Fantastic - once fixed I suspect this will make a great article! Please let me know what, if any, additional information you would like me to provide. From what I have seen, it only appears to occur with the keywords. Attachment blocking always functions, as well as domain blocking. Of course, we do have more entries for keywords, so perhaps we have just not hit the limit with the attachment and domain blocking features. Thanks again for your assistance! -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Tuesday, December 10, 2002 7:26 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: SMTP Filter - HELP! (NOT config help) http://www.ISAserver.org Hi Edward, There does appear to be a limit on the number of entries for the SMTP Message Screener. I don't think its really a limit on the number of entries, but a limit on the size of the regkey. Sean McCormick from brainbuzz has clued me into this issue and we're trying to get it cleared up. HTH, Tom -----Original Message----- From: Edward Sullivan [mailto:esullivan@xxxxxxx] Sent: Tuesday, December 10, 2002 5:58 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: SMTP Filter - HELP! (NOT config help) http://www.ISAserver.org I do not think this is the cause. We do have a secondary MX in place in DNS in case of emergencies, but there is no policy enabled via the firewall to allow mail to pass and the IP address is not live either. The only SMTP policy enabled on our firewall routes all inbound SMTP traffic through the DMZ port of the firewall to the DMZ IP of the SMTP server, which ISA is configured to see as the untrusted zone. From that point the SMTP server relays to the primary Exchange server though the internal trusted NIC. I am double-checking all of the settings and policies to make sure nothing has been missed, but there is only one way for email to get in, and it is a tight fit at that! There are only two other servers with firewall policies allowing traffic in, and neither of those have SMTP installed (or policies allowing SMTP traffic)and there are NO servers with real IP addresses assigned. Any other ideas? -----Original Message----- From: Chris H [mailto:ntpro@xxxxxxxxxx] Sent: Tuesday, December 10, 2002 5:24 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: SMTP Filter - HELP! (NOT config help) http://www.ISAserver.org I cannot speak to ISA server's problem, but having gone through this with 2 other email packages I have found that almost always the mail is coming in from another route you are not filtering such as an old secondary MX record or another IIS server that you dont know has SMTP service running on it or a Proxy server with the SOCKS service open, etc. It took me a few weeks to finally nail everything down . . . ----- Original Message ----- From: Edward Sullivan To: [ISAserver.org Discussion List] Sent: Tuesday, December 10, 2002 6:16 PM Subject: [isalist] SMTP Filter - HELP! (NOT config help) http://www.ISAserver.org We are running ISA and IIS SMTP on our perimeter email screener, and using the SMTP Filter to screen for: Attachment types (.exe, .pif, .com, .vbs, .bat, and .scr) Domains which we receive spam from (about 100 in the list) Spam keywords (126 keywords in the list) Any message that meets SMTP filter criteria is forwarded to a spam box on our primary Exchange Server. This server is not our firewall - we are only using ISA for the email filtering functionality. The server hardware is a Dell 2550 with 512MB of RAM, and a 2 GHZ XEON Processor. Dual NIC's, of course. To me, this seems like a well-sized server for the application. My question is this - I have noticed that certain keywords are not being filtered, and that messages that contain keywords are not being forwarded to our spam address, and are instead making it to our users. Is there an effective limit to the number of keywords ISA can handle, or is there a misconfiguration somewhere? Has anyone else seen this behavior, and found a way to correct it? A bug in ISA perhaps? (Heaven forbid!) Thanks in advance for your responses! Ed Sullivan Director of Information Services esullivan@xxxxxxx <mailto:esullivan@xxxxxxx> KMA Direct Communications Confidential and Proprietary ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: ntpro@xxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: esullivan@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: esullivan@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')