OlegD
  1. I just believe that there must be some info provided about the reasons for listing, so the abuse service of the listed mailserver will have evidence and facts to identify the spammer (or security problem, or misconfiguration, etc.) instead of guess-work. Yes, you are right :-) I'm sorry for my English.
  2. This CAN be an issue. There is ONLY a PROBABILITY of an issue. Probability isn't enough for blocking. The following is just my IMHO. If a legitimate client (not an open relay, not seeming to be trojaned, no unusual traffic, didn't send spam before) needs to send some amount of mail, it's OK. Then the recipients of its messages can take a decision whether this was spam or not (probably with the help of SpamAssassin or something like it). If this is spam - well, there is the abuse[at] service, RIPE contacts, etc. Abuse, using the spam headers, identifies and punishes the spammer. That is the normal scenario with a responsible abuse service, and there is no probability there, only facts and assurance. So, if I am a representative of an abuse service, I need facts, not probabilities, to take the RIGHT decision about the RIGHT spammer, and not simply about the client that sent the most mail messages yesterday :-) Do you understand my point of view?
  3. Not about administration, but about SMTP protocol principles. Nope. Only the recipient of a message can actually decide whether a message from my client is spam or not. Not me, nor some other intermediate relay. Only the recipient. I just believe that spam from legitimate clients is very difficult to control on intermediate relays. The definition of spam differs according to the recipient, so only the recipient can actually report spam. A pricelist sent to a subscriber isn't spam, but the same pricelist, unexpected by the recipient, is spam. Such things are just uncontrollable by intermediate relays.
  4. > there are admins and there are admins. Trying to read back through all of this, I can only find one reference to "not using Exchange server" .... so if there was any specific guidance to be offered, it may not have appeared, as the actual application/platform description hasn't been defined. (Note the dialog about whether the SMTP/AUTH hack was applicable or not.) The talk about a back-up server is also missing a few facts. Is the back-up an in-house asset (and could thus possibly also have (access) to the user list) or under actual control of someone else (which would then fit the scenario of not knowing who the users are)? Strategies would of course be different, and even these situations could be further changed if one was to ask just how often the backup MX came into use ... once in a blue moon, maybe not really an issue at all, but if two or three times a week, perhaps there's something else that ought to be looked at ....???? Miss Betsy had previously pointed out the survey mode of analyzing things about the whole traffic picture, citing previous conditions that the e-mail server had been scrutinized repeatedly, but it was the quantum increase in traffic noted by looking at the firewall logs that finally identified that it wasn't "authorized traffic" that was at issue. The original poster responded to this by describing the massive amounts of customer data handled, citing the "impossible" task of sorting through all the bits ... missing that it wasn't the bits being discussed, it was that the river had hit flood stage and no one noticed because they were discussing the color of paint on the town hall ....????
     1. I really didn't ask for any "specific guidance" related to mail server administration. I was interested in the site and blacklist mismatch and the causes of listing (if any). I've got an answer. 2. Most of our backup MXes come into use nightly, when our clients switch off the power in their offices :-) It's not a joke, unfortunately. Then, a backup MX is a service that provides some sort of fault tolerance, and our clients pay for it. Additionally, we don't filter spam (with the exception of some DUL and ORDB checks); we only use SpamAssassin to rate mail messages, so the user can decide what to do with highly rated mail. 3. One of my clients sent 5000 messages to different mailboxes in different domains, for example. Was it the "flood stage of the river" or simply distribution of new pricelists to pricelist subscribers? Have you ever administered a large mail system? If you have, you should know that such cases are real and not something unusual. Most spam deliveries via such systems are related to clients, not to security issues with the mail system as such.
  5. All right, big thanks to all, especially Derek_T, StevenUnderwood, Ellen, Chris Parker, Miss Betsy :-) Only one objection: this is not always possible. For example, if a relay acts as a backup MX for a client's mailserver, and the mailserver is currently down, the relay accumulates mail for the client's domain. The relay doesn't know about the users in the client's domain. But when the client's mailserver comes up and sends the ETRN command, the relay will send all the client's mail to the mailserver. The mailserver will respond with a 5xx code to every unknown address, and the relay shall send an error report to the sender to indicate delivery problems. This is the generally accepted and standard scheme when the SMTP protocol is used for delivery. Do you recommend declining this scheme? What fault-tolerant delivery scheme do you recommend in this case?
  6. By the way, what is the source of this information (usually)? In RIPE there are alexf[at]vsi.ru and oleg[at]vsi.ru (me) as the tech-c and alexs[at]vsi.ru as the admin-c. How frequently does this get updated?
  7. I already wrote a message to the deputies. But, if I may, I believe that such information should be granted automatically. Such information is actually the basis of problem troubleshooting.
  8. What "firewall logs" do you mean? I check logs daily for anomalies, but, I repeat - I have thousands of clients, and they send tens of thousands of mail messages a day, with the exception of incoming mail messages. I simply cannot handle such a volume by simply looking at the maillogs. Sent mail isn't an anomaly. Whether a sent message is spam or simply a business message - I couldn't say by only looking at a log.
  9. I believe that this is not my case, but anyway - I need the message that was sent via my relay to identify weaknesses. To the deputies: can you provide such information to the admin-c or tech-c of the corresponding inetnum objects in RIPE, for example? I am a tech-c.
  10. My clients can set up an autoresponder ("away responder", for example) on their IMAP mailboxes. If this is a problem, I can turn it off. We send no virus bounces, of course. There can only be bounces like 'No such user', for example, when our mail relay acts as a backup MX for some client's mailserver. But I need the headers of the spam (or bounce, or autoresponse message) at least to identify the problem.
  11. All right, but I couldn't identify it :-) The "Check evidence" (and "Remove IP") button returns the following: We have no spamtrap mail on record for 80.82.32.19. If 80.82.32.19 was listed in the past, the mail may have been expired from the spool already. So I have no evidence -> couldn't identify the spammer -> he (she) will spam again. That's not good.
  12. The reason for listing in SORBS is spam from our client with IP 80.82.58.223 via our mail relay. This problem was resolved approximately two weeks ago (the client's machine was compromised). Our relay is listed in SORBS because we treat the "fine" as extortion and will not pay it. We do not agree with SORBS policy on this point. I don't see any responses from spamtraps in the last week containing IP 80.82.32.19, only some direct mailings from our dialup clients (we have thousands of them, so it doesn't seem strange to me). I don't have any Exchange server under my control. So, if my host is listed, I should know why, shouldn't I? Thanks for the contacts, I'll try to ask the deputies.
  13. Hm-m. Is several days (approximately 3 days) a sufficiently long time for a web page update? Yes, reasons for listing - that's what I expected to see on the Web page.
  14. Hi all, the mail server with IP 80.82.32.19 is blacklisted in DNS:
      oleg$ host 19.32.82.80.bl.spamcop.net
      19.32.82.80.bl.spamcop.net has address 127.0.0.2
      But on your site (http://www.spamcop.net/w3m?action=checkblock&ip=80.82.32.19): 80.82.32.19 not listed in bl.spamcop.net. Why?
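The DNS-side check shown in post 14, as an added Python example that is not from the original thread: it builds the reversed-octet query name for an IPv4 address in a DNSBL zone and interprets the answer, and it classifies the DNS-versus-web mismatch the post asks about. The resolver is passed in as a callable so the example runs offline against a constructed lookup table (FAKE_ZONE is constructed; a real check would resolve the names over DNS).

```python
import ipaddress
from typing import Callable, Optional, Tuple

# Constructed stand-in for DNS so the example runs offline; a real check would
# resolve these names with the system resolver or a DNS library.
FAKE_ZONE = {
    "19.32.82.80.bl.spamcop.net": "127.0.0.2",   # listed (value from the post)
    "2.0.0.10.bl.spamcop.net": "203.0.113.5",    # bogus answer outside 127/8
}


def dnsbl_query_name(ip: str, zone: str = "bl.spamcop.net") -> str:
    """Reverse the four octets and append the DNSBL zone, e.g.
    80.82.32.19 -> 19.32.82.80.bl.spamcop.net."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")  # validates the IP
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(ip: str, resolve: Callable[[str], Optional[str]],
                zone: str = "bl.spamcop.net") -> Tuple[bool, Optional[str]]:
    """Return (listed, answer). resolve(name) yields an A record string or
    None for NXDOMAIN. Only answers inside 127.0.0.0/8 count as a listing;
    any other address is something a DNSBL never returns (a wildcard or
    hijacked zone, say), so treat it as "not listed" rather than blocking."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False, None
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return False, answer
    return True, answer


def sources_agree(dns_listed: bool, web_listed: bool) -> str:
    """Classify the mismatch the post describes: the DNS zone and the web
    lookup page are separate views of the list and can lag each other."""
    if dns_listed == web_listed:
        return "consistent"
    return "dns-only listing" if dns_listed else "web-only listing"


if __name__ == "__main__":
    listed, code = check_dnsbl("80.82.32.19", FAKE_ZONE.get)
    print(dnsbl_query_name("80.82.32.19"), listed, code)
    print(sources_agree(listed, web_listed=False))
```

When the two views disagree, the DNS answer is what receiving mail servers actually act on, so that is the one to investigate and to re-check after any caching delay.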