Jump to content

Senderbase listing, trying to make sense of it


technion

Recommended Posts

I thought about heading my post as 'middle of the night ramblings' because after pointing out that there is a difference between the scientist and the engineer, I started on several entirely different thoughts!

<ramble on>I haven't seen the term 'collateral damage' used lately, but in the beginning of blocklists, lots of 'innocent' people were blocked, non-spammers and legitimate mailing lists or merchants who just didn't know about confirmed subscription, but blocklist users insisted that the sending end was the place to stop spam and that web hosting companies and ISPs had to develop policies to prevent spammers and that the receiving end had the right to block all traffic based on whatever criteria they wanted (my server, my rules). The same attitude probably is still evident at SB and is reinforced especially since they are making money at it - entrepreneurs are not very prone to care about how their products adversely affect others - particularly non-customers.

So although the research scientist does care about the fringes, the engineer builds with tolerances for error and then you add in the bottom line of the marketplace and you don't get responsiveness to individual problems (or even, collective problems such as the environment offline).

techion mentioned a couple of posts back about how being knowledgeable helped in convincing other server admins that you are white hat so then I went there.

It's all very interesting - but not much help for techion - spamcop started out as more of a cooperative among small server admins who pooled their spam to get a better blocklist. Now it is part of the senderbase business for larger server admins who can afford to pay someone to manage their blocklists.

Endurance is a solution also, just as no decision is a decision.

<ramble off>

Miss Betsy

Link to comment
Share on other sites

  • Replies 70
  • Created
  • Last Reply

Hello,

I found this post when trying to find something out about Senderbase.

It seems that, around the time of this original posting, we started getting blocked by a number of organizations. We finally found out that common element was the organizations use Senderbase.

When I enter our IP address (66.132.141.17), I see that our score is "Neutral", but it also shows a lot of other IP addresses that are in the IP network (we have a dedicated server with a large web hosting company), and many of those IP addresses have "Poor" scores.

Are the scores from those other IP addresses affecting how organizations view our specific IP address?

Thanks in advance for any assistance,

Steve

Link to comment
Share on other sites

...Are the scores from those other IP addresses affecting how organizations view our specific IP address?
Can't talk for SenderBase but the IP addresses should stand alone and IronPort themselves rely heavily on IP address to tag spam sources (but nobody, including SenderBase/IronPort to judge by their disclaimers, can vouch for exactly how individual networks might use SB information). You might like to check your domain on the lookup as well - http://www.senderbase.org/senderbase_queries/rep_lookup Again, how people use the information is anyone's guess.
Link to comment
Share on other sites

Following up on my earlier post... My mail server 98.124.190.3 is still listed at senderbase as "Poor". I too had tried joining the IronPortNation forum, but since I'm not an IronPort customer, I didn't make any headway. By the way, did you ever hear anything from your attempt to join, Wazoo?

This morning I phoned IronPort (their main phone number listed on their website on the Contact page), and told the operator that I was having a problem with senderbase. She asked if I had opened a case, and I told her no. So, she took my IP address, my name, company name, email address, and phone number. She said someone would contact me within 2 hours, and I was so overjoyed that I stupidly didn't ask her for the case number. It's now been 5 hours with no response. I tried phoning again about an hour and a half ago, and got the "no one is available, please leave a message" recording. So I left a message, but of course no response yet.

I am about at my wit's end! Ever since this problem started last month (when I moved my servers to a new co-location facility because the old co-lo went out of business on short notice), I presumed that the cause was the appearance of a mail server on a previously-unused IP address. I thought of trying to ask my facility if I could change IP addresses (though I shiver at the problem of renumbering my network again so soon!), but if the problem is indeed due to a mail server appearing on a new IP address, that won't solve the problem.

It's still the case that my mail server IP address is not listed on any block lists. It's still the case that senderbase does not notice that my forward and reverse DNS match. It's still the case that I've not received any notices of abuse from anywhere. I can't figure out any other reason for the senderbase reputation other than the newness of this IP address.

It does seems coincidental that technion's problem started about March 15. We were moving our servers to the new co-lo on March 13 and March 14, so probably the first emails from the server at the new IP would have been March 14. I'm wondering if something in the senderbase policy changed about that date?

Upon careful re-reading of this thread, I noticed that technion seemed to get some relief after he sent to SB from another email account. So, I've just emailed SB from an earthlink account. Maybe that will help.

Thank you all for the comments so far!

