Blacklist - Strange Behavior (Spamming IP not blocked)
  •  
Sandlyon

Messages: 3
Karma: 0
Hi.

I found some strange behavior in Connect 7.0.1 with blacklist management.

For example, take this one from my security log. A spammer is trying to send mail to a domain user, disguised as the destination user.
[10/Jun/2010 11:58:33] IP address 94.76.74.30 found in DNS blacklist WPBL - Weighted Private Block List, mail from <userx@mydomain> to <userx@mydomain>

WPBL, Sorbs, ... found that the sender IP is listed in their DB, but my server is not blocking them. It's a custom rule on a keyword check that is blocking this spam, which results in a notification mail being sent (bounce activated in custom rules).

Is Kerio not using the blacklist sites rule before custom rules, or is there a configuration error on my side?

With a bit of additional searching, I noticed that it only occurs when the sender and receiver are both a domain user. Spam from external addresses to internal addresses is successfully rejected.

Has anyone seen the same behavior?
  •  
freakinvibe

Messages: 1524
Karma: 60
Blacklist checks like Spamhaus are done before the custom rules.

Are your blacklists rejecting connections or are they just adding a score?

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
Sandlyon

Messages: 3
Karma: 0
I tested by adding a high score (higher than my threshold).
  •  
freakinvibe

Messages: 1524
Karma: 60
It can still slip through. For example, if your threshold is 5 and you add +6 on the WPBL list, Bayes, AWL and others can still subtract some score, which would let the mail come through.

So the best thing is to look in the mail headers:
X-Spam-Status: Yes, hits=5.5 required=5.0
	tests=DNSBL_DNSBL.SORBS.NET: 2.00,DNSBL_B.BARRACUDACENTRAL.ORG: 2.00,BAYES_50: 1.567,
	HTML_MESSAGE: 0.001,TOTAL_SCORE: 5.568,autolearn=no

There you see who adds what. In the example above, Sorbs and Barracuda add 2 points each.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
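
An added example, not part of the original posts: a small parser for the X-Spam-Status header quoted above that separates the DNSBL contribution from everything else, so you can see when other tests pull a blacklisted sender back under the threshold. The function names, the `>=` threshold comparison, and the second sample (with its test names and scores) are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Header as quoted in the post above, wrapped in a constructed message.
SAMPLE = (
    "From: userx@example.test\n"
    "X-Spam-Status: Yes, hits=5.5 required=5.0\n"
    "\ttests=DNSBL_DNSBL.SORBS.NET: 2.00,DNSBL_B.BARRACUDACENTRAL.ORG: 2.00,BAYES_50: 1.567,\n"
    "\tHTML_MESSAGE: 0.001,TOTAL_SCORE: 5.568,autolearn=no\n"
    "\nbody\n"
)
# Constructed sample (hypothetical test names): +6 from a blacklist,
# but negative scores from other tests bring the total below 5.
OFFSET_SAMPLE = (
    "From: userx@example.test\n"
    "X-Spam-Status: No, hits=4.2 required=5.0\n"
    "\ttests=DNSBL_WPBL: 6.00,BAYES_00: -1.50,AWL: -0.30,TOTAL_SCORE: 4.200,autolearn=no\n"
    "\nbody\n"
)

def parse_spam_status(raw_message):
    """Return (required, total, {test: score}) from the X-Spam-Status header."""
    header = message_from_string(raw_message)["X-Spam-Status"]
    if header is None:
        raise ValueError("no X-Spam-Status header")
    header = " ".join(header.split())  # unfold continuation lines
    required = float(re.search(r"required=(-?[\d.]+)", header).group(1))
    scores = {}
    for item in header.split("tests=", 1)[1].split(","):
        name, sep, value = item.partition(":")
        if sep:  # entries without ':' (e.g. autolearn=no) are not scores
            scores[name.strip()] = float(value)
    total = scores.pop("TOTAL_SCORE", sum(scores.values()))
    return required, total, scores

def explain(raw_message):
    """Summarise how much of the score comes from DNSBL tests vs. the rest."""
    required, total, scores = parse_spam_status(raw_message)
    dnsbl = sum(v for k, v in scores.items() if k.startswith("DNSBL_"))
    return {
        "flagged": total >= required,  # assumption: score at threshold counts as spam
        "dnsbl_sum": dnsbl,
        "other_sum": round(total - dnsbl, 3),
        "dnsbl_alone_enough": dnsbl >= required,
    }

if __name__ == "__main__":
    for label, msg in (("quoted", SAMPLE), ("offset", OFFSET_SAMPLE)):
        print(label, explain(msg))
```

A result with `dnsbl_alone_enough` true and `flagged` false is the case described in the post: the blacklist score exceeded the threshold on its own, but other tests subtracted enough to let the mail through.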
  •  
Sandlyon

Messages: 3
Karma: 0
Ah nice, I didn't pay attention to this.

Thanks for the tip.