
How to determine why the Anti Phishing spam filter blocked or allowed a message

Answer

If you are questioning why an email was blocked or allowed by the Anti-Phishing spam filter and would like more information, the log file for that filter has the details. Use the following procedure to find the log and the entry for your message within it, then use the examples below to interpret why the message was blocked or allowed:
  1. Find the message ID of the email in question, either from the headers of the message itself or from the MailEssentials Dashboard > Logs > Details tab.
  2. Open the ase_purbl.gfi_log file in Notepad from ..\GFI\MailEssentials\AntiSpam\DebugLogs
    • This log belongs to the Anti-Phishing filter module, which corresponds to Configuration > Anti-Spam > Anti Spam Filters > Anti Phishing in the interface and to the phishing_keyword table in config.mdb.
  3. Search the log for the Message ID taken from the dashboard or the email headers.
    • Note: The Message IDs have been removed from the example log extracts below.
    • Note: The lines that matter for determining what happened and why are the ones called out in the notes under each extract: the "spammy" line after a URL, the "Spam detection result" line and the "Setting block report" line.
There are two main parts to this log: the first records the module's settings as they are loaded, the second records the scan of each individual email.
 

Loading the settings:
 

Purbl AP Status: [Enabled]
Purbl (Keywords) AP Status: [Enabled]
Purbl (Blocklist) AP Status: [Enabled]
Purbl (Blocklist) Path: [L:\Program Files (x86)\GFI\MailEssentials\Antispam\Data\blocklist.db]
Purbl (Blocklist) CacheTTL: [345600000]
Phishing Keyword [paypal] - one line per keyword in the list used by the module
Preparing to load Antiphishing data ...
Anti-Phishing data is up-to-date
 

Email was allowed by the module:
 

>> Message Processing Block
MIME Sender: info@londondirect-jp.com
[0x12999dd8] _revision [574268] 
Scanning TEXT body part
>>
MimeEntity Info => CTYPE: [text/plain], CSET: [UTF-8], LEN: [5200]
Internationalized stream length: 10344
Bytes read [10344]
CModuleContext::ExtractUrls() <<
Waiting 5 minutes on threads
Done waiting...extracting unique urls...
Found unqiue url [jp.com/link]
Found unqiue url [http://www.lo]
Found [2] Unique Urls
CModuleContext::ExtractUrls() >>
URLs Extracted [2]
Phishing Keywords Check [enabled]
Phishing Blocklist Check [enabled]
Checking URL [http://www.lo]
[http://www.lo] [91089] hpts: 2  pats: 0
Checking URL [jp.com/link]
[jp.com/link] [91089] hpts: 1  pats: 0
<<
Scanning HTML body part
>>
MimeEntity Info => CTYPE: [text/html], CSET: [UTF-8], LEN: [6864]
Internationalized stream length: 13728
Bytes read [13728]
CModuleContext::ExtractUrls() <<
Waiting 5 minutes on threads
Done waiting...extracting unique urls...
Found unqiue url [jp.com/link]
Found unqiue url [http://www.lo]
Found [2] Unique Urls
CModuleContext::ExtractUrls() >>
URLs Extracted [2]
Phishing Keywords Check [enabled]
Phishing Blocklist Check [enabled]
Checking URL [http://www.lo]
[http://www.lo] [91089] hpts: 2  pats: 0
Checking URL [jp.com/link]
[jp.com/link] [91089] hpts: 1  pats: 0
<<
 
Note: In the extract above both checks ran against every extracted URL and no URL was followed by a "spammy" line, so the module allowed the message. Additional phishing keywords can be added to the Anti Phishing filter in the configuration. The blocklist check cannot be changed; only the keyword list can.
 

Email was blocked by the module:
 

Searching for urls...DONE 
URLs Extracted [38] 
Phishing Keywords Check [enabled] 
Phishing Blocklist Check [enabled] 
[300x82.pn] [64587] hpts: 1 pats: 0 
[Istanbul.ht] [64587] hpts: 1 pats: 0 
[Lauren.Ho] [64587] hpts: 1 pats: 0 
[drpgroup.com] [64587] hpts: 1 pats: 0 
[gorkem.su] [64587] hpts: 1 pats: 0 
[http://http/www.thevenuepot.com] [64587] hpts: 1 pats: 7 
>> spammy: [http://http/www.thevenuepot.com] 
<< 
Spam detection result: [AP Keywords: not detected] [AP Blocklist: detected] 
Setting actions data ... 
Informing ASE [2]... 
Setting block report to: 'Message is a scam email phishing' 
<< Message Processing Block 
 
Notes:
  • The "Spam detection result" line states which of the two checks fired. Here the keyword check did not match, but the blocklist check did, on the URL named in the ">> spammy:" line, and the block report is set to 'Message is a scam email phishing' accordingly.
  • A URL that has already been looked up may be answered from the cache instead; the log line then reads: Cache hit for URL [www.lendingtree.com][LS:432858046]
  • Keywords can be removed from the Anti Phishing filter in the configuration, or the email can be whitelisted. The cache and the Blocklist cannot be altered.
     

Module is disabled:
 

Purbl (Keywords) AP Status: [Disabled]
Purbl (Blocklist) AP Status: [Disabled]
Phishing Keywords Check [disabled]
When both statuses show Disabled the module performs neither check on the message, so it is not the reason the message was blocked or allowed.
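The following script carries the three-step procedure above through to an answer: it reads the settings part of ase_purbl.gfi_log, locates the Message Processing Block that mentions a given Message ID, and summarises which check fired and why. This is an added example and not GFI's own code. The line formats it matches are the ones visible in the extracts on this page; the "Message ID: [...]" placeholder lines in the constructed sample, and the assumption that an allowed message's block closes with the same "<< Message Processing Block" marker as a blocked one, are assumptions, and the meaning of the hpts/pats numbers is not documented on the page, so the script only carries them through.

```python
"""Added example (not GFI's code): summarise why the Anti-Phishing module (purbl)
allowed or blocked a message, from an excerpt of ase_purbl.gfi_log."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the page's extracts. ASSUMPTIONS: the "Message ID: [...]"
# lines are placeholders (the page shows no example of that line, so the parser only
# substring-matches the ID anywhere in a block) and an allowed message's block is assumed
# to end with the same "<< Message Processing Block" marker shown for the blocked one.
SAMPLE_LOG = """\
Purbl (Keywords) AP Status: [Enabled]
Purbl (Blocklist) AP Status: [Enabled]
Phishing Keyword [paypal]
>> Message Processing Block
Message ID: [<allowed-0001@example.invalid>]
[http://www.lo] [91089] hpts: 2  pats: 0
[jp.com/link] [91089] hpts: 1  pats: 0
<<
[http://www.lo] [91089] hpts: 2  pats: 0
[jp.com/link] [91089] hpts: 1  pats: 0
<<
<< Message Processing Block
>> Message Processing Block
Message ID: [<blocked-0002@example.invalid>]
Cache hit for URL [www.lendingtree.com][LS:432858046]
[drpgroup.com] [64587] hpts: 1 pats: 0
[http://http/www.thevenuepot.com] [64587] hpts: 1 pats: 7
>> spammy: [http://http/www.thevenuepot.com]
<<
Spam detection result: [AP Keywords: not detected] [AP Blocklist: detected]
Setting block report to: 'Message is a scam email phishing'
<< Message Processing Block
"""

RE_BLOCK = re.compile(r"^>> Message Processing Block\n(.*?)^<< Message Processing Block", re.S | re.M)
RE_STATUS = re.compile(r"^Purbl \((Keywords|Blocklist)\) AP Status: \[(Enabled|Disabled)\]", re.M)
RE_KEYWORD = re.compile(r"^Phishing Keyword \[(.+?)\]", re.M)
RE_URL = re.compile(r"^\[(.+?)\] \[\d+\] hpts: (\d+)\s+pats: (\d+)")  # hpts/pats not explained on the page
RE_SPAMMY = re.compile(r"^>> spammy: \[(.+?)\]")
RE_RESULT = re.compile(r"^Spam detection result: \[AP Keywords: (.+?)\] \[AP Blocklist: (.+?)\]")
RE_REPORT = re.compile(r"^Setting block report to: '(.+)'")
RE_CACHE = re.compile(r"^Cache hit for URL \[(.+?)\]")


@dataclass
class Verdict:
    message_id: str
    urls: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # url -> (hpts, pats), deduped across body parts
    spammy: List[str] = field(default_factory=list)
    cache_hits: List[str] = field(default_factory=list)
    keywords_result: Optional[str] = None
    blocklist_result: Optional[str] = None
    block_report: Optional[str] = None

    @property
    def blocked(self) -> bool:
        return self.block_report is not None or "detected" in (self.keywords_result, self.blocklist_result)

    def explain(self, status: Dict[str, bool]) -> str:
        """One-line reading of the block, with the remediation the page allows for each cause."""
        if not any(status.values()):
            return "module disabled: neither check ran, so the reason lies with another filter"
        if not self.blocked:
            return f"allowed: {len(self.urls)} URL(s) checked, none flagged ('spammy') by either check"
        why = []
        if self.keywords_result == "detected":
            why.append("keyword matched (edit the keyword list or whitelist the email)")
        if self.blocklist_result == "detected":
            why.append(f"blocklist matched {', '.join(self.spammy)} (blocklist/cache cannot be edited; whitelist the email)")
        return f"blocked, report '{self.block_report}': " + "; ".join(why)


def parse_settings(log: str) -> Tuple[Dict[str, bool], List[str]]:
    """Settings part of the log: everything before the first message block."""
    head = log.split(">> Message Processing Block", 1)[0]
    status = {name: state == "Enabled" for name, state in RE_STATUS.findall(head)}
    return status, RE_KEYWORD.findall(head)


def find_verdict(log: str, message_id: str) -> Optional[Verdict]:
    """Step 3 of the procedure: the block that mentions the Message ID, summarised."""
    for body in RE_BLOCK.findall(log):
        if message_id not in body:
            continue
        v = Verdict(message_id)
        for line in body.splitlines():
            if m := RE_URL.match(line):
                v.urls[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            elif m := RE_SPAMMY.match(line):
                v.spammy.append(m.group(1))
            elif m := RE_RESULT.match(line):
                v.keywords_result, v.blocklist_result = m.group(1), m.group(2)
            elif m := RE_REPORT.match(line):
                v.block_report = m.group(1)
            elif m := RE_CACHE.match(line):
                v.cache_hits.append(m.group(1))
        return v
    return None


if __name__ == "__main__":
    status, keywords = parse_settings(SAMPLE_LOG)
    print("checks enabled:", status, "keywords:", keywords)
    for mid in ("allowed-0001", "blocked-0002", "missing-0003"):
        v = find_verdict(SAMPLE_LOG, mid)
        print(mid, "->", v.explain(status) if v else "no Message Processing Block mentions this ID")
```

Point the script at a real log by reading the file contents instead of SAMPLE_LOG and passing the Message ID you took from the headers or the dashboard. Because the TEXT and HTML body parts of one message are scanned separately, the same URL appears twice in an allowed block; the urls dictionary collapses those duplicates, which is why the allowed sample reports two URLs rather than four.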
 
Posted by Priyanka Bhotika