Link to comment
Share on other sites

...Following up on my earlier post... My mail server 98.124.190.3 is still listed at senderbase as "Poor". ...
Looking at http://www.senderbase.org/help/main it occurs to me to ask, what is your domain's reputation? You may have inherited some 'baggage' with your IP address due to other/previous users on that address (clutching a straws here) but that should not affect your domain (noting this feature is commented as "still under development") and may have little to do with mail anyway. Does the volume from the IP address ("email magnitude", 2.0 ~200 messages a day) equate to your usage since moving? You may need to talk to your ISP about a new IP address, assuming yours is, quite properly, a static allocation (as the rDNS would indicate) - or you may be able to send through an ISP network smarthost.
Link to comment
Share on other sites

technion's data changed yet again on this look-ip

http://www.senderbase.org/senderbase_queri...g=61.14.113.190

Hostname: smtp.cocaus.org

SenderBase reputation score Neutral

Date of first message seen from this address 2008-03-04

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 1.7 .. -60%

Last month .. 2.1

steveb's data point .. seems to have been zapped ????? Is this the correct IP Address?

http://www.senderbase.org/senderbase_queri...g=66.132.141.17

no host name listed

SenderBase reputation score Neutral

Date of first message seen from this address unknown

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 0.0 .. N/A

Last month .. 0.0

westryn's data point;

http://www.senderbase.org/senderbase_queri...ng=98.124.190.3

Hostname: mail3.westryn.net

SenderBase reputation score Poor

Date of first message seen from this address 2009-03-17

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 2.0 .. 15%

Last month .. 2.0

http://www.senderbase.org/senderbase_queri...3ASearch=Search

WHOIS Information: No whois info available or in an unreadable format.

By the way, did you ever hear anything from your attempt to join, Wazoo?

Denied .... customers and partners only. Trying something else.

Link to comment
Share on other sites

Our IP address, for whatever reasons, links to 66.132.141.15, which is what Senderbase shows. Apparently, our score went from Poor to Neutral this week so the problem's disappeared, for now.

Which I checked it when our score was "Poor" so maybe I could have seen a reason for why we may have been classified as Poor!

Steve

Link to comment
Share on other sites

Our IP address, for whatever reasons, links to 66.132.141.15, which is what Senderbase shows.

I'm lost. This is not the IP Address you provided in your first post and I sure don't understand your words "linked to" and "that's what SenderBase shows" ....????? Your query should have been referencing an e-mail server which should be sitting at a specific IP Address, not "linked to some address" ....

http://www.senderbase.org/senderbase_queri...g=66.132.141.15

Hostname: mail.groupoe.com

SenderBase reputation score Neutral

Date of first message seen from this address 2007-12-18

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 0.0 .. N/A

Last month .. 0.73

This would definitely fit the "low volume" description in the data I added to the Wiki earlier.

Link to comment
Share on other sites

Hooray! My email server is now listed "Good". Late yesterday afternoon I received an email from a support person at IronPort (using the support[at]senderbase.org email address). He said he recalled my original email two weeks ago, and had responded at that time, but I never received any email from them (I had even monitored my mail logs to ensure I wasn't somehow blocking their response!). He said he was responding based on my phone call to IronPort. He said that my (new-to-me) Class C had sent spam or malicious emails in the past, and that was the reason for the Poor rating. He asked some questions about how I got the Class C, etc. I responded with an email answering all his questions.

About an hour ago I received another email stating that my rating had been upgraded, but warning that it would go down again should there be any spam complaints. I was away from my computer, so I just saw the email a few minutes ago. Sure enough, the rating on my mail server is now Good.

So, it looks like the reason that I was initially rated Poor was due to long-past activity on the Class C before I acquired it at my new co-location facility.

Based on IronPort's emails, I believe that the reason they responded was because I phoned IronPort. I surmise (just based on a hunch here) that they might basically ignore first contacts on the assumption that actual spammers would give up and look for another IP address that's easier to exploit. Only a person whose business is in danger of imploding because their customer emails cannot be delivered will continue pursuing a resolution. That's only my guess. But it does also seem consistent with technion's experience. I also wonder if senderbase people monitor this forum, and perhaps our postings here have also helped.

Thank you all for your comments and suggestions, and I hope my experience will help some other wrongly-accused legitimate mail server administrators make sense of what is happening.

Link to comment
Share on other sites

<snip>

Thank you all for your comments and suggestions, and I hope my experience will help some other wrongly-accused legitimate mail server administrators make sense of what is happening.

...And thank you for taking the time to return to post the great news. Congrats on your persistence and the good result! Based on this reply, I am marking this "thread" as "Resolved."
Link to comment
Share on other sites

...And thank you for taking the time to return to post the great news. Congrats on your persistence and the good result! Based on this reply, I am marking this "thread" as "Resolved."

Removed that tag ... the Topic starter still hasn't weighed in on things yet .... I'm still waiting on a response to my last e-mail to IronPort/SenderBase. etc.

Link to comment
Share on other sites

Well, our IP address (66.132.141.15) is, for whatever reason, getting a "Poor" Senderbase score.

Is there anything in their search results page which can explain some reason(s) for a bad score?

Thanks in advance,

Steve

Link to comment
Share on other sites

Well, our IP address (66.132.141.15) is, for whatever reason, getting a "Poor" Senderbase score.

Is there anything in their search results page which can explain some reason(s) for a bad score?

Have you looked through the 4 pages of information here for the several people who were in the same situation and as far as we know are now all set?

This is a spamcop board (not senderbase) and while we don't mind trying to help people out or pointing them in the right drection, we need the majority of the work to be done by the person with the problem.

Link to comment
Share on other sites

Well, our IP address (66.132.141.15) is, for whatever reason, getting a "Poor" Senderbase score.

