  1. #1
    Master Untangler
    Join Date
    Dec 2008
    Location
    Dallas, TX
    Posts
    337

    SpamWithLongSubjectLines

    I am running v8.1 Premium with Commtouch. However, messages with long subject lines are being allowed through. The subject lines are never the same and the body includes a link and some random text. See attached example.

    The distinguishing part of the messages is the long subject line. Any ideas how to filter these? I would prefer not to manually enter rules in SA since they would likely be broken/replaced during an upgrade.

  2. #2
    Master Untangler
    Join Date
    Dec 2008
    Location
    Dallas, TX
    Posts
    337

    Anybody have any ideas???

  3. #3
    Untangler
    Join Date
    Apr 2009
    Posts
    60

    Hello. I was suffering from the same problem. This was the ONLY spam that was getting through to me. I talked with Untangle tech support and found out something very interesting and the solution to the problem.

    Tech support suggested I take a look in the spam filter event log and see what those incoming messages were being listed as, and their scores, etc. Turns out, those messages didn't show up at all. Strange, huh? Not if you consider the fact that Untangle does not scan SSL encrypted e-mail.

    Come to find out, my e-mail server was allowing incoming encrypted e-mail on port 25. It just so happens, the only spammers using that "feature" were the ones that were sending those exact same kind of messages as you listed above.

    For me, I allow my users to send e-mail on port 465 using authentication, and if they want to use encryption. My mail server is postfix, and it required me going into the master.cf file and overriding the default main.cf parameters for the smtp port.

    I changed master.cf in the following way to prevent authentication and SSL on port 25.

    smtp inet n - - - - smtpd
    #submission inet n - - - - smtpd
      -o smtpd_tls_security_level=none
      -o smtpd_sasl_auth_enable=no

    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING

    This prevents anybody sending mail to port 25 from authenticating, and from using SSL. This prevents my authenticated users from sending mail through port 25, and prevents spammers from using SSL to bypass my spam filter.

    Hope that helps you out.
    Last edited by appleoddity; 05-28-2011 at 09:06 PM.
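
An added example, not part of the thread and not the poster's or Untangle's code: a small Python check that parses master.cf by its continuation rule (a line starting with whitespace continues the previous service entry) and reports whether the port 25 `smtp inet` service carries the two overrides from the post above. The sample file contents and all function names are constructed for illustration.

```python
# Constructed sample: the service line and overrides from the post above,
# with the "-o" continuation lines indented as master.cf requires.
SAMPLE_MASTER_CF = """\
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no

# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# Overrides the post relies on to keep port 25 free of STARTTLS and AUTH.
EXPECTED = {"smtpd_tls_security_level": "none", "smtpd_sasl_auth_enable": "no"}


def logical_lines(text):
    """Join physical lines: leading whitespace continues the previous
    logical line; blank lines and '#' comment lines are skipped."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + stripped
        else:
            out.append(stripped)
    return out


def service_overrides(text, name="smtp", stype="inet"):
    """Return the '-o name=value' overrides of one service, or None if absent."""
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) >= 8 and fields[:2] == [name, stype]:
            args = fields[8:]  # everything after the command name
            pairs = [b for a, b in zip(args, args[1:]) if a == "-o" and "=" in b]
            return dict(p.split("=", 1) for p in pairs)
    return None


def port25_findings(text):
    """List each expected override that the smtp/inet service does not set."""
    found = service_overrides(text)
    if found is None:
        return ["no 'smtp inet' service found"]
    return [f"{k}: expected {v!r}, got {found.get(k, 'not overridden')!r}"
            for k, v in EXPECTED.items() if found.get(k) != v]


if __name__ == "__main__":
    print(port25_findings(SAMPLE_MASTER_CF) or "port 25 overrides present")
```

If the `-o` lines lose their leading whitespace, they no longer belong to the `smtp` entry and both overrides are reported as missing.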

  4. #4
    Untangler
    Join Date
    Apr 2009
    Posts
    60

    Well, I'm back to say that even though I plugged two holes in my mail server (Allowing SSL on port 25, and allowing incoming mail delivery on my alternate port from unauthenticated clients) this type of mail is still getting through.

    It now shows up in the event log, but surprisingly it literally has negative scores for spam. Unfortunately, Untangle refuses to put the spam headers in the messages for me to look at. So, it's back to tech support on Tuesday.

    I'll follow up then.

  5. #5
    Master Untangler
    Join Date
    Dec 2008
    Location
    Dallas, TX
    Posts
    337

    After your original post I went back and checked my logs for a few of these messages. It appears that the messages I am receiving are coming in unencrypted on the standard SMTP port 25. Most of them appear to be sent through Hotmail accounts.

    I have also noted the same negative spam score on these messages from Untangle. In addition, the passed messages are being sent to my mail server which has an integrated SpamAssassin module where they are also scored as negative or 0.

    It should be a fairly straightforward task to create a rule that detects the run-on subject lines. I would prefer not to create a manual SA rule that would probably be overwritten with updates. I also think that everybody would benefit from this type of rule if it was included in the Untangle distribution.

    I don't get more than two or three of these per day so I have not been willing to put too much time into getting it resolved. Please let me know what support has to say after you contact them on Tuesday.
    Last edited by itcinc; 05-29-2011 at 10:10 PM. Reason: typo and rewording
