Bojan
  1. Yes, they were named by a Marx Brothers fan (not me, a colleague of mine in the DNS department). Anyway, sorry for not replying for a while. I finally managed to communicate with SpamCop admins (*HUGE* thanks to Don for contacting me). We're currently working on this. The main reason why our servers got blacklisted is that they sent e-mail to spam traps. After checking those e-mails, Don pasted a couple of them to me and they are all out-of-office replies (guess what, it's holiday season). Of course, in a perfect world we wouldn't be doing this, but there is absolutely no way I can control what users do in an organization this big. Now, the other thing that seems problematic is that Don says some e-mails have incorrect headers (headers are not complete) so SpamCop can't see what the real source of the e-mail is (it looks like our gateway is the source, instead of an internal machine). We're trying to figure out what's wrong here (I will be brave and say that it's impossible for our gateway to mess this up). I will post again when we find more. Thanks to all of you for your help and support in this issue. Bojan
  2. Sure, I just sent you an e-mail - let me/us know what happens. Bojan
  3. Heh, ok, and I understand that people usually "attack" SpamCop without even checking things they should have done. Well, you are partially (if not completely) correct here. "Personally" I'm maybe ok, but from my work point of view I'm not. I know I can say that this has nothing to do with me and that SC Deputies didn't reply etc., but believe me, when an e-mail from someone high up (like a vice chancellor) gets rejected because of this, guess who will be the one to blame. I put *A LOT* of effort into this. Before we had a gateway which was dumb. Now we have an enterprise-class gateway which is easy to expand if needed, can do whatever we want and offers nice AV and anti-spam protection for our users. I personally am flooded with e-mails, as I do various other things, as a volunteer as well. But I always reply to every e-mail. Maybe it takes me 2 or 3 days sometimes to reply. But I do. So I think that the fact that the Deputies didn't reply back, after I sent 3 e-mails and used the web form 2 times, is rude. I don't want to sound rude, but again, I am disappointed with the lack of support for them (I believe that I showed that I do care about my servers and that I do want to work on them). Sigh, sorry for the long posts - it's (luckily) a quiet day here, as most of the users are on leave and the Uni is closed for students. Bojan
  4. Hi Will, First of all, thanks for understanding my position here (some other people seem to have problems with this). That seems to be only a part of the problem. I just noticed that in one message that was pasted in a previous post, because it had ***spam*** in the subject field, and that's what our gateway does when it detects a spam message. Yes, I went again through our Received headers and they are completely 100% according to RFC 822. If SC can't parse that properly, SC is broken, whatever you say. That being said, I'm sure SC parses them ok, but doesn't trust anything except the latest hop, which will be our gateway, of course (as you said as well). I agree that the only thing that can help me is getting hold of the deputies - nothing happened there though (16 days w/out a reply now from the first e-mail I sent). Both - however, we have pretty good internal controls so, if I knew the IP address of the machine which sent the e-mail, I could trace the owner. But, w/out knowing the destination e-mail address, I can't go through the logs to find who sent it. Technically I can do this without any problem. But, politically, this has to be approved first. And getting approval for dropping something at the gateway because it had something in the header is *very*, *very* difficult. Thanks, I appreciate that someone understands my problem. I will probably try to contact the destination ISPs, at first those local here in NZ, as it seems that the majority of e-mails will go there. I completely agree. And this all will take a lot of time and effort. The problem that I have hanging is that my servers are being blacklisted. And I can't do anything about it. Bojan
  5. Hi Derek, Please see the reply below from Telarin where he nicely put it out. I know that there is no excuse for users, but increasing the awareness of 46.000 users is very very difficult, and very very slow. From public reports my server sent 3 (three) e-mails to spam traps. In my opinion, that's not enough to blacklist someone (sure, there might be things that I don't know of yet). Again, it's a very very slow process. We aren't the biggest University in the world, but we have a lot of users and our gateways process a lot of e-mails - it's very difficult to police that (as Telarin nicely said). Now that you nicely said that I have to "take more control and be more responsible about what is going out through [my] server", do you care to say how? I don't have a server for 10 people that I can control. My servers process, as I said, 500.000+ e-mails per day (sometimes it can go to a million). How do I take more control over that, except by increasing user awareness (which is not technical)? Sorry, I wasn't completely clear here. I didn't mean rejecting during the SMTP session (which is a 5** code as you said), I meant rejecting with a filter-based mechanism such as Sieve. Sieve can discard or reject a message. Yes, I know and completely agree that rejection is stupid and makes no sense. Again, it's difficult to explain that to users (I might go through our mailbox servers to see if I can disable Sieve reject). I'm really not in a nice situation here. Don't get me wrong, I like SC and I support it, but I think that, at least in my case, it's overzealous. I also think that we're doing much better compared to other Universities, and think it's not fair towards us to be on the blacklist that easily. Bojan
  6. Btw, something else that I remembered. This first report, from Sunday, looks pretty interesting. First, it has ***spam*** in the subject, which is what our e-mail gateway does when it receives e-mails. It does not scan outgoing e-mails for spam, so this e-mail arrived to us first and then somehow was sent to SpamCop. Having Re: in the subject makes me believe that it was either a user on our network that replied, or some stupid filter (yes - we have users who set up their filters to catch spam-marked e-mails and then, instead of discarding them or putting them in a different folder, they actually *reject* them). This whole thing is still very very weak for me - I know you said that those are the only things publicly available (there might be more that we can't see), but if those 3 e-mails in 3 months got our machine blacklisted, it doesn't make much sense, does it? Off to sleep now. Thanks again for the useful discussion and for your good will to help. Cheers, Bojan
  7. Hi Jeff, It's an SMTP relay for the whole University. We block outgoing port 25 on our border firewall, and any machine that wants to send e-mails has to do it through our gateway. The gateway will do at least an AV scan for outgoing e-mails. There are 4 machines in the cluster, all under one DNS name so we have cheap man's round-robin load balancing. I built and configured those servers myself and I'm pretty sure that it's properly recording the source IP address in the Received header (I would even go so far as to say that I'm suspecting SpamCop Reports here). If you want, I can send you a test e-mail so you can see for yourself (it's a standard postfix+amavisd-new setup). We allow normal relay only for our class B network. Students and staff can relay through the server from anywhere, providing that they successfully authenticated before. My main problem with SpamCop here is that the only reports I've seen have been for e-mails sent to spam traps. This means that I have nothing to investigate - I got no e-mail back, I don't know what the spam traps are (and that's fine, SC operates like that) and I sure won't go through half a million e-mails per day to see what happened. The biggest problem for me is that our users are generating service desk calls which end up on me, and there's nothing I can do about them (sure, I tell the story that the SpamCop list has nothing to do with blocking, that it's the remote site's decision to block on it ... but that all means nothing to our users). And keep in mind that we're a decent-size University - ~40.000 students and 6.000+ staff. Thanks for help, Bojan
  8. Thanks for your reply. My e-mail to the deputies was very similar to what you suggested. There are actually 4 IP addresses (130.216.190.11 - .14) - 4 servers which are relays. We properly reject main domains (auckland.ac.nz for staff and ec.auckland.ac.nz for students), but there are multiple other subdomains we have to relay for and which will improperly generate a bounce - I'm aware of this but moving forward is very slow in an academic environment. Anyway, I'll try sending the e-mail to the deputies again. The main problem here is that I need "ammunition" when approaching users. If there is a compromised machine on campus which is sending 1 e-mail every minute, I will never find it (as I said, the gateway processes ~500.000 e-mails per day). Thanks for your reply again. Bojan
  9. And 14 days after the initial e-mail, no reply back. In total I sent 3 e-mails and used the web form twice; absolutely nothing came back. Today our system got blacklisted again: http://www.spamcop.net/w3m?action=checkblo...=130.216.190.11 The only cause listed is that it sent e-mails to spam traps. Sure, it's a gateway for 6000+ other machines. I understand that the deputies can be flooded with e-mails, but the fact that no one replied for 14 days (not even with: yes, we received your e-mail, but we are flooded so please wait) - I'm not counting people that posted here (thanks to whoever helped so far). Really disappointed, not to mention the new calls that are waiting at our service desk. Bojan
  10. "...Bojan, have you received a reply yet? If not, please be aware that one of the deputies has sent a private communication to one of the other "senior" Forum participants (in reply to his communication on another topic) indicating that the deputies are seriously backlogged due to new spammer tricks and the latest virus outbreak. So please have patience. I'm sure I speak for them when I say I'm sorry for the inconvenience." Yeah, I haven't received any reply back so far. I just sent another e-mail (let's call it a reminder ..). Hope I'll get some reply soon. Cheers, Bojan Edit: Jeff G. fixed the quoting.
  11. Thanks a lot Steve. I'll wait for a bit more and then will let you know. It wouldn't be a big problem really, but it seems like there are a lot of sites which reject e-mail based on SpamCop (we use SpamCop as well, but only as a rule in SpamAssassin, so it will give a certain score to the final result). Those rejected e-mails made the number of calls received by our Service Desk go pretty high and soon we'll have to issue something "official" to them. If it was something I could fix myself I'd do it immediately, but as it's spam traps which are causing our server(s) to be blacklisted, there's nothing I can do. Thanks again for your reply.
  12. Another of our servers got listed in SpamCop today. The reason is again (pasted from the web page): "Causes of listing: System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)". Of course, no one from SpamCop replied, either from the deputies address which Steven posted or from the Dispute form ... SpamCop is great when it works ok for you but otherwise ....
  13. Yeah - technically this is not a problem (we use postfix here, can implement almost anything with it). However, the problem is more of a political nature that I wouldn't go into. Let's just say I'm pushing this .. but where to, who knows.
  14. Thanks Steven - I'll contact them to see what I can do - I definitely don't want my servers being listed in SpamCop. One other problem we have is with NDN bounces. For a couple of the most-used servers (the student server, the official staff server) we implemented virtual domains at the front end, so it will properly reject e-mails. However, there are multiple internal servers in various faculties and departments that we have no control of, and we have to relay for them (so we can at least do AV scans, and a spam scan). They result in NDN bounces as well - if I could I would stop that immediately, but it's up to the politics. Lastly, e-mail from SpamCop has some bad delays (IronGate problems?). I clicked on the delist link and it took 50 minutes to deliver the e-mail. From the headers it's visible that the delay happened at SpamCop's server ... maybe it would be good to either check this (if someone from SpamCop is reading this), or to have another means for admins - I had to wait 50 minutes to delist the server, and it's peak time for users here. Thanks again for your reply. Cheers, Bojan
  15. Hi, Recently I had 2 of my e-mail servers (from a cluster of 4) blocked in SpamCop. Those servers are the main mail gateway for our University, and we are pretty strict in blocking outgoing port 25 for all other machines - they have to send e-mail through the gateway, which scans for viruses in outgoing e-mails. Now, on SpamCop's webpage, the reason for being blacklisted is that someone sent e-mail to SpamCop's spam trap addresses. This gateway processes about 500.000 e-mails per day. As SpamCop's spam trap addresses are secret, I can't even trace users who did this. So what can I do here? Listing in SpamCop caused e-mails to be rejected from other hosts. The whole idea with spam traps is nice, but in my case (and probably for other gateways) it's a bit stupid - we pay the price because someone sent e-mails to them, and we can't even find out who. Any comments on this?
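The thread keeps returning to two points: a remote blocklist can only vouch for the last hop it saw (the gateway), while the gateway operator, who trusts the Received headers his own relays wrote, can walk one hop further to the internal originator. The following script is an added example, not code from the thread; it uses the four gateway addresses posted above (130.216.190.11 - .14) and a constructed sample message with made-up hostnames and an assumed internal host 130.216.55.23.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Gateway cluster addresses as stated in the thread (130.216.190.11 - .14).
GATEWAYS = {ip_address(f"130.216.190.{n}") for n in range(11, 15)}

# Constructed sample message (hostnames and the internal host 130.216.55.23
# are assumptions for this example, not values from the thread).
SAMPLE = (
    "Received: from mailgw.example.ac.nz (mailgw.example.ac.nz [130.216.190.12])\n"
    "\tby mx.remote.example (Postfix) with ESMTP id ABC123\n"
    "\tfor <trap@remote.example>; Sun, 2 Jan 2005 10:11:12 +1300\n"
    "Received: from pc-lab-23.example.ac.nz (pc-lab-23.example.ac.nz [130.216.55.23])\n"
    "\tby mailgw.example.ac.nz (Postfix) with ESMTP id DEF456;\n"
    "\tSun, 2 Jan 2005 10:11:10 +1300\n"
    "From: user@example.ac.nz\nTo: trap@remote.example\n"
    "Subject: Re: ***SPAM*** hello\n\nbody\n"
)

# First bracketed dotted-quad in a Received: header, i.e. the "from" peer IP.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_sources(raw):
    """Peer IP of each Received: header, newest hop first (header order)."""
    msg = message_from_string(raw)
    out = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        out.append(ip_address(m.group(1)) if m else None)
    return out


def externally_visible_source(raw):
    """What a remote MX or a blocklist can actually vouch for: only the hop its
    own server recorded, which for outbound University mail is the gateway."""
    hops = hop_sources(raw)
    return hops[0] if hops else None


def internal_origin(raw, gateways=GATEWAYS):
    """Gateway operator's view: skip the hop recorded by the remote side; the
    next Received: header was written by our own relay and names the internal
    host. Returns None if no known gateway appears in the chain."""
    hops = hop_sources(raw)
    for i, ip in enumerate(hops):
        if ip in gateways and i + 1 < len(hops):
            return hops[i + 1]
    return None
```

Run against a message pulled from the gateway's queue or from a copy forwarded by the recipient, the second function gives the address to look up in the internal ownership records mentioned in post 4.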