
Ironport/Senderbase Woes


PSIPostmaster

Well, it seems a google search turned up a bunch of Ironport complaints here so I guess I'll add one more.

We had a spam issue over the weekend due to compromised accounts. A fair chunk of spam got out before we could respond and understandably, we got on a few blacklists. A pain for us but hey, that's the way the world works these days. We got the accounts locked down, cleared the spam from our outgoing queues and set about getting ourselves off the blacklists. By about midday Monday, we were looking in good shape.

Except we were still getting blocked by a few (fairly major to us) sites. Some had error messages that were worth sweet FA but some were referring to SenderBase. Our reputation showed as poor. Fair enough I guess. We're clean now so we'll wait for it to clear. Well, all through until EOD Tuesday, I keep an eye on things. Accounts still locked down, no spam, still a poor reputation. At one point in the day, our reputation had shown as neutral. Check the logs in case of another outbreak that pushed us back into poor? Nope, nothing. Odd. So I write a script to check the ironport page periodically and let me know if it changes.

Well, at 01:30 and 05:40 Wednesday our reputation twitched back into neutral but stayed that way for less than 5 minutes. No external email was sent (or attempted) in that time. I.e. no way for Ironport devices to examine outgoing emails, determine them as non-spam and increase our reputation (or lower if appropriate), just an apparently random spasm.

By midday, our execs are getting understandably upset at being unable to send email to these other businesses. Some config files get tweaked and ALL email is now being routed via another IP. No email AT ALL is going via the original IP. This is at midday. At 3:30, the SenderBase status changes from poor to neutral then within five minutes is back to poor. Apparently based on 0 information.

People, it seems as if there is something seriously wrong with however SenderBase is handling restoring the reputation for mail servers it has lowered the reputation for. This is especially bad in light of the fact there is no way to request an increase in reputation from their website or by email (or indeed any other way). If you are thinking of using this service or know someone who is, I'd suggest seriously thinking again. I'll be emailing the affected companies (some of whom we do big spending with) to inform them that their anti-spam software is affecting their ability to do business.

Edit: Our alternate IP has been online for less than 5 hours and already its reputation has gone from neutral to good.

Edited by PSIPostmaster

> Well, it seems a google search turned up a bunch of Ironport complaints here so I guess I'll add one more.

Kind of curious as to just what "IronPort complaints here" might actually mean. IronPort isn't really much of a Topic subject in these parts.

> Except we were still getting blocked by a few (fairly major to us) sites. Some had error messages that were worth sweet FA but some were referring to SenderBase. Our reputation showed as poor. Fair enough I guess. We're clean now so we'll wait for it to clear. Well, all through until EOD Tuesday, I keep an eye on things. Accounts still locked down, no spam, still a poor reputation. At one point in the day, our reputation had shown as neutral. Check the logs in case of another outbreak that pushed us back into poor? Nope, nothing. Odd. So I write a script to check the ironport page periodically and let me know if it changes.

> Well, at 01:30 and 05:40 Wednesday our reputation twitched back into neutral but stayed that way for less than 5 minutes. No external email was sent (or attempted) in that time. I.e. no way for Ironport devices to examine outgoing emails, determine them as non-spam and increase our reputation (or lower if appropriate), just an apparently random spasm.

This is not a SenderBase support arena, but I would suggest that you have some misunderstandings about how SenderBase hardware, databases, and information is derived/generated.

> By midday, our execs are getting understandably upset at being unable to send email to these other businesses. Some config files get tweaked and ALL email is now being routed via another IP. No email AT ALL is going via the original IP. This is at midday. At 3:30, the SenderBase status changes from poor to neutral then within five minutes is back to poor. Apparently based on 0 information.

Based on 0 information, I'm wondering why you'd expect things to change? The only variable that would be different would be time, and it's hard to guess how that would factor into a Reputation score.

> People, it seems as if there is something seriously wrong with however SenderBase is handling restoring the reputation for mail servers it has lowered the reputation for. This is especially bad in light of the fact there is no way to request an increase in reputation from their website or by email (or indeed any other way).

Assumedly, one of those automated systems, results/scores based on the mathematical output of the algorithm involved. Removing all traffic would seem to hamper any quick/major changes in the last result ..????

