Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - How do you guys deal with it?
  FAQ FAQ  Forum Search   Register Register  Login Login

How do you guys deal with it?

 Post Reply Post Reply
Author
Benny View Drop Down
Newbie
Newbie


Joined: 17 January 2006
Status: Offline
Points: 24
Post Options Post Options   Thanks (0) Thanks(0)   Quote Benny Quote  Post ReplyReply Direct Link To This Post Topic: How do you guys deal with it?
    Posted: 25 January 2006 at 1:02pm

I am consistantly  getting complaints from our sales team saying our customers, mostly new customers, are unable to send us emails. Mostly I find is the emails fail the tests for the following reasons:

1. No reverse DNS

2. contains embeded picture with keyword (sid=img)

3. Their email servers are listed as either Open Relay or Spam site by one of the blacklist servers.

What should I do?

I do manually sort those emails rejected for reason 1 and 2.



Edited by Benny
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 25 January 2006 at 6:52pm
Benny,
 
We all have the same issues but at varying levels.  The first issue is to educate your customers but some seem to be as stubborn as rocks.  The key is to make sure they know that mail servers must be configured with proper rDNS and MX records as this is a very basic function.  The unfortunate thing is that some countries (China for one) actually do not allow rDNS ... thinking in some screwed reasoning that rDNS is a security problem!  
 
Another workaround is that all domains are supposed to have an abuse@ address.  We force non-filtering on that address and receive zero spam on it.  If some idiot actually spammed an abuse admin account, I would hunt them down like a dog ... and so would everyone else.
 
The key issue it to make sure, in the case of rDNS or black lists, that they know it is THEIR issue.  The keyword filtering is another issue.   Anytime something get blocked by one of your keywords, you have to be prepared to take the heat.  I know that my filters are not as effective as they could be because we elect NOT to "censor" but look mainly for obvious obfuscation. I do, however have some filters that fall outside that line and sometimes need to "fix" them.
 
Sorry ... no magic answer from me.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
Benny View Drop Down
Newbie
Newbie


Joined: 17 January 2006
Status: Offline
Points: 24
Post Options Post Options   Thanks (0) Thanks(0)   Quote Benny Quote  Post ReplyReply Direct Link To This Post Posted: 25 January 2006 at 10:42pm

When was last time you tried to educate your wife? :-)

Educating customers is hard to do, but educating our people is even harder. Everytime a customer has a problem, our sales mgr calls me or sends emails to my boss and myself stating there's a problem in our email system. It has become quite nasty sometimes. They keep telling me it's my system's problem blah blah blah no matter how many times I told them it's the customers. Everytime I offer to help too but not once our salespeople hook me up with their IT people.

I finally relented on the src=cid image thingy which seems to generate more false positive.

 

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 26 January 2006 at 7:48am
Unfortunately there is no magic solution.

If the rDNS filter is causing you headaches, you may try to disable it. We recently a new filter (MX filter test) that checks the sender's MX record, and that will help to some degree if the rDNS filter is turned off.

But if your senders are bad administrators, and configure their servers to be open relays, they are in fact (unknowingly) spammers, as spammers are using their server to send out spam... And SpamFilter is doing its job in blocking them. Your only option here really is to whitelist these "bad" domains and hope that one day these admins will realize that nobody is receiving their emails, and will fix their configs.


Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
WebGuyz View Drop Down
Senior Member
Senior Member


Joined: 09 May 2005
Location: United States
Status: Offline
Points: 348
Post Options Post Options   Thanks (0) Thanks(0)   Quote WebGuyz Quote  Post ReplyReply Direct Link To This Post Posted: 26 January 2006 at 9:08am

We had to stop checking rDNS because of false positive complaints. You can't make anybody do anything and since we have no control we decided it was not worth the hassle.

The cid=image is another tough one(as well as base64html) since a lot of our customers send pictures back and forth.

We do use a spamassassin proxy behind SF that catches that last bit of spam that SF does not and use it to get URL's and unique words which we feed back into SF keyword blacklist.

http://www.webguyz.net
Back to Top
nippe View Drop Down
Newbie
Newbie


Joined: 03 February 2005
Status: Offline
Points: 12
Post Options Post Options   Thanks (0) Thanks(0)   Quote nippe Quote  Post ReplyReply Direct Link To This Post Posted: 26 January 2006 at 9:17am

This is working very often for me.

