Jump to content
Sign in to follow this  
saba

White Lists ?

Recommended Posts

Hello,

Here's an interesting issue. We get our email for our entire domain pre-screened for spam and VIRII by a third party (MXLOGIC.COM). The problem is that

someone keeps listing their IP addresses in the SPAMCOP database.

These folks don't run mail servers, they run a mail proxy server that connects

sending servers with recipient servers in real time. Is there a way for your

service to "white list" providers like this? Their IP's never change, but

every couple of weeks we go through the same gyrations:

1) Email sent to us starts bouncing, because our outsourced mail server uses

SPAMCOP (can't talk them into turning it off for our domain...)

2) We contact MXLOGIC, they contact you, the IP gets delisted

3) a day or 2 later, the bounces stop.

4) a couple of weeks go by, back to step 1.

Can anything be done about this?

THanks

Share this post


Link to post
Share on other sites

What's the IP address or addresses of the servers in question? Are they properly processing messages without butchering the headers?

Share this post


Link to post
Share on other sites
What's the IP address or addresses of the servers in question?  Are they properly processing messages without butchering the headers?

19106[/snapback]

1) The address listed in spamcops (this time) is 66.179.109.175. It's been other ones before, MXLOGIC has three seperate /27 subnets they use for email.

2) As far as a I know, they don't alter any of the email headers. They pass them on intact to the recipient mail server, and do their checks on content before they

deliver that to the recipient. If it's bad, they close the connection.

Share this post


Link to post
Share on other sites

I'd have to see some headers. All I can go on right now it stuff found at http://mxlogic.com/resources/FAQs.html

What is an MX record?

An MX record is simply an entry in a domain name database that identifies the email server responsible for handling email for that domain – similar to a primary postal address. With the MX Logic service, you re-direct your MX record to MX Logic so all email from the outside go through MX Logic and its filtering process before it is delivered to your actual address.

Does pointing our MX record to MX Logic give you access to our email?

No. The MX Logic message processing centers act as proxies when receiving your inbound email. Messages are filtered in real-time as they are being simultaneously delivered into your messaging environment. Because MX Logic’s service is proxy-based, your messages are not stored to disk so there is no risk of lost, damaged or corrupted email.

Not sure I follow that they could manipulate the flow of data this way and not be included within the e-mail headers .. which of course, they must be based on your complaint of them constantly getting listed.

You say "they contact you" .... they must be old hands at this, as the normal signs of an issue are postings to the newsgroups (or here since the creation of this Forum) .. but I'm not sure I've ever seen this outfit mentioned before. That you then say "a couple of days later" pretty much goes with the "maximum of 48 hours after spew stops) ...????

"They don't run e-mail servers, they run proxy .." .... funny, open proxies is the latest rage for spammers, taking over compromised systems with fast connections to run their spew. The problem with tracking down the source of that spew usually ends up with the Proxy being tagged as the source, as the headers don't contain the needed connection data of where the spew really came from ... you should be starting to draw some of your own conclusions here ...

If you're ready to jump out of your chair, don't ... there's no accusations of spammer here .. just talking about issues with the header data of traffic passed via a proxy ...and again, discussion done without seeing the evidence provided by a sample header to show what is and what isn't existing within that data ...

For your sample IP address, Senderbase http://www.senderbase.org/?searchBy=ipaddr...=66.179.109.175 showing;

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.1 .... 1212%

Last 30 days .. 3.1 ....... 26%

Average ........ 3.0

With 33 systems identified as serving up e-mail, this quantum increase in the last day's volume usually indicates a spam problem. Also noting that the SpamCop "evidence" page shows nothing about spamtrap hits, only complaints. (Unusual in the above numbers scenario, but there could be other reasons ..??)

For example, traffic on 66.179.109.172 shows

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.1 .. 25%

Last 30 days .. 4.3 .. 91%

Average ........ 4.0

So traffic may have shifted from this server to the one listed for instance ..??

Bottom line, "we" can't answer you here without seeing more data. But, if one was to give your "they have talked to SpamCop Admin in the past .. repeatedly .." then one would think that the header/proxy issue would have been discussed by now, and if MXLOGIC hasn't fixed their side of the issue, not sure what else anyone else could do. Whitelisting an IP address to ignore "any" bad stuff would work for exactly the amount of time it would take a spammer to find out about that action being taken ....

