Senderbase listing, trying to make sense of it

[StevenUnderwood]

I did hear on another forum that, yet again, this was probably my fault for having a domain which was not registered at abuse.net.

Just curious, but what forum?

I know SpamCop uses abuse.net registration for its reporting addresses, but that makes sense because that is what abuse.net is there for. Like you, I would never expect it to affect a reputation score.

[technion]

Just curious, but what forum?

Microsoft's internal Partner Community (Exchange Miscellaneous).

Probably the last group of people I'd expect to be cluey on this, but then, Exchange configuration issues were suggested on this forum, so I took it there.

Presented them with full dumps of all Exchange config data, but when noone could see anything wrong, they started looking for less obvious issues in the same way we all have been.

Update: Still neutral four hours on.

[Farelf]

...I did hear on another forum that, yet again, this was probably my fault for having a domain which was not registered at abuse.net. ...

I never would have thought of that, should have - more accustomed to thinking in terms of rfc-ignorant.org listings maybe. So much for 'considering the improbable', eh? SenderBase could be a lot more helpful, especially in personal messages (which would save having eventual solutions 'broadcast' in open bulletins ).

Thanks for the update to the 'knowledge base' and for the good news. Reputation still neutral at time of this post - SB response delay seems to be permanent now - probably deliberate (in which case one could almost grow fond of captcha as an alternative).

[technion]

Thanks for the update to the 'knowledge base' and for the good news. Reputation still neutral at time of this post - SB response delay seems to be permanent now - probably deliberate (in which case one could almost grow fond of captcha as an alternative).

It could still be completely coincedental. For all we know we got punished for 15 days because of one reported incident.

Most of the options are requite depressing here. Whether it's abuse.net, loooong delisting periods, the fact a long established rDNS name for changed, or something else entirely, it's all stupid when you don't tell the person.

Open relays only get closed when they are told it gets them off an RBL in a matter of hours. This reputation guesswork is rubbish, and it does nothing to encourage people to improve their networks.

I'd also like the bigger Australian ISPs, all of whom seemed to be using this garbage filter system, who'd like to consider this. Multiple tech support agents would only give me the same thing about a "zero tolerance approach to spammers" and couldn't comprehend at all that this reputation system doesn't necessarily make guarantees about a certain IP belonging to a known spammer.

[Farelf]

...I'd also like the bigger Australian ISPs, all of whom seemed to be using this garbage filter system, who'd like to consider this. Multiple tech support agents would only give me the same thing about a "zero tolerance approach to spammers" and couldn't comprehend at all that this reputation system doesn't necessarily make guarantees about a certain IP belonging to a known spammer.

Agree, trouble is, it is extremely effective against the majority problem - spam from botnet senders (more than 50% of the traffic hitting every network, often 90% +) pushing fast-flux hosted spamsites (or Chinese/Romanian, whatever 'bulletproof' hosts, virtually untouchable). My provider, iiNet, uses it (switchable for inwards mail within user accounts) and I was able to infer ~99.7% effectiveness in stopping spam, judging by a 30 day trial with inwards filtering switched 'off'. Around 3,500 spam received in that time, compared to the default of having it switched 'on' when around 12 would be expected over the same timeframe. Which ain't bad for a commercial solution. No evidence of false positives seen but that can be hard to know - and your case demonstrates it will occasionally happen - though not a false positive in SB terms. Seems SB are quite prepared to live with low incidence false positives/injustices, in preference to making some very minor concessions in terms of 'policy' disclosure, as long as their clients are happy too (can't expect things to be otherwise). The end-users mostly live in a permanent state of numinous incomprehension so little/no pressure on providers from them. 'Such is life,' as Ned said. As proposed, ACMA might be able to make a difference - as an outside chance and while Conroy is boosting them above their former situation of obscurity.

[Farelf]

Noting from http://www.senderbase.org/senderbase_queri...g=61.14.113.190 "SenderBase reputation score Good" - despite 0 Last day magnitude. And showing "Hostname: mail.livingcare.org.au". The object of "trying to make sense of it" is not working out well but nice to see that green.

[technion]

Noting from http://www.senderbase.org/senderbase_queri...g=61.14.113.190 "SenderBase reputation score Good" - despite 0 Last day magnitude. And showing "Hostname: mail.livingcare.org.au". The object of "trying to make sense of it" is not working out well but nice to see that green.

It's telling me "neutral" at the moment, but I'll take grey over red any day.

I'm sure no closer to making sense of it, but I thank all the comments the same. It was helpful to at least keep busy with something throughout this process.

[westryn]

Hello,

Like another poster (technion), I'm aware that this isn't a senderbase forum, but I don't know where else to turn. I sent emails to support[at]senderbase.org on Mar 21 and Mar 22, and (in desperation) to dns-admin[at]ironport.com and hostmaster[at]ironport.com on Mar 23, but I've so far received no response.

My (primary) email server at 98.124.190.3 is listed at senderbase as "Poor", but I can find no reason for that other than my IP addresses recently changed. I run a small web hosting business (www.westryn.net). Around March 16 we moved our servers (web, email, dns, etc) to a new co-location facility, and of course we received new IP addresses. I assume that the new-to-us IP addresses were not previously in use, so when they were assigned to us their usage went from zero to a few hundred emails per day. We handle the email for our own business, plus emails generated by the websites that we host. Those emails are mainly order confirmation emails etc for e-commerce sites. We don't run any mailing lists.

I believe our rating has been "Poor" since the moment that the mail server was turned on in the new facility on the new IP address, as some MTAs refused to talk to our mail server right away.

We were not blocked by anyone when we were on the old IP addresses (the old mail server IP was 66.228.55.4, and you can see at senderbase that the current daily magnitude is now zero).

The senderbase query doesn't show us to be on any block lists at all. I do have reverse DNS in place, the forwards and reverses match, and I control the reverse DNS zone. I don't understand why the senderbase query results don't seem to see the reverse DNS.

I have abuse email addresses in place (and have had since the early 1990's), and I have registered them at abuse.net. Our hosting clients do not use us as a connectivity ISP, so they do not send their general email out through our mail server. We don't have anything except our servers on this block of IP addresses.

Because of the rating, many of my outbound emails are being blocked, with log messages like this (they vary depending on the particular destination):

554 Access to this email system has been rejected due to the sending MTA's (Hostname=mail3.westryn.net IP address=98.124.190.3) poor reputation score. Your current email server reputaion can be viewed at http://www.senderbase.org/

In fact, my server monitoring software can't even send txt messages about server problems to my cell phone because the txt service has blocked my emails (I am working with the txt service to try to get our mail server whitelisted with them).

I contacted AOL directly, and they have whitelisted us. But, it's obviously not practical for me to contact individually every ISP to which we or our hosting clients might send mail and ask them to whitelist us.

I have not received any reports of abuse to any of my (or my clients) abuse email addresses.

Can anyone please help me understand why my rating is Poor, so that I can fix the problem? Or, does anyone know of another way to contact senderbase, other than sending email to their support address?

Thanks in advance for any help!

[Wazoo]

Asking the same questions, telling pretty much the same tale .... This Topic will be mergd into that existing Discussion .....

[StevenUnderwood]

Asking the same questions, telling pretty much the same tale .... This Topic will be mergd into that existing Discussion .....

While over on senderbase yesterday, I noticed an "IronPortNation" link which points to: http://www.ironportnation.com/forums/

I don't know what is being discussed in there, however. Anyone looked it over yet?

[Miss Betsy]

has anyone from the forum tried contacting senderbase? Now that there are two posters with the same problem, possibly an email from a third party might, at least, get someone thinking that their 99.98% rate (and now I don't remember whether it was for the amount of spam caught or for the number of positive positives). Anyway, it doesn't look good to be catching false positives. If they are like spamcop, there will be no answer, but things might change.

Miss Betsy

[technion]

Can anyone please help me understand why my rating is Poor, so that I can fix the problem? Or, does anyone know of another way to contact senderbase, other than sending email to their support address?

Unfortunately, if such a contact method existed, I would have done it.

At least AOL whitelisted you - none of the ISPs around here would do that.

has anyone from the forum tried contacting senderbase? Now that there are two posters with the same problem, possibly an email from a third party might, at least, get someone thinking that their 99.98% rate (and now I don't remember whether it was for the amount of spam caught or for the number of positive positives). Anyway, it doesn't look good to be catching false positives. If they are like spamcop, there will be no answer, but things might change.

Wazoo posted in my thread on Mar 24 2009, 07:31 AM that he was unable to get senderbase to ever respond to his emails either.

The major difference here is that Spamcop:

a) Post enough information on their website that if you are listed, you know exactly why, and how to get delisted

Have a forum right here with people who can get action

Senderbase has neither of those things. It's not the product that's frustrating, it's the ivory tower "don't talk to us just use our filters" approach that is their problem.

[Miss Betsy]

Since both posters have just gotten new IP addresses, it seems to be the sudden upsurge of email that is the cause of the poor reputation - a common sign of a spam run (according to several quotes on the senderbase site). IIRC, someone else had the same problem, but other forum members kind of suspected that the poster really was either a spammer or someone who was clueless about mailing lists.

Obviously, senderbase/Ironport/Cisco does not want to publish FAQ about how to improve one's reputation since spammers would immediately try to get a good reputation and then spam.

The two posters in this topic can feel special since they are 'one in a million' server admins! <g>

Quote from one of the links from senderbase.org: "A key benefit of using Cisco IronPort Hosted Email Security is anti-spam efficacy. Powered by the Cisco SenderBase® Network, which has real-time visibility into the threat landscape, Cisco IronPort Hosted Email Security delivers the industry’s highest spam catch rate (greater than 99 percent) with a less than one in one million false-positive rate."

Seriously, even if the chances are very low, it seems like Cisco IronPort should be interested in what is obviously a problem. Whoever was supposed to get email from the two networks probably aren't happy campers either.

It would seem to me that the solution would be for server admins to be proactive when they switch IP addresses by informing senderbase before they switch to show that they have a good reputation and that whoever they are getting the new IP addresses from also has a good reputation for their netblock. Like the deputies do at spamcop, the 'deputies' at senderbase could manually adjust the reputation for a certain period of time (however long it takes for the new IP address to get a good reputation based on its volume).

I doubt very much whether a spammer could find a way to abuse that system since there would have to be evidence that they were the owners of the old address and the new IP block owners would be alerted to a possible threat to their good reputation by a request from senderbase for verification that so-and-so would be moving their servers to this netblock. In fact, it might be a good thing for everyone concerned as a preventative measure and it could even be published on the website. If a server admin was checking his reputation on a regular basis, s/he would know about it and if s/he wasn't proactive then like the ones who come to spamcop because they were blocked because they were clueless (like the misdirected bounces), there is nothing to do but wait it out until their reputation improves. It also doesn't put an undue strain on senderbase because it is only one in a million instances.

IMHO, if this solution seems to be workable, it would be listened to by senderbase if it came from a server admin with a good reputation.

Miss Betsy

[technion]

Since both posters have just gotten new IP addresses, it seems to be the sudden upsurge of email that is the cause of the poor reputation - a common sign of a spam run (according to several quotes on the

My long term ownership of the IP address in question was discussed already on this thread.

If a server admin was checking his reputation on a regular basis,

You have to consider what's a fair burden to place on network owners.

Setup a reverse DNS. Setup a forward DNS. Make sure your HELO matches it. Register at abuse.net. Setup a firewall that doesn't allow port 25 outbound except from the server. Deal with users who get grumpy that their POP/SMTP accounts on outside servers suddenly don't work. And no, they don't care that there's a port 587 they can still use.

Stop backscatter. Harder than it should be under Exchange 2007.

Setup SPF records.

Check the IP at any of the multi-dns RBL checks out there. Check yourself against Trusted Score. Check yourself against Barracuda.

Distribute an email use policy. Argue with marketing for days that purchased email lists are not appropriate.

It would be less of an issue if Senderbase published a standard DNS lookup that sites like www.robtex.com could plug into (just add one to the list). But they've made a business decision to go proprietry. Even the Perl Net::Sender module I tried working with (to save dealing with the website) tells you everything on the Senderbase database about an IP - except it's score. This is a well documented business decision to go another route. Instead, you load up this awful website that produces seemingly random results (still flapping between neutral and good, while doing constant refreshes) after sitting through 5-10 minutes of lag, hoping your browser doesn't time out on you. I'd really hate for regular repeating of this process to be added to the lists of tasks for a "responsible mail server admin".

