Spam passing checks.
@aflowers:
The Related IP address field shows the IP related to the logged event. If the logged event was not related to the IP (e.g., email passed checks), it shows the IP address of the last host the email was relayed from. Example:
1.2.3.4 sends you an email. You have an Intermediate Host in between the sender server and ORF with IP address 5.6.7.8.
If the email passes all checks, ORF will log 5.6.7.8 in the related IP field, since that is the host it received the email from.
If the email fails on an IP-based blacklist test (e.g., DNS Blacklist), it will log 1.2.3.4, because the sender IP is related to the fact that the email got blacklisted.
If the log indicates the email passed checks, it means it was tested but passed all checks. It was definitely not whitelisted (excluded from filtering), neither by the ASWL test, nor by any of the other whitelists.
Do you see the correct source IP logged in the related IP field for IP-related events, e.g., DNS Blacklist test hits?
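The Related IP selection rule described in the reply above, as an added example that is not part of the original thread and not ORF's own code. It models the two cases (IP-related event: log the sender IP; any other event: log the last relay hop), derives the sender IP by walking back through a configured set of intermediate hosts, and then triages a handful of constructed log lines in a made-up format to show why grouping "passed checks" entries by Related IP says nothing about the true source when an intermediate host sits in front of the filter. The event names in IP_RELATED_EVENTS, the intermediate host list and the log format are all assumptions of this example.

```python
"""Model of how a "Related IP" field is chosen for a log event, plus a small
log triage helper. Constructed example, not ORF's implementation."""
import re
from collections import Counter

# Assumed: relay hosts you trust in front of the filter (the page's 5.6.7.8).
INTERMEDIATE_HOSTS = {"5.6.7.8"}

# Assumed set of checks whose outcome is tied to the sender IP; the page
# names only "DNS Blacklist", the other entry is a constructed placeholder.
IP_RELATED_EVENTS = {"DNS Blacklist", "IP Blacklist (constructed)"}


def sender_ip(relay_chain, intermediate_hosts):
    """relay_chain lists hops in delivery order: originating sender first,
    the host that handed the mail to the filter last. Walk back from the
    nearest hop, skipping trusted intermediates; the first untrusted hop is
    taken as the real sender IP. If every hop is trusted, fall back to the
    outermost one rather than returning nothing."""
    for hop in reversed(relay_chain):
        if hop not in intermediate_hosts:
            return hop
    return relay_chain[0]


def related_ip(relay_chain, event, intermediate_hosts=INTERMEDIATE_HOSTS):
    """Return the IP a log entry would carry for this event:
    the sender IP for IP-related events, otherwise the last relay hop."""
    if event in IP_RELATED_EVENTS:
        return sender_ip(relay_chain, intermediate_hosts)
    return relay_chain[-1]


# Constructed log excerpt in an invented "timestamp | related IP | message"
# layout; it is NOT ORF's real log format.
SAMPLE_LOG = """\
2024-01-01 10:00:01 | 5.6.7.8 | Email passed checks.
2024-01-01 10:00:07 | 1.2.3.4 | Email blacklisted by the DNS Blacklist test.
2024-01-01 10:01:15 | 5.6.7.8 | Email passed checks.
2024-01-01 10:02:40 | 9.9.9.9 | Email passed checks.
2024-01-01 10:03:02 | 5.6.7.8 | Email passed checks.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \| (?P<ip>\S+) \| (?P<msg>.+)$")


def triage_passed(log_text, intermediate_hosts=INTERMEDIATE_HOSTS):
    """Count 'Email passed checks' entries per Related IP and report which of
    those IPs are intermediate hosts, i.e. where the field only tells you
    which relay delivered the mail, not where it came from."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["msg"].startswith("Email passed checks"):
            continue
        counts[m["ip"]] += 1
    hidden = {ip: n for ip, n in counts.items() if ip in intermediate_hosts}
    return counts, hidden


if __name__ == "__main__":
    chain = ["1.2.3.4", "5.6.7.8"]
    print("DNS Blacklist hit logs:", related_ip(chain, "DNS Blacklist"))
    print("Passed checks logs:    ", related_ip(chain, "Email passed checks"))
    counts, hidden = triage_passed(SAMPLE_LOG)
    print("passed per Related IP:", dict(counts))
    print("masked by intermediate host:", hidden)
```

If `hidden` is non-empty, the Related IP column cannot be used to identify the sending host for those entries; the sender has to be recovered from the relay chain (the Received headers) with the intermediate hosts skipped, which is what `sender_ip` does.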
@Krisztián Fekete (Vamsoft):
Thanks for the reply.
Where do I look for the DNS Blacklist test?
The logfile shows when an email gets blocked, and the reason. But when it passes checks, I can't tell why one passed when it is obviously spam.
@aflowers:
"Where do I look for the DNS Blacklist test?"
I mean the log files: do you see the correct source IP logged in the Related IP field for IP-related events, e.g., DNS Blacklist test hits? (http://vamsoft.com/support/docs/knowledge-base/using-the-log-viewer)
"The logfile shows when an email gets blocked, and the reason. But when it passes checks, I can't tell why one passed when it is obviously spam."
"Email passed checks" indicates that ORF performed all blacklist tests enabled, but the email passed all of them (i.e., the sender IP was not listed by any DNS Blacklist services you have enabled, the sender domain has A or MX records (passed the Reverse DNS Test), etc.). From ORF's point of view, there is no such thing as "obvious spam": for a human, it is easy to decide that, as you examine the email as a whole, interpreting its contents. But for automated, rule-based software, it is not that easy to classify an email as spam. It is designed to look for "spammy" traits, but if there are none, it allows the email through. For a human being, an email from the dying widow of a millionaire who wants to give you money raises suspicion; for software, it's just plain text.
Lots of spam getting into the inbox. The log shows many of them coming from the same "Related IP" address. Message is "Email passed checks." I went into the ASWL, but there is no relation that I can see to the Related IP.
I have all the recommended lookups active. Why are so many passing the checks, and how do I stop them? Any way to stop using the related IP?
Thanks in advance!