Possibly a silly question ... why are "you" asking for help to get around an issue with a company that you are paying money to ...???? Just where is the staff of MXLOGIC?

Share this post


Link to post
Share on other sites
I'd have to see some headers.  All I can go on right now it stuff found at http://mxlogic.com/resources/FAQs.html

Not sure I follow that they could manipulate the flow of data this way and not be included within the e-mail headers .. which of course, they must be based on your complaint of them constantly getting listed.

You say "they contact you" .... they must be old hands at this, as the normal signs of an issue are postings to the newsgroups (or here since the creation of this Forum) .. but I'm not sure I've ever seen this outfit mentioned before.  That you then say "a couple of days later" pretty much goes with the "maximum of 48 hours after spew stops) ...????

"They don't run e-mail servers, they run proxy .." .... funny, open proxies is the latest rage for spammers, taking over compromised systems with fast connections to run their spew.  The problem with tracking down the source of that spew usually ends up with the Proxy being tagged as the source, as the headers don't contain the needed connection data of where the spew really came from ... you should be starting to draw some of your own conclusions here ...

If you're ready to jump out of your chair, don't ... there's no accusations of spammer here .. just talking about issues with the header data of traffic passed via a proxy ...and again, discussion done without seeing the evidence provided by a sample header to show what is and what isn't existing within that data ...

For your sample IP address, Senderbase http://www.senderbase.org/?searchBy=ipaddr...=66.179.109.175  showing;

Volume Statistics for this IP 

Magnitude Vol Change vs. Average

Last day ........ 4.1 .... 1212%

Last 30 days .. 3.1 ....... 26%

Average ........ 3.0

With 33 systems identified as serving up e-mail, this quantum increase in the last day's volume usually indicates a spam problem.  Also noting that the SpamCop "evidence" page shows nothing about spamtrap hits, only complaints.  (Unusual in the above numbers scenario, but there could be other reasons ..??)

For example, traffic on 66.179.109.172 shows

Volume Statistics for this IP 

Magnitude Vol Change vs. Average

Last day ........ 4.1 .. 25%

Last 30 days .. 4.3 .. 91%

Average ........ 4.0

So traffic may have shifted from this server to the one listed for instance ..??

Bottom line, "we" can't answer you here without seeing more data.  But, if one was to give your "they have talked to SpamCop Admin in the past .. repeatedly .." then one would think that the header/proxy issue would have been discussed by now, and if MXLOGIC hasn't fixed their side of the issue, not sure what else anyone else could do.  Whitelisting an IP address to ignore "any" bad stuff would work for exactly the amount of time it would take a spammer to find out about that action being taken ....

Possibly a silly question ... why are "you" asking for help to get around an issue with a company that you are paying money to ...????  Just where is the staff of MXLOGIC?

All good questions - let me see if I can answer as much as I can:

1) They claim they've done all they can. I'm just trying to figure out exactly what the deal is, here. Yes, I pay them money, and I can go somewhere else to have

my domain's email screened, but they do have a good service. I'm responsible for several domains worth of email through them, and it affects all the email.

2) Here is the only snippit of data that my email senders get. THey don't get this all the time, of course, because MXLOGIC has many many IP's that they can send email out on:

=========

Hi. This is the qmail-send program at dnsmadeeasy.com.

I'm afraid I wasn't able to deliver your message to the following addresses.

This is a permanent error; I've given up. Sorry it didn't work out.

<my email address is here>;

66.179.109.175 does not like recipient.

Remote host said: 550 Blocked - see http://www.spamcop.net/bl.shtml?66.179.109.175

Giving up on 66.179.109.175.

==========

3) Maybe I used the wrong word, "proxy". As best as I understand how the MXLOGIC system works, this is the sequence of events:

a) you point your MX records to their servers.

B) they receive email on your behalf, and in REAL TIME, they connect

with your "physical" (IP address of) the mail server where you email is hosted.

c) All error messages that the recipient mail server generates are passed

back to the sending server. That's what the error stream listed above is.

an email message from the dnsmadeeasy.com domain was coming to me,

and my mail server rejected it, because they check the sending IP address

(which in my case is ALWAYS mxlogic) agains spamcop.net

4) the increase in volume probably has to do with the hundreds of companies

they represent. Every one of my emails has to go through their system. They

have clients with many thousands of mailboxes that are filtered through their systems. maybe they turned on a new server, who knows. They're a company with three redundant NOC's, and multiple servers at each site.

