cyberknight

Messages: 21
Karma: 0
For a while now, I have activated some Internet blacklists in KMS > SMTP Server > Blacklists.

For example, I have checked "ORDB" for logging and blocking. How does this logging show up in the security log? I can't seem to find one instance.

Can someone show me an example log entry?
Thanks.
bronco

Messages: 131
Karma: 1
In the Debug log, right-click and then choose "set log events". Under Mail Server Activity switch on the SMTP Server, and under Advanced switch on "Spamfilter processing". Then you will see the {smtps} entries in the debug log. Here is an example:

[23/May/2004 18:36:21][3104] {smtps} Server session begin; client connected from 211.115.216.222:1265
[23/May/2004 18:36:21][3104] {smtps} Looking up address 211.115.216.222 in DNS blacklist ORDB...
[23/May/2004 18:36:21][3104] {smtps} Address 222.216.115.211.relays.ordb.org not found in DNS blacklist ORDB
[23/May/2004 18:36:21][3104] {smtps} Looking up address 211.115.216.222 in DNS blacklist SpamHaus SBL...
[23/May/2004 18:36:21][3104] {smtps} Address 222.216.115.211.sbl.spamhaus.org not found in DNS blacklist SpamHaus SBL
[23/May/2004 18:36:21][3104] {smtps} Looking up address 211.115.216.222 in DNS blacklist BlitZed...
[23/May/2004 18:36:21][3104] {smtps} Address 222.216.115.211.opm.blitzed.org not found in DNS blacklist BlitZed
[23/May/2004 18:36:21][3104] {smtps} Looking up address 211.115.216.222 in DNS blacklist SpamHaus XBL...
[23/May/2004 18:36:21][3104] {smtps} Address 222.216.115.211.xbl.spamhaus.org not found in DNS blacklist SpamHaus XBL
[23/May/2004 18:36:21][3104] {smtps} Looking up address 211.115.216.222 in DNS blacklist SORBS...
[23/May/2004 18:36:21][3104] {smtps} Address 222.216.115.211.dnsbl.sorbs.net not found in DNS blacklist SORBS
[23/May/2004 18:36:21][3104] {smtps} Looking up address 211.115.216.222 in DNS blacklist China Blackholes...
[23/May/2004 18:36:22][3104] {smtps} Address 222.216.115.211.china.blackholes.us not found in DNS blacklist China Blackholes
[23/May/2004 18:36:22][3104] {smtps} Looking up address 211.115.216.222 in DNS blacklist Korea Blackholes...
[23/May/2004 18:36:22][3104] {smtps} Address 222.216.115.211.korea.blackholes.us found in DNS blacklist Korea Blackholes (127.0.0.2)
[23/May/2004 18:36:22][3104] {smtps} Looking up address 211.115.216.222 in DNS blacklist ComCast Blackholes...
[23/May/2004 18:36:22][3104] {smtps} Address 222.216.115.211.comcast.blackholes.us not found in DNS blacklist ComCast Blackholes
[23/May/2004 18:36:22][3104] {smtps} Sent SMTP greeting to 211.115.216.222:1265
[23/May/2004 18:36:22][3104] {smtps} Command HELO mail-kr.bigfoot.com
[23/May/2004 18:36:22][3104] {smtps} Sent reply to HELO: 250 mail.xxx.com
[23/May/2004 18:36:22][3104] {smtps} Command MAIL FROM: <tvozazdzod<at>amnzw2z.com>
[23/May/2004 18:36:23][3104] {queue} Queue injection started, id=40b0d307-0000001d
[23/May/2004 18:36:23][3104] {smtps} Sent reply to MAIL: 250 2.1.0 Sender <tvozazdzod<at>amnzw2z.com> ok
[23/May/2004 18:36:23][3104] {smtps} Command RCPT TO: <a.b<at>xxx.com>
[23/May/2004 18:36:23][3104] {smtps} Sent reply to RCPT: 550 5.7.0 Your IP address is in the Korea Blackholes database
[23/May/2004 18:36:23][3104] {queue} Queue injection canceled, id=40b0d307-0000001d
[23/May/2004 18:36:23][3104] {smtps} SMTP server session end

xxx.com is your own server and a.b<at>xxx.com is the local user the spam is intended for. For the client I am now stopping around 97% of the spam; it used to be 45% before the Blackhole listings. So many thanks to jshaw541.

The only thing I could not prevent in a nice way is the "Your IP address is in the Korea Blackholes database" message that the MailServer wants to send back. I had to resort to putting SieveErrorNotify=0 in MailServer.cfg under the Misc heading. I do not know of a nice way to drop the message. So if someone has an idea, please let me know!
cyberknight

Messages: 21
Karma: 0
Thanks for the tip, didn't know this.

Now, I also found out why the blackholes are not working for me. Any e-mail message entering my network comes in through an Interscan Viruswall gateway in the DMZ area of the firewall, which then relays it to the KMS machine.

Therefore, I have lost any info related to the originating IP address by the time the message arrives at KMS.

P.
bronco

Messages: 131
Karma: 1
Did you switch on, under Spam Filter/Spam Rating, the "Enable scanning of messages sent from trusted relay agents defined in SMTP relay options" option? If you do so, then you will find out that it starts checking the original sender. Because bigfoot is the client's old address, the mail is now forwarded to the new email domain and therefore the sender is also the bigfoot sender. But still the message is being checked and marked, as seen in my example.

Rene.
jshaw541

Messages: 462
Karma: 0
You shouldn't need to change any log settings. If you search for lines with 'blacklist' they should come up by default.

I have an ASP page that I wrote that you can search and parse logs with. It's nice because I can put in a hyperlink as http://foo.com/foo.asp?q=blacklist or whatever I'm looking for. Great for us lazier of the bunch.

Kerio MailServer 6.7.1 w/AD
Windows Server 2003 SP 1
Dell PowerEdge 2850 (Dual Xeon 3.2ghz and 2 GB RAM)
~1300 users
~1000+ concurrent IMAPS connections
iPhone users
Outlook 2007 KOFF users
Apple iCal 10.5/10.6 users
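An added example (not Kerio's code and not from anyone in this thread) that does in Python what the ASP search page above does by hand: it parses the {smtps} DNS blacklist lines in the format bronco quoted, rebuilds the reversed-octet DNSBL query name, and reports which lists actually returned a 127.0.0.0/8 "listed" answer. The sample log is constructed from the lines quoted above; the regex field names and the 127.0.0.0/8 convention for a listed response are assumptions, not taken from Kerio documentation.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample modelled on the {smtps} debug lines quoted in this thread (not a real capture).
SAMPLE_LOG = """\
[23/May/2004 18:36:21][3104] {smtps} Server session begin; client connected from 211.115.216.222:1265
[23/May/2004 18:36:21][3104] {smtps} Looking up address 211.115.216.222 in DNS blacklist ORDB...
[23/May/2004 18:36:21][3104] {smtps} Address 222.216.115.211.relays.ordb.org not found in DNS blacklist ORDB
[23/May/2004 18:36:22][3104] {smtps} Address 222.216.115.211.korea.blackholes.us found in DNS blacklist Korea Blackholes (127.0.0.2)
[23/May/2004 18:36:23][3104] {smtps} Sent reply to RCPT: 550 5.7.0 Your IP address is in the Korea Blackholes database
"""
# "Address <query> [not] found in DNS blacklist <name> [(<A record>)]" lines (field names are assumed).
RESULT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<pid>\d+)\] \{smtps\} Address (?P<query>\S+) "
    r"(?P<result>found|not found) in DNS blacklist (?P<list>.+?)(?: \((?P<code>[\d.]+)\))?$"
)
CLIENT_RE = re.compile(r"\{smtps\} Server session begin; client connected from (?P<ip>[\d.]+):\d+$")
LISTED_NET = IPv4Network("127.0.0.0/8")  # a DNSBL answers a listed IP with an A record in this range

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name the mail server looks up: client octets reversed, then the list zone."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def ip_from_query(query: str) -> str:
    """Inverse of dnsbl_query_name: recover the checked IP from the first four labels."""
    return ".".join(reversed(query.split(".")[:4]))

def parse_blacklist_results(log_text: str) -> list:
    """One dict per DNSBL result line; 'listed' is True only for a 'found' with a 127/8 answer."""
    results = []
    for line in log_text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["client_ip"] = ip_from_query(rec["query"])
        rec["listed"] = (rec["result"] == "found" and rec["code"] is not None
                         and IPv4Address(rec["code"]) in LISTED_NET)
        results.append(rec)
    return results

def listing_hits(log_text: str) -> list:
    """Names of the blacklists that listed the client, e.g. ['Korea Blackholes']."""
    return [r["list"] for r in parse_blacklist_results(log_text) if r["listed"]]

def connecting_clients(log_text: str) -> list:
    """IPs that opened each session. If these are your own gateway or relay (as in the
    Interscan setup above), every lookup in that session was run against the relay, not the sender."""
    return [m.group("ip") for m in map(CLIENT_RE.search, log_text.splitlines()) if m]
```

Point `parse_blacklist_results` at a real debug log and compare `connecting_clients` against your relay addresses: if every session starts from the gateway, the lookups are being run against the wrong address, which is exactly the symptom described earlier in the thread.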
HSK2840

Messages: 9
Karma: 0
dynablock.njabl.org is also a very nice blacklist! It catches a lot!