Reputation-based Antispam – Is it flawed?

Posted bysalubrium Leave a comment on Reputation-based Antispam – Is it flawed?

I hate spam, it’s the needless bane of my existence. Spam, spammers and Microsoft vulnerabilities are the scourge of the internet. I spend way more time trying to stop spam than I want to. It’s not like it’s exciting work or anything.

Anyway, onto the story. A mail server that I administer recently started getting a lot of bounced messages from some Major  ISP’s  here in Australia.  I try to telnet to port 25 to send a test email via command line to see what the deal is and I get:

telnet filter.iinet.net.au 25
Trying 203.0.178.192…
Connected to filter.iinet.net.au (203.0.178.192).
Escape character is ‘^]’.
554 iinet-mail.icp-qv1-irony3.iinet.net.au
Connection closed by foreign host.

That’s very bad, not good. Why? Why is it so bad? This server that just dropped my smtp connection ‘like it just don’t care’ is an Antispam Email Appliance called Ironport. Ironport runs some antispam software called Brightmail. Brightmail was taken over by Symantec (so it will probably be no good for anything soon). Ironport / Brightmail is / was aimed at ISP’s from the very beginning and so there’s a LOT of implementations out there, which for me means *BANG* suddenly my users can’t send to a lot of ISP’s out there, and of course, a lot of ISP’s means A LOT MORE users – that’s bad news for me. The problem is that each Brightmail implementation looks (and reports) to a central database to determine a host’s reputation. Having a bad reputation is much worse than getting yourself on an RBL (DNS Blacklist) somewhere. Suddenly every Brightmail server out there just starts dropping your smtp connection with a generic 554 error. No if’s, no but’s, no ‘give me a 2nd chance to correct my wrongdoings’.

Oh but I must be a spammer of have an exploited script on my server right? Well, maybe yes, maybe no. I’ll let you decide but I will tell you what I DO have that I strongly believe is much the root of the problem

  1. Customers with mailing lists that do not deal with bounced messages properly. When someone uses say PHPList by default, it sends it’s emails using PHP from apache – let’s say it sends it’s emails as nobody@mydomain.com – and the postmaster gets the bounces. Ok, bad postmaster didn’t call the people to tell them to sort out their mailing list software – bad me.
  2. We recently started hosting an ‘association’ where everyone who is a member happens to get their own free email address – yippee. The problem is, they don’t get their own MAILBOX, they just get a forwarder to their own email somewhere out there in ISP land. Now, the silly person who set that up didn’t turn on spam scanning (because their ISP’s do it for them) and now my server is forwarding hundreds of spam to the recipients at the ISP. Does the ISP care? No, my server is seen as the source of that spam – Lesson number 2 – Don’t forward lots of mail to lots of ISP’s without spam scanning.
  3. Forums being bombarded by illegitimate signups – these spammers bots put false addresses in there. Each time my server sends an email to a non-existant address at an ISP, that is another bad reputation tick on my server’s little black book.

This isn’t the days where one can just go to your local, friendly DNSBL and ask to be removed. Now you have a ‘reputation’ in some companies not-so-little database out there in the wilderness. Who do I ask to be removed from? The ISP? which one; Symantec? yeah right; Senderbase? Give it a try

Anyway, I am rather annoyed about this whole saga right now. As far as my clients are concerned, it’s only OUR server that is blocked by ALL those innocent ISP’s. Who’s listening? nobody.

and by the way? Where’s the full FAQ of what all the information at senderbase.org means, anyway? On forums, everyone talks as if they know what it all means, is it really me who doesn’t really understand exactly what “DNS Verify” means over at the senderbase.org site?

From reading Ironport documentation, DNS Verify = a two way DNS lookup: 1st is an rDNS/PTR lookup on your IP, and then an A record lookup on the record that was returned on the PTR lookup. Well go figure mine are fine, ok, return identical results but do you think I can get a “DNS Verify” to say “Y” over at senderbase.org?

Oh, you can go and get “Third Party Certified” over at Etrust – for a small, handsome sum btw – Fork over $1500 just to get your email accepted?

It’s now days later and I am still blocked.. if you sense that I am a bit pissed about this whole thing, I am. I really don’t know whether to blame myself or not.

Technorati Tags: , , ,

Published by salubrium

I am a Systems Administrator based in Sydney, Australia with some hugely varied interests: Topics covered are Virtualization, Web Hosting, Remote Desktop, Security and Backups, PHP, Python, MVC Frameworks, SEO

Leave a comment

Your email address will not be published. Required fields are marked *