián Fekete (Vamsoft) 4 years ago
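To make the two filtering points concrete, here is an added worked example (my own code, not ORF's and not anything from Vamsoft). It models what the log above shows: at Before Arrival only the connecting IP is known, so only a DNSBL (IP-based) test can run; at On Arrival the body exists, so link domains can be extracted and queried against a SURBL such as Spamhaus DBL. The zone names dbl.spamhaus.org and zen.spamhaus.org are the real ones, but the resolver is a constructed in-memory table so the script runs offline; the sample message and the ZEN listing for the second IP are constructed, and the domain normalization is deliberately simpler than whatever ORF does internally.

```python
import re
from email import message_from_string

# Real zone names; the lookups below never hit the network.
SURBL_ZONE = "dbl.spamhaus.org"   # domain-based list (SURBL)
DNSBL_ZONE = "zen.spamhaus.org"   # IP-based list (DNSBL)

# Constructed stand-in for DNS. The DBL entry mirrors the log above:
# 127.0.1.2 is the Spamhaus DBL return code for a spam domain.
# The ZEN entry for 192.0.2.10 is a constructed listing (127.0.0.2 = SBL range)
# so the Before Arrival path has something to reject as well.
FAKE_DNS = {
    "insuredmycareasy.com.dbl.spamhaus.org": "127.0.1.2",
    "10.2.0.192.zen.spamhaus.org": "127.0.0.2",
}

# Constructed sample message, modelled on the subject line in the log.
SAMPLE_MESSAGE = """From: billing@example.invalid
To: user@example.invalid
Subject: Please Confirm: Have you Paid Your Insurance Bill? Conf No. 15514530

Please confirm your details at http://insuredmycareasy.com/confirm?id=15514530
"""

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def fake_resolve(name):
    """Return the A record for a blacklist query name, or None if unlisted."""
    return FAKE_DNS.get(name)


def reverse_ip(ip):
    """DNSBL queries use the octets in reverse order: 1.2.3.4 -> 4.3.2.1."""
    return ".".join(reversed(ip.split(".")))


def extract_domains(body):
    """Pull the host part out of every http(s) link in a message body."""
    return sorted({h.lower().rstrip(".") for h in URL_RE.findall(body)})


def before_arrival(related_ip, resolve=fake_resolve):
    """Before Arrival: only envelope data (here, the connecting IP) exists,
    so the only list test possible is an IP lookup against a DNSBL."""
    result = resolve(f"{reverse_ip(related_ip)}.{DNSBL_ZONE}")
    if result:
        return ("Blacklist",
                f"Blacklisted by the {DNSBL_ZONE} DNSBL "
                f"(IP: {related_ip}, DNS lookup result: {result}).")
    return ("Pass", "Recipient passed checks.")


def on_arrival(raw_message, resolve=fake_resolve):
    """On Arrival: the full message is available, so link domains from the
    body can be checked against a SURBL. A hit here does not depend on the
    sender IP being listed anywhere."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # sample is single-part text
    for domain in extract_domains(body):
        result = resolve(f"{domain}.{SURBL_ZONE}")
        if result:
            return ("Blacklist",
                    f'Blacklisted by the SPAMHAUS-DBL SURBL (domain: "{domain}", '
                    f"DNS lookup result: {result}).")
    return ("Pass", "Message passed On Arrival checks.")


if __name__ == "__main__":
    # Reproduces the pair of events in the log: the IP passes the IP-only
    # stage, then the body's link domain is caught once the body is readable.
    print("Before Arrival:", before_arrival("199.116.113.229"))
    print("On Arrival:    ", on_arrival(SAMPLE_MESSAGE))
    # A constructed IP that the fake ZEN table does list is rejected early.
    print("Before Arrival:", before_arrival("192.0.2.10"))
```

The point for an admin reading the logs: a "Pass" at Before Arrival followed by a "Blacklist" at On Arrival is not the same IP being treated inconsistently; it is two different tests looking at two different pieces of evidence, and the second one cannot run until the body has been received.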
