Hi Patrick,

My suggestion is to have a pool of IP addresses you can use for your mail servers so that when this happens, you can change the DNS entries and simply stop using the IP address(es) with the bad reputation.

I have been told that this is what most of the "big boys" like MessageLabs do.

Trying to get all the "reputation services" to see you as a good guy again is really painful, and sometimes expensive.

Just don't forget to have a valid forward/reverse DNS entry for all your mail servers.

Regards,
Mickey


On Wed, Jun 23, 2010 at 15:33, Patrick Studer <p.studer@x-netconsulting.ch> wrote:
Hi

Some days ago, an account on our mail server was misused
to send out some thousands of spam mails.

This could happen because the spammer who misused the account
logged in from different IPs (botnet?) all over the world. Every time he
successfully authenticated (SMTP), he sent out a couple of mails
(about 20-30). Then he disconnected and reconnected after 1-2 minutes
from another IP and again sent some 20-30 mails. This was done
for some hours, which generated some thousands of spam mails.

Since this started Friday night and was only discovered yesterday, we
were listed on one blacklist. We changed the password of the misused account
and removed our server from this blacklist.

We were already happy that it was just that simple, but we were
too fast.

We then got complaints that some mail systems still block our mail server. After
some investigation, we found out that these mail systems or mail gateways are
based on Cisco IronPort. First of all, these systems didn't respond with a
clear response (something like "5.7.1 Your access to submit messages to this
e-mail system has been rejected" isn't really helpful for a mail admin trying to
find out why his email gets blocked).

After we found out that all these boxes are IronPort boxes, we were pointed
to www.senderbase.org. But this site isn't very helpful. You can find
out that your mail server has a bad email reputation, but that's it. A
link to SpamCop on the webpage isn't helpful either, since we aren't listed
in their blacklist.

The only e-mail address on the webpage seems not to be the contact for
when you have a bad e-mail reputation.

We thought that perhaps the score would fall over 24 hours, but that's
not the case.

So we tried to get some help from Cisco IronPort support. Their
answer wasn't very helpful either. They told us that senderbase.org
is a completely different company, that they don't have any contact, and
that we should try their website www.senderbase.org. Otherwise, if we don't
have an IronPort box, they will not help us.

Now the question is: what can we do to get our mails delivered to
these IronPort boxes?

We really take care to do everything to avoid being used for spamming and to
be known as a good source of mail (SPF, DKIM, SMTP AUTH,
tarpitting, etc.).

We think that this reputation system isn't that great. We have one
issue and get blocked for several days (or weeks) without an option
to take care of the situation.

Any help or suggestion would be appreciated!

Kind Regards

Patrick Studer

******************************************************************************
X-NetConsulting GmbH                 Internet   http://www.x-netconsulting.ch
Grosspeterstrasse 21                 E-Mail     p.studer@x-netconsulting.ch
CH-4052 Basel                        Telefon    +41 61 315 85 55
Schweiz                              Fax        +41 61 315 85 59
******************************************************************************






_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog



--
Mickey Coggins
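
The login pattern described in Patrick's message (one authenticated account used from a new IP every 1-2 minutes) can be detected from the SMTP AUTH log before a blacklist notices it. The following is an added example, not part of the original thread; the log format, account names and thresholds are assumptions, and the sample lines are constructed.

```python
"""Flag SMTP AUTH accounts used from many source IPs in a short window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real MTA's format):
#   2010-06-18T22:00:05 smtp-auth ok user=<account> ip=<client address>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) smtp-auth ok user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse(lines):
    """Yield (timestamp, user, ip) for each successful-auth line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]

def find_shared_accounts(lines, window=timedelta(minutes=30), max_ips=3):
    """Return {user: first time distinct IPs in `window` exceeded max_ips}."""
    recent = defaultdict(deque)   # user -> (ts, ip) events inside the window
    flagged = {}
    for ts, user, ip in sorted(parse(lines)):
        events = recent[user]
        events.append((ts, ip))
        # Drop logins that have aged out of the sliding window.
        while events and ts - events[0][0] > window:
            events.popleft()
        if user not in flagged and len({i for _, i in events}) > max_ips:
            flagged[user] = ts
    return flagged

def sample_log():
    """Constructed sample: one normal user, one account hopping IPs."""
    start = datetime(2010, 6, 18, 22, 0, 0)
    lines = []
    # "bob" logs in from the same address every 20 minutes.
    for n in range(6):
        t = start + timedelta(minutes=20 * n)
        lines.append(f"{t.isoformat()} smtp-auth ok user=bob ip=192.0.2.10")
    # "alice" is used from a new address every 2 minutes, as in the report.
    for n in range(10):
        t = start + timedelta(minutes=2 * n)
        lines.append(f"{t.isoformat()} smtp-auth ok user=alice ip=198.51.100.{n + 1}")
    return lines

if __name__ == "__main__":
    for user, when in find_shared_accounts(sample_log()).items():
        print(f"{user}: more than 3 source IPs within 30 min at {when}")
```

A flagged account is a candidate for an automatic send-rate limit or a forced password reset; the threshold needs tuning for users who legitimately roam between networks.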