Forums & Blog

I have begun getting spam messages that make it through my spam filter. The mails have my own address as sender, but are not sent from my own server. This means that they fail the SPF check. But they are still characterized as intra-domain and make it past the spam filter.

How is this possible?? How can a message that has failed the SPF check be characterized as intradomain?

I have highlighted the SmarterMail spam header tags in red in the message I have included below. 

My settings are these:

-----------------

Bayesian Filtering 15
SPF Pass -5
SPF Fail 30
SPF Soft Fail 10
SPF Neutral 5
SPF Invalid Record 5
SPF None 0
DomainKeys Pass -10
DomainKeys Fail 30
DomainKeys None 0
Spam List: bl.csma.biz 20
Spam List: combined.njabl.org 30
Spam List: dnsbl.ahbl.org 20
Spam List: dnsbl.antispam.or.id 25
Spam List: dnsbl.sorbs.net 20
Spam List: list.dsbl.org 15
Spam List: psbl.surriel.com 25
Spam List: spam.tqmcube.com 20
Spam List: SpamCop 10
Spam List: SpamHaus SBL+XBL 10

-----------------

Return-Path: me@mydomain.com
Received: from 190-179-143-220.speedy.com.ar [190.179.143.220] by mydomain.com with SMTP;
   Sun, 28 Dec 2008 18:21:45 +0100
To: me@mydomain.com
Subject: So big my underwear is too tight
From: <me@mydomain.com>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
X-SmarterMail-Spam: SPF_Fail
X-SmarterMail-TotalSpamWeight: 0 (Intra-Domain)

<html>
<head>
<meta http-equiv="Content-Language" content="us">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body background="http://images.layvowif.cn/snow.gif">
<p align="center"><a href="http://hihmfxv.layvowif.cn/" mce_href="http://hihmfxv.layvowif.cn/">
<img border="0" src="http://images.layvowif.cn/new.jpg" mce_src="http://images.layvowif.cn/new.jpg"></a></p>
<div align="center">
  <table border="0" width="500" cellspacing="0" cellpadding="0" bgcolor="#B7D4FF" style="font-family: Tahoma; font-size: 10pt">
    <tr>
      <td>
      <blockquote><p><br>
        Please do not reply to this email. To contact AdsValue, please
        visit <a href="http://clran.layvowif.cn/" mce_href="http://clran.layvowif.cn/">us</a></p>
        <hr><p><font size="1">This email message was sent to me@mydomain.com. If
        you do not wish to receive further communications from AdsValue,
        click <a href="http://cedrs.layvowif.cn/unsubscribe.php?msgid=14e89083a1a6853d29" mce_href="http://cedrs.layvowif.cn/unsubscribe.php?msgid=14d6ffe1e8690c853d29">
        here</a> to unsubscribe.
        </font></p><p><font size="1">If you've experience any difficulty
        in being removed from a AdsValue email list, click <a href="http://ulajh.layvowif.cn/account.php?msgid=60ea6e222f64ff" mce_href="http://ulajh.layvowif.cn/account.php?msgid=60ea2f64ff">
        here</a> for personalized help.</font></p><hr>
        <p><font size="1">Copyright © 2008 AdsValue, Inc. All rights reserved.<br>
        16810 E Avenue Of The Fountains, Fountain Hills, AZ 85268</font></p></blockquote>
      </td>
    </tr>
  </table>
</div>
</body>
</html>

When bypassing spam checks for intra-domain email, it bypasses all spam checks, including SPF.

Using the bypass spam checks for intra-domain email is not recommended, for this reason. Anyone can send  you spam by impersonating one of youro domains.

Bypass spam for intra domain mails was set. I don't remember ever setting that, is that standard?

/jp

That is the case then. I have been a (very satisfied) SmarterMail customer for a long time.

After changing this, I still get these messages. I have now tried to restart the service to see if that is the reason.

/jp

They still came through, but then I found out that my own email address was added to the list of safe senders.

The list of safe senders is very very long, and I am pretty sure I didn't put all these addresses in that list. How did that happen? How are addresses added to that list?

/jp

 Unmark as spam will add the address of the sender to the trusted senders list.

Hey there,

 I realize this is an older thread, but I have a similar situation with our Content Filtering.  First, some background.

We're using SmarterMail Professional Edition Version 4.3.3048.  We've placed an SPF record in our DNS, and we've made sure to disable (uncheck) the "Skip spam filtering on intra-domain email" function.  We also use MS Outlook 2007 on our local systems to pull mail from the SM server, but since we only 'pull' with this client, this shouldn't affect the way the SM filters work anyway (of course I'm open to being proven wrong).

Now, we have a Trusted Senders (TS) list, but we found a way to properly create a Domain Content Filter (DCF) that filters out these 'spoofed' emails, the only thing is, there's one area that's a bit flaky, so I wanted to make sure we haven't missed anything by explaining the DCF setup.

So, we created a DCF to run against any Trusted Senders by checking the appropriate boxes  [checked 'From TS's' box under 'From Address', checked 'Subject or Body Text, box under 'Contains Specific Words or Phrases'] - and then the MAJOR trick is to make sure that the "AND - All criteria must be met" radio is chosen, NOT the OR one (I also use the "Use wildcards in search strings ( * and ? )" setting too).  Also, when you're done, we made sure this DCF is at the top of ALL the other DCF's.

So now, it's worked pretty awesome so far (we're down from 300 of these a day, to about 20 now), but there's one type of spam that's getting thru.  You know the ones with only a random Subject and just an image in the body text (i.e. some male enhancement pill), and no matter what we tried (adding basic phrases to the Subject/Body entries, with wildcards as well), they still gets thru.

 The only other difference with these ones are that they're listed in our MS Outlook as "This message was sent with High Importance", so we went back and checked the "Flagged as high priority" box under 'Other' in the DCF settings, but that hasn't helped.

I know there's always chalenges with filtering out Spam, and you never get 100% of it, but is the 'high priority' setting incorrect, and/or are there any other settings that I could use for this?

Any responses would be appreciated.

Thanks much.

Hi James,

Are you sure that is the only way? Because I just deleted this list, and new addresses have started appearing on it now. I don't really use the "mark as not spam" feature, so I am a little baffled as to how this happens.

I will try to be much more aware of this now, and keep an eye on it. I have cleared the list again, and now I'll l have to see if it starts happening again.

/jp

It is also possible to add to the trusted senders list through an event action.

As far as I know, those are the only ways to add to the trusted senders list. Without directly editing it, of course.

Hey jp, hey James,

Sorry for the intrusion into your thread - realized it wasn't that old, but still in play - my bad.

Cheers

I just installed the newest version (5.5) and had the exact same issue.

In particular, a spammer was pretending to be me.

I noticed that my domain in the trusted sender list and removed it.  And I turned off
the intra-domain skip which seems to fix the problem.

This is a bug -- not a feature.  If someone fails SPF, then they should be treated
as a non-trusted / non-'intra' domain regardless of what the email claims.

Also, It would be nice if you could set the SPF weighting higher for domains that you
control.