Write somthing like this to the sender:

= = = = = = = = = = = = = = = =
The server that is sending your mail is not ... bla, bla, bla ...RFC 1912 2.1 ... bla, bla.

We do not want to stop mail from you but ...
The reason we do this is ...

Please forward this message and the error message you hopfylly received erlier to your technican.
This link may be helpfull for your tecnican:
http://www.dnsstuff.com/tools/ptr.ch?ip=213.180.65.6

Copy to:
postmaster@...
n.n@..   - who, according to the whois-informaion, is your domian administrator.

Best regards ...

My name and telephone number
= = = = = = = = = = = = = = =

This is what happens!

The  sender forward this message and maybe the NDN to postmaster or another technican.

Postmaster does nothing. (If  the postmaster likes to do things this should not happen in the first place.)

n.n (from the never updated whois-information) is no longer domain administrator (he is now just a boss) calls postmaster and ask what is going on.

... and then postmaster calls me on the telephone and ask for help.

I tell postmaster to open the link in the message, read the webpage and call the dns manager for the in-addr-arpa-zon. 

Problem solved!

... and postmaster ows me a beer.  :)

Back to Top
Benny View Drop Down
Newbie
Newbie


Joined: 17 January 2006
Status: Offline
Points: 24
Post Options Post Options   Thanks (0) Thanks(0)   Quote Benny Quote  Post ReplyReply Direct Link To This Post Posted: 26 January 2006 at 9:20am

I am kind of whining here.

About 1 out of 100 emails caught as "no reverse DNS" is false positive. If I open that, I am very sure we will be flooded.

Our sales team do not care whose fault it is and who is responsible to fix the problem, they just want the emails from their customers arrive in their inboxes, and obviously, they don't want to see spams either.

Does anybody think i should just put those sales people or the top whiner into exception list, let them get flooded with spam, and then they will understand what a great job I have been doing?

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 26 January 2006 at 10:42am

Whiner ... oops, I mean Benny,

I agree ... it is a real dilemma.  However, the "Can't eat your cake and have it too" applies here.  This may not be practical but you could set up a separate server to accept the spam and forward the barking sales people their messages back.  OR ... Put their addresses in the allow list with the :tag option.  Here's a plan ... have them actually use the Web Spam Management to check their spam a couple of times a day, assuming you have that set up.  Last resort, hit them with a 2X4 and tell them to work with their clients to fix their rDNS.  A 60 second addition to dns is all it takes.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
WebGuyz View Drop Down
Senior Member
Senior Member


Joined: 09 May 2005
Location: United States
Status: Offline
Points: 348
Post Options Post Options   Thanks (0) Thanks(0)   Quote WebGuyz Quote  Post ReplyReply Direct Link To This Post Posted: 26 January 2006 at 10:44am
We tried the 2x4 but it did not work.
http://www.webguyz.net
Back to Top
Benny View Drop Down
Newbie
Newbie


Joined: 17 January 2006
Status: Offline
Points: 24
Post Options Post Options   Thanks (0) Thanks(0)   Quote Benny Quote  Post ReplyReply Direct Link To This Post Posted: 26 January 2006 at 10:55am

The problem with hitting them with spams is that I would have to clean up the mess if they make one and i am sure they will.

Once I put them in the Allowed list, they would be hit by hundreds of virus and spams.

The risk of doing that is too high - as I would be risking my job, not unless they can take the responsibility, obviously, they wouldn't.

I wonder if there is a way to let them enjoy the spam but not be affected by virus.

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 26 January 2006 at 11:04am
Do you have the Anti-Virus Plugin for SpamFilter?  It works in all cases.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
Marco View Drop Down
Senior Member
Senior Member
Avatar

Joined: 07 June 2005
Location: Netherlands
Status: Offline
Points: 137
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marco Quote  Post ReplyReply Direct Link To This Post Posted: 26 January 2006 at 11:08am

Educating customers is hard to do, but educating our people is even harder. Everytime a customer has a problem, our sales mgr calls me or sends emails to my boss and myself stating there's a problem in our email system. It has become quite nasty sometimes. They keep telling me it's my system's problem blah blah blah no matter how many times I told them it's the customers.

