We have been using MxScan for about 2 weeks now.
Works wonderfully, still exploring lots of things.
A quick question.
We often use the Spam Quarantine Tool to check whether mail is correctly being 'noted' as spam. Just wondering, is it possible to automatically delete the (domain) directory (in mxscan_spam) when all messages are deleted or released? We have about 50 domains running and need to check the whole list every time. Even when there are no messages.
So we manually delete the directories after we have done our checks.
Tnx.
Hi
The directories are auto-created immediately when a message is quarantined, so it is possible that on a moderately active server even as you delete the directory it automatically gets created back again.
Instead, what you can do is check the log viewer and sort your messages according to the class. Most of the time it is pretty obvious that the message is spam just by looking at the subject, sender, etc. For messages that are not so obvious you can then examine the message individually via the Quarantine Manager.
Another idea is to use MxScan to move the messages to the user's Junk email folder by using the Insert Header FilterAction. The users can then check their junk email folder via webmail.
Cheers
MXSCAN :: AntiSpam & AntiVirus for MailEnable (now with Spamtrap/Honeypot!)
Built-in SpamAssassin, Clam, MessageSniffer, DNSBL, URLBL, DCC, Senderbase, SpamTrap, ShortCircuit, Content Filters, Disclaimers, Archiving and more.
Visit www.mxuptime.com
We bought MxScan and it works very well. Congratulations, great work.
For the moment MxScan is not in a production environment; we are testing with a few accounts, and in the daily report the analysis average is growing every day. It started at 0,3 seconds, and today's report shows more than 5 seconds. What could be rough.
You can view the message logs to see what is causing the delay. Most of the time it's either SpamAssassin (single threaded) or a delay for the RDNSBL (make sure you are using either a local DNS server or a fast one).
Cheers
I have been using MxScan very successfully for several months now and it totally eclipses other solutions I've tried. I am running the latest update without any significant problems but I notice that while the release notes say that address 127.0.0.1 is no longer scanned, MxScan is still doing a full scan of outgoing email.
Now, scanning outgoing mail is a very good idea as, for example, it may help prevent employees within an organisation from sending inappropriate content or virus infected attachments. The thing that concerns me is that there seems to be a fair amount of wasted effort in the way that outgoing mail is scanned.
In my setup the mail server acts as a relay for a range of authorised addresses which represent the clients on the LAN. It is done this way because I have a number of applications which send email but which do not support authentication. Surely it is a waste of processing time and resources to perform RDNSBL tests on the internal, non-routable IP addresses of those clients. Basic sanity, content and virus scanning of outgoing mail is entirely appropriate but I can't really see the point in doing blacklist lookups for the internal private LAN addresses of clients who send mail out through the server.
Hi Andy
Thank you for your suggestion.
The next release will not check the localhost IP 127.0.0.1 for RDNSBL.
Cheers
We have been using MxScanME with great success for about two months. Today, a customer complained that a message was not getting through, and I noticed something odd in the mxscan-service log. MxScan ran RDNSBL checks on two different IP addresses, and I don't know where the second IP address came from. This second IP address was found in zen.spamhaus.org and so the message was blocked.
Worth noting, I had "Maximum header check depth" set to 2 (instead of the default "1"), which I suspect might mean that MxScan will scan forwarded message headers too. But I can't find any detail about that setting, so I'm not sure. Also, I do not suspect that the blocked messages contained forwarded messages.
Can someone help me interpret the following log entries and explain where this additional IP address came from?
Thanks,
-Tom R.
08/04/08 08:20:48 655B5B3CE44644A49DAE3595E5DFEE49 xxxxxxxxxxxxxxx.COM - blnVirusCheckEnabled=True ; blnFilterCheckEnabled=True
08/04/08 08:20:48 655B5B3CE44644A49DAE3595E5DFEE49 --> Starting Scanning Session for xxxxxxxxxxxxxxx.com ...
08/04/08 08:20:49 655B5B3CE44644A49DAE3595E5DFEE49 Using 216.107.0.120 as Incoming IP to check
08/04/08 08:20:50 655B5B3CE44644A49DAE3595E5DFEE49 ClamAV Scan Result : Clean
08/04/08 08:20:50 655B5B3CE44644A49DAE3595E5DFEE49 Content Filter result : No Hits
08/04/08 08:20:50 655B5B3CE44644A49DAE3595E5DFEE49 ClamSANE Spam Result : Pass
08/04/08 08:20:50 655B5B3CE44644A49DAE3595E5DFEE49 SNF Scan result : Pass - 0
08/04/08 08:20:50 655B5B3CE44644A49DAE3595E5DFEE49 Found 1 Unique Match(es) out of 1 total URL(s).
08/04/08 08:20:50 655B5B3CE44644A49DAE3595E5DFEE49 Skipping whitelisted URIBL : w3.org
08/04/08 08:20:50 655B5B3CE44644A49DAE3595E5DFEE49 URIBL Spam Result : No Hits
08/04/08 08:20:50 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 120.0.107.216.BL.SPAMCOP.NET
08/04/08 08:20:50 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 120.0.107.216.DNSBL.SORBS.NET
08/04/08 08:20:50 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 120.0.107.216.DYNA.SPAMRATS.COM
08/04/08 08:20:50 655B5B3CE44644A49DAE3595E5DFEE49 120.0.107.216.IPS.BACKSCATTERER.ORG result = 127.0.0.2
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 120.0.107.216.PSBL.SURRIEL.COM
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 120.0.107.216.SPAM.SPAMRATS.COM
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 120.0.107.216.SPAM.TQMCUBE.COM
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 120.0.107.216.SUB.MXRATE.NET result = 127.0.0.3
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 120.0.107.216.SUB.MXRATE.NET result = 127.0.0.3
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 120.0.107.216.SUB.MXRATE.NET result = 127.0.0.3
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 120.0.107.216.ZEN.SPAMHAUS.ORG
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 213.19.198.75.BL.SPAMCOP.NET
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 213.19.198.75.DNSBL.SORBS.NET
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 213.19.198.75.DYNA.SPAMRATS.COM
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 213.19.198.75.IPS.BACKSCATTERER.ORG
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 213.19.198.75.PSBL.SURRIEL.COM
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 213.19.198.75.SPAM.SPAMRATS.COM
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 213.19.198.75.SPAM.TQMCUBE.COM
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 213.19.198.75.SUB.MXRATE.NET
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 213.19.198.75.SUB.MXRATE.NET
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 213.19.198.75.SUB.MXRATE.NET
08/04/08 08:20:52 655B5B3CE44644A49DAE3595E5DFEE49 213.19.198.75.ZEN.SPAMHAUS.ORG result = 127.0.0.11
08/04/08 08:20:52 655B5B3CE44644A49DAE3595E5DFEE49 ShortCircuit HIT at RDNSBL with cumulative score of 20/20
08/04/08 08:20:52 655B5B3CE44644A49DAE3595E5DFEE49 RDNSBL Spam Result : Zen(20),Mxrate-Allow(-2),Backscatter(2) - 20
08/04/08 08:20:52 655B5B3CE44644A49DAE3595E5DFEE49 Removing message header/data/marker file
08/04/08 08:20:52 655B5B3CE44644A49DAE3595E5DFEE49 Completed Process in 3.141 sec(s) with FilterResult=SPAM-DELETE (20) for xxxxxxxxxxxxxxx.com
Hi Tom
With a header depth of 2, MxScan will scan the received-from headers for the various routes the message took before arriving at the final destination. An example of a message route would be End Client IP --> Relay Server --> MailEnable Server. This is by design. Most of the time I would recommend sticking to the default setting of 1 header depth.
Cheers
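Added example (not part of the thread and not MxScan's own code): a small Python triage script over a subset of the log lines quoted above. It undoes the octet reversal used in RDNSBL query names and reports hits on any IP other than the one logged as "Incoming IP to check". The function names are hypothetical and the line format is assumed to match the quoted log.

```python
import re
from collections import defaultdict

# Subset of the mxscan-service log lines quoted in the post above.
SAMPLE_LOG = """\
08/04/08 08:20:49 655B5B3CE44644A49DAE3595E5DFEE49 Using 216.107.0.120 as Incoming IP to check
08/04/08 08:20:50 655B5B3CE44644A49DAE3595E5DFEE49 120.0.107.216.IPS.BACKSCATTERER.ORG result = 127.0.0.2
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 120.0.107.216.SUB.MXRATE.NET result = 127.0.0.3
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 120.0.107.216.ZEN.SPAMHAUS.ORG
08/04/08 08:20:51 655B5B3CE44644A49DAE3595E5DFEE49 No answer for 213.19.198.75.BL.SPAMCOP.NET
08/04/08 08:20:52 655B5B3CE44644A49DAE3595E5DFEE49 213.19.198.75.ZEN.SPAMHAUS.ORG result = 127.0.0.11
"""

LINE = re.compile(r"^\S+ \S+ (?P<msgid>[0-9A-F]{32}) (?P<text>.*)$")
INCOMING = re.compile(r"Using (\d+\.\d+\.\d+\.\d+) as Incoming IP to check")
HIT = re.compile(r"^((?:\d+\.){4})(\S+) result = (\S+)$")

def unreverse(prefix):
    """RDNSBL queries reverse the octets: '120.0.107.216.' -> '216.107.0.120'."""
    return ".".join(reversed(prefix.rstrip(".").split(".")))

def triage(log_text):
    """Per message id: the connecting IP and the list hits grouped by checked IP."""
    report = defaultdict(lambda: {"incoming": None, "hits": defaultdict(set)})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        entry, text = report[m["msgid"]], m["text"]
        if (inc := INCOMING.search(text)):
            entry["incoming"] = inc.group(1)
        elif (hit := HIT.match(text)):  # "No answer for ..." lines do not match
            entry["hits"][unreverse(hit.group(1))].add((hit.group(2), hit.group(3)))
    return report

def hits_on_other_hops(report):
    """Hits on IPs other than the connecting one, i.e. earlier hops in the route."""
    return {msgid: {ip: sorted(h) for ip, h in e["hits"].items() if ip != e["incoming"]}
            for msgid, e in report.items()}

if __name__ == "__main__":
    for msgid, hops in hits_on_other_hops(triage(SAMPLE_LOG)).items():
        print(msgid, hops)
```

On the quoted log this shows that the Zen hit belongs to 75.198.19.213 (logged reversed as 213.19.198.75), not to the connecting server 216.107.0.120. The 127.0.0.11 answer is one of Zen's PBL return codes, the policy list for end-user address ranges.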
I've noticed several times that the COUNTRYFILTER result doesn't seem to agree with the X-MXScan-Country-Sequence header. In this example, MXScan reports that the message came from Venezuela, but the COUNTRYFILTER didn't score a "3" as we have it set to do for Venezuela.
Are these two properties not as closely related as I am assuming they are?
Thanks,
-Tom R.
Tom
The country filter takes the last Country in the list, which in this case is the United States. So while the first hop might have been VENEZUELA, the server that "actually" delivered the message to your MailEnable server was located in the United States.
We are using MXscan professional and have noticed that messages are being placed in quarantine (as per filter rule) while the message-sender is on the global whitelist.
The message apparently gets a message score of 7,7 (low) and is placed in the quarantine. I cannot figure out why, since the sender is on the global whitelist. Can anybody explain / help.
tnx.
Dixon (Support2U)
Hi
The Global "settings" are only applicable for Domains that do not use a Domain/Individual Level setting. So it's either one and not both.