
How do you guys deal with it?

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5460
Printed Date: 22 October 2017 at 1:30pm


Topic: How do you guys deal with it?
Posted By: Benny
Subject: How do you guys deal with it?
Date Posted: 25 January 2006 at 1:02pm

I am consistently getting complaints from our sales team saying our customers, mostly new customers, are unable to send us emails. Mostly I find the emails fail the tests for the following reasons:

1. No reverse DNS

2. contains embedded picture with keyword (sid=img)

3. Their email servers are listed as either Open Relay or Spam site by one of the blacklist servers.

What should I do?

I do manually sort those emails rejected for reason 1 and 2.




Replies:
Posted By: Desperado
Date Posted: 25 January 2006 at 6:52pm
Benny,
 
We all have the same issues but at varying levels.  The first issue is to educate your customers but some seem to be as stubborn as rocks.  The key is to make sure they know that mail servers must be configured with proper rDNS and MX records as this is a very basic function.  The unfortunate thing is that some countries (China for one) actually do not allow rDNS ... thinking in some screwed reasoning that rDNS is a security problem!  
 
Another workaround is that all domains are supposed to have an abuse@ address.  We force non-filtering on that address and receive zero spam on it.  If some idiot actually spammed an abuse admin account, I would hunt them down like a dog ... and so would everyone else.
 
The key issue is to make sure, in the case of rDNS or black lists, that they know it is THEIR issue.  The keyword filtering is another issue.   Anytime something gets blocked by one of your keywords, you have to be prepared to take the heat.  I know that my filters are not as effective as they could be because we elect NOT to "censor" but look mainly for obvious obfuscation. I do, however, have some filters that fall outside that line and sometimes need to "fix" them.
 
Sorry ... no magic answer from me.


-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: Benny
Date Posted: 25 January 2006 at 10:42pm

When was last time you tried to educate your wife? :-)

Educating customers is hard to do, but educating our people is even harder. Every time a customer has a problem, our sales mgr calls me or sends emails to my boss and myself stating there's a problem in our email system. It has become quite nasty sometimes. They keep telling me it's my system's problem blah blah blah no matter how many times I told them it's the customers. Every time I offer to help too, but not once have our salespeople hooked me up with their IT people.

I finally relented on the src=cid image thingy which seems to generate more false positives.

 



Posted By: LogSat
Date Posted: 26 January 2006 at 7:48am
Unfortunately there is no magic solution.

If the rDNS filter is causing you headaches, you may try to disable it. We recently added a new filter (MX filter test) that checks the sender's MX record, and that will help to some degree if the rDNS filter is turned off.

But if your senders are bad administrators, and configure their servers to be open relays, they are in fact (unknowingly) spammers, as spammers are using their server to send out spam... And SpamFilter is doing its job in blocking them. Your only option here really is to whitelist these "bad" domains and hope that one day these admins will realize that nobody is receiving their emails, and will fix their configs.




-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: WebGuyz
Date Posted: 26 January 2006 at 9:08am

We had to stop checking rDNS because of false positive complaints. You can't make anybody do anything and since we have no control we decided it was not worth the hassle.

The cid=image is another tough one (as well as base64html) since a lot of our customers send pictures back and forth.

We do use a spamassassin proxy behind SF that catches that last bit of spam that SF does not and use it to get URLs and unique words which we feed back into SF keyword blacklist.



-------------
http://www.webguyz.net


Posted By: nippe
Date Posted: 26 January 2006 at 9:17am

This is working very often for me.

Write something like this to the sender:

= = = = = = = = = = = = = = = =
The server that is sending your mail is not ... bla, bla, bla ...RFC 1912 2.1 ... bla, bla.

We do not want to stop mail from you but ...
The reason we do this is ...

Please forward this message and the error message you hopefully received earlier to your technician.
This link may be helpful for your technician:
http://www.dnsstuff.com/tools/ptr.ch?ip=213.180.65.6

Copy to:
postmaster@...
n.n@..   - who, according to the whois information, is your domain administrator.

Best regards ...

My name and telephone number
= = = = = = = = = = = = = = =

This is what happens!

The sender forwards this message and maybe the NDN to postmaster or another technician.

Postmaster does nothing. (If the postmaster likes to do things this should not happen in the first place.)

n.n (from the never-updated whois information), who is no longer domain administrator (he is now just a boss), calls postmaster and asks what is going on.

... and then postmaster calls me on the telephone and asks for help.

I tell postmaster to open the link in the message, read the webpage and call the dns manager for the in-addr.arpa zone.

Problem solved!

... and postmaster owes me a beer.  :)
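
Added example (not part of nippe's post and not SpamFilter's own test): a small Python check of the kind the linked PTR tool performs, reporting whether a sending IP has no PTR record, a PTR that does not resolve back to the same IP, or a forward-confirmed PTR. The function names, status strings and sample addresses are assumptions made for illustration; the sample tables use documentation address ranges so it runs offline.

```python
import ipaddress
import socket

def ptr_name(ip):
    """Name queried for the PTR record, e.g. 25.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def system_ptr(ip):
    """PTR lookup through the system resolver; [] when no record exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(host):
    """A/AAAA lookup through the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def same_ip(a, b):
    """Compare two textual addresses; unparsable text never matches."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False

def check_rdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return details plus status 'no-ptr', 'ptr-mismatch' or 'ok'."""
    hosts = ptr_lookup(ip)
    if not hosts:
        status = "no-ptr"
    elif any(same_ip(ip, a) for h in hosts for a in forward_lookup(h)):
        status = "ok"  # PTR name resolves back to the sending IP
    else:
        status = "ptr-mismatch"
    return {"ip": ip, "query": ptr_name(ip), "hosts": hosts, "status": status}

# Constructed sample data (documentation ranges), so the demo needs no network.
SAMPLE_PTR = {"192.0.2.25": ["mail.example.net"], "198.51.100.7": ["host.example.org"]}
SAMPLE_FWD = {"mail.example.net": {"192.0.2.25"}, "host.example.org": {"203.0.113.9"}}

def check_sample(ip):
    """Run check_rdns against the constructed tables instead of live DNS."""
    return check_rdns(ip, lambda i: SAMPLE_PTR.get(i, []),
                      lambda h: SAMPLE_FWD.get(h, set()))

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.50"):
        print(check_sample(ip))
```

Calling check_rdns(ip) with the default arguments uses the system resolver, and the "query" field is the name to hand to whoever manages the in-addr.arpa zone.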



Posted By: Benny
Date Posted: 26 January 2006 at 9:20am

I am kind of whining here.

About 1 out of 100 emails caught as "no reverse DNS" is a false positive. If I open that, I am very sure we will be flooded.

Our sales team do not care whose fault it is and who is responsible to fix the problem, they just want the emails from their customers to arrive in their inboxes, and obviously, they don't want to see spams either.

Does anybody think I should just put those sales people or the top whiner into exception list, let them get flooded with spam, and then they will understand what a great job I have been doing?



Posted By: Desperado
Date Posted: 26 January 2006 at 10:42am

Whiner ... oops, I mean Benny,

I agree ... it is a real dilemma.  However, the "Can't eat your cake and have it too" applies here.  This may not be practical but you could set up a separate server to accept the spam and forward the barking sales people their messages back.  OR ... Put their addresses in the allow list with the :tag option.  Here's a plan ... have them actually use the Web Spam Management to check their spam a couple of times a day, assuming you have that set up.  Last resort, hit them with a 2X4 and tell them to work with their clients to fix their rDNS.  A 60 second addition to dns is all it takes.


-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: WebGuyz
Date Posted: 26 January 2006 at 10:44am
We tried the 2x4 but it did not work.

-------------
http://www.webguyz.net


Posted By: Benny
Date Posted: 26 January 2006 at 10:55am

The problem with hitting them with spams is that I would have to clean up the mess if they make one and I am sure they will.

Once I put them in the Allowed list, they would be hit by hundreds of viruses and spams.

The risk of doing that is too high - as I would be risking my job, not unless they can take the responsibility, obviously, they wouldn't.

I wonder if there is a way to let them enjoy the spam but not be affected by viruses.



Posted By: Desperado
Date Posted: 26 January 2006 at 11:04am
Do you have the Anti-Virus Plugin for SpamFilter?  It works in all cases.

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: Marco
Date Posted: 26 January 2006 at 11:08am

Educating customers is hard to do, but educating our people is even harder. Every time a customer has a problem, our sales mgr calls me or sends emails to my boss and myself stating there's a problem in our email system. It has become quite nasty sometimes. They keep telling me it's my system's problem blah blah blah no matter how many times I told them it's the customers.

Here's what you do: disable ALL spf filters and let the stew brew for a couple of days.

That'll bring the sales people to their knees, it will DEMONSTRATE to them what the benefits of spf system are. And they will see your side of things.

On the other hand... sales people are sales people and love to hear their own voice, unhindered by any or all forms of knowledge :)

I wish you good luck,

Marco



-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams


Posted By: Benny
Date Posted: 26 January 2006 at 11:14am

I don't use virus plugins.

I use SFI to filter out the majority of the harmful attachments and I have a SMTP antivirus software sitting behind to get rid of the rest of the attachments.

There's no antivirus mechanism on my network. I just don't allow any attachment that may carry any virus.

How much does the norman av cost?



Posted By: Desperado
Date Posted: 26 January 2006 at 11:22am

Cut From LogSat Page:

About the Plug-in

The antivirus plug-in is available for purchase separately from Spam Filter ISP as an optional component. Unlike Spam Filter ISP's licenses, the antivirus plug-in is offered as a subscription service with a yearly subscription fee. The amount of this service is $400 per year. This fee covers all of your updates and virus patterns to fight off any and all new viruses during your subscription year. To purchase the antivirus plugin for an existing SpamFilter license please login the registered user area of the website (http://www.logsat.com/sfi-login.asp).



-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: LogSat
Date Posted: 26 January 2006 at 4:13pm
Benny,

Stupid question. Have you prepared for them a quick report showing how much spam they received (and was blocked) during the past, say, 7 days? Just this morning we ourselves had a "vip" customer complaining about the same 2-3 spam emails he received in his mailbox during the past few days. We printed a 13-page PDF showing the 291 spam emails that he did *not* receive in the last 3 days, and that pretty much left him saying "wow, I didn't know! Sorry."

Seeing that many should justify the false positives too...


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: Guests
Date Posted: 30 January 2006 at 9:32pm
Sorry, Roberto, how do I do that report?


Posted By: LogSat
Date Posted: 30 January 2006 at 11:36pm
We simply logged in to the quarantine web interface using the user's email address. This gave us a list of all email that was quarantined for him. This does not include all spam blocked by the IP blacklist cache filter, as those emails are cut off immediately, so the number is actually lower than it should be.

If you want to retrieve a report directly from the quarantine database, simply issue the SQL query:

SELECT     EmailFrom, EmailTo, Subject, MsgDate
FROM         tblQuarantine
WHERE     (EmailTo = 'support@logsat.com')

on the database. Please note that these results are accurate only if you configure SpamFilter to quarantine everything. If this is not the case, you'll need to use commercial reporting tools available that import SpamFilter logs.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: Guests
Date Posted: 31 January 2006 at 9:19am
Unfortunately, I do not quarantine everything. :-(


Posted By: Guests
Date Posted: 31 January 2006 at 1:45pm

I have had the same discussion with our Sales people.  For me the solution really was explaining in layman's terms what a Rdns is and why it's important.  Also I implemented the web interface and have not had any complaints since.

 

BTW 75% of the email we get is spam.



Posted By: Benny
Date Posted: 31 January 2006 at 3:51pm
I thought about the web interface thing too. What if somebody releases something that should not be released? I just don't want to give them such control.


Posted By: LogSat
Date Posted: 31 January 2006 at 4:00pm
If they release (force the delivery of) an email to themselves, the sender will be whitelisted. However the sender is also matched to the recipient, so that they are whitelisted *only* to that recipient. All other email from that sender to other users will still be blocked.

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: Guests
Date Posted: 01 February 2006 at 10:14am
They could release some virus and get infected themselves and soon infect other people.


Posted By: Desperado
Date Posted: 01 February 2006 at 10:17am
Easy solution ... Don't quarantine the viruses.

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: Guests
Date Posted: 01 February 2006 at 11:46am
I drop every email that carries an executable though.


