Just a little "me too" here .. you're very right to be concerned
about this kind of thing. This happened to us twice (once with an
inbound gateway server, and once with a primary POP box). It was
nothing short of devastating until we realized what was going on, and
we spent a lot of time recovering the damage. Once we let them know
what was happening, Pete was quick to add a whitelist entry into
their system, and it didn't happen again (until the second time). All
in all, I'm not overly concerned about it happening again, but if we
ever changed the IPs of those two boxes, I'd certainly have him
update the whitelist.
Just my 2 cents,
Jonathan
At 11:31 PM 10/13/2005, you wrote:
On Wednesday, October 12, 2005, 6:30:45 PM, William wrote:
WVH> Pete,
WVH> Was just wondering, I have all of my e-mail pass through an
IMGate/Postfix
WVH> machine prior to hitting my main mail server. Sometimes, e-mail
(especially
WVH> spam) gets forwarded from the secondary MX as well. If we use
the POP method
WVH> of redirecting spam to an appropriate mailbox are you just going to be
WVH> scanning the messages for content, or inspecting the headers for IP
WVH> information as well?
We will inspect all parts of the messages manually and with automated
tools. This is true of all spam that arrives at our system no matter
how it gets there.
WVH> Reason I'm asking is, I just want to make sure that one of my own servers
WVH> doesn't end up included in some type of blacklist rule. It seems like it
WVH> would take an awful lot of work on your part to ensure that any filters
WVH> don't contain IPs of one of your customer's machines, if you are scanning
WVH> header information. When you throw-in the fact that the redirect may come
WVH> from the client of an entirely different network with no link
whatsoever to
WVH> our DNS records, that would seem to make taking any header information
WVH> (except maybe the Subject or From lines) into account a very risky
WVH> proposition. Thanks!!!
Actually, we can often be very precise about the routing of messages
pulled from pop accounts.
That said, there is always a non-zero risk that an IP which is listed
in certain black lists and also arrives at one of our traps may be
added to our rulebase. This is almost always an automated process
since we have determined that manually entered IPs are prone to
errors.
If an IP on one of your servers does get tagged, then you would be
able to use to rule-panic procedure for immediate relief and once the
problem was solved it could not be recreated.
Part of our system is that it remembers every mistake we ever made and
prevents us making that same mistake again --- unless we're really,
really determined ;-)
Understand, I'm not making light of this possibility... we take all
false positive cases (real or imagined) very seriously. I do want to
point out that these cases are rare, easily solved, and nearly
impossible to repeat. I should also point out that this "risk" is not
increased by using the pop3 method.
Hope this helps,
_M
This E-Mail came from the Message Sniffer mailing list. For
information and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