Is there anything in their search results page which can explain some reason(s) for a bad score?

If you click on that silly "Explain my reputation" link (most of which renders in a popup off the screen on my desktop), then you'll know as much as anyone else does.

That being:

Poor = A problematic level of threat activity has been observed from your IP address or domain. Your email or Web traffic is likely to be filtered or blocked*.

It's a pity when you get better (neutral) you still see this:

Neutral = Your IP address or domain is within acceptable parameters. However, your email or Web traffic may still be filtered or blocked*.

At least I haven't found anyone yet that rejects email from addresses "within acceptable parameters".

Try sending them an email from a different domain to your usual, and explain you've improved security. Don't ask for headers or anything because they won't give it to you, but if you suggest the problem should be gone, they'll hopefully tell you if it really is - in my case, they gave me a date of their single "complaint".

Link to comment
Share on other sites

If you do the summary lookup (top menu on the SenderBase site) you get this explanation:

Email Reputation Score: Poor |?| SenderBase Reputation Scores

The Reputation Score judges a source by it’s behavior

please click on the link for a full explanation

Why is the reputation Poor?

These are the most common reasons:

Your email server or a computer in your network may be infected with malware and may be used to send spam.

You may have an insecure network which is allowing other parties to use your network to send spam.

Your email server may be misconfigured and might relay spam.

You may be utilizing a dynamic IP that is not allowed to relay email directly to the Internet.

How does this affect me?

While many networks use SenderBase as a means for assessing their email traffic, SenderBase does not block email. If your email is being blocked or you feel it is not being delivered, please check with your ISP.

What can I do to improve my reputation?

The information displayed is meant to help you identify and resolve any issues that might be the cause for your IP’s poor reputation score. More Details (same hyperlink as above) are available. Once you have taken the necessary steps to fix any known issues, your reputation score should automatically improve within a short time frame.

Link to comment
Share on other sites

Updated http://forum.spamcop.net/scwik/SenderBaseReputationScore with additional data. I stated in my last e-mail to SenderBase/IronPort that I'm not sure that this data actually answers some of the traffic seen in this Topic/Discussion, but that's just me again <g>

I'd added all that data to the Wiki a while ago to make it available ... made the post here to advise folks of that action. Thanks for reading.

Link to comment
Share on other sites

I've read through the posts. I called the Senderbase number (IronPort), but they told me I have to email Senderbase, which I did the other day.

So far, they've only asked me to change a HELO value. But, from their email, they don't seem confident that will help anything. I can't believe they can't quickly see, on their end, the factor(s) giving a "Poor" rating. Relaying is not allowed, we're not any DNBL's, no malware...

Link to comment
Share on other sites

  • 6 months later...

Hello,

I too have been working thru some senderbase issues... the site had the company I work for

flagged as "POOR".

I think that we may have had a few spam eMails go out, but it was resolved.

during this time, try and eMail the support address, and also email them from

a secondary account.

As far as getting someone from senderbase to actually call you, this is possible....

we do not have the ironport/senderbase product, but I spoke to by cisco rep about this

issue and a senderbase.org supervisor called me within 1 hour.

This senderbase system is pretty hands off, and does take time to build your reputation back up,

kind of like a credit score...

if you want to get eMail's flowing as soon as possible, first fix the problem, then simply change

your sending ip (if this is possible).

I do know that customers that have ironport can make exceptions for sites, if you can get

to the remote person that manages ironport for a company that is blocking you have them add your ip.

like some of the other posters stated, I don't blame senderbase for flagging my site,

but I do blame them for holding me hostage and not giving me any clear direction

or information, stating that I must call someone else's isp is simply stupid.

senderbase has alot of tools and can give you information, here is something they sent me:

Sophos Anti-Virus Positive Rate Low – Means reporting rate of viruses from this IP is low (compared to none, medium, and high)

IPAS Positive High – Means reporting rate of spam from this IP is high (compared to none, low, medium)

SpamCop Trap Rate Max – Means that this IP had sent some messages to spam traps

I also noticed that you need to make sure your PRT record for your domain is correct as well.

Link to comment
Share on other sites

Thanks billyreubin - there certainly is a lack of information on SB matters and your filling in a few of the blanks is appreciated.

...I also noticed that you need to make sure your PRT record for your domain is correct as well.
That would be the PTR record? Yes, that (reverse DNS record) will help and not just for SenderBase - http://aplawrence.com/Blog/B961.html

In the Windows world (and there are variations on the theme):

C:\Documents and Settings\Admin>nslookup

...

> set type=mx

> iinet.net.au

Non-authoritative answer:

iinet.net.au MX preference = 10, mail exchanger = as-av.iinet.net.au

as-av.iinet.net.au internet address = 203.0.178.180

> set type=ptr

> 203.0.170.180

...

Non-authoritative answer:

180.178.0.203.in-addr.arpa name = as-av.iinet.net.au

>exit

C:\Documents and Settings\Admin>_

in-addr.arpa lookups are a little flaky for me at the moment. It took several tries before that part worked, but the above's the idea.
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.


×
×
  • Create New...