[mailop] antispam service recommendations?

2017-07-17 Thread Mark Jeftovic

Hi, we're looking for recommendations for an antispam service we can
layer in front of our hosted IMAP offering.


We've tried a few services so far and our testing has found serious
deficiencies.

Requirements:

* hosted or virtual appliance
* quarantine with management (auto-purge options)
* prefer content based filtering over RBLs, having serious
false-positive issues with RBLs - bonus for being able to enable/disable
individual RBLs by domain/user
* tag-only mode
* user defined white-lists
* anti-virus filters
* API
* white-labelling a plus but not a requirement

Any feedback, experiences, recommendations would be appreciated.

- mark

-- 
Mark Jeftovic 
Founder & CEO, easyDNS Technologies Inc.
http://www.easyDNS.com



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Properly vetting an hosting provider before buying/moving

2017-07-17 Thread Jay Hennigan

On 7/17/17 11:59 AM, Stefano Bagnara wrote:


> Please, show the data.. I take your "top 10 list from spamhaus" and I
> compare it with the top email senders (not spam, but email) from
> senderbase:
> https://www.talosintelligence.com/reputation_center/email_rep#top-senders-owner
> (sort by volume, desc).


That list shows the largest email senders, in order. Spam is a subset of 
email. As we know, it's a rather large subset. Huge unrepentant spam 
factories indeed generate a lot of email. As of now, Rede Brasileira de 
Comunicacao Ltda is number five on that list, right behind the two 
flavors of OVH. Locaweb Serviços de Internet S/A, also from Brazil, is 
number nine.


I seriously doubt that there is sufficient non-spam email coming from 
two Brazilian ISPs to make anywhere close to numbers five and nine on 
that list. Chronic abusers who send enough spam to make the top ten of 
that list are prolific abusers indeed, and should be dealt with accordingly.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV



Re: [mailop] Properly vetting an hosting provider before buying/moving

2017-07-17 Thread Brandon Long via mailop
On Mon, Jul 17, 2017 at 10:51 AM, Simon Forster wrote:

> On 17 Jul 2017, at 16:59, Stefano Bagnara  wrote:
>
> On 17 July 2017 at 16:57, Simon Forster  wrote:
>
>
> On 17 Jul 2017, at 13:28, Stefano Bagnara  wrote:
>
> Senderscore,
> senderbase, uce-protect, spamhaus, spamcop and other sources are not
> publishing information that declares OVH worse than other direct
> competitors in EU.
>
>
> 
>
> ovh.net at #9. Some of their listings are fairly obnoxious stuff which
> should be dealt with quickly.
>
> Summary: Spamhaus seems to be saying they’re quite bad.
>
>
> That page is a moving target and I rarely see OVH there, BTW, now that
> I look it I see
> #1 Microsoft
> #4 Amazon
> #9 Google
> #10 OVH
>
> So, it is clear to me that this is also about volume, so big
> legitimate senders ARE ALSO on the big spam sender list, or Google is
> a worse option than OVH. Is there anyone blocking Google or Microsoft
> network at all? ;-)
> Remember that OVH is one of the largest senders around, so it is
> expected to be there: that report is just "largest" not "worst". OVH
> is big, like Google and Microsoft and Amazon are big senders... If you
> see "non-big senders" in that list, then THEY are worst spammers, IMO.
>
> So, IMHO that report is not a report that lets us say OVH is worse than
> "Put your other ISP here", unless you think that "big == bad" and in
> that case OVH is in company with Microsoft and Google.
>
> PS #1 on the same page is Microsoft — but that looks more like someone
> finding a way to game their signup process to get snowshoe spamming set up
> on Microsoft's networks. IIRC, there’s a gang rotating around big providers
> doing this — so different… quality of problem.
>
>
> You don't "convince" me on the "poor microsoft is on that list by
> mistake because someone is tricking them... " neither: if the report
> is good then Microsoft is the worst provider and Amazon and Google are
> worse than OVH, too. Otherwise that report is not to be used for this
> reason.
> Do you have a "quality excuse" for Google and Amazon, too, so that
> they are not to be considered "worse than quite bad”?
>
>
> So there’s a misalignment of perspective here. Probably my fault ‘cause I
> was picking you up on one point in your original email.
>
> Let’s draw a distinction between “corporate” outbounds, where “corporate”
> outbounds are MTAs managed by the entity concerned, and hosting space.
> Think Gmail and Hotmail outbounds for “corporate” outbounds.
>
> OVH generally has a poor reputation as evinced by others — whether from
> corporate outbounds or just their (hosting) space, others will have to
> confirm.
>
> Microsoft, Google and Amazon are working hard to get bad reputations for
> their hosting space but I think it’s generally agreed that they do quite a
> good job managing spam from their corporate outbounds. Thing is though,
> Microsoft and Amazon display some indications that they care about abuse of
> their infrastructure — abuse on the hosting side. There seems to be some
> desire to fix the problems.
>

You included Google in one but not the other.  In any case, GCP blocks
outbound port 25 for GCE and doesn't have a mail service, so at least on
the hosting side, they've erred on the side of opting out of the issue.

https://cloud.google.com/compute/docs/tutorials/sending-mail/

I do find it interesting that we're on that list with 90 complaints in the
past 9 months.  10 complaints per month at our volumes is a pretty trivial
number, and probably not particularly representative of the actual volume
of spam that spammers manage to send through us, unfortunately.

Brandon


Re: [mailop] Properly vetting an hosting provider before buying/moving

2017-07-17 Thread Stefano Bagnara
On 17 July 2017 at 21:17, Eric Tykwinski  wrote:
> Of more interest to me is how is anyone proactively monitoring for spam?
> We have in place a lot of reactive methods, ie monitoring abuse boxes, FBLs, 
> and using Netflow/SiLK to track SMTP volume changes.
> I've never heard of anyone proxying all email out though, or do some 
> providers put in an SMTP block unless requested?

OVH does "sniff" port 25 traffic and applies VadeRetro scoring. If an
IP sends more than X suspect emails in a given time period then the IP
is automatically blocked from outgoing 25 port traffic.

So, OVH is one of the few "proactively tracking" outgoing smtp
traffic, but this has 2 defects:
1) doesn't track tls traffic.
2) VadeRetro does content filtering.. you don't know if a recipient
really wants (*solicited*) that viagra email or not (I hoped "word
based spam filtering" was already surpassed, otherwise you won't get
this email).

Reputation is the key, but it is hard to calculate/track a "trustable"
reputation in the "outgoing" because you'd need more "reaction data"
from receivers, more feedback. FBL are very good but they are mostly
B2C and they only tell part (a small part) of the story.

Stefano
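
The flow-based volume tracking (Netflow/SiLK) and the per-IP "more than X in a given time period" threshold discussed in this thread can be sketched as follows; this is an added example, not part of the thread and not any provider's actual system. The record layout, thresholds and addresses are assumptions constructed for illustration. Because it counts flows instead of inspecting content, it also sees sessions that use STARTTLS.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed customer address space (documentation prefix, not from the thread).
CUSTOMER_NET = ip_network("192.0.2.0/24")
WINDOW = 3600  # bucket size in seconds


def smtp_buckets(flows, net=CUSTOMER_NET, window=WINDOW):
    """Count outbound TCP/25 flows per customer IP and time bucket.

    flows: iterable of (epoch_ts, src, dst, dst_port, ip_proto) tuples.
    Returns {src: {bucket_start: (flow_count, distinct_destinations)}}.
    """
    raw = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for ts, src, dst, dport, proto in flows:
        if proto != 6 or dport != 25:
            continue  # not SMTP over TCP
        if ip_address(src) not in net or ip_address(dst) in net:
            continue  # keep only customer -> outside traffic
        cell = raw[src][ts - ts % window]
        cell[0] += 1
        cell[1].add(dst)
    return {src: {b: (c[0], len(c[1])) for b, c in per.items()}
            for src, per in raw.items()}


def flag_sources(buckets, current, window=WINDOW, history=24,
                 min_flows=50, ratio=5.0):
    """Flag IPs whose flow count in the `current` bucket is at least
    min_flows and more than `ratio` times the median of the previous
    `history` buckets. Returns (src, flows, destinations, baseline) rows."""
    flagged = []
    for src, per in buckets.items():
        now_flows, now_dsts = per.get(current, (0, 0))
        if now_flows < min_flows:
            continue
        past = [per.get(current - i * window, (0, 0))[0]
                for i in range(1, history + 1)]
        baseline = median(past)
        if now_flows > ratio * max(baseline, 1):
            flagged.append((src, now_flows, now_dsts, baseline))
    return sorted(flagged, key=lambda row: -row[1])


def constructed_flows(t0=1_500_249_600, hours=6):
    """Constructed sample: one steady mail server, one host that bursts."""
    flows = []
    for h in range(hours):
        start = t0 + h * WINDOW
        # Steady customer mail server: 60 flows/hour to 20 destinations.
        flows += [(start + i, "192.0.2.10",
                   str(ip_address("198.18.0.1") + i % 20), 25, 6)
                  for i in range(60)]
        # Quiet host: 2 flows/hour, then 400 distinct destinations at the end.
        n = 400 if h == hours - 1 else 2
        flows += [(start + i, "192.0.2.77",
                   str(ip_address("198.18.1.1") + i), 25, 6)
                  for i in range(n)]
    current = t0 + (hours - 1) * WINDOW
    # Heavy HTTPS traffic and inbound SMTP must not be counted.
    flows += [(current + i, "192.0.2.99", "198.18.2.1", 443, 6)
              for i in range(500)]
    flows.append((current, "198.18.3.1", "192.0.2.10", 25, 6))
    return flows, current


if __name__ == "__main__":
    sample, cur = constructed_flows()
    for row in flag_sources(smtp_buckets(sample), cur, history=5):
        print("suspect src=%s flows=%d dsts=%d baseline=%s" % row)
```

The steady mail server is not flagged despite sending more than `min_flows`, because the comparison is against its own history and not an absolute limit.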



Re: [mailop] Properly vetting an hosting provider before buying/moving

2017-07-17 Thread Eric Tykwinski
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Simon Forster
> Sent: Monday, July 17, 2017 10:57 AM
> To: Stefano Bagnara
> Cc: mailop
> Subject: Re: [mailop] Properly vetting an hosting provider before 
> buying/moving
>
> >  On 17 Jul 2017, at 13:28, Stefano Bagnara  wrote:
> >
> >  Senderscore,
> >  senderbase, uce-protect, spamhaus, spamcop and other sources are not
> >  publishing information that declares OVH worse than other direct
> >  competitors in EU.
>
>  
>
> ovh.net at #9. Some of their listings are fairly obnoxious stuff which should 
> be dealt with quickly.
>
>  Summary: Spamhaus seems to be saying they’re quite bad.
>
>  Simon
>  PS #1 on the same page is Microsoft — but that looks more like someone 
> finding a way to game their signup process to get snowshoe spamming set up on 
> Microsoft's networks. IIRC, there’s a gang rotating around big providers 
> doing this — so different… quality of problem.

Of more interest to me is how is anyone proactively monitoring for spam?
We have in place a lot of reactive methods, ie monitoring abuse boxes, FBLs, 
and using Netflow/SiLK to track SMTP volume changes.
I've never heard of anyone proxying all email out though, or do some providers 
put in an SMTP block unless requested?





Re: [mailop] Properly vetting an hosting provider before buying/moving

2017-07-17 Thread Michael Peddemors

On 17-07-17 11:21 AM, Michael Wise via mailop wrote:


> Looks like #1 is mostly Azure.
> Bringing this to certain peoples' attention now.
> ...
>
> Aloha,
> Michael.



At the same time, push them to implement an 'rwhois' server for the 
Microsoft IP space ;)  Or at least try to SWIP to what parts of the 
overall IP space are possibly designated for certain purposes..


NetRange:       23.96.0.0 - 23.103.255.255
CIDR:           23.96.0.0/13
NetName:        MSFT
NetHandle:      NET-23-96-0-0-1
Parent:         NET23 (NET-23-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS8075
Organization:   Microsoft Corporation (MSFT)
RegDate:        2013-06-18
Updated:        2013-06-18
Ref:            https://whois.arin.net/rest/net/NET-23-96-0-0-1


Out of that range, for instance, 23.97.128.0/17 is allocated for Azure..
Something like that could easily be SWIP'ed, however operating an 
internal 'rwhois' server would make day to day management a little simpler.


My two cents..

(yes, we already know about the published ranges via website)

But, based on our monitoring statistics, I would still say you are a 
long way from being number #1 ;)


I think that (link) is more about issues that haven't been responded to 
or addressed, rather than spam sources..





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada



Re: [mailop] btinternet.com blacklist

2017-07-17 Thread Tim Starr
An overall admirable response, keep up the good work. Just 2 questions:

1) Why not put TLDR at top?
2) Why allow email to be sent at all from "unmanaged servers"?

-Tim

On Mon, Jul 17, 2017 at 7:44 AM, Hetzner Blacklist wrote:

> I just got back from a 2 week holiday and have been reading this thread
> with a lot of interest. I thought I would respond and try to explain the
> situation from our perspective. I could write an entire essay on this,
> but I have tried to be as concise as possible, though it is still a wall
> of text.
>
> On 11.07.2017 at 13:00, Felix Schwarz wrote:
> > If I'm not mistaken also Hetzner's mail admins are reading this list so maybe
> > they can convince their management to do something about the bad reputation.
>
> Management was convinced over a year ago. Our internal abuse processing
> and handling was reviewed, and made stricter. I will admit that we used
> to be too lenient in that regard, but that is no longer the case (at
> least not intentionally).
>
> The results have been very encouraging. The leading blacklist and
> reputation providers that have easy network/ASN lookups show a decrease
> of at least 60% in “bad” IPs within our network within the last year.
> This applies to Spamhaus, SpamCop, SORBS, UCEPROTECT, Senderbase (now
> Talos Intelligence) and the Microsoft SNDS. The amount of abuse
> complaints we get has also decreased substantially. All of this, even
> though we are continually growing.
>
> I’ve been in contact with a number of people this past year and many of
> them have acknowledged that our network no longer deserves a bad
> reputation. However, I can fully understand that not everybody will
> agree, and I believe there are 3 main reasons for that.
>
> 1) Historical. I will be the first to admit that in the past we were too
> lenient with spam-handling, and there was more spam leaving our network
> than there should have been. This can mean that if somebody gets spam
> from our network today, they think "great, Hetzner hosting another
> spammer", even though the message was due to a compromised account (see
> point 2), and the overall amount of spam is much lower than it was
> historically.
>
> 2) Constant spam. Due to the nature of our business (IAAS provider), the
> fact is that there will always be a certain level of spam leaving our
> network. Brandon actually mentioned exactly this.
>
> On 10.07.2017 at 21:37, Brandon Long wrote:
> > They may not even be renting directly to spammers, but their users are
> > getting compromised and sending spam and other crap from their servers.  We
> > see clickbot and other fraud farming from those IP ranges as well.
> >
> > It is an unfortunate situation, and challenging, no doubt.
>
> We have over a million IP addresses, and the vast majority of those are
> allocated to unmanaged servers. Short of blocking all email
> communication from our network, there are always going to be customers
> sending emails, and thus there will always be some who send spam. Our
> job is to minimize that as much as possible. Anybody who has worked an
> abuse desk will know how hard that is, especially at an IAAS provider
> like ourselves.
>
> We don’t intentionally harbor any spammers, and any that manage to get
> through our checks (we block dozens of new orders a day) and start
> sending spam, are soon terminated. We have a few email marketers, but
> the vast majority of the spam leaving our network is from compromised
> accounts, for which we can do very little.
>
> 3) Perspective. As with so many things in life, what you think of
> something depends greatly on your point of view, and the assumptions and
> expectations you (sometimes subconsciously) bring along. If somebody
> assumes that there should be zero spam leaving our network, they will
> always be disappointed.
>
> I believe a perfect example of these different perspectives is found
> within this thread.
>
> On 11.07.2017 at 09:11, John Levine wrote:
> > Hetzner gushes spam, and I've had most of their
> > IP ranges totally blocked for years.
>
> On 13.07.2017 at 20:15, John Levine wrote:
> > Look for yourself:
> >
> > http://www.taugh.com/sp.php?c==78.47.0.0=78.47.255.255=puavppaxru
>
> First of all, thank you for that link John, I appreciate you sharing
> that information. It’s always good to have additional information about
> our network, and I will be checking that link regularly.
>
> I have no idea what assumptions John has, but the comment about
> “gushing” spam made me believe that the evidence would show a list of
> hundreds, if not thousands of IPs, sending spam every few days over the
> course of many months/years.
>
> What I see instead is almost exactly the opposite. This year (2017),
> there have been a total of 89 spam messages, from a mere 44 IPs (which
> currently belong to 44 separate customers of ours). These 44 IPs
> represent 0.00067% of the IPs in the /16 range (65,536 IPs total). None
> of the IPs sent spam regularly, 

Re: [mailop] Properly vetting an hosting provider before buying/moving

2017-07-17 Thread Stefano Bagnara
On 17 July 2017 at 19:51, Simon Forster  wrote:
> [...]
> But I digress. To an extent your point is fair enough. Big hosters are more
> likely to end up on the “worst” lists. However, there’s a qualitative
> element which is not so readily apparent. You can extrapolate it from some
> of the datasources if you want to but it’s not quite so easy as looking at a
> top 10 list.

I'm good at math.. give me some hints on how to extrapolate it. This
is the point of this thread. Everyone says OVH is bad.. I don't care if
OVH is good or bad (you may think I'm defending OVH, but in fact I had
a lot of issues not related to spam and I more often blamed them than
defended them in public.. so OVH is just a reference), but I'd like to
understand HOW, using public data, we can prove (or NOT) that. If we
can't prove that then anyone can tell whatever he prefers or whatever
gives him more profit.

> Also, there’s a number of big hosting outfits failing to make the list.
> Yeah, so maybe you do need to be a big hoster to get on some of these lists
> but comparatively, some of them do a poor job of managing abuse.

Please, show the data.. I take your "top 10 list from spamhaus" and I
compare it with the top email senders (not spam, but email) from
senderbase:
https://www.talosintelligence.com/reputation_center/email_rep#top-senders-owner
(sort by volume, desc).
You see talos put Microsoft as the largest sender, then we have Amazon
and then OVH with 2 different networks.
So, the 3 largest players are also in the "top 10 from spamhaus" and
this doesn't surprise me at all... this doesn't prove OVH is the worst
provider, nor that Microsoft or Google are worse than OVH.

Also "number of incidents" may not be the best scoring because not all
of spamhaus incidents have the same relevance.

> And some do a poor job and give every indication of not really caring that
> they’re doing a bad job.

I'm just asking how to read the public data (I've sampled senderscore,
senderbase, spamcop, spamhaus, sorbs, trendmicro, but feel free to add
new resources if I missed them) so I can check on my own that OVH is
worse than "put your hosting provider here".

I personally receive a lot of unsolicited email from well known
providers and their IP are "green" on many of those systems, but I
don't pretend that my tiny sample is statistically significant to
define good and bad senders, that's why I'd like to see more public
resources from big receivers, large spam traps owners, large spam
reporting platforms. At the same time I know there is always something
new to learn, so the data may be already there, and I hope someone
will point me there (the top 10 list in spamhaus is not THAT data, and
your "corporate"/"qualitative" argument is subjective until you bring
data supporting it).

Stefano



Re: [mailop] Properly vetting an hosting provider before buying/moving

2017-07-17 Thread Michael Wise via mailop

Looks like #1 is mostly Azure.
Bringing this to certain peoples' attention now.
...

Aloha,
Michael.
-- 
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting Tool ?

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Stefano Bagnara
Sent: Monday, July 17, 2017 9:00 AM
To: mailop 
Subject: Re: [mailop] Properly vetting an hosting provider before buying/moving

On 17 July 2017 at 16:57, Simon Forster  wrote:
>
> On 17 Jul 2017, at 13:28, Stefano Bagnara  wrote:
>
> Senderscore,
> senderbase, uce-protect, spamhaus, spamcop and other sources are not 
> publishing information that declares OVH worse than other direct 
> competitors in EU.
>
>
> <[...]spamhaus.org/statistics/networks/>
>
> ovh.net at #9. Some of their listings are fairly obnoxious stuff which 
> should be dealt with quickly.
>
> Summary: Spamhaus seems to be saying they’re quite bad.

That page is a moving target and I rarely see OVH there, BTW, now that I look 
it I see
#1 Microsoft
#4 Amazon
#9 Google
#10 OVH

So, it is clear to me that this is also about volume, so big legitimate senders 
ARE ALSO on the big spam sender list, or Google is a worse option than OVH. Is 
there anyone blocking Google or Microsoft network at all? ;-) Remember that OVH 
is one of the largest senders around, so it is expected to be there: that report 
is just "largest" not "worst". OVH is big, like Google and Microsoft and Amazon 
are big senders... If you see "non-big senders" in that list, then THEY are 
worst spammers, IMO.

So, IMHO that report is not a report that lets us say OVH is worse than "Put 
your other ISP here", unless you think that "big == bad" and in that case OVH 
is in company with Microsoft and Google.

> PS #1 on the same page is Microsoft — but that looks more like someone 
> finding a way to game their signup process to get snowshoe spamming 
> set up on Microsoft's networks. IIRC, there’s a gang rotating around 
> big providers doing this — so different… quality of problem.

You don't "convince" me on the "poor microsoft is on that list by mistake 
because someone is tricking them... " neither: if the report is good then 
Microsoft is the worst provider and Amazon and Google are worse than OVH, too. 
Otherwise that report is not to be used for this reason.
Do you have a "quality excuse" for Google and Amazon, too, so that they are not 
to be considered "worse than quite bad"?

Stefano



Re: [mailop] Properly vetting an hosting provider before buying/moving

2017-07-17 Thread Simon Forster
> On 17 Jul 2017, at 16:59, Stefano Bagnara  wrote:
> 
> On 17 July 2017 at 16:57, Simon Forster wrote:
>> 
>> On 17 Jul 2017, at 13:28, Stefano Bagnara  wrote:
>> 
>> Senderscore,
>> senderbase, uce-protect, spamhaus, spamcop and other sources are not
>> publishing information that declares OVH worse than other direct
>> competitors in EU.
>> 
>> 
>> 
>> 
>> ovh.net at #9. Some of their listings are fairly obnoxious stuff which
>> should be dealt with quickly.
>> 
>> Summary: Spamhaus seems to be saying they’re quite bad.
> 
> That page is a moving target and I rarely see OVH there, BTW, now that
> I look it I see
> #1 Microsoft
> #4 Amazon
> #9 Google
> #10 OVH
> 
> So, it is clear to me that this is also about volume, so big
> legitimate senders ARE ALSO on the big spam sender list, or Google is
> a worse option than OVH. Is there anyone blocking Google or Microsoft
> network at all? ;-)
> Remember that OVH is one of the largest senders around, so it is
> expected to be there: that report is just "largest" not "worst". OVH
> is big, like Google and Microsoft and Amazon are big senders... If you
> see "non-big senders" in that list, then THEY are worst spammers, IMO.
> 
> So, IMHO that report is not a report that lets us say OVH is worse than
> "Put your other ISP here", unless you think that "big == bad" and in
> that case OVH is in company with Microsoft and Google.
> 
>> PS #1 on the same page is Microsoft — but that looks more like someone
>> finding a way to game their signup process to get snowshoe spamming set up
>> on Microsoft's networks. IIRC, there’s a gang rotating around big providers
>> doing this — so different… quality of problem.
> 
> You don't "convince" me on the "poor microsoft is on that list by
> mistake because someone is tricking them... " neither: if the report
> is good then Microsoft is the worst provider and Amazon and Google are
> worse than OVH, too. Otherwise that report is not to be used for this
> reason.
> Do you have a "quality excuse" for Google and Amazon, too, so that
> they are not to be considered "worse than quite bad”?


So there’s a misalignment of perspective here. Probably my fault ‘cause I was 
picking you up on one point in your original email.

Let’s draw a distinction between “corporate” outbounds, where “corporate” 
outbounds are MTAs managed by the entity concerned, and hosting space. Think 
Gmail and Hotmail outbounds for “corporate” outbounds.

OVH generally has a poor reputation as evinced by others — whether from 
corporate outbounds or just their (hosting) space, others will have to confirm.

Microsoft, Google and Amazon are working hard to get bad reputations for their 
hosting space but I think it’s generally agreed that they do quite a good job 
managing spam from their corporate outbounds. Thing is though, Microsoft and 
Amazon display some indications that they care about abuse of their 
infrastructure — abuse on the hosting side. There seems to be some desire to 
fix the problems.

The reality is that the conversation increasingly is moving away from a pure 
“spam” discussion to broader “badness” indicators — which is why we talk about 
IP and domain reputation rather than simple spam metrics.

But I digress. To an extent your point is fair enough. Big hosters are more 
likely to end up on the “worst” lists. However, there’s a qualitative element 
which is not so readily apparent. You can extrapolate it from some of the 
datasources if you want to but it’s not quite so easy as looking at a top 10 
list.

Also, there’s a number of big hosting outfits failing to make the list. Yeah, 
so maybe you do need to be a big hoster to get on some of these lists but 
comparatively, some of them do a poor job of managing abuse.

And some do a poor job and give every indication of not really caring that 
they’re doing a bad job.

Simon


Re: [mailop] Properly vetting an hosting provider before buying/moving

2017-07-17 Thread Stefano Bagnara
On 17 July 2017 at 16:57, Simon Forster  wrote:
>
> On 17 Jul 2017, at 13:28, Stefano Bagnara  wrote:
>
> Senderscore,
> senderbase, uce-protect, spamhaus, spamcop and other sources are not
> publishing information that declares OVH worse than other direct
> competitors in EU.
>
>
> 
>
> ovh.net at #9. Some of their listings are fairly obnoxious stuff which
> should be dealt with quickly.
>
> Summary: Spamhaus seems to be saying they’re quite bad.

That page is a moving target and I rarely see OVH there, BTW, now that
I look it I see
#1 Microsoft
#4 Amazon
#9 Google
#10 OVH

So, it is clear to me that this is also about volume, so big
legitimate senders ARE ALSO on the big spam sender list, or Google is
a worse option than OVH. Is there anyone blocking Google or Microsoft
network at all? ;-)
Remember that OVH is one of the largest senders around, so it is
expected to be there: that report is just "largest" not "worst". OVH
is big, like Google and Microsoft and Amazon are big senders... If you
see "non-big senders" in that list, then THEY are worst spammers, IMO.

So, IMHO that report is not a report that lets us say OVH is worse than
"Put your other ISP here", unless you think that "big == bad" and in
that case OVH is in company with Microsoft and Google.

> PS #1 on the same page is Microsoft — but that looks more like someone
> finding a way to game their signup process to get snowshoe spamming set up
> on Microsoft's networks. IIRC, there’s a gang rotating around big providers
> doing this — so different… quality of problem.

You don't "convince" me on the "poor microsoft is on that list by
mistake because someone is tricking them... " neither: if the report
is good then Microsoft is the worst provider and Amazon and Google are
worse than OVH, too. Otherwise that report is not to be used for this
reason.
Do you have a "quality excuse" for Google and Amazon, too, so that
they are not to be considered "worse than quite bad"?

Stefano



Re: [mailop] btinternet.com blacklist

2017-07-17 Thread Simon Forster

> On 17 Jul 2017, at 14:44, Hetzner Blacklist  wrote:
> 
> I’ve been in contact with a number of people this past year and many of
> them have acknowledged that our network no longer deserves a bad
> reputation. However, I can fully understand that not everybody will
> agree, and I believe there are 3 main reasons for that.
> 
> 1) Historical. I will be the first to admit that in the past we were too
> lenient with spam-handling, and there was more spam leaving our network
> than there should have been. This can mean that if somebody gets spam
> from our network today, they think "great, Hetzner hosting another
> spammer", even though the message was due to a compromised account (see
> point 2), and the overall amount of spam is much lower than it was
> historically.

We talk about IP reputation.

We talk about domain reputation.

Marketing talks about brand reputation.

You’ve got to work at it to get a good reputation. And on the flip side, it’s 
darned difficult to get rid of a bad one.

Bastiaan, another year or two of good work and you may overcome people’s 
perceptions.

Point here being that it’s hard (expensive) to reposition a brand. So for all 
the guys doing it right, keep at it as the commercial side will not like it if 
you end up with a bad reputation. Short term benefit may be good but longer 
term, not so much so.

Simon


Re: [mailop] Properly vetting an hosting provider before buying/moving

2017-07-17 Thread Simon Forster

> On 17 Jul 2017, at 13:28, Stefano Bagnara  wrote:
> 
> Senderscore,
> senderbase, uce-protect, spamhaus, spamcop and other sources are not
> publishing information that declares OVH worse than other direct
> competitors in EU.

>

ovh.net  at #9. Some of their listings are fairly obnoxious 
stuff which should be dealt with quickly.

Summary: Spamhaus seems to be saying they’re quite bad.

Simon


PS #1 on the same page is Microsoft — but that looks more like someone finding 
a way to game their signup process to get snowshoe spamming set up on 
Microsoft's networks. IIRC, there’s a gang rotating around big providers doing 
this — so different… quality of problem.


Re: [mailop] btinternet.com blacklist

2017-07-17 Thread Hetzner Blacklist
I just got back from a 2 week holiday and have been reading this thread
with a lot of interest. I thought I would respond and try to explain the
situation from our perspective. I could write an entire essay on this,
but I have tried to be as concise as possible, though it is still a wall
of text.

On 11.07.2017 at 13:00, Felix Schwarz wrote:
> If I'm not mistaken also Hetzner's mail admins are reading this list so maybe
> they can convince their management to do something about the bad reputation.

Management was convinced over a year ago. Our internal abuse processing
and handling was reviewed, and made stricter. I will admit that we used
to be too lenient in that regard, but that is no longer the case (at
least not intentionally).

The results have been very encouraging. The leading blacklist and
reputation providers that have easy network/ASN lookups show a decrease
of at least 60% in “bad” IPs within our network within the last year.
This applies to Spamhaus, SpamCop, SORBS, UCEPROTECT, Senderbase (now
Talos Intelligence) and the Microsoft SNDS. The amount of abuse
complaints we get has also decreased substantially. All of this, even
though we are continually growing.

I’ve been in contact with a number of people this past year and many of
them have acknowledged that our network no longer deserves a bad
reputation. However, I can fully understand that not everybody will
agree, and I believe there are 3 main reasons for that.

1) Historical. I will be the first to admit that in the past we were too
lenient with spam-handling, and there was more spam leaving our network
than there should have been. This can mean that if somebody gets spam
from our network today, they think "great, Hetzner hosting another
spammer", even though the message was due to a compromised account (see
point 2), and the overall amount of spam is much lower than it was
historically.

2) Constant spam. Due to the nature of our business (IAAS provider), the
fact is that there will always be a certain level of spam leaving our
network. Brandon actually mentioned exactly this.

Am 10.07.2017 um 21:37 schrieb Brandon Long:
> They may not even be renting directly to spammers, but their users are
> getting compromised and sending spam and other crap from their servers.  We
> see clickbot and other fraud farming from those IP ranges as well.
>
> It is an unfortunate situation, and challenging, no doubt.

We have over a million IP addresses, and the vast majority of those are
allocated to unmanaged servers. Short of blocking all email
communication from our network, there are always going to be customers
sending emails, and thus there will always be some who send spam. Our
job is to minimize that as much as possible. Anybody who has worked an
abuse desk will know how hard that is, especially at an IAAS provider
like ourselves.

We don’t intentionally harbor any spammers, and any that manage to get
through our checks (we block dozens of new orders a day) and start
sending spam, are soon terminated. We have a few email marketers, but
the vast majority of the spam leaving our network is from compromised
accounts, for which we can do very little.

3) Perspective. As with so many things in life, what you think of
something depends greatly on your point of view, and the assumptions and
expectations you (sometimes subconsciously) bring along. If somebody
assumes that there should be zero spam leaving our network, they will
always be disappointed.

I believe a perfect example of these different perspectives is found
within this thread.

Am 11.07.2017 um 09:11 schrieb John Levine:
> Hetzner gushes spam, and I've had most of their
> IP ranges totally blocked for years.

Am 13.07.2017 um 20:15 schrieb John Levine:
> Look for yourself:
>
> http://www.taugh.com/sp.php?c==78.47.0.0=78.47.255.255=puavppaxru

First of all, thank you for that link John, I appreciate you sharing
that information. It’s always good to have additional information about
our network, and I will be checking that link regularly.

I have no idea what assumptions John has, but the comment about
“gushing” spam made me believe that the evidence would show a list of
hundreds, if not thousands of IPs, sending spam every few days over the
course of many months/years.

What I see instead is almost exactly the opposite. This year (2017),
there have been a total of 89 spam messages, from a mere 44 IPs (which
currently belong to 44 separate customers of ours). These 44 IPs
represent 0.00067% of the IPs in the /16 range (65,536 IPs total). None
of the IPs sent spam regularly, and all of them stopped within a few
days. 99.99933% of IPs did not send spam.

To me, this is a clear sign that we are doing a good job. Yes, there is
a “trickle” of spam, and I would dearly love to completely cut that out,
but as mentioned above, that is unrealistic. We are trying to minimize
the amount of spam, and I believe this shows we are doing exactly that.

Now, I’m biased, and I’m obviously going to defend the 

Re: [mailop] Properly vetting an hosting provider before buying/moving

2017-07-17 Thread Stefano Bagnara
On 17 July 2017 at 07:01, Philip Paeps  wrote:
> Following this discussion a couple of weeks ago, I've been keeping track.
>
> Last week, about 55% of spam I received either came from OVH or advertised
> webpages hosted on OVH servers.  Second place spammer was 1and1, online.net
> was in third place.

Isn't this "normal" when OVH is one of the biggest providers? It should
also be the one with the most legitimate email, shouldn't it?
According to 
https://www.talosintelligence.com/reputation_center/email_rep#top-senders-owner
the OVH network originates much more email (8.2+8.1 mag) than 1and1 (7.6
mag).
If you sort by "domains" you can even see OVH is by far the largest
player with "different domains" because they have a LOT of customers.
UCE-protect says OVH have 2 million IPs. 1&1 half a million IPs.

Let's pretend OVH tomorrow is split in 10 smaller providers, then they
will send you only "5%" of your spam.. Would this improve things?
Would they be 10 better providers?

BTW:
- 55% sounds unrealistic to me and to my logs, unless you are only
counting something that has been already filtered by bot-net traffic
or by another antispam filter: what's the case?
- So, don't you receive spam from any of the networks Senderbase
declares "top spam senders"
https://www.talosintelligence.com/reputation_center/email_rep#spam-owner-senders
 or UCE-protect declares as "spammerheavens":
http://www.uceprotect.net/en/rblcheck.php or again
https://www.spamhaus.org/statistics/botnet-asn/ ?
- What is the total number for this 55% and how has "Spam" been classified?
- What is the percentage of legitimate email you received from OVH,
1and1, online.net ?

> Most of the spam was sent to spamtraps in the form of
> .  Probably spammers
> going through a dictionary of local parts and domains.
>
> One week of data is statistically probably not very interesting but it does
> raise my doubts about how effective OVH's policies are...

They simply use "Vaderetro" sniffing traffic.. so they can't really
know if something is unsolicited or not, unless they get
feedback/reports (only the sender and the recipient know this, the
sending host and the receiving host only can analyze the data received
by the other 2 parties.. and you know that the sending host will be
the least "informed" of the 4 parties). They can simply try to guess
based on the content (and urls, of course). And we all know that
content filtering is not so effective with most spam.

I understand most hosting providers hate OVH because it is cheap and
big, so it is the "enemy" (the competitor disrupting the market), but
I think the argument against OVH supporting spammers should/could be
"proved" by public numbers in order to be "strong". Senderscore,
senderbase, uce-protect, spamhaus, spamcop and other sources are not
publishing information that declares OVH worse than other direct
competitors in the EU. At least nothing my eyes can read between the
lines..

The point is:
- Are those public "reputation providers" or "public blacklists"
completely wrong? If so, why do people keep using them for their
filtering or referencing them?
- If they are right, how can we read their data and understand how
Provider A compares to Provider B according to "reputation" and
deliverability issues?

Stefano

--
Stefano Bagnara
Apache James/jDKIM/jSPF
VOXmail/Mosaico.io/VoidLabs
