Help. Mailing blacklists...

This topic was created by m0rt.

  1. Anonymous Coward

    Help. Mailing blacklists...

    Hi.

    Some background. Last week someone who has a mailing account with one of my domains, which in turn is hosted on a mate's server, had his email password lifted from his XP laptop and subsequently that account was used to send out near a million spam messages. Or attempted to, I caught it with 847k still to go. So one clean up later, and blacklist maintainer grovelling notwithstanding, I have been getting the IP address, which also holds a few other domains I hasten to add, off the blacklists. I attempted to reply to my wife, who uses hotmail, and get a message back stating that the ip was blocked.

    This I understand. It is, ultimately my responsibility. So I contact Live.com via their recommended route. I get an email stating they will investigate upon my reply. So I give them the run down on what happened and what I have done since etc.

    I get an email back which basically states:

    "We have reviewed your IP(s) (8.8.8.8*) and determined that messages are being filtered (i.e. sent to the Junk folder) based on the recommendations of the SmartScreen® Filter.

    Email filtering is based on many factors, but primarily it's due to mail content and recipient interaction with that mail. Because of the proprietary nature of SmartScreen® and because SmartScreen® Filter technology is always adapting and learning more about what is and isn't unwanted mail, it is not possible for us to offer specific advice about improving your mail content. However, in general SmartScreen® Filter evaluates specific words or characteristics from each e-mail message and weights them, based on their likelihood to indicate that a message is unwanted or legitimate mail.

    Unfortunately, after reviewing the information you provided and in compliance with our mail policies, we are unable to offer immediate mitigation for your deliverability issue. However, we have some specific recommendations for you to consider that can help you to improve deliverability over time. "

    Now, this reads a little false. First off, the message clearly states:

    "Connected to 8.8.4.4* but sender was rejected. Remote host said: 550 OU-002 (COL0-MC4-F5) Unfortunately, messages from 8.8.8.8* weren't sent. Please contact your Internet service provider since part of their network is on our block list"

    So this pretty much indicates that there *is* a list and it isn't the content of the email, which was pretty much what the Live.com rep was stating. Also, prior to this, the original email in response to my raised request stated:

    "Our investigation has determined these IP(s) are being blocked based on the recommendations of Symantec's BrightMail filter.

    We will be happy to work directly with Symantec on your behalf to investigate and possibly resolve this problem. Symantec will re-evaluate your IP and remove the block if appropriate."

    Which kind of shows up the other email to be a little disingenuous.

    I *know* that the internet is a very big place and my piddling little problem is just that, and that spammers are the scum of the earth, however, I can't email my wife. Or reply to my wife. (On this address). My friend, who kindly let me host my domain on his server, has all his domains treated similarly as the domain is shoved somewhere in Microsoft's hit list. If it was similar to Bing, I wouldn't care. But because hotmail have a fair whack of all mailboxes, it is kind of a big deal.

    If anyone has had a similar experience, I would really appreciate some advice. This being the Reg, I understand that I will get some abuse and I accept that. But please temper it with something useful.

    *My little joke

    PS - If anyone has experience of creating qmail mail send rate triggers, I would be grateful if you could contact me.

    1. Anonymous Coward

      Re: Help. Mailing blacklists...

      Change your IP address and make sure it has a matching Sender ID policy. Wizard for that is here:

      http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

      To stop it happening again, set a rate limit and apply a throttling policy on your Exchange server:

      To create a new policy where the users can send to 100 recipients a day and no more than 1 message per minute, you would use this command:

      New-ThrottlingPolicy -Name LimitMessagesSent -RecipientRateLimit 100 -MessageRateLimit 1

      To assign it to a user, use this command:

      Set-Mailbox -Identity user_alias -ThrottlingPolicy LimitMessagesSent

      To apply it to every user in your Users OU do:

      Get-Mailbox -OrganizationalUnit Users | Set-Mailbox -ThrottlingPolicy LimitMessagesSent

      1. Trixr

        Re: Help. Mailing blacklists...

        Dude, where on earth does it say he uses Exchange? In fact, he specifically references Qmail.

        I don't know about throttling policies in Qmail, but it's trivial in Postfix. Which makes this post about as useful as the one I'm replying to here.

        I agree with the other suggestions of trying to change your IP and browsing through the RBL lists to see if anyone's got you clobbered on one of those as well.

        1. Eddy Ito

          Re: Help. Mailing blacklists...

          The man page for qmail-spamthrottle is here and, although I've not done it personally, it doesn't look particularly difficult.

    2. Bronek Kozicki

      Re: Help. Mailing blacklists...

      Check your IP against multi-RBL and then try to remove your IP from each individual RBL.

    3. Bloakey1

      Re: Help. Mailing blacklists...

      Hi.

      Been there done that for various people and also gone through the hoops below.

      The quickest way is to get an account with authsmtp and using that for the time being while you resolve the issue.

      I have no connection to company above etc.

  2. Anonymous Coward

    Aha. Bot.

    'Tanaya' contacted me again.

    "Hello,

    My name is Tanaya and I work with the Outlook.com Deliverability Support Team.

    We understand that you have additional questions regarding how to improve the content of your mail and, thereby, improve deliverability of your email to Outlook.com users.

    For your background, deliverability to a user's inbox is based on many factors including the reputation of the sending IP(s), the format of the mail and also user settings and preferences."

    This was in response to my query about the list. So I think I can safely say this is automated.

    Not terribly good show.

    1. Aitor 1

      Re: Aha. Bot.

      You won't get out of the list. Ever. You might get out of some lists, but not all.

      They have their good reasons, but alas,bad luck. Been there, and it sucks.

    2. Voland's right hand

      Re: Aha. Bot.

      A safe bet is that this is Cortana's twin sister (without all the cute armour and makeup).

      AFAIK your chances to get removed off Hotmail blacklist once you get on it are about the same as to see Lucifer driving to work on a snowplough. You will find that changing the IP (even if this means changing hosting) is easier.

  3. Ben Liddicott

    Join MAILOP

    Join the Mail Operators List, and ask there.

    mailop@mailop.org

    http://chilli.nosignal.org/mailman/listinfo/mailop

  4. Gordan

    RBLs generally work in two ways as far as removal goes:

    1) Removal requests (many require a payment to process removals)

    2) Time based auto-removal

    Just about all have 2), and most have 1).

    You can try to chase 1) where available, but ultimately some will retain the IP until 2) takes place. So all you can really do is wait 2 weeks or so for the blacklisting to expire.

    1. Alan Brown

      > (many require a payment to process removals)

      The ones which do this aren't widely used (thankfully). Some charge for expedited removal but it's mostly to discourage requests in the first place.

      Hotmail run their own internal BL. You'll expire out of it eventually but there's no way of being removed earlier.

      Getting out of the major BLs is easy. As you've discovered it's the thousands of sites which roll their own you need to worry about.

  5. Ben Liddicott

    OK here is what you need to do

    0. Most important. Fix the problem. It is no good trying to get de-listed if their own logs tell them you are still emitting spam. You may need to be able to tell people what happened and what you have done to fix it.

    1. It is no good asking them why you are blocked, unless you have definitively determined that it is a specific decision taken by them in your case (even automatically). More likely, you are blocked because they use a reputation service.

    2. So you need to check your status on ALL commonly used reputation services.

    3. What is a reputation service? It is someone's opinion, based on their published policies, that your IP address or email domain meets the criteria to be listed on that service - usually the criteria can be determined automatically, but sometimes the lists are curated manually. In other words, it is an expression of opinion, not an instruction to anyone to block you. Mail operators may choose to use such lists to block outright, or as part of a scoring system, and usually in combination with a whitelist/blacklist of their own. (For example you would usually whitelist your bigger customers - you don't want to lose an order for a million widgets just because an over-enthusiastic salesperson got your customer listed on one of these lists).

    4. So find out who has listed you.

    Check both your IP address and email addresses against all blacklists. Robtex is a service which can do this for you:

    https://www.robtex.com/

    So for example if your email domain is theregister.co.uk and your mail server is aspmx.l.google.com, then bung the IP address 173.194.66.26 into the box at the top, then hit the "blacklists" link and it will tell you if you are listed by any blacklists.

    Do the same with the domain.

    5. Then you need to jump through the relevant hoops with each and every blacklist which has listed you. In most cases you can get de-listed (once) by asking. But not in all cases. Some will only de-list you after a month - but these are little-used.

    Generally, if you can get off all the lists, you will find you can get mail delivered again. But that's the first thing you need to do.

    Alternatively

    An alternative would be to actually move your mail domain to Google, or Outlook.com. They already do all the rate-limiting, outbound filtering of spam and other defence-in-depth measures you will need, and have developed relationships with all the other large mail providers to report abusive users.

    1. Anonymous Coward

      Re: OK here is what you need to do

      I've been in this situation too, for no other reason than someone in my BLOCK of IP addresses (on ADSL) had an infection or was wilfully spreading spam.

      So, for no fault of my own I was blacklisted and couldn't reach my recipient, who I then got hold of via a temp account at Google (the irony of this..). This meant that I suffered reputation damage as well as an impact on business because some jerkoff arbitrarily decided to let a robot put me on their list, with no reasonable process to be removed.

      As a small shop I don't have that sort of time to waste, but if I ever get rich, I'll sue the f*cking shirt off every single one of them who does this. I'm OK with a list that is based on solid arguments, but otherwise their ass is mine - I should not have to spend half a day mining out what initially appears to be a tech problem, only to then find it's some idiot who does not want to take responsibility for their actions harming me and customers. It's also one of the reasons I prefer grey listing and other methods (coupled with a few IP tarpits for good measure) - as soon as a 3rd party gets power over who you receive email from it seems to go to their head.

      1. Alan Brown

        Re: OK here is what you need to do

        "I've been in this situation too, for no other reason than someone in my BLOCK of IP addresses (on ADSL) had an infection or was wilfully spreading spam."

        If you're in a residential ADSL range you're already in my (and many other sites') blacklists.

        Enduser ranges firing direct-to-MX are the most common source of spam. All those 0wned machines, etc.

        Forcing them to use their local ISP machine means that the problem is pushed back to the ISP - and thankfully a lot of them block outbound port 25 traffic by default.

        Mail clients use different ports to SMTP servers, so blocking port 25 impacts no one except those very few nutters running mail servers on their enduser equipment. They can ask nicely for a port unblock or smarthost via their ISP.

      2. Alan Brown

        Re: OK here is what you need to do

        "As a small shop I don't have that sort of time to waste, but if I ever get rich, I'll sue the f*cking shirt off every single one of them who does this."

        I look forward to you being branded a vexatious litigant within a few days.

        Your right to send mail stops at the edge of your network. Beyond that it's strictly an "at will/goodwill" service. No one is obliged to carry your email, for any reason, and attempting to force people to do so will have blowback in ways you cannot even begin to imagine.

      3. Ben Liddicott

        Re: OK here is what you need to do

        "As a small shop I don't have that sort of time to waste, but if I ever get rich, I'll sue the f*cking shirt off every single one of them who does this."

        That's like renting a shop in a bad neighbourhood, and complaining that people don't come to your shop because they don't want to be mugged.

        So you are going to sue the people who told them it was a bad neighbourhood.

        Change neighbourhood - get a new ISP.

  6. Anonymous Coward

    Hi

    Outlook and Hotmail don't rely upon standard RBL lists - their anti-spam systems are run by/or use the ReturnPath reputation system - And they offer a tool that allows you to check your IP reputation on their systems - https://www.senderscore.org/

    One thing to note is this is not a hard list, i.e. your sender IP reputation will fluctuate, the trick is

    1) Don't send junk email

    2) If you are sending a lot of email, make sure it's relevant

    Reason for this is, when Outlook/Hotmail receive bulk email they ask a selection of those people if the email was "legitimate", and if a lot of them answer No, then it will degrade your IP's reputation further.

    Also the reputation system works on 30 day increments, so if you can keep your IP clean for 30 days, you should notice the score start to automatically improve.

    ReturnPath run a whitelisting program, we subscribe to it as it improves the deliverability of our emails to customers, this effectively adds us to a whitelist on Outlook, Hotmail and Yahoo etc so we get better inbox rates. But it is expensive and our email lists have to be whiter-than-white.

    I hope that helps.

    1. Anonymous Coward

      1 other item to add.

      Whilst blacklisting takes many shapes, it's primarily done on the IP address of the sending server - so you could always change IP addresses of the server. Or even add a 2nd IP to the box and configure your SMTP software to send via that IP, note not all software supports this, but Postfix definitely does.

    2. This Side Up

      I've had problems with hotmail and various blacklists used by ISPs. I use forwarders and mailing lists on a shared server so I don't have the option to change the IP address. Also I don't have control over other users of the server. Blocking an IP address or range of addresses is a scattergun approach which causes more problems than it solves. I have three levels of spam filtering in addition to my own eyes, so I don't need these blacklists. If you handle email in plain text it's much easier to spot spams, scams and trojans.

      1. Alan Brown

        " Also I don't have control over other users of the server. "

        The person who owns the server does. Why aren't you complaining loudly to him, or voting with your wallet by moving to another service provider?

  7. A J Stiles

    Don't

    Don't. E-mail is dying in the water anyway. Within five years, it will be unusable thanks to the spammers and the hackers. There will be private e-mail server appliances for communication within offices, but that's about all.

    If you want to communicate with people, you need a mobile app. Someone will put out a cross-platform Open Source construction kit, sooner or later, that will enable the creation of mobile apps that basically retrieve data over http that you might once have e-mailed, and display it, with good integration to the phone's applications such as mapping and phone calls, very easily (address object with direct integration to the phone's address book, latitude and longitude properties, and direct map access methods; telephone number object with validate and call methods); most of the bits are already there.

    In future, instead of, say, e-mailing a spreadsheet of sales leads to your customers, you will publish something like a stack of vCards, each with addresses that can be called up on the map and phone numbers that can be dialled with a single touch; and the app to retrieve and make use of the data will be automatically generated, for whatever target architectures you select, along with the database schema and the customisation of scripts for the server. And if the phone app just happens to write a .CSV file to the SD card, so much the better .....

    1. Gordon 10

      Re: Don't

      Good lord what a pile of unhelpful crap.

      Were you even trying to be helpful or did you just reply to spout your bizarre personal view of the future?

      I have less trouble with spam now and have had little for years. On what basis do you make your crazy claims?

      1. Christian Berger

        Re: Don't

        "Were you even trying to be helpful or did you just reply to spout your bizarre personal view of the future?"

        There was always a strong opposition against the Internet. Previously those were the people using AOL, now it's the Facebook and mobile App crowd. There are people happily using their walled gardens, and that's fine as long as they don't expect you to move in there as well.

        As for actual advice on the issue, you probably cannot do much more than getting a different IP. Alternatively get an upstream outgoing e-mail provider. Depending on your hosting company, a different IP would be simplest.

        Then as a preventive step, try to implement some throttling. Few people are able to write more than one e-mail per minute.

    2. R 11

      Re: Don't

      Do you really believe this? If so, I cannot imagine why.

      My gmail account has been made available to numerous companies. I see almost no spam, only a steady trickle of adverts that Google dumps into their own folder automagically.

      On my own server, an email account that's about fifteen years old and which has been widely used also sees little spam, thanks to spamassassin, RBLs, and some postfix rules.

      If anything, modern anti-spam techniques mean my inbox is cleaner today than it was ten years ago.

    3. Mr Fuzzy

      Re: Don't

      Ah, yes. Increasing the complexity of the system is always the answer.

    4. This post has been deleted by its author

    5. Anonymous Coward

      Re: Don't

      "E-mail is dying in the water anyway. Within five years, it will be unusable"

      That's what devs thought 10 years ago. Didn't happen. We know email's got issues but I'd like to see you invent a decentralized communication system that does any better when *everyone* is using it. But if you want to do something *useful*, the world needs better email readers after 10 years of neglect.

    6. Anonymous Coward

      Re: Don't

      "Don't. E-mail is dying in the water anyway."

      That must be why every web site asks me to confirm my password via carrier pigeon! I knew there was a reason!

  8. Velv

    "I can't email my wife. Or reply to my wife"

    Am I missing something here? What's the problem?

    1. Fatman

      "I can't email my wife. Or reply to my wife"

      Is that a Bad Thing??

      </snark>

  9. binsamp

    Get a disposable email

    http://www.e4ward.com/

  10. DougMac

    Fixes

    As others have said.

    Absolute first step is to make sure it isn't happening still.

    Almost *all* currently used blacklists are age based, and older entries expire out over time.

    If you keep leaking SPAM, you keep getting listed.

    Second, as I said, almost all blacklists are age based, and you may just have to wait it out. Ie. Comcast, Yahoo run their own private ones that just take time to age out. Many of the large ones have a try to get out of jail page, but it doesn't do much. Timing out is most likely the answer.

    Besides Spamhaus (which takes an extraordinary level of SPAM and non-response to get on), most "public" RBL lists aren't used all that widely. Most of the large email providers run their own private ones based on rate of sending of the server, and reputation, and age out older entries.

    That said, you could try to make sure you aren't listed on the remaining few public ones that might actually get use. Ie.

    http://mxtoolbox.com/blacklists.aspx

    lets you check many at once. About the only ones left on this list I see in use are UCEPROTECT and Barracuda.

    But, almost anybody that is interesting that you want to send to runs their own private ones, and really, you may just have to wait for your bad entries to age out, and go on.

    As you said, you'll want to implement your own rate limiting for sending (can't help you with that setup), although some of the large providers do have excellent heuristics and will be able to clamp down on your server with just a few hundred SPAM leaking. If you run a mail server, you probably need to have monitoring and alerting enabled for any events outside of normal, so you can catch things as quickly as possible, so you can start the age-out timing process the quickest.
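An added example, not code from any poster in this thread, of what the multi-RBL checkers mentioned above (Bronek's "multi-RBL", Ben Liddicott's Robtex step, the mxtoolbox page here) do under the hood, so you can script the check yourself: a DNSBL query reverses the IPv4 octets, appends the list's zone and treats an A record inside 127.0.0.0/8 as a listing. The zone names are real, well-known lists; the answers in FAKE_ANSWERS are constructed so the block runs offline, and live_resolve is the drop-in for real queries.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Well-known DNSBL zones: Spamhaus ZEN, Barracuda, UCEPROTECT level 1.
DNSBL_ZONES = ("zen.spamhaus.org", "b.barracudacentral.org", "dnsbl-1.uceprotect.net")

# Spamhaus ZEN encodes which sub-list hit in the answer address (per Spamhaus'
# published return codes); most other zones simply answer 127.0.0.2.
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.9": "SBL DROP",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}
ZEN_CODES.update({f"127.0.0.{n}": "XBL" for n in range(4, 8)})


def dnsbl_query_name(ip: str, zone: str) -> str:
    """IPv4 DNSBL lookups query <reversed octets>.<zone>, e.g. 4.3.2.1.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)            # ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolve(name: str) -> List[str]:
    """Real resolver: A records for name, or [] when it does not exist (NXDOMAIN = not listed).

    Caveat: Spamhaus refuses queries relayed through large public resolvers; use
    your own recursive resolver when running this for real.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed answers so the example runs offline: 1.2.3.4 is "listed" by two zones,
# and 5.6.7.8 gets a bogus non-loopback reply that a correct checker must ignore.
FAKE_ANSWERS = {
    "4.3.2.1.zen.spamhaus.org": ["127.0.0.4"],
    "4.3.2.1.dnsbl-1.uceprotect.net": ["127.0.0.2"],
    "8.7.6.5.b.barracudacentral.org": ["10.0.0.1"],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


def check_dnsbls(ip: str, zones=DNSBL_ZONES,
                 resolve: Callable[[str], List[str]] = fake_resolve) -> Dict[str, str]:
    """Return {zone: "<answer> (<meaning>)"} for each zone listing ip; empty dict means clean."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    listed: Dict[str, str] = {}
    for zone in zones:
        for answer in resolve(dnsbl_query_name(ip, zone)):
            # Only 127.0.0.0/8 answers are listings; anything else is a wildcard or
            # sinkhole reply from a broken resolver and must not count as a hit.
            if ipaddress.IPv4Address(answer) not in loopback:
                continue
            meaning = ZEN_CODES.get(answer, "listed") if zone == "zen.spamhaus.org" else "listed"
            listed[zone] = f"{answer} ({meaning})"
            break
    return listed


if __name__ == "__main__":
    print(check_dnsbls("1.2.3.4"))                         # offline, constructed answers
    print(check_dnsbls("1.2.3.4", resolve=live_resolve))  # real DNS, needs network
```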

    1. Alan Brown

      Re: Fixes

      "although some of the large providers do have excellent heuristics and will be able to clamp down on your server with just a few hundred SPAM leaking."

      For known spam message bodies (SPAM is a trademark of Hormel), that clampdown can happen with quantities as low as one.

      If the same or substantially same message body is coming from multiple sources near-simultaneously, many large systems will quarantine the bulk of them and only release if the few let through don't get spamtagged by the recipient - plus BL the senders to boot (99% of spam senders are 0wned enduser boxes, not genuine mailservers).

      A few of the more whitehat outfits do the same thing for outbound mail (in that case it usually requires the NOC check messages and release the queue). That way they never contribute to the pollution problem in the first place. If more did that, spam wouldn't be such a problem.

  11. WibbleMe

    Limit emails per domain to X per hour, say 100; if it goes over this the server admin should get a warning message. You can do this on Linux.

    If you can, limit email ports to an IP (or IPs).

    Do a manual request; find out who is blacklisting you (http://mxtoolbox.com/blacklists.aspx), then you will probably have to fill in a form and wait something like 48 hours before being lifted.

    To prevent future problems use a different IP for email and/or website than your own server; I pay $5 a year per IP.

    Have you set up an SPF in your email's DNS?

    Consider using an email service like gmail apps, $3 a month per email account ("your domain as a gmail account").

    For non spam bulk email sending you can use a service like constant contact.

  12. Anonymous Coward

    Also aside from the ReturnPath stuff, since they specifically mentioned BrightMail.. check out the following link -

    http://goo.gl/3RoJ9l

    If the above article is correct, you should be able to get some headway by checking your IP on the BrightMail system, which you can do here -

    http://ipremoval.sms.symantec.com/lookup/

  13. Anonymous Coward

    MX record

    Do you have a DNS MX record for the domain name?

    Do you have a DNS PTR record for the domain name?

    Outlook (the site formerly known as MSN) (and others) do reverse and MX lookups against the sender domain, to see if it's got a full DNS record; it's trying to identify spammer domains, like any good email server should. If you haven't got either of those (MX and PTR) records your emails will be rejected. Not just by Outlook either, but by some other online mail account providers, like AOL for example.

  14. Anonymous Coward

    Thanks for all the replies!

    I should point out that not sending spam is good. Compromised account via an XP machine was the culprit, however. Not mine...

    mxtoolbox was my first port of call after emptying qmail queue, I dealt with those.

    Hotmail, after repeatedly sending email (spamming?) MS, it seems that my mail now goes through. Could have been a time set thing though.

    My current issue is that one of the domains in use is having trouble getting through to Gmail now, however, it doesn't affect all on that IP address, which I can't quite fathom.

    I appreciate all the help, people. Some really good pointers there and I have put them to use.

    FTR - comes back clean on all the posted links...so I am hoping that the 30 day rule is the only one which is causing an issue on some major providers!

    Anyhow - one thing I have learned from this is that some sort of mail use filter is a necessity if running your own mailservers, so if something starts to send an inordinate amount of email, then that account gets put on hold and the sysadmin alerted. You have to assume that a machine not in your control will get pwned at some point, possibly revealing mailserver passwords. Natch.

    Cheers for El Reg Editorial giving this a heads up, too...
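The "mail use filter" the OP lands on here (and the send-rate trigger asked about in the PS of the first post), as an added example rather than anything posted in the thread: a per-account sliding-window monitor over submission logs that puts an account on hold and raises an alert once it blows its message or recipient budget. The log line format, accounts, timestamps and limits are all constructed for the example, and the monitor is MTA-agnostic rather than a qmail hook.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample submission log (hypothetical format, not qmail's). Each line is
# one authenticated submission with its recipient count; bob's burst mimics a
# compromised account starting a run.
SAMPLE_LOG = """\
2014-01-17T22:00:01 submit auth=alice@example.com rcpts=1
2014-01-17T22:00:09 submit auth=bob@example.com rcpts=40
2014-01-17T22:00:12 submit auth=bob@example.com rcpts=45
2014-01-17T22:00:20 submit auth=bob@example.com rcpts=50
2014-01-17T22:01:30 submit auth=alice@example.com rcpts=2
2014-01-17T22:02:05 submit auth=bob@example.com rcpts=38
"""


def parse_line(line: str) -> Tuple[datetime, str, int]:
    """Split one log line into (timestamp, authenticated account, recipient count)."""
    ts, _event, auth, rcpts = line.split()
    return (datetime.fromisoformat(ts),
            auth.split("=", 1)[1],
            int(rcpts.split("=", 1)[1]))


class SendRateMonitor:
    """Sliding-window send-rate limiter keyed on the authenticated account.

    The account is put on hold the first time its submissions inside the window
    exceed either budget; every later submission from a held account is rejected
    until an admin clears it. The default budgets are example values: a human
    rarely sends more than 20 messages or 100 recipients in ten minutes.
    """

    def __init__(self, window: timedelta = timedelta(minutes=10),
                 max_messages: int = 20, max_recipients: int = 100) -> None:
        self.window = window
        self.max_messages = max_messages
        self.max_recipients = max_recipients
        self.history: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
        self.held: Dict[str, str] = {}      # account -> reason it was held
        self.alerts: List[str] = []         # what the sysadmin would be paged with

    def observe(self, ts: datetime, account: str, rcpts: int) -> str:
        """Record one submission and return "accept", "hold" or "reject"."""
        if account in self.held:
            return "reject"
        recent = self.history[account]
        recent.append((ts, rcpts))
        # Evict entries that have aged out of the window (log lines are time-ordered).
        while recent and recent[0][0] < ts - self.window:
            recent.popleft()
        messages = len(recent)
        recipients = sum(r for _, r in recent)
        reason: Optional[str] = None
        if messages > self.max_messages:
            reason = f"{messages} messages in {self.window}"
        elif recipients > self.max_recipients:
            reason = f"{recipients} recipients in {self.window}"
        if reason is None:
            return "accept"
        self.held[account] = reason
        self.alerts.append(f"{ts.isoformat()} HOLD {account}: {reason}")
        return "hold"


def process_log(text: str, monitor: Optional[SendRateMonitor] = None) -> List[Tuple[str, str]]:
    """Run every log line through the monitor; returns [(account, action), ...]."""
    monitor = monitor or SendRateMonitor()
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, rcpts = parse_line(line)
        results.append((account, monitor.observe(ts, account, rcpts)))
    return results


if __name__ == "__main__":
    mon = SendRateMonitor()
    for account, action in process_log(SAMPLE_LOG, mon):
        print(f"{action:<6} {account}")
    print("\n".join(mon.alerts))
```

With the sample log bob is held on his third submission (135 recipients in the window) and his fourth is rejected outright, while alice is never touched.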

  15. b166er

    Assign a different IP address to each domain hosted on your email server.

    Use SSL/TLS for SMTP and block port 25.

    But seriously, use the free Outlook.com or Google Apps for Business/Office 365 and save yourself the hassle. Running and maintaining an email server, unless it's purely for your own accounts or you're a masochist, is a waste of resources unless you're doing it on a very large scale.

    1. Anonymous Coward

      "But seriously, use the free Outlook.com or Google Apps for Business/Office 365 and save yourself the hassle. Running and maintaining an email server, unless it's purely for your own accounts or you're a masochist, is a waste of resources unless you're doing it on a very large scale."

      There's a part of me that agrees with that argument, but the flip side is the potential loss of knowledge engendered in everyone treating mail as a service, instead of a system to manage. When I look at 365, I see Exchange administration as a specialism swirling around the bowl. Many of the suggestions made in this thread were possible because of the experience gained by forum contributors managing their own mail systems, be that an SBS box on a small business network, or guys who maintain Postfix and Sendmail installations on an ISP scale.

      It's easy to say, "don't bother running your own host", but it's a potentially dangerous point of view.

    2. Trixr

      I thoroughly agree with the recommendation to use TLS. No client machine should be able to route SMTP straight to the interwebs.

      I'm looking at you, Comcast, and the only slightly-improved botnet you "inadvertently" host.

  16. Martijn Bakker

    The problem with "reputation based" lists is that they often use undisclosed and rather fuzzy criteria. And because they monitor behaviour over longer timespans, it tends to take a while before you're automatically delisted.

    In addition to everything mentioned above, it helps to look into the DNS configuration for your domain:

    - For some email systems, your mail is less likely to be classified as spam if the reverse lookup of your IP (i.e. 8.8.8.8) resolves to somewhere in your domain. Since the mailserver hosts multiple domains, this one is not possible.

    - For some email systems, your mail is less likely to be classified as spam if there is an A or MX record for the IP of your server (i.e. 8.8.8.8) in your domain.

    - Almost everyone uses SPF. Make sure to add an SPF record to your domain listing the sending server (i.e. 8.8.8.8) as a valid origin for mail from your domain.

    All of this will help make legitimate mail from your domain seem more credible.

    Obviously, you'd do well to also prevent future abuse. Implementing rate limits, requiring authentication for SMTP connections and limiting sending of emails to just those using email addresses in your domain should help a great deal.

    Qmail can't do this (well, I can't do it with qmail and the net is full of people who have tried and failed) and it's not actively maintained.

    I would recommend that you look at replacing it with postfix. Not because it's perfect, but it's pretty easy to configure and does support all of the above through simple configuration options.

  17. Anonymous Coward

    Not sure if this will help, but Spamhaus blocked my IP once (because of another machine at my ISP) and refused to remove it. Even when I contacted them, they refused to remove the block & said they would never remove it, so I complained to their upstream provider & threatened to include them in legal action.

    The block was removed a few days later.

    That trick should work with most of the RBLs..

  18. This post has been deleted by its author

  19. s. pam

    Do you have a SPF record in your DNS?

    Symantec and others look at billions of spams daily and the major component is NOT solely the IP address but the sender reputation AND the content as a component plus the IP.

    Their SW devices are very smart and there is a reason that they're top of the leagues due to the number of honeypots they run and SPF records are a way to get your reputation back up if you're not using them.

    An SPF record in your DNS is dead simple to add:

    Domain.com. 3600 IN TXT "v=spf1 mx ip4:1.2.3.4 a:mx.hosts.com a:sending.host.com ?all"

    I'll leave it to you to change the above, update your DNS serial number and let that run a few days.

  20. Anonymous Coward

    I should point out that spf records were already employed... Thanks though.

  21. Anonymous Coward

    Happens to us as well.

    (AC to protect my employer)

    As a major university, we often have students or staff who fall afoul of phishing and let their credentials out... and then we're used as a spam relay. Our IDS picks this up pretty quick, but usually tens of thousands of spam have already escaped, and the spammers start their runs at 10pm Friday night usually to make it harder.

    We keep a block of 8 IP addresses to move our mail servers between to get around this (hey, it's what the spammers do, so why should we suffer more than the jerks who are causing the problem?) and set off on the long process of getting the IP with the damaged reputation de-listed.

    Sadly, things like SPF, DKIM, and all the security configuration on your gateway are no help to prevent this, as the root issue is that one of your users let their credentials out. You can maybe block certain IP ranges from using your mail servers, but we can't as we have researchers all over the world who insist on access from airport WiFi and so on.

    We also get the other side of the problem, where people are emailing us and we drop their mail for a poor reputation score. We can't whitelist them for obvious reasons and we don't control the blacklists, so they have to wait for a couple of days until they come off of the list.

    1. Trixr

      Re: Happens to us as well.

      Are you using TLS on your email? And instead of allowing academics (yes, I know what they're like) to send SMTP (or even TLS) email via random devices on random networks, this is an excuse to install some kind of web interface to your mail and insist they use that only.

      If your institution is getting its mail dropped/delayed regularly because of the open slather approach, then you've got a pretty good business case for insisting that email either gets submitted via the web interface or managed devices only.

    2. b166er

      Re: Happens to us as well.

      You could insist they use a tunnel

  22. Jim Birch

    You could move your domains onto Google etc mail servers. You would become a secure source.

    IMHO this is an appropriate punishment for sending thousands of spams. The less unaccountable, poorly-managed mail servers on the planet the better.

  23. Shannon Jacobs
    Holmes

    Why don't we put the spammers out of business?

    Might sound like a rhetorical question, but we actually could do it--IF we only had better spammer-fighting tools. At least that applies to the rational spammers who are in it for the money. Basically it depends on one ratio: The number of people who feed the spammers (with money or information) is MUCH smaller than the number of people who hate spam. It is well known that the response rate of the suckers is on the order of 1 in a million. If only 1 in a thousand of the non-suckers helped out, then there would be 1,000 people blocking each sucker. I'm not saying we can eliminate ALL spam or turn the spammers into decent human beings. I'm just saying we can make spam much less profitable and that most of the sociopaths who send the spam (and who victimized the OP in this case) would crawl under less visible rocks.

    How? I think the best approach would be an integrated anti-spammer tool built into the major email systems. There would be several rounds of analysis to classify the spam and focus on the best countermeasures, ultimately targeting ALL of the spammers' infrastructure and accomplices, and helping and protecting ALL of the spammers' victims, even the Joe-jobbed corporations. Some spam fighters may even earn enough reputation to pull the triggers, though I doubt I'd ever reach that level. I'd be too prone to blast away at any likely spammer, but I could still help with the targeting even if I couldn't be trusted with the nukes.

    If the spammers can't target the biggies, then their entire so-called enterprise collapses. Insofar as the biggies would also profit from less spam in a more valuable Internet, I can't understand what is holding them back.

    1. Alan Brown Silver badge

      Re: Why don't we put the spammers out of business?

      "At least that applies to the rational spammers who are in it for the money. "

      Many of the people who hire spammers are duped into it and will never do it again.

      Unfortunately, as P.T. Barnum supposedly said, "There's a sucker born every minute."

      Cutting off connectivity to networks which host spammers or spammer resources is the most effective way of dealing with the problem, but such networks employ unwitting "human shields" who then scream bloody murder about being "picked on". My response: "It was cheap for a reason. You can always find another provider and the fact that you managed to email me shows you already found a way around the block. I'm not paid to do your due diligence, my duty is to protect MY clients and you're not one."

  24. The Dude
    Mushroom

    Microsoft blacklist

    One of my domains mysteriously became listed in Microsoft mail filter, after years of no trouble whatsoever. It wasn't in any other blacklists, there were no spammer hacks or any misbehaving mail users... a real mystery. I sent an email to Microsoft and they fixed it in less than a day.

    This is a vastly different mentality from Symantec, which has another of my domains blacklisted in their web filter - a "hate" site, they say. I went through the usual yaddayadda with them, got the blacklist reviewed, and they said they stick by their assessment (but never said why) and sent me email from their lawyers.

    Moral of the story: Microsoft will fix problems, Symantec will pay lawyers to avoid fixing problems.
