- Lyle M
To battle the sober.q trojan I refined our custom message rule set (Spam Filter: Spam Rating) to block all instances of our spam trap e-mail address (foo<_at_>foobar.com). We were "fortunate" that our spam trap address was appearing on quite a few of the incoming junk messages.
Filters were created for each of the headers that could contain the spam trap address (To, From, CC, X-Envelope-To, Sender). I used the substring option so I could specify "foo" instead of "foo<_at_>foobar.com" to ensure that all of our domain aliases were covered.
Then, with scanning of trusted relay agents enabled (the only trusted agents being our servers on our public T1 segment), I began my testing. From an external mailserver (but part of the same ISP), I sent a message that contained the header "From: foo<_at_>foobar.com" to my work account. The message never arrived, but the "last used before" column did not indicate the hit. Also, the debug log (spam filter processing) did not indicate the DENY rule was utilized. So, good that the message was blocked, bad that there is no logging to indicate what happened.
I sent the same e-mail from another external mailserver (outside our ISP) and the filter functioned as it should - entry in log, incremented "last used" counter. So, different sending mailservers produce varied results?!?
Our spamtrap address does have a mail account attached to it so senders won't get a "no mailbox" reply. If everything is working properly, there should never be any mail in the spamtrap account. Everything is not working properly. Of the 20 message headers I've checked so far, they all have foo<_at_>foobar.com in the x-envelope-to header. Although that's one of our custom rules, it is listed as unused and is obviously not blocking mail.
I'll keep poring over the logs and turn on more options in the debug log. But, if anyone has a clue that could save me the effort, it would certainly be appreciated.
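An added example, not part of the original post: a way to audit messages that reached the spam-trap mailbox and see which of the filtered headers actually carry the trap substring, alongside the relay that handed each message over. The trap local-part `spamtrap`, the `.example` hosts and the function names are constructed assumptions.

```python
from email import message_from_string
from email.policy import default

# Headers the post's custom rules inspect.
FILTERED_HEADERS = ("To", "From", "Cc", "X-Envelope-To", "Sender")

def matching_headers(raw, needle):
    """Map each filtered header that contains `needle` to its matching values."""
    msg = message_from_string(raw, policy=default)
    hits = {}
    for name in FILTERED_HEADERS:
        # get_all() ignores header-name case and returns unfolded values,
        # so "x-envelope-to" and wrapped recipient lists are both covered.
        for value in msg.get_all(name, []):
            if needle.lower() in str(value).lower():
                hits.setdefault(name, []).append(str(value))
    return hits

def handing_relay(raw):
    """Topmost Received header: the hop that delivered to the local server."""
    received = message_from_string(raw, policy=default).get_all("Received", [])
    return " ".join(str(received[0]).split()) if received else None

# Constructed sample messages (addresses, hosts and dates are made up).
TRAP_IN_ENVELOPE = """\
Received: from mx.sender.example (mx.sender.example [192.0.2.10])
\tby mail.corp.example; Tue, 3 May 2005 10:00:00 +0000
From: someone@sender.example
To: user@corp.example
x-envelope-to: spamtrap@corp.example
Subject: constructed sample 1

body
"""
TRAP_IN_FOLDED_CC = """\
From: someone@sender.example
To: user@corp.example
Cc: a@corp.example,
 SpamTrap@alias.example
Subject: constructed sample 2

body
"""

if __name__ == "__main__":
    for raw in (TRAP_IN_ENVELOPE, TRAP_IN_FOLDED_CC):
        print(matching_headers(raw, "spamtrap"), "| relay:", handing_relay(raw))
```

Grouping the results by relay shows whether the messages that slipped past a rule share a sending path, which is the variable the two tests in the post differed on.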