PVanderVossen

Trying to understand block


From the SpamCop listing:

http://www.spamcop.net/w3m?action=blcheck&ip=66.63.21.2

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

It appears this listing is caused by misdirected bounces. We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). Please read this FAQ and heed the advice contained in it.

We are using OS X Server (postfix) for our email server, but also have a Windows 2000 box which is scanning our email for viruses and spam coming in (Interscan Messaging Security Suite from Trend Micro). I believe it is entirely possible for an email to be addressed to a non-existent user at my domain (about 13,000 of these are being blocked a day by Interscan) which succeeds at getting past my spam filtering. That email would then be sent to our postfix machine, which would then bounce that email because it is not addressed to a valid person at our domain. My guess is that this bounced email is being sent to one of the SpamCop honey pots. Is that an accurate depiction of what could be happening to get us listed? If so, any recommendation of how I can fix that, short of manually listing every single possible account in the Interscan system? Since it doesn't have a direct link to our real mail server, it doesn't know what is a valid account or not. And even if it did, what happens when someone misspells an email address? Are we not to send an undeliverable reply to them any longer? Any help would be appreciated.

I did read as much as I could of the documentation on this site, but I don't really have any more time to figure out why only 1 of about 100 different spam blocking lists has us listed. Hopefully a post on the forums will be more fruitful than reading generic FAQs. I suspect if I had a legitimate problem here, we would be listed in more places.


Yes, that is probably what is happening to get you listed. Please follow the advice "If you must accept delivery before you know the status of a message, then file it internally - do not send, forward or bounce it outside your organization" on Why auto-responses are bad (Misdirected bounces).

Edited by Jeff G.


Which leads me back to this question: What happens when someone misspells an email address? Are we not to send an undeliverable reply to them any longer?

Excuse my ignorance of the ins and outs of hosting a mail server, since it is only one of about 1000 things I am charged with doing here.

Are these my two choices?

1. Send undeliverable reports on undeliverable messages (thousands of which are undeliverable themselves) and be listed by SpamCop.

2. Eat the email, just delete the undeliverable messages, and never notify the sender. This would seem the right technical solution, but doesn't really do much for the users I have on the system who have names that are hard to spell, and have customers who are trying to get email to them.

Is there some third choice or method that I am not thinking of?

Thanks.


I would suggest 2, with as many aliases as necessary to reduce your workload (or that of your Postmaster Team). Of course, many aliases (for nonexistent addresses that are shared by spammers) can safely be aliases to Dave Null or to an account for which all mail is reported.

In addition, LDAP and RADIUS are two real-time options and periodic flat-file transfer is one delayed option for providing Internet-facing mailservers with user info, but I don't know if Interscan Messaging Security Suite supports any of those options.


A third choice would be to "file it internally - do not send, forward or bounce it outside your organization" until a human can investigate it and confirm that the sending address is reasonable.

Another possibility would be for your AV server to ask the mail server whether an address is valid and reject the message immediately if not. That would also take care of your misspelling problem. The originator would receive the error message.


FYI, you should really take care of the one error noted on http://www.dnsreport.com/tools/dnsreport.c...llenshariff.com - "No NSs with CNAMEs - ERROR: router.allenshariff.com. has a CNAME entry (backup.allenshariff.com.); it is not valid to have a CNAME entry and NS entries for router.allenshariff.com.. See RFC1912 2.4 and RFC2181 10.3 for more information." or you may find router.allenshariff.com listed by bogusmx.rfc-ignorant.org per bogusmx.rfc-ignorant.org listing policy.

> Is there some third choice or method that I am not thinking of?
>
> Thanks.

Perhaps I'm missing something here, but the obvious third choice is to reject the mail (with a 5xx permanent error) at the time of the SMTP transaction. Rejection goes to the right place, sender notified, no-one abused, IP not listed, everyone happy. Too obvious?

Edited by Derek T

> Perhaps I'm missing something here, but the obvious third choice is to reject the mail (with a 5xx permanent error) at the time of the SMTP transaction. Rejection goes to the right place, sender notified, no-one abused, IP not listed, everyone happy. Too obvious?

Derek, as stated, the machine that first accepts the mail does not know whether an account is valid or not.

From the first post:

> If so, any recommendation of how I can fix that, short of manually listing every single possible account in the Interscan system? Since it doesn't have a direct link to our real mail server, it doesn't know what is a valid account or not. And even if it did, what happens when someone misspells an email address? Are we not to send an undeliverable reply to them any longer?

> Derek, as stated, the machine that first accepts the mail does not know whether an account is valid or not.
>
> From the first post:

So, I was missing something! But at least I answered the 'even if it did' part!

> We are using OS X Server (postfix) for our email server, but also have a Windows 2000 box which is scanning our email for viruses and spam coming in (Interscan Messaging Security Suite from Trend Micro). I believe it is entirely possible for an email to be addressed to a non-existent user at my domain (about 13,000 of these are being blocked a day by Interscan) which succeeds at getting past my spam filtering. That email would then be sent to our postfix machine, which would then bounce that email because it is not addressed to a valid person at our domain.

Most mail admins would say that you have the process backwards. You should have the Postfix box as the internet-facing box to protect the Windows box that is running your antivirus and antispam software. You could then use the SMTP transaction time to filter viruses and spam, with appropriate reject codes. Plus you could do rejections based on valid user name. No more accepting then bouncing, which seems to be your problem.

The postfix.org site has an excellent paper on avoiding backscatter. Just go to postfix.org and search for 'backscatter'. The postfix.org mailing list has plenty of helpful folks to help you untangle the beasty. It's a busy list, so be warned.
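The two approaches argued over above (accept everything and let the internal server bounce, versus reject unknown recipients with a 5xx at RCPT TO) can be modelled side by side. This is an added example, not code from the thread or from Postfix; the user list, domain and envelopes are constructed, and the reply strings follow the usual SMTP enhanced-status form.

```python
# Added example, not from the thread: models the two gateway behaviours the
# replies contrast. "Accept, then let the internal server bounce" turns every
# spam with a forged MAIL FROM into a DSN aimed at an innocent third party;
# "reject at RCPT TO" leaves notification to the sending MTA, so no DSN leaves us.

VALID_USERS = {"alice", "bob"}      # constructed sample directory
LOCAL_DOMAIN = "example.com"        # placeholder for the real domain

def recipient_known(rcpt):
    """True if rcpt is a deliverable mailbox in our domain (case-insensitive)."""
    local, sep, dom = rcpt.rpartition("@")
    return sep == "@" and dom.lower() == LOCAL_DOMAIN and local.lower() in VALID_USERS

def accept_then_bounce(mail_from, rcpt):
    """Gateway with no recipient knowledge. Returns (rcpt_reply, dsn_target).
    The internal server later generates a DSN to the envelope sender; a null
    sender (MAIL FROM:<>) never gets one, so that case yields no DSN either."""
    if recipient_known(rcpt):
        return "250 2.1.5 Ok", None
    return "250 2.1.5 Ok", (mail_from or None)   # backscatter to forged sender

def reject_at_rcpt(mail_from, rcpt):
    """Gateway that validates recipients during the SMTP transaction. The 5xx
    goes back to the connecting MTA, which informs its own user; we send no DSN."""
    if recipient_known(rcpt):
        return "250 2.1.5 Ok", None
    return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % rcpt, None

def simulate(policy, envelopes):
    """Run (mail_from, rcpt_to) envelopes through a policy and count SMTP-time
    rejections and DSNs that would leave the organisation."""
    stats = {"accepted": 0, "rejected": 0, "dsn_sent": 0, "dsn_targets": []}
    for mail_from, rcpt in envelopes:
        reply, dsn_target = policy(mail_from, rcpt)
        stats["accepted" if reply.startswith("2") else "rejected"] += 1
        if dsn_target:
            stats["dsn_sent"] += 1
            stats["dsn_targets"].append(dsn_target)
    return stats

# Constructed traffic: a dictionary-attack spam run with forged senders, one
# null-sender message, and a customer who misspelled alice's address.
SAMPLE_ENVELOPES = [
    ("victim1@forged.example", "john@example.com"),
    ("victim2@forged.example", "sales@example.com"),
    ("", "nobody@example.com"),
    ("customer@partner.example", "alcie@example.com"),
    ("customer@partner.example", "alice@example.com"),
]
```

In Postfix the same effect comes from giving the Internet-facing server the full recipient list via relay_recipient_maps, or from a live check with reject_unverified_recipient; either way the unknown address is refused at RCPT TO instead of being bounced later.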


I think I understand the comments here, and I will be working on this within the next two days. Meanwhile I have a company of 65 people that can't send email to certain clients because of a stupid quirk in the way email is handled or rejected.

I have a question in relation to Spamcop policy.

I see on the front page:

NEWS:

Postmasters, please limit forgery blow-back:

Delayed bounces, virus notices, vacation messages More..

If SpamCop realizes that servers are getting listed because a spammer has forged an address and bounced an undeliverable message back to a SpamCop honey pot, why can't SpamCop ignore undeliverable reports to their honey pots? It seems like that would be the responsible thing to do. Rather than require thousands of postmasters to modify the way their systems are bouncing emails, why not make one change to the way your service collects addresses?

Edited by PVanderVossen


Obviously bouncing to forged e-mail addresses is abusive as it often ends up in the mail box of innocent recipients. If anything this policy should be strongly implemented/enforced, so Postmasters will (as they should) make the changes necessary to prevent such abuse.

Edited by dra007

> If SpamCop realizes that servers are getting listed because a spammer has forged an address and bounced an undeliverable message back to a SpamCop honey pot, why can't SpamCop ignore undeliverable reports to their honey pots? It seems like that would be the responsible thing to do. Rather than require thousands of postmasters to modify the way their systems are bouncing emails, why not make one change to the way your service collects addresses?

We SpamCop Reporters don't have that luxury (ignoring undeliverable reports). We choose to protect our mailboxes from mailservers that backscatter.

> If SpamCop realizes that servers are getting listed because a spammer has forged an address and bounced an undeliverable message back to a SpamCop honey pot, why can't SpamCop ignore undeliverable reports to their honey pots? It seems like that would be the responsible thing to do. Rather than require thousands of postmasters to modify the way their systems are bouncing emails, why not make one change to the way your service collects addresses?

1. For every spamtrap hit there are what? 1,000, 10,000, 100,00? abusive bounces to real people with real inboxes. Some people have received so many bounces because their 'from' address has been spoofed as to make their accounts unusable.

2. Put yourself in the spammer's shoes. You find an address that 'bounces' your spam to the forged 'from'. All you have to do is send the entire run to that address and put your list of 1 million live addresses into the 'from' instead of the 'to'. The obliging bouncer then acts as an open relay for you! IOW anyone can relay from PVanderVossen's server as set up at present in this way.

> If SpamCop realizes that servers are getting listed because a spammer has forged an address and bounced an undeliverable message back to a SpamCop honey pot, why can't SpamCop ignore undeliverable reports to their honey pots? It seems like that would be the responsible thing to do. Rather than require thousands of postmasters to modify the way their systems are bouncing emails, why not make one change to the way your service collects addresses?

Postmasters are professional people, part of whose job it is to be responsible citizens of the internet. It is a nuisance and a headache to have to change your system, but many of the people who receive these kinds of emails are upset and scared and angry because they think that /they/ have been labeled as a spammer. There are many more of them than there are postmasters. And once you have fixed it, your 65 users will have no more problems (and you could have them use the phone, fax, or alternate email address). If you don't fix it, then thousands of people will be alarmed when they get a bounce from an email that they didn't send for as long as your system is working.

As a historical note, spamcop did not used to allow reporting of this kind of email. However, people wanted to be able to report them as spam since they are just as annoying especially if the spammer uses one's email address for the whole spam run.

Blame the spammers for spoiling another aspect of email that once was useful.

Miss Betsy

Edited by Miss Betsy


Oh, I would agree, it is definitely the spammers at fault. They obviously keep thinking of new ways to get their messages out, at no cost to themselves, but at great cost to everyone else. That definitely pisses me off to no end, but I didn't understand how adding our server to the block list was really accomplishing something.

The example someone gave of the spammers using my server's undeliverable reports to deliver their spam I guess is a valid example, but I don't think it's really fair to say our server is configured improperly. 5 years ago if my server sent a bounceback for a bad email address, it was not a problem. It probably only happened a few times a day. It is because the spammers are brute force attacking servers CONSTANTLY with invalid addresses that all of a sudden my configuration is offensive. That is why blocking my company's ability to send email is frustrating. We technically haven't done anything wrong, and we get blocked, and I don't see ANY of the spam fighting services even making a dent in the overall number of spam received. Sure, millions more get blocked than just last week, but they just double the amount they send out. I just get fed up with the entire situation, as I am sure many here are, and "targeting" legitimate mail servers just seems wrong to me.

> 5 years ago if my server sent a bounceback for a bad email address, it was not a problem.

Things change, common courtesy and best practices evolve. Providing a path for back scatter is not a best practice, and has been changing for a couple of years now, at least. Please keep up with the current state of affairs in your position as an internet citizen.

All of the professionals on this board have gone through that same change. Three years ago, my CFO saw no need to eliminate spam from the corporate email, even though I saw the increase. Two years ago, that changed. We use an external company to accept our messages, scan for content and hold questionable messages. Not allowing back scatter was my number 1 question of every company we talked to.

> That is why blocking my company's ability to send email is frustrating.

Reality check: you can send as much as you like, no-one is blocking the sending end. SOME admins may choose not to receive it (not recommended by SpamCop) or to tag it as possible spam (recommended, and what SpamCop does for its own customers). Bottom line: we don't want your blowback in our inboxes and we have no way to tell what's blowback and what's legit from your IP, as it's configured at present. That's why it's (quite rightly) listed as a source of abusive email. Your call.

Edited by Derek T

> I just get fed up with the entire situation, as I am sure many here are, and "targeting" legitimate mail servers just seems wrong to me.

Unfortunately, most legitimate mail servers have learned how to keep spammers from signing up for the service so the spammers have resorted to illegitimate ways of using legitimate servers through trojanned machines and using barrages of false addresses.

Most sys admins who become aware of the situation through being listed on SpamCop are thankful to learn how they can stop the new spammer tactics - especially since they age off the SCBL quickly as soon as they fix the problem. No one wants spam. If you haven't discovered how to use blocklists (not just SpamCop's) to stop spam from entering your system, then you might well read some of the reasons why they are so effective. Another reason that sys admins are thankful to SpamCop is that if the spam continues to come from their network, then other, less aggressive, blocklists will add the IP address to their blocklist and it is not as easy to be removed from those lists.

Think of it not as 'targeting' legitimate mail servers, but as providing legitimate mail servers with early warning of spammers exploiting their systems. Although spam traps don't make reports (because they are not 'real' email users in that they don't send email), if a reporter had made the report, then you would have gotten a report. That is part of the SpamCop purpose - to notify sys admins of spam problems - that has evolved (since it worked so well) into giving a heads-up on new spammer illegitimate exploits.

Miss Betsy