Here's what you do: disable ALL spf filters and let the stew brew for a couple of days.

that'll bring the sales people to their knees, it will DEMONSTRATE to them what the benefits of spf system are. and they will see you side of things.

On the other hand... sales people are sales people and love to hear their own voice, unhindered by any or all forms of knowledge :)

i wish you good luck,

Marco

Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Back to Top
Benny View Drop Down
Newbie
Newbie


Joined: 17 January 2006
Status: Offline
Points: 24
Post Options Post Options   Thanks (0) Thanks(0)   Quote Benny Quote  Post ReplyReply Direct Link To This Post Posted: 26 January 2006 at 11:14am

I don't use virus plugins.

I use SFI to filter out majority of the harmful attachments and I have a SMTP antivirus software sitting behind to get rid of the rest attachments.

There's no antivirus mechnism on my network. I just don't allow any attachment that may carry any virus.

How much does the norman av cost?



Edited by Benny
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 26 January 2006 at 11:22am

Cut From LogSat Page:

About the Plug-in

The antivirus plug-in is available for purchase separately from Spam Filter ISP as an optional component. Unlike Spam Filter ISP's licenses, the antivirus plug-in is offered as a subscription service with a yearly subscription fee. The amount of this service is $400 per year. This fee covers all of your updates and virus patterns to fight off any and all new viruses during you subscription year. To purchase the antivirus plugin for an existing SpamFilter license please login the registered user area of the website.

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 26 January 2006 at 4:13pm
Benny,

Stupid question. Have you prepared for them a quick report showing how much spam they received (and was blocked) during the past, say, 7 days? Just this morning we ourselves had a "vip" customer complaining about the same 2-3 spams emails he received in his mailbox during the past few days. We printed a 13-page PDF showing the 291 spam emails that he did *not* receive int he last 3 days, and that pretty much left him saying "wow, I didn't know! Sorry."

Seing that many should justify the false positives too...
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Benny View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Benny Quote  Post ReplyReply Direct Link To This Post Posted: 30 January 2006 at 9:32pm
Sorry, Roberto, how do I do that report?
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 30 January 2006 at 11:36pm
We simply logged in the quarantine web interface using the user's email address. This gave us a list of all email that was quarantined for him. This does not include all spam blocked by the IP blacklist cache filter, as those emails are cutoff immediately, so the number is actually lower than it should be.

If you want to retrieve a report directly from the quarantine database, simply issue the SQL query:

SELECT     EmailFrom, EmailTo, Subject, MsgDate
FROM         tblQuarantine
WHERE     (EmailTo = 'support@logsat.com')

on the database. Please note that these results are accurate only if you configure SpamFilter to quarantine everything. If this is not the case, you'll need to use commercial reporting tools available that import SpamFilter logs.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Benny View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Benny Quote  Post ReplyReply Direct Link To This Post Posted: 31 January 2006 at 9:19am
Unfortunately, I do not quarantine everything. :-(
Back to Top
JohnD View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote JohnD Quote  Post ReplyReply Direct Link To This Post Posted: 31 January 2006 at 1:45pm

I have had the same discussion with our Sales people.  For me the solution really was explaining in laymans terms what a Rdns is and why it's important.  Also I implemented the web interface and have not had any complaints since. 

 

BTW 75% of the email we get is spam.

Back to Top
Benny View Drop Down
Newbie
Newbie


Joined: 17 January 2006
Status: Offline
Points: 24
Post Options Post Options   Thanks (0) Thanks(0)   Quote Benny Quote  Post ReplyReply Direct Link To This Post Posted: 31 January 2006 at 3:51pm
I thought about the web interface thing too. What if somebody releases something that should not be released? I just don't want to give them such control.
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4068
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 31 January 2006 at 4:00pm
If they release (force the delivery of) an email to themselves, the sender will be whitelisted. However the sender is also matched to the recipient, so that they are whitelisted *only* to that recipient. All other email from that sender to other users will still be blocked.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Benny View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Benny Quote  Post ReplyReply Direct Link To This Post Posted: 01 February 2006 at 10:14am
They could release some virus and get infected themselves and soon infect other people.
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 01 February 2006 at 10:17am
Easy solution ... Don't quarantine the viruses.
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
Benny View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Benny Quote  Post ReplyReply Direct Link To This Post Posted: 01 February 2006 at 11:46am
I drop every email that carries an executable though.
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.079 seconds.