saba Posted October 21, 2004
Hello. Here's an interesting issue. We get our email for our entire domain pre-screened for spam and VIRII by a third party (MXLOGIC.COM). The problem is that someone keeps listing their IP addresses in the SPAMCOP database. These folks don't run mail servers, they run a mail proxy server that connects sending servers with recipient servers in real time. Is there a way for your service to "white list" providers like this? Their IPs never change, but every couple of weeks we go through the same gyrations:
1) Email sent to us starts bouncing, because our outsourced mail server uses SPAMCOP (can't talk them into turning it off for our domain...)
2) We contact MXLOGIC, they contact you, the IP gets delisted
3) A day or 2 later, the bounces stop.
4) A couple of weeks go by, back to step 1.
Can anything be done about this? Thanks
Chris Parker Posted October 21, 2004
What's the IP address or addresses of the servers in question? Are they properly processing messages without butchering the headers?
saba Posted October 21, 2004
1) The address listed in SpamCop's (this time) is 66.179.109.175. It's been other ones before; MXLOGIC has three separate /27 subnets they use for email.
2) As far as I know, they don't alter any of the email headers. They pass them on intact to the recipient mail server, and do their checks on content before they deliver that to the recipient. If it's bad, they close the connection.
Wazoo Posted October 21, 2004
I'd have to see some headers. All I can go on right now is stuff found at http://mxlogic.com/resources/FAQs.html

What is an MX record? An MX record is simply an entry in a domain name database that identifies the email server responsible for handling email for that domain, similar to a primary postal address. With the MX Logic service, you re-direct your MX record to MX Logic so all email from the outside goes through MX Logic and its filtering process before it is delivered to your actual address.

Does pointing our MX record to MX Logic give you access to our email? No. The MX Logic message processing centers act as proxies when receiving your inbound email. Messages are filtered in real-time as they are being simultaneously delivered into your messaging environment. Because MX Logic's service is proxy-based, your messages are not stored to disk so there is no risk of lost, damaged or corrupted email.

Not sure I follow that they could manipulate the flow of data this way and not be included within the e-mail headers .. which of course, they must be, based on your complaint of them constantly getting listed. You say "they contact you" .... they must be old hands at this, as the normal signs of an issue are postings to the newsgroups (or here since the creation of this Forum) .. but I'm not sure I've ever seen this outfit mentioned before. That you then say "a couple of days later" pretty much goes with the "maximum of 48 hours after spew stops" ...????

"They don't run e-mail servers, they run proxy .." .... funny, open proxies are the latest rage for spammers, taking over compromised systems with fast connections to run their spew. The problem with tracking down the source of that spew usually ends up with the Proxy being tagged as the source, as the headers don't contain the needed connection data of where the spew really came from ... you should be starting to draw some of your own conclusions here ...

If you're ready to jump out of your chair, don't ... there's no accusation of spammer here .. just talking about issues with the header data of traffic passed via a proxy ... and again, discussion done without seeing the evidence provided by a sample header to show what is and what isn't existing within that data ...

For your sample IP address, SenderBase http://www.senderbase.org/?searchBy=ipaddr...=66.179.109.175 is showing:

Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        4.1         1212%
Last 30 days    3.1         26%
Average         3.0

With 33 systems identified as serving up e-mail, this quantum increase in the last day's volume usually indicates a spam problem. Also noting that the SpamCop "evidence" page shows nothing about spamtrap hits, only complaints. (Unusual in the above numbers scenario, but there could be other reasons ..??) For example, traffic on 66.179.109.172 shows:

Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        4.1         25%
Last 30 days    4.3         91%
Average         4.0

So traffic may have shifted from this server to the one listed, for instance ..?? Bottom line, "we" can't answer you here without seeing more data. But, if one was to give your "they have talked to SpamCop Admin in the past .. repeatedly .." then one would think that the header/proxy issue would have been discussed by now, and if MXLOGIC hasn't fixed their side of the issue, not sure what else anyone else could do. Whitelisting an IP address to ignore "any" bad stuff would work for exactly the amount of time it would take a spammer to find out about that action being taken .... Possibly a silly question ... why are "you" asking for help to get around an issue with a company that you are paying money to ...???? Just where is the staff of MXLOGIC?
saba Posted October 22, 2004
All good questions - let me see if I can answer as much as I can:
1) They claim they've done all they can. I'm just trying to figure out exactly what the deal is, here. Yes, I pay them money, and I can go somewhere else to have my domain's email screened, but they do have a good service. I'm responsible for several domains' worth of email through them, and it affects all the email.
2) Here is the only snippet of data that my email senders get. They don't get this all the time, of course, because MXLOGIC has many many IPs that they can send email out on:
=========
Hi. This is the qmail-send program at dnsmadeeasy.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<my email address is here>:
66.179.109.175 does not like recipient.
Remote host said: 550 Blocked - see http://www.spamcop.net/bl.shtml?66.179.109.175
Giving up on 66.179.109.175.
==========
3) Maybe I used the wrong word, "proxy". As best as I understand how the MXLOGIC system works, this is the sequence of events:
a) You point your MX records to their servers.
b) They receive email on your behalf, and in REAL TIME, they connect with your "physical" (IP address of) the mail server where your email is hosted.
c) All error messages that the recipient mail server generates are passed back to the sending server. That's what the error stream listed above is. An email message from the dnsmadeeasy.com domain was coming to me, and my mail server rejected it, because they check the sending IP address (which in my case is ALWAYS mxlogic) against spamcop.net.
4) The increase in volume probably has to do with the hundreds of companies they represent. Every one of my emails has to go through their system. They have clients with many thousands of mailboxes that are filtered through their systems. Maybe they turned on a new server, who knows. They're a company with three redundant NOCs, and multiple servers at each site.
5) Their engineers have stated that they know of no solution to this issue - which is why I'm raising the question here.
6) I'm not sure I understand the "header" issue you reference. I understand that none of us want spam in our inboxes; I'm not sure how they keep getting "recommended" to the spam list. That's not their business, obviously, and it will hurt them (and us, their customers) since almost all email going through their system is inbound (and then outbound) email for other people's servers.
Thanks for your time, just trying to understand what's going on here. Here's an example of a good email, I don't get the ones that bounce...

Return-path: <myemail[at]host156.ipowerweb.com>
Envelope-to: myemail[at]address.com
Delivery-date: Wed, 06 Oct 2004 06:48:44 -0700
Received: from myemail by host156.ipowerweb.com with local-bsmtp (Exim 4.24) id 1CFC9q-0004fZ-PR for myemail[at]address.com; Wed, 06 Oct 2004 06:48:43 -0700
Received: from [216.183.119.103] (helo=p03m103.mxlogic.net) by host156.ipowerweb.com with smtp (Exim 4.24) id 1CFC9q-0004fU-9D for myemail[at]address.com; Wed, 06 Oct 2004 06:48:42 -0700
Received: from cm1.dnsmadeeasy.com [63.219.151.7] (EHLO dnsmadeeasy.com) by p03m103.mxlogic.net (mxl_mta-1.3.8-10p4) with ESMTP id 927f3614.20954.093.p03m103.mxlogic.net; Wed, 06 Oct 2004 07:46:17 -0600 (MDT)
Received: (qmail 21284 invoked by uid 507); 6 Oct 2004 09:46:19 -0400
Delivered-To: address.com-myemail[at]address.com
Received: (qmail 21282 invoked by uid 507); 6 Oct 2004 09:46:19 -0400
Received: from vhmail1.cdw.com (12.32.90.87) by dnsmadeeasy.com with SMTP; 6 Oct 2004 09:46:19 -0400
Received: from outmail.cdw.com (Not Verified[10.19.0.60]) by vhmail1.cdw.com with NetIQ MailMarshal (v6,0,3,8) id <B4163f6d70000>; Wed, 06 Oct 2004 08:44:55 -0500
Received: from as400.cdw.com ([10.1.1.164]) by outmail.cdw.com with Microsoft SMTPSVC(5.0.2195.5329); Wed, 6 Oct 2004 08:45:22 -0500
From: <xxxxxx[at]cdw.com>
To: <myemail[at]address.com>
StevenUnderwood Posted October 22, 2004
As mentioned elsewhere, you should be having MXLOGIC work directly with spamcop to resolve why the servers keep getting listed. This is not normal for a forwarding service in my experience. An alternative would be to switch services. You claim they have a good service but you also claim that you have a recurring problem "every couple of weeks". To me, that is terrible service. At work, I use a similar service to MXLOGIC called postini and have never had any such problem over the last 18 months (when we started with them) because they add the appropriate headers to the email message to indicate where they received the message from.

Received: from psmtp.com ([64.18.1.158]) by mail.kopin.com (Lotus Domino Release 5.0.12) with SMTP id 2004102016275503:3045 ; Wed, 20 Oct 2004 16:27:55 -0400
Received: from source ([24.203.62.240]) by exprod6mx18.postini.com ([64.18.5.10]) with SMTP; Wed, 20 Oct 2004 13:35:40 PDT

Does MXLOGIC do something similar? You should look for at least one received line in the headers of your messages. If you post a set of complete headers, we may be able to detect a problem the parser may have with them. Even better, if you are a spamcop customer (or simply sign up for a free reporting account) and submit a test message that came into your address (and cancel any reports) then post a tracking URL from the reporting page, we may be able to see why spamcop is seeing MXLOGIC's servers as the source. There seems to be a diverse amount of spam being seen from that IP. I can see these and the report numbers because I am a paying customer.
Report History:
Submitted: Wednesday, October 20, 2004 4:36:15 PM -0400: Vãlium for less
Submitted: Wednesday, October 20, 2004 2:08:18 PM -0400: =?iso-8859-1?B?RGlldCBwaWxscyBoZXJlLiAgICAgag==?=
Submitted: Wednesday, October 20, 2004 10:06:25 AM -0400: beplaster exterior paragonite
Submitted: Tuesday, October 19, 2004 5:41:21 PM -0400: Please confirm Your account
Submitted: Tuesday, October 19, 2004 5:41:21 PM -0400: Mayra call your brother to do it.
Submitted: Monday, October 18, 2004 3:34:10 PM -0400: Inexpensive Vãlium
Wazoo Posted October 22, 2004
See a parse in action on your sample at http://www.spamcop.net/sc?id=z684571850z49...61e5dda0dafbe4z
Of the most interest is the bit concerning your MXLOGIC outfit:

Received: from [216.183.119.103] (helo=p03m103.mxlogic.net) by host156.ipowerweb.com with smtp (Exim 4.24) id 1CFC9q-0004fU-9D for x; Wed, 06 Oct 2004 06:48:42 -0700
no from 216.183.119.103 found
host 216.183.119.103 = p03m103.mxlogic.net (cached)
host p03m103.mxlogic.net (checking ip) = 216.183.119.103
Possible spammer: 216.183.119.103
Received line accepted
Relay trusted (mxlogic.net)

It would appear that the SpamCop database does in fact know about this company and its servers (well, at least this one). So based on the "evidence" page, these results, StevenUnderwood's data, and the SenderBase numbers, it would be hard to guess at anything but what seems to be obvious ... there is definitely spam spew coming from the machine at this IP address. The "problem" does not appear to be at SpamCop.
saba Posted October 22, 2004
Thank you all for your input. This is a learning experience for us; let's see if I can summarize what I've learned so far:
1) MXLOGIC service isn't perfect, and sometimes spam does slip through their filters and ends up going to someone's inbox.
2) That person (or server, or whatever process is running) catches/flags the email as spam, and notes that it originated from the MXLOGIC servers, since if you subscribe to their service, they add their header to the top of the email.
3) Is this how they end up on your list? Are you saying there is something they can do to what they add to the email headers to prevent this?
Thanks again.
Wazoo Posted October 22, 2004
To go further, I'm going to have to ask to take a step back. I ignored that your sample looked a bit "doctored" ... as that munging didn't impact the point I was trying to make. However, now that you want to get more specific, that "doctoring" up of the sample is an issue. For example ... the top handling line does not contain data to show where host156.ipowerweb.com actually received this e-mail from (and you'll note the snippet in the parser output I provided commenting on this also: "no from 216.183.119.103 found"). This may have been a mistake in the cut/paste/editing of that line .. or it could be a mis-configuration of this ipowerweb server (also noting that ipowerweb is not a stranger in these parts). I wouldn't necessarily agree with your description of MXLOGIC adding their data to the Top of the header .. rather it's that they add their stuff to the header, which is the way things are supposed to work. Yes, it's added to the Top at that time, but as you see in the sample, it's not at the Top when finally received. Call it semantics. What has been suggested is that spam is coming from MXLOGIC servers. Whether that's due to being compromised, screwed up, that "newly discovered" condition, or something else, I can't say without seeing an actual spam / report / complaint ... This goes back to why are you trying to troubleshoot an MXLOGIC problem. They are the ones that should have the evidence and conditions in front of them.
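An added illustration, not code from the thread, SpamCop or MXLogic: a small Python reconstruction of the relay-trust walk that the parse output above performs, run over the headers saba posted. Which relay IP is "trusted", and the hostname it is expected to write into its own Received: line, are assumptions made for the example; the real parser also verifies hosts against DNS, which this offline version does not. It shows the three outcomes the thread circles around: trail intact, relay unknown, and relay that leaves no Received: line of its own.

```python
import re
from ipaddress import ip_address

# Received: chain reconstructed from the headers posted in the thread (mailbox
# names munged as posted; one qmail-internal hop kept to show IP-less lines).
SAMPLE_HEADERS = """\
Received: from myemail by host156.ipowerweb.com with local-bsmtp (Exim 4.24) id 1CFC9q-0004fZ-PR for myemail@address.com; Wed, 06 Oct 2004 06:48:43 -0700
Received: from [216.183.119.103] (helo=p03m103.mxlogic.net) by host156.ipowerweb.com with smtp (Exim 4.24) id 1CFC9q-0004fU-9D for myemail@address.com; Wed, 06 Oct 2004 06:48:42 -0700
Received: from cm1.dnsmadeeasy.com [63.219.151.7] (EHLO dnsmadeeasy.com) by p03m103.mxlogic.net (mxl_mta-1.3.8-10p4) with ESMTP id 927f3614.20954.093.p03m103.mxlogic.net; Wed, 06 Oct 2004 07:46:17 -0600 (MDT)
Received: (qmail 21284 invoked by uid 507); 6 Oct 2004 09:46:19 -0400
Received: from vhmail1.cdw.com (12.32.90.87) by dnsmadeeasy.com with SMTP; 6 Oct 2004 09:46:19 -0400
Received: from outmail.cdw.com (Not Verified[10.19.0.60]) by vhmail1.cdw.com with NetIQ MailMarshal (v6,0,3,8) id <B4163f6d70000>; Wed, 06 Oct 2004 08:44:55 -0500
Received: from as400.cdw.com ([10.1.1.164]) by outmail.cdw.com with Microsoft SMTPSVC(5.0.2195.5329); Wed, 6 Oct 2004 08:45:22 -0500
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def received_hops(headers):
    """(connecting_ip, by_host) for each Received: line, newest first. The IP is
    None when the line records none: local delivery, a qmail-internal hop, or a
    relay that simply does not write down who connected to it."""
    hops = []
    for line in headers.splitlines():
        if not line.startswith("Received:"):
            continue
        frm = re.search(r"\bfrom\s+(.*?)(?=\s+by\s|\s+with\s|;|$)", line)
        by = re.search(r"\bby\s+(\S+)", line)
        ip = IPV4.search(frm.group(1)) if frm else None
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops

def blamed_source(hops, trusted):
    """trusted maps a relay IP to the hostname it writes in its own 'by' field.
    Walk newest to oldest, skipping IP-less and private hops. A trusted relay is
    stepped past only when the next hop really claims to be written by it; if
    its trail is missing, the chain is unverifiable and the relay itself is
    blamed, which is exactly how a filtering proxy lands on a blocklist."""
    for i, (ip, _by) in enumerate(hops):
        if ip is None or ip_address(ip).is_private:
            continue
        if ip in trusted and i + 1 < len(hops) and hops[i + 1][1] == trusted[ip]:
            continue
        return ip
    return None

def demo():
    hops = received_hops(SAMPLE_HEADERS)
    relay = {"216.183.119.103": "p03m103.mxlogic.net"}  # assumed trust entry
    known = blamed_source(hops, relay)   # trail intact: the real sender is blamed
    unknown = blamed_source(hops, {})    # relay not on the trusted list: relay blamed
    # A relay that never writes its own Received: line leaves no trail, so it is
    # blamed even when it is trusted; drop that line to simulate it.
    silent = [h for h in hops if h[1] != "p03m103.mxlogic.net"]
    missing = blamed_source(silent, relay)
    return known, unknown, missing

if __name__ == "__main__":
    print(demo())  # ('63.219.151.7', '216.183.119.103', '216.183.119.103')
```

The third case is the Postini point made earlier in the thread: a filtering relay that records the connecting IP in a Received: line of its own gives the parser something to step past, and one that does not is the last verifiable hop.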