5) their engineers have stated that they know of no solution to this issue - which

is why i'm raising the question here.

6) I'm not sure I understand the "header" issue you reference.

I understand that none of us want spam in our inboxes, I'm not sure how they

keep getting "recommended" to the spam list. That's not their business,

obviously, and will hurt them (and us, their customers) since almost all email going through their system is inbound (and then outboud) email for other

peoples servers.

Thanks for your time, just trying to understand what's going on here.

Here's an example of a good email, i don't get the ones that bounce...

Return-path: <myemail[at]host156.ipowerweb.com>

Envelope-to: myemail[at]address.com

Delivery-date: Wed, 06 Oct 2004 06:48:44 -0700

Received: from myemail by host156.ipowerweb.com with local-bsmtp (Exim 4.24)

id 1CFC9q-0004fZ-PR

for myemail[at]address.com; Wed, 06 Oct 2004 06:48:43 -0700

Received: from [216.183.119.103] (helo=p03m103.mxlogic.net)

by host156.ipowerweb.com with smtp (Exim 4.24)

id 1CFC9q-0004fU-9D

for myemail[at]address.com; Wed, 06 Oct 2004 06:48:42 -0700

Received: from cm1.dnsmadeeasy.com [63.219.151.7] (EHLO dnsmadeeasy.com)

by p03m103.mxlogic.net (mxl_mta-1.3.8-10p4) with ESMTP id 927f3614.20954.093.p03m103.mxlogic.net;

Wed, 06 Oct 2004 07:46:17 -0600 (MDT)

Received: (qmail 21284 invoked by uid 507); 6 Oct 2004 09:46:19 -0400

Delivered-To: address.com-myemail[at]address.com

Received: (qmail 21282 invoked by uid 507); 6 Oct 2004 09:46:19 -0400

Received: from vhmail1.cdw.com (12.32.90.87)

by dnsmadeeasy.com with SMTP; 6 Oct 2004 09:46:19 -0400

Received: from outmail.cdw.com (Not Verified[10.19.0.60]) by vhmail1.cdw.com with NetIQ MailMarshal (v6,0,3,8)

id <B4163f6d70000>; Wed, 06 Oct 2004 08:44:55 -0500

Received: from as400.cdw.com ([10.1.1.164]) by outmail.cdw.com with Microsoft SMTPSVC(5.0.2195.5329);

Wed, 6 Oct 2004 08:45:22 -0500

From: <xxxxxx[at]cdw.com>

To: <myemail[at]address.com>

Edited by Wazoo

Share this post


Link to post
Share on other sites

As mentioned elsewhere, you should be having MXLOGIC work directly with spamcop to resolve why the servers keep getting listed. This is not normal for a forwarding service in my experience. An alternative would be to switch services. You claim they have a good service but you also claim that you have a recurring problem "every couple of weeks". To me, that is terrible service.

At work, I use a similiar service to MXLOGIC called postini and have never had any such problem over the last 18 months (when we started with them) because they add the appropriate headers to the email message to indicate where they received the message from.

Received:  from psmtp.com ([64.18.1.158])          by mail.kopin.com (Lotus Domino Release 5.0.12)          with SMTP id 2004102016275503:3045 ;          Wed, 20 Oct 2004 16:27:55 -0400

Received:  from source ([24.203.62.240]) by exprod6mx18.postini.com ([64.18.5.10]) with SMTP; Wed, 20 Oct 2004 13:35:40 PDT

Does MXLOGIC do something similiar? You should look for at least one received line in the headers of your messages. If you post a set of complete headers, we may be able to detect a problem the parser may have with them. Even better, if you are a spamcop customer (or simply sign up for a free reporting account) and submit a test message that came into your address (and cancel any reports) then post a tracking URL from the reporting page, we may be able to see why spamcop is seeing MXLOGIC's srevers as the source.

There seems to be a diverse amount of spam being seem from that IP. I can see these and the report numbers because I am a paying customer.

Report History:

--------------------------------------------------------------------------------

Submitted: Wednesday, October 20, 2004 4:36:15 PM -0400:

Vãlium for less

--------------------------------------------------------------------------------

Submitted: Wednesday, October 20, 2004 2:08:18 PM -0400:

=?iso-8859-1?B?RGlldCBwaWxscyBoZXJlLiAgICAgag==?=

--------------------------------------------------------------------------------

Submitted: Wednesday, October 20, 2004 10:06:25 AM -0400:

beplaster exterior paragonite

--------------------------------------------------------------------------------

Submitted: Tuesday, October 19, 2004 5:41:21 PM -0400:

Please confirm Your account

--------------------------------------------------------------------------------

Submitted: Tuesday, October 19, 2004 5:41:21 PM -0400:

Mayra call your brother to do it.

