Phone Lines icon GFI Support

Articles in this section

How to determine why the Anti Spoofing spam filter blocked or allowed a message

Author: Luis Fernandes Updated

Answer

If you are questioning why an email was blocked or allowed by the Anti-Spoofing module and would like more information, you can find further details in the log file for that filter. Use the following procedure to find the log and information regarding your message within it, and then use the examples below to interpret why the message was either blocked or allowed:
  1. Find the message ID of the email in question by either gathering it from the headers of the message itself, or by looking for it in the MailEssentials Dashboard > Logs > Details tab
  2. Open the ase_antispoofing.gfi_log file in notepad from  ..\GFI\MailEssentials\AntiSpam\DebugLogs
    • This log is for the Anti Spoofing Module and corresponds to the Configuration > Anti-Spam > Anti Spam Filters > Anti Spoofing in the interface and the antispoofing_ip_list table within the config.mdb
  3. Do a search for the Message ID from the dashboard or the email headers
    • Note: The Message IDs have been removed from the example log files below.
    • Note: The bolded lines are the important ones in the log files for determine what has happened and why.
 
There are two main parts to this log.  The first loads the information for the module, the second scans the individual emails.  
 

Loading the settings:
 

>> Load config
Loading enable flag...
Module enabled.
Loading allow authenticated connections flag...
Module will skip processing if message is authenticated.
Loading domains...
No. of local domain entries: [2] - This is the number of domains being scanned.  Configuration > General > General Settings > Local Domains
Loading all trusted IPs...
>> Load antispoofing IPs
Recordset entry [x.x.x.x] - This is the IPs listed in the module as allowed, if this is blank, there are no IPs listed.
<< Load antispoofing IPs
>> Load perimeter IPs
<< Load perimeter IPs
No. of trusted IP entries: [4] - Total number of entries
<< Load config
 

Email was allowed by the module:
 

Connecting IP [x.x.x.x]
SMTP mail sender address [ham@gfitest.com]
SMTP mail sender domain is NOT associated with a local user account
Message is NOT spoofed

Note: To block an invalid sender, remove the IP address from the configuration.
 

Email was blocked by the module:
 

Connecting IP [x.x.x.x]
SMTP mail sender address [spam@gfitest.com]
SMTP mail sender domain is associated with a local user account
Message IS spoofed
Stopping ASE chain [2]...

Note: To allow a valid sender, add the IP address to the configuration.
 

Module is disabled:
 

Antispoofing is disabled...
 
Note: The Connecting IP is the IP address of the sending server.