  1. #1
    Master Untangler
    Join Date
    Oct 2007
    Posts
    109

    SPAM getting through but not logged

    Untangle 9.2
    Spam Blocker (full version)
    I have tarpitting turned on.

    What I've been noticing lately is that when I check the Exchange 2010 logs, I see a bunch (a lot) of emails that get through, but if I'm looking at the Untangle Event Log, I can't find such emails. It's like they slipped through the Untangle un-logged but got caught up in Exchange's SPAM filter.


    Any ideas? I know I can call support on this one since it's paid for, but I'd like to get an idea of what's happening from here first.

  2. #2
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    4,735


    cptech,

    What ports do you receive Mails on?

    Untangle will only filter port 25.

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    19,755


    And if you told Exchange to allow encrypted sessions over TCP 25, those will bypass Untangle as well.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Master Untangler
    Join Date
    Oct 2007
    Posts
    109


    Default port 25.
    I'm using an IP Block List provider of spamhaus and barracuda in the Exchange.
    Example: I open the Exchange log and the last entry is: phyllisaurore@gillette.com < It's spam as the Exchange SPAM filter blocks it with 550 5.7.1 Recipient not authorized, your IP has been found on a block list",BlockListProvider,zen.spamhaus.org

    But if I try to look for the sender in the Untangle Event Log, I can not find this sender.
    As you can see in my event log sorted alphabetically via sender:
    Last edited by cptech; 03-21-2012 at 12:39 PM.

  5. #5
    Master Untangler
    Join Date
    Oct 2007
    Posts
    109


    Sky-knight: please elaborate on what you mean. I'm no Exchange wizard, I just keep it chugging along and keep people happy.

    It's good that the Exchange is catching these and blocking them, but I only manage 3 Exchange servers that I can add an RBL to. The rest are older Sendmail servers that I don't have much control over on how it's configured. If they are slipping through here, who knows what's slipping through at other sites.

    Lately users from many sites have been telling me the amount of SPAM has increased. No actual measurements, but it is more. I feel I'm chasing a ghost here.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    19,755


    You need to take a look at your SMTP connector. It's very easy to get this stuff goofed up.

    TCP 25 should only allow unauthenticated, unencrypted communications. This is your "default" smtp connector, and it is configured to accept unsolicited mail from the world. This is the service that Untangle filters.

    TCP 587 is generally used for encrypted SMTP. Some administrators will forward this port and put encrypted mail sessions here.

    The key to remember is, Exchange allows you to do encrypted and non-encrypted sessions on the same connector. So if you ticked the wrong box you could be allowing unencrypted sessions over TCP 587, as well as encrypted sessions over TCP 25.

    Both sets of sessions WILL NOT BE FILTERED by Untangle!

    The ideal SMTP configuration for any mail server is unencrypted public SMTP over TCP 25; this connector is specifically configured to deny ALL AUTHENTICATION. You do not want remote users using this port to send mail. If you don't do this, you'll have users subject to spam filtration themselves and things will break.

    Encrypted SMTP should be on TCP 587, and this connector should NOT accept unauthenticated requests; this port is there for encrypted mail transfer from your users to the SMTP servers. This is also optional! Exchange 2007 deprecated the use of IMAP and POP3. Exchange assumes you want to use Exchange clients. OWA and Outlook Anywhere features are completely separate. However, some servers have POP3/IMAP/SMTP access for non-Windows clients. If you have this need, and you also want encrypted SMTP, this is the place to put it. The important thing is to not allow unsolicited access. If you allow unsolicited access to an encrypted SMTP service, the spammers will find it, and they will use it, because they know most SMTP spam tools cannot filter encrypted traffic. Untangle is no exception here.

    You are correct in that you are chasing ghosts. However, an audit of your Exchange server's public access and security profile is NEVER a waste of time. Exchange is huge, and powerful, and hilariously easy to misconfigure. If you need more assistance with the product, there are buckets of training sites out there, and you've got consulting resources to hire to get it fixed right now. I can't really provide any more information than I currently have on the subject, (at least for free over a forum, and without looking at your servers myself) and technically all of this is outside of the scope of Untangle.

    What you're really after is an audit of your Spam vulnerability. Untangle is involved, but as I'm sure you see, it's far from the only variable, and in the end is actually only a very small component of an otherwise complex machine.
    Last edited by sky-knight; 03-21-2012 at 01:41 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
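
One way to check a server you administer against the port 25 / port 587 split described in the post above, by looking at what the connector advertises in its EHLO reply before TLS. This is an added example, not code from the thread or from Untangle or Exchange; the sample replies and host names are constructed, and the function names are hypothetical.

```python
import re
import smtplib

def parse_ehlo(reply):
    """Return the ESMTP keywords advertised in a multi-line 250 EHLO reply."""
    found = set()
    for line in reply.strip().splitlines()[1:]:   # line 1 is the greeting
        m = re.match(r"250[- ]([A-Za-z0-9][A-Za-z0-9-]*)", line.strip())
        if m:
            found.add(m.group(1).upper())
    return found

def probe(host, port, timeout=10):
    """Live variant for a server you administer: keywords offered before TLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        return {k.upper() for k in s.esmtp_features}

def audit(port, keywords):
    """Compare pre-TLS EHLO keywords with the port 25 / 587 split in the post."""
    findings = []
    if port == 25:
        if "STARTTLS" in keywords:
            findings.append("25: STARTTLS offered; encrypted sessions bypass the inline filter")
        if "AUTH" in keywords:
            findings.append("25: AUTH offered; public connector should deny all authentication")
    elif port == 587:
        if "STARTTLS" not in keywords:
            findings.append("587: STARTTLS not offered; sessions here run unencrypted")
        if "AUTH" in keywords:
            findings.append("587: AUTH offered before TLS; plaintext logins possible")
    return findings

# Constructed sample replies (not captured from any real server).
MISCONFIGURED_25 = """250-mail.example.test Hello [203.0.113.5]
250-SIZE 10485760
250-PIPELINING
250-STARTTLS
250-AUTH NTLM LOGIN
250 8BITMIME"""

CLEAN_25 = """250-mail.example.test Hello [203.0.113.5]
250-SIZE 10485760
250-PIPELINING
250 8BITMIME"""

if __name__ == "__main__":
    for name, reply in (("misconfigured", MISCONFIGURED_25), ("clean", CLEAN_25)):
        print(name, audit(25, parse_ehlo(reply)))
```

The EHLO reply only shows what is offered; whether the 587 connector actually refuses unauthenticated senders still has to be confirmed in the connector's own permission settings.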

  7. #7
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Mateo, CA
    Posts
    14,120


    Originally posted by cptech:
    Default port 25.
    I'm using an IP Block List provider of spamhaus and barracuda in the Exchange.
    Example: I open the Exchange log and the last entry is: phyllisaurore@gillette.com < It's spam as the Exchange SPAM filter blocks it with 550 5.7.1 Recipient not authorized, your IP has been found on a block list",BlockListProvider,zen.spamhaus.org

    But if I try to look for the sender in the Untangle Event Log, I can not find this sender.
    As you can see in my event log sorted alphabetically via sender:

    Well if the mail isn't sent then Untangle won't have anything to scan or log.
    It sounds like your mail server rejected the sender before they even sent the message, and in this case there is nothing for Untangle to log.
    Last edited by dmorris; 03-21-2012 at 02:23 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
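
The point made in the reply above, shown on two SMTP sessions: one rejected at RCPT TO, where no message content ever crosses the wire, and one rejected after the content was sent. This is an added example, not part of the original post; both transcripts are constructed (only the 550 text is the one quoted from the Exchange log), and it assumes the block-list rejection is issued at the RCPT TO stage.

```python
# Constructed sessions (C: client, S: server); addresses and hosts are made up.
BLOCKLIST_REJECT = """S: 220 mail.example.test ESMTP
C: EHLO sender.example.net
S: 250-mail.example.test Hello [203.0.113.5]
S: 250 8BITMIME
C: MAIL FROM:<someone@example.net>
S: 250 2.1.0 Sender OK
C: RCPT TO:<user@example.test>
S: 550 5.7.1 Recipient not authorized, your IP has been found on a block list
C: QUIT
S: 221 2.0.0 Service closing transmission channel"""

CONTENT_REJECT = """S: 220 mail.example.test ESMTP
C: EHLO sender.example.net
S: 250 mail.example.test Hello [203.0.113.5]
C: MAIL FROM:<someone@example.net>
S: 250 2.1.0 Sender OK
C: RCPT TO:<user@example.test>
S: 250 2.1.5 Recipient OK
C: DATA
S: 354 Start mail input; end with <CRLF>.<CRLF>
C: Subject: constructed test
C: (message body)
C: .
S: 554 5.7.1 Message rejected as spam"""

def trace(session):
    """Return (stage of the first 5xx reply or None, whether content was sent)."""
    stage, rejected_at, in_body, body_sent = "CONNECT", None, False, False
    for line in session.splitlines():
        side, _, text = line.partition(": ")
        if side == "C" and in_body:
            body_sent = True                  # headers/body reached the wire
            if text == ".":
                in_body, stage = False, "END-OF-DATA"
        elif side == "C" and text.strip():
            stage = text.split()[0].upper()   # EHLO, MAIL, RCPT, DATA, QUIT
        elif side == "S":
            if text.startswith("354"):
                in_body = True                # server invited the content
            elif text.startswith("5") and rejected_at is None:
                rejected_at = stage
    return rejected_at, body_sent

if __name__ == "__main__":
    print(trace(BLOCKLIST_REJECT))   # rejected at RCPT, nothing to scan
    print(trace(CONTENT_REJECT))     # content was sent before the rejection
```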

  8. #8
    Master Untangler
    Join Date
    Oct 2007
    Posts
    109


    dmorris: so you're saying, the email will get to Exchange, Exchange rejects it, since Exchange rejects it, the Untangle won't log it? But why won't Untangle log it if it passes through to the Exchange for that to log?

    I thought email went in this way: internet>Untangle>Exchange

    If what you are saying is correct, then it makes sense as all the email I see in the Exchange log are rejects that don't show up in Untangle's log.

  9. #9
    PCS
    Master Untangler
    Join Date
    Mar 2008
    Posts
    189


    What does your tarpit log show? Are you perhaps using Google's DNS servers on your Untangle? I also seem to remember that if your Untangle gets overwhelmed it can time out and pass messages without checking.

  10. #10
    Master Untangler
    Join Date
    Oct 2007
    Posts
    109


    Tarpit off, tarpit on; no difference
    DNS set to ISP's DNS
    Load average .4-.8
