Thank you Andrew.

Every time you write something it's an education.  Much appreciated.

-Nick

MadRiverAccess.com|Skywaves.net Tech Support
US/Canada 877-873-6482 or International +1-802-229-6574
Emergency Support 24/7: supp...@skywaves.net
General and Non-Emergency support ticket:
http://www.skywaves.net/content/secure/support_ticket.htm

----------------------------------------
 From: "Colbeck, Andrew" <acolb...@bentallkennedy.com>
Sent: Monday, March 11, 2013 9:11 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] why have spam scores jumped?

Per point 3. "Once URIBL starts rejecting the requests then every request gets
scored as bad"

Read the URIBL.com site News, and Implementation sections. This is because a
rejection isn't quiet, it returns the value 127.0.0.1, so I'll assume that SM
is triggering on a result of "*" instead of "127.0.0.2" and you'll want to go
back to SmarterMail to figure out how to be specific about that acceptable
response. Perhaps you'll want to use specific tests like the Black test or the
Red test instead of the Multi test.

Per point 5. "I'm not really sure how URIBL even knows which DNS server I use
...last year, I had my SM server configured to use the Comcast national DNS
servers"

Well, that's pretty clear, a lot of people use Comcast, so Comcast has been
flagged as a "heavy hitter" and queries through their servers to URIBL will
cause URIBL to respond to Comcast with the "127.0.0.1" value. URIBL doesn't
care about your-server-asking-via-Comcast, they care about which server asked
URIBL, which was Comcast.

Per point 6. "I was told that I need to turn off recursion on the DNS server
to be considered acceptable to URIBL. Again, I don't know why."

Ok, it's plausible that URIBL tests your DNS server to see if it can be abused
by bad guys, but I actually doubt that they do this, and it's a red herring.
You know that your mail volume is small enough to not be a heavy hitter but
you are diagnosed as a heavy hitter anyway. Therefore, someone gave you this
advice while trying to diagnose why you are getting heavy hitter results, i.e.
that your DNS server is being abused.

The big idea here is that your mail server needs to ask a DNS server to
resolve stuff for it, including URIBL. However, random people on the Internet
should not be able to use your DNS server, because they will certainly abuse
it to throw bandwidth at someone they don't like. That's called an open
resolver, see here for why that's bad
http://dns.measurement-factory.com/surveys/openresolvers.html

It's extremely common to use a DNS server right on your email server, and
point your antispam queries at that DNS server. Some DNS servers allow you to
specify the IP/subnet of allowed clients; Windows 2008 does not, it happily
resolves for anyone. So instead of using client ACLs on the DNS server, make
sure you're not telling your firewall to allow inbound DNS as a service on
that particular IP address; because of course you have a wonderful stateful
firewall, it will happily allow outbound DNS and the corresponding inbound
replies.

For your email server to resolve DNS, you don't want to use forwarders, and
you do want to use recursion.

Per point 7. "I tried writing to the URIBL abuse administrator but got no
response"

Your case is pretty straightforward; perhaps they think you want too much help
while they've provided what's necessary on their website already. Perhaps
they're busy working on their golf swing and not reading email.

If you can't reach them from your own domain, write to them from a freemail
account instead of the domain that is in trouble, and cite your IP/domain. Be
concise. Be polite. Don't use HTML formatting if you can help it. And don't
use a legal disclaimer in your footer, because antispam/security admins are
notoriously allergic to what they interpret as your attempt to legally bind
their communication, and as a result they simply ignore such email.

Andrew.

From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Thursday, March 07, 2013 4:32 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Hi Andrew and thanks!

The problem isn't Declude but it is spam related so I'd be interested to see
if anyone else has ideas.  I spent some time on the SmarterMail forums and
this is what it looks like:

1. SM uses a series of built-in tests as well as external tests such as
   Declude.  Among these are a pair of URIBL tests that are based on links
   embedded in the messages.

2. SM scores a hit for each bad link reported by URIBL and applies the weight
   score to each hit.  With the default weight of 4, a message with five links
   rejected by URIBL would give a total score of 4 x 5 = 20.

3. Starting some time late 2012, URIBL started rejecting some requests based
   on high volume of calls from a particular server.  Various people have
   experienced this problem at various times over the last three months. Once
   URIBL starts rejecting the requests then every request gets scored as bad.
   So, for example, every message with five embedded links gets a weight of
   20, regardless of the legitimacy of those links.  This results in a sudden
   inflation of spam scores.

4. I don't understand how our mail server would be subject to this. Our volume
   of mail isn't just small, one might almost call it tiny.  The number of
   calls we make to URIBL is correspondingly very small.

5. The claim made by Those Who Know on the SM forum is that the URIBL
   rejection is really directed at those who use high volume public DNS
   servers. I'm not really sure how URIBL even knows which DNS server I use,
   but that's the claim.  Since last year, I have had my SM server configured
   to use the Comcast national DNS servers (Comcast being my upstream
   provider). Since that's supposed to be the problem, I switched to our
   in-house public DNS server, but that didn't help either.  Then I tried
   setting up a private DNS server on the mail server itself and still
   couldn't get it to work.

6. Then I was told that I need to turn off recursion on the DNS server to be
   considered acceptable to URIBL. Again, I don't know why.  The problem is
   that I use the MS DNS server (Win 2008) and when you turn off recursion, it
   forces off forwarding as well.  There are many good reasons for not wanting
   to turn off forwarding (in fact, MS doesn't recommend it). So now I'm stuck
   between a rock and a hard place.

7. I tried writing to the URIBL abuse administrator but got no response and
   couldn't find any other contact information.

Anyone able to correct or illuminate me?

Thanks,

Ben

----- Original Message -----
From: Colbeck, Andrew
To: Declude.JunkMail@declude.com
Sent: Wednesday, March 06, 2013 3:27 PM
Subject: RE: [Declude.JunkMail] why have spam scores jumped?

Ben, check the archive website here
http://www.mail-archive.com/declude.junkmail@declude.com/ for the mail you've
missed.

Andrew.

From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, March 05, 2013 10:10 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] why have spam scores jumped?

Thanks for the heads-up, but I didn't and still don't see either my original
email or the responses.  I just took a look at it via the web interface
because sometimes Microsoft Live Mail (like Outlook Express before it) will
not show some messages where it doesn't like the header, but I just don't see
either my message or the responses. I'm assuming what happened was exactly
what I was asking about - those messages were given high spam scores and
deleted.

I don't suppose you could resend those replies to the list?

Thanks,

Ben

From: Randy Armbrecht
Sent: Tuesday, March 05, 2013 11:12 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] why have spam scores jumped?

Your Friday post did show up and already has 2 or 3 responses to it.

Sincerely,
Randy Armbrecht
Global Web Solutions, Inc.
Office: 804.442.5300 x112
Toll Free: 877.800.4562
24/7 Tech Support!
Your Internet Source. Since 1996!
NEW GlobalSync Remote-BackUp Solutions!
Web Hosting - E-Mail - Spam/Virus Gateway Services
Hi-Speed DSL, Ethernet and Wireless Internet - T-1/T-3's
PC Support - Networking - Virus/MalWare Removal
25% discount on most services for Non-Profits!  Call us today!

From: SM Admin [mailto:imailad...@bcwebhost.net]
Sent: Tuesday, March 05, 2013 1:52 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] why have spam scores jumped?

(I sent this message on Friday but it never showed up, so I thought I'd try
again.)

Hi,

I don't know if anyone is still here but I'd like some insights into some
strange anti-spam behavior.

We have latest SmarterMail and Declude, as well as Sniffer. Over the last few
days I noticed a significant drop in email messages.  Upon further
investigation, I found that messages were being given much higher spam scores
than in the past, with the result that they get classified as spam or just
outright deleted.  Checking the headers, however, I don't see why the scores
are coming in so high.  Below are a few examples.  Does anyone see why the
spam scores come out so high?

Thanks,

Ben

***********************************************
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2998-c
X-Declude-Sender: mstad...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 195938010.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [0] at 17:26:20 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:3, Declude: 0
X-SmarterMail-TotalSpamWeight: 15   
*****************************************************************************************
   -MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487572.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [-3] at 16:38:51 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, 
URIBL:7, Declude: -3
X-SmarterMail-SpamDetail: 0.0 TVD_SUBJ_ACC_NUM
X-SmarterMail-SpamDetail: 0.0 T_OBFU_PDF_ATTACH
X-SmarterMail-TotalSpamWeight: 28   
**********************************************************************   
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-32767-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159487567.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [-3] at 16:35:50 on 01 Mar 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.ghrlawyers.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 1 [raw: 1], DK_None, DKIM_None, 
URIBL:10, Declude: -3
X-SmarterMail-TotalSpamWeight: 41   
******************************************************************************

Just for comparison, here is an email from the same source from Tuesday (and
very typical of past headers):

X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-27512-c
X-Declude-Sender: gha...@ghrlawyers.com [70.89.176.73]
X-Declude-Spoolname: 159486224.eml
X-Declude-RefID:
X-Declude-Note: Scanned by Declude 4.11.00 "http://www.declude.com/x-note.htm";
X-Declude-Scan: Incoming Score [-3] at 17:56:38 on 26 Feb 2013
X-Declude-Tests: SPFUNKNOWN [1]
X-Country-Chain: UNITED STATES->destination
X-Declude-Code: 1e
X-HELO: mail.garrettlaw.com
X-Identity: 70.89.176.73 | mail.garrettlaw.com | ghrlawyers.com
X-SmarterMail-Spam: SPF_SoftFail, ISpamAssassin 5 [raw: 3], DK_None, DKIM_None, 
Declude: -3
X-SmarterMail-TotalSpamWeight: 5
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, 
just send an E-mail to imail...@declude.com, and type "unsubscribe 
Declude.JunkMail". The archives can be found at http://www.mail-archive.com.

This message (and any associated files) may contain confidential,
proprietary and/or privileged material and access to these materials by anyone
other than the intended recipient is unauthorized. Unauthorized recipients are
required to maintain confidentiality. Any review, retransmission, dissemination
or other use of these materials by persons or entities other than the intended
recipient is prohibited and may be unlawful. If you have received this message
in error, please notify us immediately and destroy the original.
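
The return-code handling discussed in this thread (Andrew's reply to point 3), as an added example that is not part of the original messages and is not SmarterMail's or Declude's code. The function names and sample answers are hypothetical, and the wildcard scorer models the behaviour Andrew only assumes SmarterMail has; the grey and red bit values come from URIBL's published return codes rather than from the thread.

```python
import ipaddress

# multi.uribl.com answers 127.0.0.X, X being a bitmask. 127.0.0.1 (refusal)
# and 127.0.0.2 (black) are cited in the thread; grey and red are taken from
# URIBL's published return codes, not from the thread.
QUERY_REFUSED = 0x01
LISTS = {0x02: "black", 0x04: "grey", 0x08: "red"}


def classify(answer):
    """Map one DNS answer (None means NXDOMAIN) to (status, lists)."""
    if answer is None:
        return "clean", []
    octets = ipaddress.IPv4Address(answer).packed
    if octets[:3] != b"\x7f\x00\x00":
        return "invalid", []  # not a blocklist reply at all
    mask = octets[3]
    if mask & QUERY_REFUSED:
        return "refused", []  # resolver is blocked; says nothing about the link
    hits = [name for bit, name in LISTS.items() if mask & bit]
    return ("listed", hits) if hits else ("invalid", [])


def score_wildcard(answers, weight=4):
    """Assumed faulty behaviour: any answer at all counts as a hit."""
    return weight * sum(1 for a in answers if a is not None)


def score_strict(answers, weight=4, wanted=("black",)):
    """Score real listings only; return (score, refused_count)."""
    score = refused = 0
    for answer in answers:
        status, lists = classify(answer)
        if status == "refused":
            refused += 1
        elif status == "listed" and set(lists) & set(wanted):
            score += weight
    return score, refused


# Constructed sample: five links, resolver is being refused by URIBL.
BLOCKED = ["127.0.0.1"] * 5
# Constructed sample: resolver is accepted, one of five links is on black.
NORMAL = [None, None, "127.0.0.2", None, None]

if __name__ == "__main__":
    print("wildcard:", score_wildcard(BLOCKED), score_wildcard(NORMAL))
    print("strict:  ", score_strict(BLOCKED), score_strict(NORMAL))
```

A non-zero refused count is the signal to change which resolver the mail server queries through; it should never be added to a message's spam weight.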
