Kerio Connect forum: Spam blacklist processing (How is KC handling this?)

MarkK

Messages: 454
Karma: 46
Looking through the spams that passed through the filter, I'm trying to figure out how the blacklists overall are being used.

Got this spam. (My info changed, spammers info not)

Return-Path: <ErinAlexander<_at_>d4637b.thelispiece.com>
X-Envelope-To: Me<_at_>MyDomain.com
X-Spam-Status: No, hits=2.2 required=5.0
tests=RDNS_NONE: 0.5,URIBL_DBL_SPAM: 1.7,TOTAL_SCORE: 2.200,autolearn=no
X-Spam-Level: **
Received: from d4637b.thelispiece.com ([159.253.249.192])
by Mail.MyDomain.com
for Me<_at_>MyDomain.com;
Thu, 5 Jun 2014 07:48:16 -0700
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Date: Thu, 05 Jun 2014 07:47:14 -0700
Message-ID: < 20140604235359.3175.71870.3457.0.111.10.7.20140604235359.317 5.71870 <_at_>d4637b.thelispiece.com>
Subject: Results speak for themselves - We tell all
From: Fast Weight-Loss Results <Erin<_at_>thelispiece.com>
To: <Me<_at_>MyDomain.com>


If I run thelispiece.com through the mxtoolbox.com blacklist checker, zen.spamhaus.org has it listed. In my KC blacklist setup, that adds 5.0 to the score making it automatically marked spam. But that check isn't listed in the headers. Rather, Spam Assassin's check of the blacklist is listed: URIBL_DBL_SPAM: 1.7.

Why was only SA used to check the blacklist that only looks at dbl.spamhaus.org? Why wasn't zen.spamhaus.org also checked?

I have another spam, carbon copy of the above except that it came from a different email address. In this case, the domain is not listed on the dbl list, but is on the zen list. But the headers do not show the hit on the zen blacklist that I have configured.

Return-Path: <PersonsName<_at_>ashlandkyfire.virtupia.com>
Received: from ashlandkyfire.virtupia.com ([159.253.249.209])
X-Spam-Status: No, hits=0.5 required=5.0
tests=RDNS_NONE: 0.5,TOTAL_SCORE: 0.500,autolearn=no
X-Spam-Level:

How are the Blacklists being processed?
freakinvibe

Messages: 1508
Karma: 58
The black list checks are done before Spam Assassin. They check on the IP address of the sending server (e.g. zen.spamhaus.org)

The DBL from Spamhaus is something different, it checks on links in the content of the mail. It is processed later.

But you should see in the headers, if zen.spamhaus.org kicks in, example:

Quote:
X-Spam-Status: Yes, hits=8.1 required=5.0
tests=DNSBL_ZEN.SPAMHAUS.ORG: 5.00,BAYES_50: 1.567,
HTML_IMAGE_RATIO_04: 1.556,HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,
TOTAL_SCORE: 8.125,autolearn=no


So in your case, you looked up the MX record of the Spam sending domain:

thelispiece.com

and this produced an IP address that is listed in zen.spamhaus.org. But the black list check is done on the sending server's IP address, not an MX record.

So the sending server for this mail was not listed in Spamhaus, that's why Kerio did not catch it.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
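To make the distinction in the answer above concrete, here is an added example (my own code, not Kerio's or Spamhaus's) that shows how the two Spamhaus lookups are formed and where the checked value comes from: an IP-based DNSBL such as zen.spamhaus.org is queried with the reversed octets of the IP that actually connected to the receiving server (taken from the topmost Received: header), while the DBL is queried with a domain name found in the message. It uses a constructed stub resolver and invented listing answers so that it runs offline; the only real values in it are the query name formats, the Spamhaus 127.0.0.0/8 answer convention and the 127.255.255.x "query refused" codes, plus the IP and domain quoted from the thread.

```python
import ipaddress
import re
from typing import Callable, Dict, Iterable, Optional

# Zones discussed in the thread: zen is IP-based, dbl is domain-based.
IP_ZONE = "zen.spamhaus.org"
DOMAIN_ZONE = "dbl.spamhaus.org"

# A resolver takes a fully qualified query name and returns the A record text
# (e.g. "127.0.0.2") when the name exists, or None for NXDOMAIN (not listed).
Resolver = Callable[[str], Optional[str]]


def ip_query_name(ip: str, zone: str = IP_ZONE) -> str:
    """DNSBL query name for an IPv4 address: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def domain_query_name(domain: str, zone: str = DOMAIN_ZONE) -> str:
    """DBL query name for a domain: the (normalised) domain itself under the zone."""
    return f"{domain.strip().rstrip('.').lower()}.{zone}"


# Matches the first line of a Received: header in either of the common shapes
# "from host ([1.2.3.4])" or "from host (rdns-name [1.2.3.4])".
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\((?:[^()\[\]]*\s)?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)",
    re.MULTILINE,
)


def connecting_ip_from_headers(headers: str) -> Optional[str]:
    """IP from the topmost Received: header, i.e. the peer that connected to our MTA.
    Only this hop was written by our own server; lower Received: lines are sender-supplied.
    This is the value a DNSBL check keys on, not the MX record of the From: domain."""
    m = RECEIVED_RE.search(headers)
    return m.group(2) if m else None


def interpret_spamhaus(answer: Optional[str]) -> str:
    """Map a Spamhaus answer to a label. Listings are 127.0.0.0/8 codes; the
    127.255.255.x codes documented by Spamhaus mean the query was refused
    (e.g. sent through a public resolver), which must not be scored as a hit."""
    if answer is None:
        return "not listed"
    code = ipaddress.IPv4Address(answer)
    if code in ipaddress.IPv4Network("127.255.255.0/24"):
        return "query refused (not a listing)"
    if code in ipaddress.IPv4Network("127.0.0.0/8"):
        return f"listed ({answer})"
    return f"unexpected answer {answer}"


def check_message(headers: str, body_domains: Iterable[str], resolve: Resolver,
                  dnsbl_score: float = 5.0) -> Dict[str, object]:
    """Emulates the two separate checks described in the thread: the IP DNSBL check on
    the connecting server (adds dnsbl_score on a hit, like the KC blacklist setting)
    and the domain DBL check on domains taken from the body (what SA's URIBL rule does)."""
    result: Dict[str, object] = {"connecting_ip": None, "zen": "no Received header",
                                 "dbl": {}, "dnsbl_score": 0.0}
    ip = connecting_ip_from_headers(headers)
    if ip:
        result["connecting_ip"] = ip
        verdict = interpret_spamhaus(resolve(ip_query_name(ip)))
        result["zen"] = verdict
        if verdict.startswith("listed"):
            result["dnsbl_score"] = dnsbl_score
    result["dbl"] = {d: interpret_spamhaus(resolve(domain_query_name(d))) for d in body_domains}
    return result


# Constructed stub standing in for real DNS so the example runs offline. The listing
# codes below are invented for illustration; they are not real Spamhaus lookup results.
STUB_ANSWERS = {
    "192.249.253.159.zen.spamhaus.org": "127.0.0.3",  # constructed: pretend the IP is listed
    "thelispiece.com.dbl.spamhaus.org": "127.0.1.2",  # constructed: pretend the domain is listed
}


def stub_resolve(name: str) -> Optional[str]:
    return STUB_ANSWERS.get(name)


# Constructed headers modelled on the ones quoted in the thread.
SAMPLE_HEADERS = """\
Return-Path: <ErinAlexander@d4637b.thelispiece.com>
X-Spam-Status: No, hits=2.2 required=5.0
Received: from d4637b.thelispiece.com ([159.253.249.192])
    by Mail.MyDomain.com
    for Me@MyDomain.com;
    Thu, 5 Jun 2014 07:48:16 -0700
From: Fast Weight-Loss Results <Erin@thelispiece.com>
"""

if __name__ == "__main__":
    print(ip_query_name("159.253.249.192"))
    print(check_message(SAMPLE_HEADERS, ["thelispiece.com"], stub_resolve))
```

Two practical points follow from the code. First, because the query is built from the connecting IP, a manual lookup of a domain's MX record tells you nothing about whether the delivering host was listed. Second, DNSBL data changes constantly (snowshoe ranges in particular), so a hit on a lookup performed hours after delivery does not prove the IP was listed at the moment the mail arrived; the only reliable evidence is the test name in the X-Spam-Status header written at receipt.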
MarkK

Messages: 454
Karma: 46
Wouldn't the sending server be the line from the Received header?
"Received: from d4637b.thelispiece.com ([159.253.249.192])"

The mx record for thelispiece.com is 159.253.249.192
A blacklist check on both the IP of 159.253.249.192 and the domain of thelispiece.com return the following:
LISTED Spamhaus ZEN 159.253.249.192 was listed

Is the Received header not the sending server list? If so, with BOTH the domain name and the IP address being on the zen.spamhaus.org list, why was there not a blacklist add-on score for this message (should have added 5.0 to the score)?
McDuck

Messages: 2
Karma: 0
I'm having similar issues so I'm interested in the outcome of this.
MarkK

Messages: 454
Karma: 46
Original poster here. Well, freakinvibe was nice enough to provide an answer, but beyond that I'm guessing that Kerio Support isn't going to chime in on this question.

If you are working on catching more spams, you can see in my previous posts that I suggest taking more advantage of Spam Assassin's abilities. It has a lot of power, but an out-of-the-box installation needs tweaking, which is what Spam Assassin is meant to have done via the rules or configuration file setup. Some of the out-of-the-box scoring rules will only assess a .001 score, being more of an informative score whose amount you may want to consider revising.

Tired of the spams still slipping through, I decided it was time to look at writing my own rules. There are other rule files that people have written and that you can just drop in if you want to. I wanted to target the spams that we were actually receiving.

Writing your own rules isn't very hard. Take a look at my recent post on how to write basic rules.
http://forums.kerio.com/t/27477//

I would still like to know the Kerio answer to the Blacklist processing question though. The domain and the IP address listed on the blacklist and in the mail headers all match up, so why wasn't it scored?
McDuck

Messages: 2
Karma: 0
Hi MarkK,

I used this guide to use other blacklists: goo.gl/05jeD2. We may look at using our WatchGuard to filter out spam as Kerio seems to be a bit hit and miss. Same issue as you: the server is listed on the site but no score has been added to the email.

I'll post back if I find anything of use.
freakinvibe

Messages: 1508
Karma: 58
Quote:
The mx record for thelispiece.com is 159.253.249.192
A blacklist check on both the IP of 159.253.249.192 and the domain of thelispiece.com return the following:
LISTED Spamhaus ZEN 159.253.249.192 was listed


In the case of

thelispiece.com

it looks like the IP was listed for "Snow Shoe Spam" which is a very fluctuating target. It looks like it was not listed at the time you got the email, but later, when you did the manual Spamhaus lookup, it was there.


Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch