Re: [swinog] IronPort E-Mail Reputation

2010-06-23 Discussion threads Gregory Agerba
Patrick,

Obviously Italy and Germany are not too exotic, according to my
location, but they might be for people in Thailand... :-)

To get you started quickly:

4) Loopback

AOL
http://postmaster.info.aol.com/

MSN/Hotmail
http://postmaster.msn.com/Services.aspx#SenderSolutions

Yahoo
http://feedbackloop.yahoo.net/

Verizon
http://www2.verizon.net/micro/whitelist/request_form.asp?id=isp

8) Follow-up reputation lists

Fortinet
http://www.fortiguard.com/antispam/antispam.html#spamlookup

BarracudaCentral
http://www.barracudacentral.org/lookups

Cisco/Ironport
http://www.senderbase.org/

Spamcop
http://spamcop.net/bl.shtml

Spamhaus BL
http://www.spamhaus.org/lookup.lasso

Your main issue is to avoid sending spam as much as possible, but most of
all, make sure that you do not get blacklisted; then playing with IPs and
routing each ISP through a different IP will allow you to quickly fix this, if
each IP has a proper record. When a spam occurs and you get feedback or
find the origin, you simply route it through the IP of the other ISP, and thus
what is blacklisted at Gmail won't be at Hotmail or Yahoo, and you just
rotate them. It only makes sense to do this after you have found the root
cause and fixed it :-)

Gregory



Re: [swinog] IronPort E-Mail Reputation

2010-06-23 Discussion threads Patrick Studer
Hi Gregory

Thanks for your advice.

Since we don't want to send masses of mails (except some newsletters with about
50-100 addresses, which I will not declare as mass mails), the first 3 points
are perhaps overkill for us.

4) I'll check for it.
5) These are set up correctly.
6) Since the spammer didn't reconnect from the same IP, this would not help. The
spammer connected every time from another IP and just sent out a few
(20-30) mails, which looks almost normal to the mail server.
6 II) We will check if we can implement something like this, which will send
an alert to us.
7) As Rainer has written, I also think that the password has been stolen or
tracked by some kind of Trojan. So, strong passwords will not help here.
8) What do you mean when you say follow up the other reputation systems???
9) Since this only happened one time in some years, I prefer something like 6 II).

Blocking port 25 would be that fine. Our customers have contacts over the whole
world, so blocking port 25 would be a solution. And some of the connections were
coming from Italy or Germany, so that will not even help (IMHO these aren't
exotic countries ;-).

Kind Regards

Patrick
 
 
___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


Re: [swinog] IronPort E-Mail Reputation

2010-06-23 Discussion threads rainer
> 7) Educate your users for strong passwords.

This is useful (info/info anybody...?).
But nowadays, most credentials get actively stolen by trojans, however
strong they are.

The problem is the original backdoor/virus infection.
Which leads us back to square one of the spam problem: users.



Rainer




Re: [swinog] IronPort E-Mail Reputation

2010-06-23 Discussion threads Gregory Agerba
Hi Patrick,

From my past experience delivering very often very big newsletters...

Some advice to deliver masses of mails:

1) Distribute your email out of 4-5 virtual interfaces (like Exim would let
you do) and rotate them every x hours and/or randomly.
2) Use different domain names, not only FQDNs (this is what
mailchimp.com does to distribute their millions of emails).
3) Use specific IPs for specific large domains, like Gmail, Yahoo, Hotmail,
and rotate them every once in a while.
4) Sign up for a loopback feed and monitor the complaint box constantly. Yahoo
and such big ones got that for free.
5) Ensure you have proper RDNS, SPF and DKIM set up.
6) Use iptables and custom rulesets to block above a certain amount of SMTP
connections per host on port 25/587.
6) Count the average outgoing emails you send a day / per hour, put some cron
that greps/cats/wcs the logs, with a threshold that triggers alarms.
7) Educate your users for strong passwords.
8) Follow up the other reputation systems like Cisco, Barracuda, Fortinet,
etc.
9) Use a dedicated IP for strange or doubtful clients.
10) Mind shared IPs.

You can also block port 25 from exotic countries that you do not expect to
send you emails, but they are a liability and it's quite mean.

Gregory




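Gregory's two item 6 suggestions (per-host connection limits and a cron job that counts the logs and alarms on a threshold) and Patrick's observation that the spammer used a fresh IP for every batch of 20-30 mails point to counting per account rather than per client host. The following is an added example, not code from anyone in this thread; it assumes Postfix-style smtpd log lines carrying sasl_username (the sample lines are constructed) and the thresholds are arbitrary starting values.

```python
"""Per-account SMTP AUTH anomaly check, for a cron job over the day's mail log.

Assumed log format (an assumption, not from the thread): Postfix smtpd lines
that carry sasl_username. Syslog lines have no year, so the caller supplies it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=[^\[]*\[(?P<ip>[^\]]+)\], sasl_method=\w+, "
    r"sasl_username=(?P<user>\S+)"
)

# Constructed sample: one account used from six addresses within ten minutes
# (the pattern Patrick describes) next to a normal user on a single address.
SAMPLE_LOG = """\
Jun 18 23:01:10 mx1 postfix/smtpd[4711]: A1B2C3: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=sales@example.com
Jun 18 23:02:40 mx1 postfix/smtpd[4712]: A1B2C4: client=unknown[198.51.100.17], sasl_method=LOGIN, sasl_username=sales@example.com
Jun 18 23:03:05 mx1 postfix/smtpd[4713]: A1B2C5: client=mail.example.net[192.0.2.20], sasl_method=PLAIN, sasl_username=bob@example.com
Jun 18 23:04:12 mx1 postfix/smtpd[4714]: A1B2C6: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=sales@example.com
Jun 18 23:05:50 mx1 postfix/smtpd[4715]: A1B2C7: client=unknown[198.51.100.201], sasl_method=LOGIN, sasl_username=sales@example.com
Jun 18 23:07:31 mx1 postfix/smtpd[4716]: A1B2C8: client=unknown[203.0.113.140], sasl_method=LOGIN, sasl_username=sales@example.com
Jun 18 23:08:02 mx1 postfix/smtpd[4716]: disconnect from unknown[203.0.113.140]
Jun 18 23:09:15 mx1 postfix/smtpd[4717]: A1B2C9: client=mail.example.net[192.0.2.20], sasl_method=PLAIN, sasl_username=bob@example.com
Jun 18 23:10:44 mx1 postfix/smtpd[4718]: A1B2D0: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=sales@example.com
"""


def parse_auth_events(log_text, year=2010):
    """Return [(timestamp, account, client_ip)] for every authenticated session."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unauthenticated connections, disconnects, queue lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_abused_accounts(events, window_minutes=60, max_ips=5, max_sessions=30):
    """Return {account: (distinct_ips, sessions)} for accounts whose busiest
    sliding window crosses either threshold. Counting per account, not per
    client host, is what catches one login being driven from many IPs."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, sessions in by_user.items():
        sessions.sort()
        worst, start = (0, 0), 0
        for end, (ts_end, _) in enumerate(sessions):
            while ts_end - sessions[start][0] > window:
                start += 1  # drop sessions older than the window
            chunk = sessions[start:end + 1]
            worst = max(worst, (len({ip for _, ip in chunk}), len(chunk)))
        if worst[0] >= max_ips or worst[1] >= max_sessions:
            flagged[user] = worst
    return flagged


def alert_lines(flagged):
    """One line per flagged account, suitable for cron to mail to the admins."""
    return [f"ALERT {user}: {ips} client IPs, {n} AUTH sessions within window"
            for user, (ips, n) in sorted(flagged.items())]


if __name__ == "__main__":
    for line in alert_lines(find_abused_accounts(parse_auth_events(SAMPLE_LOG))):
        print(line)
```

A per-host rule such as Gregory's iptables suggestion sees each of the six addresses only once and stays silent, while the per-account count fires on the fifth distinct IP.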


Re: [swinog] IronPort E-Mail Reputation

2010-06-23 Discussion threads Patrick Studer
Hi Mickey

That is what we are already thinking about, to implement a second server on a
different IP. On the other hand, I don't think that's the way I want to go.

Since this is the first time within some years, I will check if there is
another way to solve this issue.

Kind Regards

Patrick Studer

X-NetConsulting GmbH
Grosspeterstrasse 21
CH-4052 Basel
Switzerland
Internet: http://www.x-netconsulting.ch
E-Mail: p.stu...@x-netconsulting.ch
Phone: +41 61 315 85 55
Fax: +41 61 315 85 59
 


Re: [swinog] IronPort E-Mail Reputation

2010-06-23 Discussion threads Robert Bertschinger
Patrick, 

As I'm travelling, I will contact you shortly by phone. However, I will respond to
some of your points by e-mail later as well.

Rgds
Robert





Robert Bertschinger
rob...@bertschinger.net


Sent from my BlackBerry® device



Re: [swinog] IronPort E-Mail Reputation

2010-06-23 Discussion threads Mickey Coggins
Hi Patrick,

My suggestion is to have a pool of IP addresses you can use for your mail
servers so that when this happens, you can change the DNS entries and simply
stop using the IP address(es) with the bad reputation.

I have been told that this is what most of the "big boys" like MessageLabs
do.

Trying to get all the "reputation services" to see you as a good guy again
is really painful, and sometimes expensive.

Just don't forget to have a valid forward/reverse DNS entry for all your
mail servers.

Regards,
Mickey


-- 
Mickey Coggins



[swinog] IronPort E-Mail Reputation

2010-06-23 Discussion threads Patrick Studer
Hi

Some days ago, an account on our mail server was misused
to send out some thousand spam mails.

This could happen because the spammer who misused the account
logged in from different IPs (botnet?) over the whole world. Every time he
successfully (SMTP) authenticated, he sent out a couple of mails
(about 20-30). Then he disconnected and reconnected after 1-2 minutes
from another IP and sent again some 20-30 mails. This went on
for some hours, which generated some thousand SPAM mails.

Since this started Friday night and was just discovered yesterday, we
were listed on one blacklist. We changed the password of the misused account
and removed our server from this blacklist.

We were already happy that it was just that simple, but we were
too fast.

We then got complaints that some mail systems still block our mail server. After
some investigation, we found out that these mail systems or mail gateways are
based on Cisco IronPort. First of all, this system didn't respond with a
clear response (something like "5.7.1 Your access to submit messages to this
e-mail system has been rejected" isn't really helpful for a mail admin to
find out why his email gets blocked.)

After we found out that all these boxes are IronPort boxes, we were pointed
to www.senderbase.org. But this site isn't very helpful. You can find
out that your mail server has a bad email reputation, but that's it. A
link to SpamCop on the webpage isn't helpful either, since we aren't listed
in their blacklist.

The only e-mail address on the webpage seems not to be the contact for
when you have a bad e-mail reputation.

We thought perhaps the score would fall over 24 hours, but that's
not the case.

So, we tried to get some help from the Cisco IronPort support. Their
answer wasn't very helpful either. They told us that senderbase.org
is a completely different company and they don't have any contact, and
we should try their website www.senderbase.org. Otherwise, if we don't
have an IronPort box, they will not help us.

Now, the question is, what can we do to get our mails delivered to
these IronPort boxes?

We really take care to do everything against being used for spamming and to
be known as a good source for mails (SPF, DKIM, SMTP-AUTH,
tarpitting, etc. etc.).

We think that this reputation system isn't that great. We have one
issue and get blocked for several days (or weeks) without an option
to take care of the situation.

Any help or suggestion would be appreciated!

Kind Regards

Patrick Studer
