Spam not being blocked

Posted: Mon Aug 01, 2011 8:24 am
by theywill
Hi there,

I've got a few curious scenarios in which I have 1) spam making it through to a user, where it is being blocked for others, and where 2) spam is making it through and not represented in the log.

Scenario #2
I have a whole load of spam coming from macprofessors.com. Here's an example header.

Received: (qmail 17341 invoked from network); 31 Jul 2011 21:08:37 -0500
Received-SPF: pass (mercury.everydayhosting.net: domain of macprofessors.com designates 64.120.221.40 as permitted sender) client-ip=64.120.221.40; envelope-from=obnfhk@macprofessors.com; helo=oai.macprofessors.com;
Received: from 64-120-221-40.static.hostnoc.net (HELO oai.macprofessors.com) (64.120.221.40)
by mercury.everydayhosting.net with SMTP; 31 Jul 2011 21:08:37 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=macprofessors.com;
h=From:To:Subject:MIME-Version:Message-Id:Date:Content-Type; i=obnfhk@macprofessors.com;
bh=+kD1aLHUZJGQFzwt7G1QAcpr28U=;
b=ca5TF6q9+iyVat6Mk0/k6CKKTNwidmsvfa9c3bMm1wTfbANDw7RO4F1yTwbdt7MxcyWK1wSZyMIB
wfYstYgR245rcIxAv1cnGfhN0806crkzaXDsfHoDUnnJdiRWZ1wH
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=default; d=macprofessors.com;
b=yp3bGUwDQofiLeuChYX7kTvla6TIAv7b1+3LlxzJEsBAj/I/UKSNOT2t0GDs/f/+Qz3e3W7Ii/3m
J/l1eYta6Lcw9LeLpDzY4NliTwSodvIh4/4yZUXn36G/2h92dK8n;
From: GraphicDesignSchool <obnfhk@macprofessors.com>
To: <dave@telename.com>
Subject: Earn a design degree
MIME-Version: 1.0
Message-Id: <ZGF2ZUB0ZWxlbmFtZS5jb20633@macprofessors.com>

When I ask the log for information about email from this domain, I get zero results.

Statistics for the month of July 2011
From Address: *@macprofessors.com
To Address: *

No results found.

Scenario #1

Received: (qmail 14241 invoked from network); 31 Jul 2011 13:36:39 -0500
Received-SPF: none (no valid SPF record)
Received: from unknown (HELO muzammild3b91b) (59.103.214.11)
by mercury.everydayhosting.net with SMTP; 31 Jul 2011 13:36:38 -0500
Received: (qmail 6507 by uid 507); Sun, 31 Jul 2011 11:25:23 +0800
From: "Penis Growth Free trial" <improvisatelopseed@partenaire-entreprise.fr>
To: <dave@telename.com>
Subject: Increase your level of confident
Date: Sun, 31 Jul 2011 11:14:40 +0800
Message-ID: <004401cc4fda$bd2560b0$37702210$@fr>

The log shows block after block for this domain.
2011-07-28 06:34:14 SPAM[block_lists:36] no 91.103.28.2 gw-0-2.utc.am tun53c8285bc07 climaxfastidious@partenaire-entreprise.fr georgiaplath@ssas.org
2011-07-29 01:38:39 SPAM[block_lists:36] no 94.255.109.134 host-94-255-109-134.stv.ru ws01 spinodalmentor@partenaire-entreprise.fr bob@bulldogop.com
2011-07-29 05:47:37 SPAM[block_lists:36] no 95.139.233.226 node-95-139-233-226.domolink.tula.net e2b012c57bf0402 bergoleander@partenaire-entreprise.fr bill@bulldogop.com
2011-07-30 04:17:01 SPAM[check_ip_reverse_dns] no 117.215.197.60 (null) skill2 alchemyapropos@partenaire-entreprise.fr bill@bulldogop.com
2011-07-30 04:18:16 SPAM[block_lists:36] no 122.176.155.90 abts-north-dynamic-090.155.176.122.airtelbroadband.in fino rechercheteleost@partenaire-entreprise.fr dave@telename.com

However, it doesn't show any record for the message that was delivered to dave@telename.com on 7/31.

I have lots and lots of scenario #2s, whereby the message header (from the source) indicates a sending domain and all of the records of the sending domain in the log are blocks.

There are no users in my User Exemption List.

Thanks for any help you can provide.

James
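
Added example, not part of either post and not MagicSpam's own tooling: a small script that matches a delivered message against the log by connecting IP, recipient and time rather than by sender domain. In the lines quoted above, the blocked entries for the same sender domain all come from other connecting IPs. The log field order is inferred from those lines, and the log timestamps are assumed to be in the same local time zone as the receiving server's Received stamp.

```python
import re
from datetime import datetime, timedelta

# Assumed layout (inferred from the post): date time VERDICT[rule] flag ip rdns helo sender rcpt
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+)\[([^\]]+)\]" + r" (\S+)" * 6 + "$")
# qmail-style network hop, as it appears in the headers in the post
HOP_RE = re.compile(r"^Received: from \S+ \(HELO ([^)]+)\) \(([\d.]+)\)\s+"
                    r"by \S+ with \S+; (.+?) [+-]\d{4}$", re.M)
KEYS = ("when", "verdict", "rule", "flag", "ip", "rdns", "helo", "sender", "rcpt")

# Sample input copied from the post: Scenario #1 Received lines and three log lines.
HEADERS = """Received: (qmail 14241 invoked from network); 31 Jul 2011 13:36:39 -0500
Received: from unknown (HELO muzammild3b91b) (59.103.214.11)
by mercury.everydayhosting.net with SMTP; 31 Jul 2011 13:36:38 -0500
"""
LOG = """2011-07-29 05:47:37 SPAM[block_lists:36] no 95.139.233.226 node-95-139-233-226.domolink.tula.net e2b012c57bf0402 bergoleander@partenaire-entreprise.fr bill@bulldogop.com
2011-07-30 04:17:01 SPAM[check_ip_reverse_dns] no 117.215.197.60 (null) skill2 alchemyapropos@partenaire-entreprise.fr bill@bulldogop.com
2011-07-30 04:18:16 SPAM[block_lists:36] no 122.176.155.90 abts-north-dynamic-090.155.176.122.airtelbroadband.in fino rechercheteleost@partenaire-entreprise.fr dave@telename.com
"""

def parse_log(text):
    """Parse log lines into dicts; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            row = dict(zip(KEYS, m.groups()))
            row["when"] = datetime.strptime(row["when"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def receiving_hop(headers):
    """Connecting IP, HELO and local time recorded by the receiving server."""
    m = HOP_RE.search(headers)
    if m is None:
        return None
    helo, ip, stamp = m.groups()
    return {"helo": helo, "ip": ip, "when": datetime.strptime(stamp, "%d %b %Y %H:%M:%S")}

def correlate(headers, rcpt, sender_domain, log_text, window=timedelta(minutes=5)):
    """Separate 'same sender domain' hits from hits for this exact connection."""
    hop, rows = receiving_hop(headers), parse_log(log_text)
    same_domain = [r for r in rows if r["sender"].lower().endswith("@" + sender_domain)]
    same_conn = [r for r in rows if hop and r["ip"] == hop["ip"] and r["rcpt"] == rcpt
                 and abs(r["when"] - hop["when"]) <= window]
    return {"hop": hop, "same_domain": same_domain, "same_connection": same_conn}

if __name__ == "__main__":
    res = correlate(HEADERS, "dave@telename.com", "partenaire-entreprise.fr", LOG)
    print(res["hop"]["ip"], len(res["same_domain"]), len(res["same_connection"]))
```

An empty `same_connection` list alongside a non-empty `same_domain` list means the filter logged other connections using that sender domain but has no entry for the connection that delivered this message.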

Re: Spam not being blocked

Posted: Wed Aug 03, 2011 10:46 am
by magicspam
Hello James and thank you for your detailed post.

The first question would be what platform of MagicSpam integration are you running? Plesk with Qmail? Postfix? What version of Plesk?

With Scenario #2 that you have outlined (uncaught spam, not logged by MagicSpam), there is one possible explanation. IF you are using a Postfix integration, AND the connecting server IP is listed within Plesk (not MagicSpam) as trusted, then the MagicSpam checks will be completely bypassed.

Scenario #1 is a little vague. To confirm: you are seeing the "SPAM" log hits in the Plesk maillogs, but not found in MagicSpam logs? Please confirm.

Are there any events that are being logged by MagicSpam? (e.g., any entries show up when you click on 'view last 50 log messages')

Thanks!