> If you are thinking of using this service or know someone who is, I'd suggest seriously thinking again. I'll be emailing the affected companies (some of whom we do big spending with) to inform them that their anti-spam software is affecting their ability to do business.

Not sure I can agree with that whole thought process. Most places have bought the big-iron hardware so as to throttle back the unwanted non-business-related incoming e-mail. That your outgoing e-mail servers got wrapped up in sending out bad e-mail seems to reflect that the big-iron stuff did exactly what it was designed and configured to do. In my mind, if you were going to contact these folks, it would be to ask about the possible white-listing of your e-mail.

> Edit: Our alternate IP has been online for less than 5 hours and already its reputation has gone from neutral to good.

As above, I'd suspect that the continuing traffic (and assumedly no other BL listings) would be the background to the results seen.

Again, this is not a SenderBase support Forum. In fact, I've had dismal failures in trying to get my questions answered from SenderBase (and IronPort) staff. But you really need to talk to those folks.


> Kind of curious as to just what "IronPort complaints here" might actually mean. IronPort isn't really much of a Topic subject in these parts.

Of the several searches I did on how to increase reputation at senderbase, quite a few of the top entries were on this forum. I suspect there may be some link to spamcop, even the senderbase support mentioned spamcop (although perhaps somewhat tangentially) in their email they sent me this morning.

> This is not a SenderBase support arena, but I would suggest that you have some misunderstandings about how SenderBase hardware, databases, and information is derived/generated.

Quite possibly. It appears to be fairly poorly documented and somewhat opaque. From what I have been able to find, well I think I'm correct but it's hard to tell.

> Based on 0 information, I'm wondering why you'd expect things to change? The only variable that would be different would be time, and it's hard to guess how that would factor into a Reputation score.

That is exactly my point. With us being continually blocked by people using SenderBase, there is no way for them to gather more data. Catch 22. Senderbase admits in their email this morning that there was no complaint since 7AM on Monday. Yet we were still fully listed as poor as of this morning. I would imagine that a sensible service would allow reputation to rise gradually with time or open a small window so that output from the suspicious mail server could be reassessed from time to time. That the reputation went poor->neutral->poor in such a short period indicates that it is not simply that our reputation is so bad it had a big hole to dig itself out of. If anything, it looks more like they attempted to implement some kind of window algorithm but did it wrong.

> Assumedly, one of those automated systems, results/scores based on the mathematical output of the algorithm involved. Removing all traffic would seem to hamper any quick/major changes in the last result ..????

Yes, if they were actually sampling the traffic. Unfortunately, everyone using their service is blocking us. This being a business, it's more important that email works than performing an academic study of the Senderbase reputation algorithm. The IP change was a success in that respect.

> Not sure I can agree with that whole thought process. Most places have bought the big-iron hardware so as to throttle back the unwanted non-business-related incoming e-mail. That your outgoing e-mail servers got wrapped up in sending out bad e-mail seems to reflect that the big-iron stuff did exactly what it was designed and configured to do. In my mind, if you were going to contact these folks, it would be to ask about the possible white-listing of your e-mail.

Yes, it was pretty effective up to a point. Then it was preventing business emails going through unnecessarily. Like if you had brakes that stopped your car well but then wouldn't release when you wanted to go again.

> As above, I'd suspect that the continuing traffic (and assumedly no other BL listings) would be the background to the results seen.
>
> Again, this is not a SenderBase support Forum. In fact, I've had dismal failures in trying to get my questions answered from SenderBase (and IronPort) staff. But you really need to talk to those folks.

Yes. A lot of my complaint is their opacity. At least most of the other blacklists offer some automated way to suggest that you have cleaned things up and are a good boy now.


If you want to email me the IP you're having trouble with, I'll see if I can get it into the hands of somebody who can help you.

Email me directly at: service[at]admin.spamcop.net

Support emailed this morning and advised they'd temporarily upgraded our rating to neutral. For now however, we're going to keep using the alternate IP as it gives us outgoing spam scanning and it looks like we are continuing to receive the phishing type emails. We've been pretty aggressively letting users know they shouldn't be giving out their passwords this week (they've been told before of course) but there always seems to be one...