IMHO, if this solution seems to be workable, it would be listened to by senderbase if it came from a server admin with a good reputation.

There have been multiple replies from people stating senderbase contact has been a big black hole. I got the impression that at least one of these users were currently having no reputation issues.

When you do get a reply, it's automated, you're not talking to anyone in power, you're talking to a cut + paste guy who clearly doesn't have the authority to act on suggestions, and although I'd love to hear about something placed up the chain, I don't believe it will happen.

While over on senderbase yesterday, I noticed an "IronPortNation" link which points to: http://www.ironportnation.com/forums/

I don't know what is being discussed in there, however. Anyone looked it over yet?

I found this some time back. It appears to be restricted to Ironport customers.

Ironport's implied view on these sorts of issues seemed to come down to "it's not our fault if Senderbase if incorrect, it's an independant third party, which we just happen to own".

[Farelf]

...Setup a reverse DNS. Setup a forward DNS. Make sure your HELO matches it. Register at abuse.net. Setup a firewall that doesn't allow port 25 outbound except from the server. Deal with users who get grumpy that their POP/SMTP accounts on outside servers suddenly don't work. And no, they don't care that there's a port 587 they can still use.

Stop backscatter. Harder than it should be under Exchange 2007.

Setup SPF records.

Check the IP at any of the multi-dns RBL checks out there. Check yourself against Trusted Score. Check yourself against Barracuda.

Distribute an email use policy. Argue with marketing for days that purchased email lists are not appropriate. ...

That is a wonderfully succinct exposition. It should be tattooed (mirror image so they can read it) on many a forehead. Yes, quite a burden and a scandal IMO that SB adds more, like the strike of summer lightning, (rare), devastating, unannounced and unpredictable.

Robtex blacklistings seems to have gone sour at the moment BTW, it seems to me not to be picking up some listings.

[Miss Betsy]

OK, it wasn't an IP address change, it was a domain name change. Obviously, that would have to be included in the 'changes' Did that coincide with the reported incident on March 15th? Possibly some recipient didn't recognize the name change and reported an email from your network as spam?

I know that server admins are kind of between a rock and a hard place in trying to get end users to understand how email works. In spite of being a regular here, I still have a very vague idea of how it works.

However, senderbase would be part of what server admins need to check every once in a while. I don't know how server admins get to know things (like the change in allowable bounces), but they seem to know them. After a very short period when spamcop started allowing reporting of misdirected bounces, the only posters here were people that didn't seem to know very much about how to run an email server or didn't need to keep up with any advances in order to satisfy customers or bosses.

I don't expect any email to senderbase would be answered with anything but a cut and paste. However, I don't despair of someone actually reading it for content. And, even if senderbase didn't make any attempt to address this issue publicly, it still might work for other server admins who are going to make a change to notify senderbase before the fact of making a change.

I agree with your frustration about the lack of cooperation from senderbase on how to avoid a poor reputation. But it seems to be a fact of life now. The only approach that seems likely to work is to point out that within a week, two of the 'one in a million' false positives showed up with similar issues.

Miss Betsy

[technion]

OK, it wasn't an IP address change, it was a domain name change. Obviously, that would have to be included in the 'changes' Did that coincide with the reported incident on March 15th? Possibly some recipient didn't recognize the name change and reported an email from your network as spam?

Again, discussed earlier. We changed the name after several days already on the blacklist to see if it would help a delisting. t did not.

I'll note that change is yet to be reflected on the senderbase page.

The domain change was my IPs rDNS domain. There were no changes to actual email addresses at any point.

[Miss Betsy]

Before you get too frustrated with me, remember I am an end user!

I was just trying to guess at what the 'report on March 15th' could have possibly been from?

Both of the reputation problems in this topic seem to have been connected with a change which altered the reputation score - for unknown reasons - but probably have to do with the change not being recognized as a change, but a new player with no reputation. However, you do have a 'report' to contend with.

