Ineffective spam filters (Kerio User Forums » Kerio Connect)
beachmat
I've noticed recently certain messages that are clearly spam getting past all anti-measures, so I tried creating custom rules targeting strings in the from field, but it seems the filter is ignoring the name part. So for example with this from address

From: "USAPharm" <matthew@jazztel.es>

the rule said reject anything with the "pharm" substring in from, but it's not working. Why is this (and why for that matter is SpamAssassin not catching it)?
freakinvibe
I got a couple of those as well. They all were flagged as Spam for me. So you have to look at the headers, see mine below:
Quote:
X-Spam-Status: Yes, hits=8.4 required=5.0
tests=BAYES_40: -0.276,HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,
TO_NO_BRKTS_HTML_ONLY: 0.199,T_SURBL_MULTI1: 0.01,T_SURBL_MULTI2: 0.01,
T_URIBL_BLACK_OVERLAP: 0.01,URIBL_BLACK: 1.725,URIBL_DBL_SPAM: 1.7,
URIBL_JP_SURBL: 1.25,URIBL_SBL: 1.623,URIBL_SC_SURBL: 0.568,
URIBL_WS_SURBL: 1.608,TOTAL_SCORE: 8.429,autolearn=spam
X-Spam-Flag: YES
X-Spam-Level: ********

Can you post your headers?

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
beachmat
Thanks for replying. Here's a header from one below. It seems to be something to do with the messages being forwarded by our hosting rather than delivered directly, and thus bypassing our spam blocking, but I'm not sure.

Return-Path: <Taylor.Rui6t@hotmail.com>
X-Envelope-To: info@ourdomain.com
Message-ID: <1409155826-294666240@mail.ourdomain.com>
Received: from localhost ([127.0.0.1])
by mail.ourdomain.com
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256 bits))
for info@ourdomain.com;
Fri, 21 Feb 2014 10:29:18 +0000
Received: from [183.8.193.61] (port=3033 helo=hotmail.com)
by lisa.enixns.com with esmtp (Exim 4.82)
(envelope-from <Taylor.Rui6t@hotmail.com>)
id 1WGnLy-003dal-CT
for info@ourdomain.com; Fri, 21 Feb 2014 10:29:14 +0000
From: "Taylor.Rui" <Taylor.Rui6t@hotmail.com>
Subject: =?GB2312?B?z/HB7LW80rvR+cu8v7y1xMPYyuk=?=
To: info@ourdomain.com
Content-Type: multipart/mixed;
boundary="=_NextPart_2rfkindysadvnqw3nerasdf";charset="GB2312 "
MIME-Version: 1.0
Date: Fri, 21 Feb 2014 18:02:39 +0800
X-Priority: 3
X-Mailer: FoxMail 3.11 Release [cn]
X-enixltd-MailScanner-Information: Please contact the ISP for more information
X-enixltd-MailScanner-ID: 1WGnLy-003dal-CT
X-enixltd-MailScanner: Found to be clean
X-enixltd-MailScanner-SpamCheck:
X-enixltd-MailScanner-From: taylor.rui6t@hotmail.com
X-Spam-Status: No
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - lisa.enixns.com
X-AntiAbuse: Original Domain - ourdomain.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - hotmail.com
X-Get-Message-Sender-Via: lisa.enixns.com: mailgid no entry from get_relayhosts_entry
freakinvibe
It seems you are missing the SpamAssassin headers, so it has not been processed by the anti-spam engine of Kerio Connect.

You have to identify your mail flow first. Is mail coming in directly or is there a relay host / proxy in between? Is lisa.enixns.com a server you control?
beachmat
lisa.enixns.com is our hosting server, which at the moment is set to act as a backup mail exchanger if our server is offline. So what seems to be happening is that a sizeable proportion of messages sent to us arrive from the backup server even though our server is on 24/7. I'm wondering if this may be being caused by the spam deterrent setting in Connect, which is currently set to 25 seconds, or possibly by not allowing more than 1 concurrent connection from an outside server at a time, but that seems less likely.

Whatever the reason, the problem then is that Connect does not do any anti-spam measures on messages that arrive this way, presumably because it's seeing them as coming from localhost, but I'm not clear why - maybe because both the hosting server and our mail server resolve to different hosts on the same domain?

I guess the simplest solution would be to disable the backup facility, but it can be very useful on occasion.
Pavel Dobry (Kerio)
beachmat wrote on Sat, 22 February 2014 15:14

Whatever the reason, the problem then is that Connect does not do any anti-spam measures on messages that arrive this way, presumably because it's seeing them as coming from localhost, but I'm not clear why - maybe because both the hosting server and our mail server resolve to different hosts on the same domain?


Because an IP address of that server is included in an IP address group configured in SMTP Relay settings. The server is then considered "local", i.e. no anti-spam is applied to it with default settings.
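The header comparison above (scored message versus one relayed by the backup MX with a bare "X-Spam-Status: No") can be automated. This is an added example, not code from the thread or from Kerio; it assumes the backup relay's host name is known and that a scanned message carries "hits=" in X-Spam-Status, as in the first header sample, and the header samples inside it are constructed from the two postings.

```python
import re
from email import message_from_string
from email.message import Message

BACKUP_MX = "lisa.enixns.com"  # backup relay named in the thread (assumed known)

# Constructed header samples modelled on the two postings above (not real mail).
SCANNED = """From: "USAPharm" <matthew@example.net>
X-Spam-Status: Yes, hits=8.4 required=5.0
"""

RELAYED = """Received: from localhost ([127.0.0.1])
 by mail.ourdomain.com for info@ourdomain.com; Fri, 21 Feb 2014 10:29:18 +0000
Received: from [183.8.193.61] (port=3033 helo=hotmail.com)
 by lisa.enixns.com with esmtp (Exim 4.82) id 1WGnLy-003dal-CT
 for info@ourdomain.com; Fri, 21 Feb 2014 10:29:14 +0000
From: "Taylor.Rui" <taylor.example@hotmail.com>
X-Spam-Status: No
"""

def relay_hosts(msg: Message) -> list:
    """Host names after 'by' in each Received header, newest hop first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bby\s+([\w.-]+)", str(hdr))
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def spam_score(msg: Message):
    """Numeric 'hits=' value from X-Spam-Status, or None when never scored."""
    m = re.search(r"hits=(-?\d+(?:\.\d+)?)", str(msg.get("X-Spam-Status", "")))
    return float(m.group(1)) if m else None

def classify(raw: str) -> dict:
    """Report whether a message came via the backup MX and whether it was scored."""
    msg = message_from_string(raw)
    hosts = relay_hosts(msg)
    score = spam_score(msg)
    return {
        "relays": hosts,
        "via_backup_mx": BACKUP_MX in hosts,
        "score": score,
        # The gap described in the thread: relayed by the backup MX, never scored.
        "unscanned_backup_relay": BACKUP_MX in hosts and score is None,
    }
```

Running classify over a mailbox export shows how much traffic bypasses the Kerio scan before deciding between scanning on the secondary MX and taking it out of the trusted group.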
beachmat
OK, thanks. But I'm still not clear why some messages sent to us arrive from the backup relay when our server is on 24/7. Could the spam deterrent in Connect be causing it?
Pavel Dobry (Kerio)
Spammers usually use secondary MX server intentionally because they expect it to have weaker anti-spam protection.
beachmat
Ah, ok, that's what I was thinking, that it cannot be accidental that the same spam messages always come through the backup relay.
So the only option really is to disable the secondary MX server?
clan
beachmat wrote on Sat, 22 February 2014 16:23
So the only option really is to disable the secondary MX server?

No, the solution is to get spam checking on mail delivered via the secondary server. At least two solutions come to mind:
1. Set up spam protection on your secondary server. You seem to be running Exim there; setting up SpamAssassin isn't as easy as on Kerio, but still not that hard.
2. If you don't want to do this, scan messages coming in from the secondary server. This should be as easy as removing the server from the trusted host list, or including it in an untrusted range.
freakinvibe
Quote:
possibly by not allowing more than 1 concurrent connection from an outside server at a time

That seems very low to me, the standard Kerio setting is 100. What are you trying to achieve with setting this to 1?
beachmat
Yes, we can enable spam scanning on the secondary MX, which we may do, but then it would also run on the primary, and I would rather do all the anti-spam controls on Kerio. We could also set up a secondary MX elsewhere if we need to.
beachmat
Yes, 1 is low, but who would possibly want to send 100 messages concurrently from the same IP other than someone trying to do a DoS?
beachmat
I'm not sure setting the secondary server as untrustworthy is possible if it's set in the MX for the domain, going by what Pavel said.

freakinvibe
Quote:
Yes, 1 is low, but who would possibly want to send 100 messages concurrently from the same IP other than someone trying to do a DOS?

Depends on how many users you have. It can very well be that e.g. Hotmail sends multiple messages in parallel. In your setup that would mean one goes through Kerio Connect and the others through Exim.

So even without failure of Kerio, you will constantly have some messages going through Exim, which makes troubleshooting very difficult. If you then set up a different spam solution on Exim, it will be even more difficult to support your mail system.