• wcSAP (logs)

    From CHRIS ROSS@1:124/5013 to All on Thu Jan 31 19:18:36 2019
    Date: Thu, 06 Apr 2006 21:17:03 -0400
    From: CHRIS ROSS
    To: ALL
    Subject: wcSAP (logs)
    Newsgroups: win.server.smtp.&.avs
    Message-ID: <1144372623.46.0@winserver.com>
    X-Mailer: Wildcat! Interactive Net Server v7.0.454.5
    Lines: 66

    I stand corrected, I just looked at another log.

    At 00:15 on the 5th of April, wcSMTP shows 2 messages coming in from bbs@xanadubbs.ca -- one is accepted, one is refused by the filter according to wcSMTP:

    20060405 00:15:06 (0744) HELO: Incoming connection: rd1.dynip.com [204.225.44.16]
    20060405 00:15:06 (0744) MAIL FROM: <bbs@xanadubbs.ca>... Sender validation pending. Continue.
    20060405 00:15:06 (0868) HELO: Incoming connection: rd1.dynip.com [204.225.44.16]
    20060405 00:15:06 (0868) MAIL FROM: <bbs@xanadubbs.ca>... Sender validation pending. Continue.
    20060405 00:15:07 (0744) RCPT: Recipient Accepted: <transx@eshade.com>
    20060405 00:15:07 (0868) RCPT: Recipient Accepted: <transx@eshade.com>
    20060405 00:15:08 (0868) smtp filter result false, message discarded
    20060405 00:15:08 (0744) Accepted message from [<bbs@xanadubbs.ca>] to [<transx@eshade.com>]

    If I look at the wcSAP filter for the same time, I find both messages coming in, but both PASS. So why does SMTP show one as rejected?:

    20060405 00:15:06 000003b1 -------------------------------------
    20060405 00:15:06 000003b1 version : 1.62 / 1.54
    20060405 00:15:06 000003b1 calltype : SMTP
    20060405 00:15:06 000003b1 state : rcpt
    20060405 00:15:06 000003b1 cip : 204.225.44.16
    20060405 00:15:06 000003b1 cdn : rd1.dynip.com
    20060405 00:15:07 000003b1 from : <bbs@xanadubbs.ca>
    20060405 00:15:07 000003b1 hdn : rd1.dynip.com
    20060405 00:15:07 000003b1 rcpt : <transx@eshade.com>
    20060405 00:15:07 000003b1 ruid : 605
    20060405 00:15:07 000003b1 sapfilter : pass (time:20)
    20060405 00:15:07 000003b2 -------------------------------------
    20060405 00:15:07 000003b2 version : 1.62 / 1.54
    20060405 00:15:07 000003b2 calltype : SMTP
    20060405 00:15:07 000003b2 state : rcpt
    20060405 00:15:07 000003b2 cip : 204.225.44.16
    20060405 00:15:07 000003b2 cdn : rd1.dynip.com
    20060405 00:15:07 000003b2 from : <bbs@xanadubbs.ca>
    20060405 00:15:07 000003b2 hdn : rd1.dynip.com
    20060405 00:15:07 000003b2 rcpt : <transx@eshade.com>
    20060405 00:15:07 000003b2 ruid : 605
    20060405 00:15:07 000003b2 sapfilter : pass (time:10)
    20060405 00:15:07 000003b2 saprbl : pass (time:261)
    20060405 00:15:07 000003b1 saprbl : pass (time:391)
    20060405 00:15:07 000003b2 sapspf : none (time:40)
    20060405 00:15:07 000003b1 sapspf : none (time:30)
    20060405 00:15:07 000003b1 sapcep : none (time:60)
    20060405 00:15:07 000003b2 sapcep : none (time:60)
    20060405 00:15:07 000003b1 sapcbv : disabled (time:0)
    20060405 00:15:07 000003b1 result : accept (-1)
    20060405 00:15:07 000003b1 wcsap finish (681 msecs)
    20060405 00:15:07 000003b2 sapcbv : disabled (time:0)
    20060405 00:15:07 000003b2 result : accept (-1)
    20060405 00:15:07 000003b2 wcsap finish (571 msecs)


    3b1 is the first message, 3b2 is the second. Both pass, yet wcSMTP rejects one of them. Am I still missing something here?

    Chris



    --- Platinum Xpress/Win/WINServer v3.1
    * Origin: Prison Board BBS Mesquite Tx //telnet.RDFIG.NET www. (1:124/5013)
  • From HECTOR SANTOS@1:124/5013 to All on Thu Jan 31 19:18:36 2019
    Date: Fri, 07 Apr 2006 00:34:47 -0400
    From: HECTOR SANTOS
    To: CHRIS ROSS
    Subject: Re: wcSAP (logs)
    Newsgroups: win.server.smtp.&.avs
    Message-ID: <1144384581.46.1144372623@winserver.com>
    References: <1144372623.46.0@winserver.com>
    X-WcMsg-Attr: Rcvd
    X-Mailer: Wildcat! Interactive Net Server v7.0.454.5
    Lines: 130

    There are two parts to the "SPAM Stuff" in WCSMTP:

    First the SENDER sends these commands in sequence:

    1) EHLO or HELO client.domain.name
    2) MAIL FROM: <return path address>
    3) RCPT TO: <recipient address>
    4) DATA
    4.1) sender sends email
    5) QUIT


    The first 3 pieces of information are called the ENVELOPE:

    Client Domain Name
    Return Path Address
    Recipient Address

    wcSMTP will call WCSAP.WCX after step 3 is done to validate the ENVELOPE.

    If WCSAP passes the envelope information, then WCSMTP allows the sender to
    go to the next step #3 to begin the DATA email transfer where the actual
    EMAIL body is transferred.

    After step 4.1, WCSMTP will call SMTPFILTER.WCX which is designed to give
    you rules for analyzing the MAIL BODY (Inside the Envelope).

    What you are seeing is SMTPFILTER.WCX returning FALSE and WCSMTP rejects the transactions:

    20060405 00:15:08 (0868) smtp filter result false, message discarded

    So you can either turn off SMTPFILTER or check out the reason why it was rejected by looking in the SMTPFILTER*.LOG log.

    SMTPFILTER is really for you guys (Sysops) to define because it is based on mail content analysis and WCSMTP is not in the business of rejection based on mail content.

    But SMTPFILTER comes with an example SMTPFILTER-CHECKWORDS.WCX module which allows you to do simple WORDS checking as defined in DATA\SPAMWORDS.TXT.

    See the WCSAP/SMTPFILTER description at the web site.

    http://www.winserver.com/public/Security

    ---
    Hector

    <CHRIS ROSS> wrote in message news:1144372623.46.0@winserver.com...
    I stand corrected, I just looked at another log.

    At 00:15 on the 5th of April, wcSMTP shows 2 messages coming in from bbs@xanadubbs.ca -- one is accepted, one is refused by the filter according to wcSMTP:

    20060405 00:15:06 (0744) HELO: Incoming connection: rd1.dynip.com [204.225.44.16]
    20060405 00:15:06 (0744) MAIL FROM: <bbs@xanadubbs.ca>... Sender validation pending. Continue.
    20060405 00:15:06 (0868) HELO: Incoming connection: rd1.dynip.com [204.225.44.16]
    20060405 00:15:06 (0868) MAIL FROM: <bbs@xanadubbs.ca>... Sender validation pending. Continue.
    20060405 00:15:07 (0744) RCPT: Recipient Accepted: <transx@eshade.com>
    20060405 00:15:07 (0868) RCPT: Recipient Accepted: <transx@eshade.com>
    20060405 00:15:08 (0868) smtp filter result false, message discarded
    20060405 00:15:08 (0744) Accepted message from [<bbs@xanadubbs.ca>] to [<transx@eshade.com>]
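
The two filter stages discussed in this thread can be separated mechanically when reading the logs. The following is an added example, not part of either post and not Wildcat! code: it groups the wcSMTP lines by the thread id in parentheses and the wcSAP lines by session id, and reports which stage decided each transaction. The line formats are assumed to be exactly as shown in the posts, and no mapping between wcSMTP thread ids and wcSAP session ids is assumed.

```python
import re
from collections import defaultdict

# Log lines copied from the posts above (wrapped lines rejoined, wcSAP trimmed).
WCSMTP_LOG = """\
20060405 00:15:06 (0744) HELO: Incoming connection: rd1.dynip.com [204.225.44.16]
20060405 00:15:06 (0744) MAIL FROM: <bbs@xanadubbs.ca>... Sender validation pending. Continue.
20060405 00:15:06 (0868) HELO: Incoming connection: rd1.dynip.com [204.225.44.16]
20060405 00:15:06 (0868) MAIL FROM: <bbs@xanadubbs.ca>... Sender validation pending. Continue.
20060405 00:15:07 (0744) RCPT: Recipient Accepted: <transx@eshade.com>
20060405 00:15:07 (0868) RCPT: Recipient Accepted: <transx@eshade.com>
20060405 00:15:08 (0868) smtp filter result false, message discarded
20060405 00:15:08 (0744) Accepted message from [<bbs@xanadubbs.ca>] to [<transx@eshade.com>]
"""
WCSAP_LOG = """\
20060405 00:15:07 000003b1 sapfilter : pass (time:20)
20060405 00:15:07 000003b2 sapfilter : pass (time:10)
20060405 00:15:07 000003b1 result : accept (-1)
20060405 00:15:07 000003b2 result : accept (-1)
"""

SMTP_LINE = re.compile(r"^\d{8} \d\d:\d\d:\d\d \((\w+)\) (.*)$")
SAP_LINE = re.compile(r"^\d{8} \d\d:\d\d:\d\d (\w{8}) (\w+) *: (.*)$")

def smtp_dispositions(log):
    """Per wcSMTP thread id: whether RCPT was accepted and the final outcome."""
    state = defaultdict(lambda: {"envelope_ok": False, "final": "incomplete"})
    for line in log.splitlines():
        m = SMTP_LINE.match(line)
        if not m:
            continue
        tid, msg = m.groups()
        if msg.startswith("RCPT: Recipient Accepted"):
            state[tid]["envelope_ok"] = True      # envelope stage passed
        elif msg.startswith("smtp filter result false"):
            state[tid]["final"] = "discarded by SMTPFILTER (content stage)"
        elif msg.startswith("Accepted message"):
            state[tid]["final"] = "accepted"
    return dict(state)

def sap_results(log):
    """Per wcSAP session id: the envelope-stage 'result' verdict."""
    out = {}
    for line in log.splitlines():
        m = SAP_LINE.match(line)
        if m and m.group(2) == "result":
            out[m.group(1)] = m.group(3).split()[0]
    return out
```

A transaction whose envelope passed but whose final outcome is a discard was decided after DATA, so the reason is in the SMTPFILTER log rather than the wcSAP log.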