From a consumer point of view, problems like this are solved by either convincing the store/organization/whatever that a new policy is warranted or by finding out how to avoid the problem in the future (often by trial and error without the cooperation of the entity). It is not always easy and sometimes it never works until consumers band together and have a confrontation.

I still think two 'one in a million' makes the 'one in a million' a little suspect so there are probably lots more out there. It might make some ISPs re-think using senderbase as 'the' authority. Just as most ISPs do investigate spamcop reports before shutting down a customer and the scbl is not always used to reject messages since it is so aggressive.

Miss Betsy

[technion]

I still think two 'one in a million' makes the 'one in a million' a little suspect so there are probably lots more out there.

Definitely agreed. I did find a number of discussions around the place with similar issues. The major difficulty is someone needs to be fairly skilled to convince people that it's not their problem.

And when you say "I'm running a Netgear modem as my firewall", which realistically, many budgets don't have any opposing choice for, you acknowledge viruses can get through that modem. Whether that's what happened or not, there's doubt there, and it's hard to prove your innocence.

[Wazoo]

While over on senderbase yesterday, I noticed an "IronPortNation" link which points to: http://www.ironportnation.com/forums/

I don't know what is being discussed in there, however. Anyone looked it over yet?

Tried to follow instructions to Register. Roadblock when forced to provide a Customer ID or Serial Number .... so went to the direct Forum Registration link. It appeared to work, but then did a redirect to the IronPort Support Portal Registration again. Apparently, there is linkage between the Forum and the Portal Suppot database. E-mail notification from the attempted Forum Registration has yet to occur, suspect it won't. Waiting for the clock to roll around to Pacific time to give someone a call.

Near as I can make out from the scanty details offered up in all the advertising hype, I'm going to liken the situation much as the 'problem' area of the spamcop.net parsing system when it comes across am unrecognized 'relay' .... the first few parses that see this 'new' relay, the parsing stops and ends up targetting this relay for a Report. Some parses later, this 'new' relay is recognized, and the parse then (usually) correctly then marches on to the more likely real source of the e-mail.

As far as SenderBase, I'm leaning towards the seemingly demonstrated decision process/results of .... new Domain/IP Address, a sudden ramp-up in traffic, bias is set to 'assume' that something bad has happened, the bias being set to match the advertised 'immediate reaction' to the 'assumed' bad traffic. What would seem to be missing in this scenario is the'adjustment' and/or decision that would normally be based on the ratio of 'seen' traffic and 'bad' traffic before making the rating decision .. or rather what seems to be happening, making the initial determination that the involved IP Address is a compromised system then letting time, traffic, and results 'adjust' the rating upwards. (Just noting that this is simply a bit of a guess .... trying to research e-mail reputation seems to keep sliding into web reputation, so many specific details left unsaid (other than the hype)

[Miss Betsy]

The marketplace definitely edges out the small guy - which is in direct opposition to the concept of the great World Wide Web.

I would like to help you but in another topic it has been demonstrated, it really takes someone who can 'talk the talk' and give them something to work with to get their attention. IMHO, the only solution is 'co-operatives' or associations, but when I researched it several years ago, the personality type of the server admin does not mesh well with that type of scenario. Server admins like, 'my server, my rules' and 'like or leave it' which doesn't compete well with bottom line capitalists - except in old western movies.

Miss Betsy

[Wazoo]

Waiting for the clock to roll around to Pacific time to give someone a call.

Talked for a bit with Abagail, who has opened up a ticket in reference to a possible waiver to the non-customer access to the IronPort Support Portal/Forum. Perhaps an answer tomorrow, certainly by Monday she says. We both agreed that my "volunteer status" may be an issue. She is a customer support contact for IronPort hardware, but admits to not being intimate with the details of either SpamCop or SenderBase. All I can do for now.

[Farelf]

...a ticket in reference to a possible waiver to the non-customer access to the IronPort Support Portal/Forum. Perhaps an answer tomorrow, certainly by Monday she says. ...

Good work, let's hope. Not as if you would be trying to 'bell the cat', and they can't ignore 'minor' effects (they're not so minor for those they affect - bad ethics, and it actually is dangerously deluded - "group think" - to allow self-congratulation to blind one to potential problems - bad business).