--------------------------------------------------------------------------------

Submitted: Monday, October 18, 2004 3:34:10 PM -0400:

Inexpensive Vãlium

Share this post


Link to post
Share on other sites

See a parse in action on your sample at http://www.spamcop.net/sc?id=z684571850z49...61e5dda0dafbe4z

Of the most interest is the bit concerning your MXLOGIC outfit;

Received: from [216.183.119.103] (helo=p03m103.mxlogic.net) by host156.ipowerweb.com with smtp (Exim 4.24) id 1CFC9q-0004fU-9D for x; Wed, 06 Oct 2004 06:48:42 -0700

no from

216.183.119.103 found

host 216.183.119.103 = p03m103.mxlogic.net (cached)

host p03m103.mxlogic.net (checking ip) = 216.183.119.103

Possible spammer: 216.183.119.103

Received line accepted

Relay trusted (mxlogic.net)

It would appear that the SpamCop database does in fact know about this company and its servers (well, at least this one) So based on the "evidence" page, these results, StevenUnderwood's data, and the SenderBase numbers, it would be hard to guess at anything but what seems to be obvious ... there is definitely spam spew coming from the machine at this IP address. The "problem" does not appear to be at SpamCop.

Share this post


Link to post
Share on other sites
See a parse in action on your sample at http://www.spamcop.net/sc?id=z684571850z49...61e5dda0dafbe4z

Of the most interest is the bit concerning your MXLOGIC outfit;

Received:  from [216.183.119.103] (helo=p03m103.mxlogic.net) by host156.ipowerweb.com with smtp (Exim 4.24) id 1CFC9q-0004fU-9D for x; Wed, 06 Oct 2004 06:48:42 -0700

no from

216.183.119.103 found

host 216.183.119.103 = p03m103.mxlogic.net (cached)

host p03m103.mxlogic.net (checking ip) = 216.183.119.103

Possible spammer: 216.183.119.103

Received line accepted

Relay trusted (mxlogic.net)

It would appear that the SpamCop database does in fact know about this company and its servers (well, at least this one)  So based on the "evidence" page, these results, StevenUnderwood's data, and the SenderBase numbers, it would be hard to guess at anything but what seems to be obvious ... there is definitely spam spew coming from the machine at this IP address.  The "problem" does not appear to be at SpamCop.

19113[/snapback]

Thank you all for your input. This is a learning experience for us, lets see if I can

summarize what i've learned so far:

1) MXLOGIC service isn't perfect, and sometimes spam does slip through their

filters, and ends up going to someones inbox.

2) That person, (or server, or whatever process is running) catches/flags the

email as spam, and notes that it originated from the MXLOGIC

servers, since if you subscribe to their service, they add their header

to the top of the email.

3) Is this how they end up on your list? Are you saying there is something

they can do to what they add to the email headers to prevent this?

thanks again.

Share this post


Link to post
Share on other sites

To go further, I'm going to have to ask to take a step back. I ignored that your sample looked a but "doctored" ... as that munging didn't impact the point I was trying to make. However, now that you want to get more specific, that "doctoring" up of the sample is an issue.

For example ... the top handling line does not contain data to show where host156.ipowerweb.com actually received this e-mail from. (and you'll note the snippet in the parser output I provided commenting on this also;

no from

216.183.119.103 found

This may have been a mistake in the cut/paste/editing of that line .. or it could be a mis-configuration of this ipowerweb server (also noting that ipowerweb is not a stranger in these parts)

I wouldn't necessarily agree with your description of MXLOGIC adding their data to the Top of the header .. rather it's that they add their stuff to the header, which is the way things are supposed to work. Yes, it's added to the Top at that time, but as you see in the sample, it's not at the Top when finally received. Call it semantics.

What has been suggested is that spam is coming from MXLOGIC servers. Whther that's due to being compromised, screwed up, that "newly discovered" condition, or something else, I can't say without seeing an actual spam / report / complaint ... This goes back to why are you trying to troubleshoot an MXLOGIC problem. They are the ones that should have the evidence and conditions in front of them.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×