  1. #11
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,129

    Dirk, correct me if I'm wrong but doesn't another anti-spam solution that terminates the SMTP session early when it identifies spam, and thereby prevents Spam Blocker from completing its scan, negatively impact Spam Blocker's ability to learn?

    This circumstance seems to me to be like running both Web Filter and Web Filter Lite at the same time. It created confusing results so we don't allow that anymore.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  2. #12
    Untanglit
    Join Date
    Oct 2015
    Location
    Rochester,NY
    Posts
    29

    Those are fair as well. The reason I asked about resubmission is looking at solutions like SpamAssassin and DSPAM both offer a way to send missed mail back into the system for retraining/etc.

    My Postfix server is set up to only call servers on technical details/mistakes. Initially we had it doing spam "scanning" but it was all of the IT Dept manually updating map files versus an add-on (DSPAM, etc.). Once we got Untangle, we decided to put that to rest. Postfix would do technical only and Untangle would handle the content. If the mail is making it into our Exchange box, then it had to have gotten past both Postfix and Untangle.

    We had thought at one point we had the Untangle box in the wrong place. We had: Exchange <--> Untangle <--> Postfix <--> Internet. We were seeing all kinds of problems with that setup. I want to say that even mail leaving our system was being scanned even though the "scan outbound mail" parameter was off. I'm perfectly willing to admit I've made a configuration mistake on my side. I just want to know why the mail that's getting through is getting through. As you've said, we'll get to the bottom of it.

  3. #13
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Quote, originally posted by sky-knight:
    Dirk, correct me if I'm wrong but doesn't another anti-spam solution that terminates the SMTP session early when it identifies spam, and thereby prevents Spam Blocker from completing its scan, negatively impact Spam Blocker's ability to learn?

    This circumstance seems to me to be like running both Web Filter and Web Filter Lite at the same time. It created confusing results so we don't allow that anymore.

    It depends on when it terminates the connection. Even if it terminated it very early based on IP I don't think it would have a significant impact on learning. On any decent sized server it gets PLENTY of learning input.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #14
    Untanglit
    Join Date
    Oct 2015
    Location
    Rochester,NY
    Posts
    29

    sky-knight: As I was typing my reply to dmorris, that very thought crossed my mind. Since Untangle is running in bridge mode it's essentially packet sniffing the traffic. If the SMTP conversation gets terminated prematurely on a spam message, I can absolutely see how that would mess up the spam engine's ability to learn.

    I can try eliminating the bulk of the checks I'm performing (require HELO, must be able to look up domain, etc.) so it's basically a straight relay (I'd leave my valid recipient list in place).

    Is it possible to run Untangle as an MTA itself? Or is it designed more to be a companion system?

  5. #15
    Untanglit
    Join Date
    Oct 2015
    Location
    Rochester,NY
    Posts
    29

    Not sure if this will muddy the waters or not, but the talk of it terminating early has me wondering the impact it has on the engine. Here's what my restriction list looks like:

    smtpd_recipient_restrictions =
    reject_non_fqdn_sender - Don't accept mail if the sender isn't an FQDN
    reject_unknown_sender_domain - Don't accept mail if we can't determine the sender domain
    reject_non_fqdn_recipient - Don't accept mail if the recipient isn't an FQDN
    reject_unknown_recipient_domain - Don't accept mail if we can't determine the recipient domain
    check_client_access cidr:/etc/postfix/files/checks_internal_networks.cidr - If it's an internal server, make sure it's playing by IT's rules
    permit_mynetworks - If it's one of my mail servers, let the mail pass now
    check_helo_access pcre:/etc/postfix/files/checks_helo.pcre - Don't try to impersonate my mail relay
    check_sender_mx_access cidr:/etc/postfix/files/checks_bogus_mx.cidr - If your IP address is not a public/valid one, reject it
    check_sender_access hash:/etc/postfix/files/checks_not_our_domain_as_sender.hash - Don't try to send email in claiming to be from me
    reject_unauth_destination - Reject mail for unauthorized destination
    check_recipient_access hash:/etc/postfix/files/role_account_exceptions.hash - Email addresses we always want to accept (postmaster, etc)
    check_sender_access hash:/etc/postfix/files/checks_sender_account_exceptions.hash - Sender domains we always want to accept
    reject_invalid_helo_hostname - If you don't have a valid HELO/EHLO hostname, reject it
    check_client_access cidr:/etc/postfix/files/postfix_reject_non_fqdn_helo_hostname.cidr - If your HELO/EHLO hostname isn't an FQDN, reject it
    check_client_access cidr:/etc/postfix/files/postfix_reject_unknown_reverse_client_hostname.cidr - Reject the request when the client IP address has no address->name mapping
    check_sender_access pcre:/etc/postfix/files/checks_malware_domains.pcre - Reject any user defined domains spam has been coming from
    check_recipient_access hash:/etc/postfix/files/checks_forbidden_to_address.hash - Manually blocked incoming addresses
    check_sender_access hash:/etc/postfix/files/checks_forbidden_from_address.hash - Manually blocked sender addresses
    check_client_access cidr:/etc/postfix/files/postfix_reject_rbl_client.cidr - White list clients for RBLs & check the lists we use
    check_sender_access pcre:/etc/postfix/files/postfix_reject_rhsbl.pcre - White list clients and check the RHBLs we use
    check_sender_access pcre:/etc/postfix/files/postfix_reject_unverified_sender.pcre - If it's a problem domain, list it here to verify senders
    permit - permit mail
    #================================================
    smtpd_data_restrictions =
    reject_unauth_pipelining
    reject_multi_recipient_bounce

    RBLs I'm currently using: Barracuda Central, SpamHaus, Surriel, SpamCop, HostKarma and GBUDB
    RHBLs I'm using: SpamHaus and HostKarma

    Could anything I'm doing above be tripping up Untangle?

  6. #16
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,129

    Untangle isn't an MTA, it eavesdrops on the session made to the MTA.

    Bridge mode or router is irrelevant, all rack applications are eavesdroppers, not termination points.
    Last edited by sky-knight; 10-08-2015 at 01:46 PM.

  7. #17
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Quote, originally posted by Steve.Cena:
    Could anything I'm doing above be tripping up Untangle?

    Yes, I would expect all that stuff to negatively impact Untangle's ability to learn as it ultimately removes spam from the system before Untangle sees it.
    (just like tarpitting documented here: http://wiki.untangle.com/index.php/S...ocker#Settings)

    Again, I would ask why did spam blocker score email X with a score of Y?
    Look at the events!
    If the bayes gave it a BAYES_80, then all the discussion about bayes learning is irrelevant because it scored that sample fairly well.
    If it's not in the events then spam blocker did not even scan it so spam blocker's entire configuration is irrelevant.

    Pick a sample and debug it.

  8. #18
    Untanglit
    Join Date
    Oct 2015
    Location
    Rochester,NY
    Posts
    29

    I just got that answer from your support team:

    Looking at the last 50,000 Events in the Spam Blocker logs there's a pretty strong pattern of most messages getting flagged with BAYES_00. Which means the Bayesian filter sees that message's probability of being spam is 0 - 1%. This may be why you are getting so much spam coming through.

    This is a simple fix from the Postfix standpoint. I just need to copy my main.cf and strip it down to nothing (essentially, permit_all).

    As to why the scores are so low, I agree with your statement that the pre-emptive blocking done by the mail relay is interfering with Untangle's ability to learn.
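
The check dmorris describes in post #17 and the BAYES_00 pattern reported by support in post #18, as an added example (not code from the thread or from Untangle): it sorts missed-spam samples into "never scanned", "scanned without a Bayes rule" and the Bayes rule that fired. The sample messages are constructed, and the SpamAssassin-style X-Spam-Status header on delivered mail is an assumption the thread does not show.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample messages (not taken from the thread). Assumption: each
# delivered message carries a SpamAssassin-style X-Spam-Status header.
SAMPLES = [
    "Subject: a\nX-Spam-Status: No, score=0.1 required=5.0 tests=BAYES_00,\n"
    "\tHTML_MESSAGE autolearn=ham\n\nbody",
    "Subject: b\nX-Spam-Status: No, score=1.9 required=5.0 tests=BAYES_00,"
    "URIBL_BLOCKED autolearn=no\n\nbody",
    "Subject: c\nX-Spam-Status: Yes, score=6.3 required=5.0 tests=BAYES_80,"
    "HTML_MESSAGE autolearn=no\n\nbody",
    "Subject: d\n\nbody",  # no header at all: the filter never scanned it
    "Subject: e\nX-Spam-Status: No, score=0.0 required=5.0 tests=HTML_MESSAGE"
    " autolearn=no\n\nbody",
]

BAYES_RULE = re.compile(r"\bBAYES_\d+\b")
LOW_BUCKETS = ("BAYES_00", "BAYES_05")  # SpamAssassin's lowest Bayes rules


def bayes_bucket(raw_message):
    """Classify one message: a BAYES_nn rule, 'no-bayes-rule' or 'not-scanned'."""
    status = message_from_string(raw_message)["X-Spam-Status"]
    if status is None:
        return "not-scanned"
    hit = BAYES_RULE.search(status)  # folded header lines are searched as well
    return hit.group(0) if hit else "no-bayes-rule"


def summarize(messages):
    """Return (bucket counts, share of scanned mail in the lowest buckets)."""
    counts = Counter(bayes_bucket(m) for m in messages)
    scanned = len(messages) - counts["not-scanned"]
    low = sum(counts[b] for b in LOW_BUCKETS)
    return counts, (low / scanned if scanned else 0.0)


def diagnose(messages):
    """Map the distribution onto the two cases named in the thread."""
    counts, low_share = summarize(messages)
    if counts["not-scanned"] * 2 > len(messages):
        return "not-scanned"        # filter configuration is irrelevant here
    if low_share >= 0.5:
        return "bayes-scores-low"   # Bayes rates the missed spam as ham
    return "bayes-ok"               # look at the other rules and thresholds


if __name__ == "__main__":
    print(summarize(SAMPLES), diagnose(SAMPLES))
```

Feed it only messages that users reported as spam in their inbox; run over all mail, a high BAYES_00 share is expected because most legitimate mail lands there.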

  9. #19
    Untanglit
    Join Date
    Oct 2015
    Location
    Rochester,NY
    Posts
    29

    I figured as much. I didn't think Untangle went that far, or had plans to. I know some anti-spam systems can act as an MTA.

  10. #20
    Untanglit
    Join Date
    Oct 2015
    Location
    Rochester,NY
    Posts
    29

    And we've settled it. (Hopefully)

    Our spam database will be reset on Untangle, and I'm going to remove 99.9% of the checks from the Postfix box (valid recipient still staying, etc.). We get most of our junk mail over the weekend so hopefully will do this as close to 5PM as possible. User base has been informed of what they might see come Monday morning.

    *fingers crossed*!!!!!

    Thanks to everyone for all the comments/etc. I'll update this post when I get some more hard data after the reset/retraining phase.