IronPort-SB should be jumping all over the chance to find out what is happening at the fringes of reliability. Scientists and engineers would all agree - that's where the interesting stuff happens. Like others, I'm not so sure about their fringe being 0.01%. That may be so for false negatives (and my own experience would strongly support that) but information on false positives is harder to get/estimate and, unlike false negatives, false positives even in low proportions are harmful, potentially extremely harmful.

Not sure if I'm getting this across with sufficient clarity but heck, if you build a thousand bridges and one of them falls down there is no way you can write it off as 'bad luck', 'within statistical expectation' etc. You have to find out *why* and incorporate that knowledge into prudent rectification if indicated.

[Miss Betsy]

OTOH, engineers build bridges for 30 year, 50 year, 100 year floods.

I am all for IP addresses getting blocked, even if they have legitimate customers, if there is a real problem. End users need to be as responsible about their connectivity as server admins and have a stronger say in correcting problems than outsiders.

It would be nice to have a list (the way that there is for mailing list managers) of the things, server admins need to do to be 'good' netizens - from closing relays to registering an abuse address. Some of them may be part of how a blocklist determines whether to list an IP address or not, but it doesn't compromise the parts which have to be kept private. It always helps in convincing someone to right a wrong to know a lot of details. A non-profit lobbyist told me a story about State Representative 'Lobby Day' - the lobbyists who went there with a passion and tried to persuade opposing Representatives to vote for legislation in support of their issue got nowhere. The Representatives would wait until they took a breath and ask them about Section 4, item 3. When the lobbyist couldn't answer, end of conversation. The savvy lobbyists cornered sympathetic Representatives and pointed to Section 4, item 3 and told them how it would work better if phrased differently. If a Netgear Modem is a known problem, but one admits it up front with all the measures one has taken to prevent viruses, one has better chance to convince another server admin that one is not a spammer, but falls in the fringes.

OTOH, there are always going to be glitches - from power outages to poor reputations because of being on the fringes. Some may have solutions - proactive planning about changes might work; others like power outages just have to be endured.

Miss Betsy

[Farelf]

OTOH, engineers build bridges for 30 year, 50 year, 100 year floods. ...

Yes, but I am talking about failure inside the design parameters.

...I am all for IP addresses getting blocked, even if they have legitimate customers, if there is a real problem. End users need to be as responsible about their connectivity as server admins and have a stronger say in correcting problems than outsiders.

Yes, but how is that applicable here? I compared it to summer lightning ...

It would be nice to have a list (the way that there is for mailing list managers) of the things, server admins need to do to be 'good' netizens - from closing relays to registering an abuse address.

The O/P's 'exposition' covers most of it succinctly and yes, it would be good if he could be credited with doing 'all the right things' and, at the end of the day, neither he nor his network has been shown to do anything 'wrong'. The single 'indictment' mentioned is very debatable, as I suggested earlier.

Some of them may be part of how a blocklist determines whether to list an IP address or not, but it doesn't compromise the parts which have to be kept private. It always helps in convincing someone to right a wrong to know a lot of details. A non-profit lobbyist told me a story about State Representative 'Lobby Day' - the lobbyists who went there with a passion and tried to persuade opposing Representatives to vote for legislation in support of their issue got nowhere. The Representatives would wait until they took a breath and ask them about Section 4, item 3. When the lobbyist couldn't answer, end of conversation. The savvy lobbyists cornered sympathetic Representatives and pointed to Section 4, item 3 and told them how it would work better if phrased differently. If a Netgear Modem is a known problem, but one admits it up front with all the measures one has taken to prevent viruses, one has better chance to convince another server admin that one is not a spammer, but falls in the fringes.

All true but the problem is in getting a hearing at SB in the first place. Your exemplified 'Representatives' have shown no interest in either fact or fallacy.

OTOH, there are always going to be glitches - from power outages to poor reputations because of being on the fringes. Some may have solutions - proactive planning about changes might work; others like power outages just have to be endured.

There are *always* solutions, expediency (or simple incomprehension) may dictate against their adoption. I have tried to argue it is shortsighted (and squandering opportunity) to ignore things on the fringes. I have supposed anyway that 'the fringe' might not be as well defined as might be thought.

Stone the crows Miss Betsy, fair crack of the whip