Re: [anti-abuse-wg] Mimecast.com
It looks like the same issue for cozahosts.com & wetmy.com so I have fixed those up too now. Is there a larger list of domains that you are seeing this issue with? I can do a more bulk review and fix up if you want to get those to me.

Looking some more into the 'why' here, it looks like it relates to a bunch of data from Spamcop reports although these domains have been flagged as spammy in our system for some time so full samples are hard to come by now. The one sample I have been able to dig up shows:

Received: from ns3.ox.co.za ([209.17.190.102]:34366) by web.hostacc.com with esmtp (Exim 4.85) (envelope-from <shawna_bean@ctfilter.com>) id 1ZjxSd-0004BS-DN for x; Thu, 08 Oct 2015 00:45:23 +0200
Received: from ctfilter.com (unknown [223.4.32.2]) by ns3.ox.co.za (Postfix) with ESMTP id 6BF7C68271E for <x>; Thu, 8 Oct 2015 00:43:23 +0200 (SAST)
Date: Thu, 8 Oct 2015 6:44:27 +0800
From: "Shawna Bean" <shawna_bean@ctfilter.com>
Reply-To:"Shawna Bean" <shawna_bean@ctfilter.com>
Subject: Top Popular Pharma Active solutions

It looks like our systems were getting a little too aggressive on the domains appearing in such messages so we're in the process of adjusting them to work better and not produce such FPs.

--
James Hoddinott
Manager, Security Operations
Cloudmark
-----Original Message-----
From: anti-abuse-wg [mailto:anti-abuse-wg-bounces@ripe.net] On Behalf Of andre@ox.co.za
Sent: 04 November 2015 10:41
To: James Hoddinott
Cc: anti-abuse-wg@ripe.net
Subject: [SPAM] Re: [anti-abuse-wg] Mimecast.com
On Wed, 4 Nov 2015 10:20:51 +0000 James Hoddinott <jhoddinott@cloudmark.com> wrote:
Hi Andre,
Hello James :)
I don't think they are Evil Corp and this is little more than spam filtering on a role address (which you can debate ad-infinitum if you
nope. no debate - simply broken if you advise on bounce to contact mr x and mr x auto bounces from the same ip/address
like). I did spot that your replies on this thread were flagged as spam by us and since we provide them some services I dug in a little more and can see that our systems had erroneously set the domain hostacc.com [1] as spammy so I have fixed that up for you and I
okay, no - not really understood or accepted? how come the same happened to 176.9.148.244 @cozahosts.com 209.17.190.102@ns3.ox.co.za wetmy.com and all the others, every time that I send a request to support@mimecast - magically: a new server is also blocked...
can you fix all my servers? surely all of my thousands of users all over the planet did not suddenly all attack mimecast? Some systems are on BSD, some on Linux, some on Unix, some on Windows, etc. It is extremely unlikely that everything by me was compromised all at the same time - and then ONLY to mail bomb mimecast.com...
so, this shows me only one thing? - Malice.
Do I (and everyone else) when they have a magical problem like this have to post on public lists and beg?
Or is it not Occam's razor? - Simple extortion for money?
reckon you should now be able to send your reports in to Mimecast without issue (or at least, without this issue).
Thank you so much James, I do honestly and truly appreciate it from the bottom of my heart.
But I am as stubborn as my email address, I need to understand why, I need to know what is wrong, understand the situation and problem so that it can make sense to me. Also, I think that it is important to do things openly, so that everyone can understand what is going on
as next week (or last week) maybe this also happened to someone else and if we know how to respond or what the issues are, we can help others and do the whole Kumbaya thing :)
again thanks James :)
andre
[1] This appears to be what your sending IP resolves to and what it HELOs as.
On Wed, 4 Nov 2015 11:22:57 +0000 James Hoddinott <jhoddinott@cloudmark.com> wrote:
<snip>
You should sit up and read this thread carefully as the principles involved in these explanations are among those that are shaping the course of the Internet.

Looking some more into the 'why' here, it looks like it relates to a bunch of data from Spamcop reports although these domains have been flagged as spammy in our system for some time so full samples are hard to come by now. The one sample I have been able to dig up shows:

Received: from ns3.ox.co.za ([209.17.190.102]:34366) by web.hostacc.com with esmtp (Exim 4.85) (envelope-from <shawna_bean@ctfilter.com>) id 1ZjxSd-0004BS-DN for x; Thu, 08 Oct 2015 00:45:23 +0200
Received: from ctfilter.com (unknown [223.4.32.2]) by ns3.ox.co.za (Postfix) with ESMTP id 6BF7C68271E for <x>; Thu, 8 Oct 2015 00:43:23 +0200 (SAST)
Date: Thu, 8 Oct 2015 6:44:27 +0800
From: "Shawna Bean" <shawna_bean@ctfilter.com>
Reply-To:"Shawna Bean" <shawna_bean@ctfilter.com>
Subject: Top Popular Pharma Active solutions

It looks like our systems were getting a little too aggressive on the domains appearing in such messages so we're in the process of adjusting them to work better and not produce such FPs.
To translate for those that may be less technical, this basically means that what James is saying is mea culpa, that the victims of Pharma Spam Attacks were blocked (false positive (FP)).

In the above headers an IP 223.4.32.2 from Alibaba (China) is dropping spam on ns3.ox.co.za@209.17.190.102 - ns3.ox.co.za (Canada) - sees that Alibaba is dropping over a set amount/threshold and is forwarding 1 in every 10 odd of these to web.hostacc.com (Germany/EU) - which then collects and submits it to Spamcop - Spamcop (USA) then sends an abuse report to @Alibaba and if more Spamcop users complain about @223.4.32.2 then it could/may be listed and the drop automagically stops.

So, what James is saying is that he picked headers (raw data - with no context) up from Spamcop and then proceeded to block the victims/complainants which he fed into Mimecast, a third party, which apparently trusts James explicitly and completely (so much so that James has the power to blacklist servers from all over the world) and then all my hosts, from Sweden to the US were blocked (just checked, some are still blocked...) and some of them magically right after I sent email to support@mimecast.

James is kindly offering to delist in bulk. Very nice, very decent and of course correct. - but an offer we will decline.

But, there is still a problem. I have a small daughter, she is four years old and as cute as a button. (I am around her pinky finger and she can get me to do anything for her) Last night, right before supper, I caught her with her hand still inside the cookie jar. She explained that she was only taking out a cookie to eat it later, after dinner and that it was all perfectly fine.... there were still some crumbs on her face, from the cookie she had obviously only just eaten, anyway, I digress.

I believe that James did all that, but I do not believe that that was the cause for my blacklisting.

I do believe that James believes it so my responses are not against or to James as an opponent, rather to Mimecast.com and to the behavior of Mimecast.com. James believes that this happened because: False Positive. He says that all the headers from spam complaints, both victims as well as spammers, were all loaded into blacklists. (Who even does that - Would you think it reasonable that victims will be loaded into a third party blacklist? James, dude, seriously??)

Anyway, no. This is a Mimecast.com thing... - Maybe James gave them my data? at most.

This may surprise you, but ::: Blocking victim servers in small companies is a practice that is on the increase by certain predatory/expansionary elements on the Internet. Not just Mimecast.com.

Just now, Microsoft Azure blocked one of my servers, after we filed a spam complaint against one of their users, in fact, right now I have an open routing complaint as Microsoft is dropping traffic (certain TCP ports only) from a /24 - for no reason, other than they don't know why they are doing it.... right, so reasonable. (At least Microsoft responds, replies and deals with their issues)

Last week, another fake/wannabe RBL blocked me for no good reason, directly after I complained about 14000 spam/ube emails per hour... They offered to filter my emails for me, "for a small monthly fee". These people have actual large companies as clients. Their sales suits must be amazing at selling FUD.

Maybe it is because that happened that I sat up straight yesterday afternoon when Mimecast.com blacklisted me and then, each time I emailed @mimecast.com - no reply, no nothing, followup email BAM, blocked, new server blocked. So, no, cannot believe that it is only James.... soz dude.

I still like Occam's razor, there are many reasons, the two obvious ones are:

first off - It is extremely hard to believe that one person/company can take out another person/company and so properly that it is even impossible to escalate without actually shouting wolf from a mountaintop. and that one person/company is so trusted that a third party would take their word as fact.

secondly - each time I email a new server is listed? Simply too much coincidence, simply hard to understand and impossible to accept.

So, where does that leave this issue? I think James is innocent, but I do believe he feels responsible, I think that the goals of some of the larger filters are to expand market share, aggressively. It is my contention that these expansionary tactics constitute abuse and as such require discussion & solutions.

andre
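The Received chain Andre walks through above, as an added example that is not code from either poster: a small Python parser that unfolds the headers, extracts each hop, and separates the one IP that injected the message from the relays that merely accepted it, which is the distinction a reputation-list ingester has to make to avoid the false positives discussed in this thread. The sample is constructed from the two Received lines quoted in the thread; the host names and IPs are the ones on the page, and the assumption is that each "by" host in the chain is a trusted MTA.

```python
import re

# Constructed sample: the two Received lines quoted in the thread, folded the way an MTA writes them.
SAMPLE_HEADERS = """\
Received: from ns3.ox.co.za ([209.17.190.102]:34366)
\tby web.hostacc.com with esmtp (Exim 4.85)
\t(envelope-from <shawna_bean@ctfilter.com>)
\tid 1ZjxSd-0004BS-DN for x; Thu, 08 Oct 2015 00:45:23 +0200
Received: from ctfilter.com (unknown [223.4.32.2])
\tby ns3.ox.co.za (Postfix) with ESMTP id 6BF7C68271E
\tfor <x>; Thu, 8 Oct 2015 00:43:23 +0200 (SAST)
Subject: Top Popular Pharma Active solutions
"""

# Received: from <helo-name> ... [<peer-ip>] ... by <receiving-mta> ...
RECEIVED_RE = re.compile(r"^Received: from (\S+) .*?\[(\d+\.\d+\.\d+\.\d+)\].*? by (\S+)")

def unfold(raw):
    """Join RFC 5322 continuation lines (leading space or tab) onto the header they belong to."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw):
    """Return (helo_name, peer_ip, receiving_mta) for each Received header, newest first."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append(m.groups())
    return hops

def hosts_mentioned(hops):
    """Every name and IP in the chain: what a naive 'list everything in the headers' ingester would block."""
    return {x for hop in hops for x in hop}

def originating_ip(hops):
    """Peer IP of the oldest hop: the only address in the chain that injected the message.
    Headers below the one written by an MTA you trust are attacker-supplied text, so this
    is only meaningful when every 'by' host is one you or a trusted forwarder operate."""
    return hops[-1][1]

def relay_hosts(hops):
    """Receiving MTAs along the path: the victims that merely accepted and forwarded the spam."""
    return [hop[2] for hop in hops]
```

Feeding only `originating_ip()` into a reputation list, and never `hosts_mentioned()`, is the difference between listing 223.4.32.2 and listing ns3.ox.co.za and web.hostacc.com along with it.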