[anti-abuse-wg] Mimecast.com

It looks like the same issue for cozahosts.com & wetmy.com so I have fixed those up too now. Is there a larger list of domains that you are seeing this issue with? I can do a more bulk review and fix up if you want to get those to me.

Looking some more into the 'why' here, it looks like it relates to a bunch of data from Spamcop reports although these domains have been flagged as spammy in our system for some time so full samples are hard to come by now. The one sample I have been able to dig up shows:

Received: from ns3.ox.co.za ([209.17.190.102]:34366)
	by web.hostacc.com with esmtp (Exim 4.85)
	(envelope-from <shawna_bean at ctfilter.com>)
	id 1ZjxSd-0004BS-DN
	for x; Thu, 08 Oct 2015 00:45:23 +0200
Received: from ctfilter.com (unknown [223.4.32.2])
	by ns3.ox.co.za (Postfix) with ESMTP id 6BF7C68271E
	for <x>; Thu,  8 Oct 2015 00:43:23 +0200 (SAST)
Date: Thu, 8 Oct 2015 6:44:27 +0800
From: "Shawna Bean" <shawna_bean at ctfilter.com>
Reply-To:"Shawna Bean" <shawna_bean at ctfilter.com>
Subject:   Top Popular Pharma Active solutions 

It looks like our systems were getting a little too aggressive on the domains appearing in such messages so we're in the process of adjusting them to work better and not produce such FPs.

-- 
James Hoddinott
Manager, Security Operations
Cloudmark


> -----Original Message-----
> From: anti-abuse-wg [mailto:anti-abuse-wg-bounces at ripe.net] On Behalf Of
> andre at ox.co.za
> Sent: 04 November 2015 10:41
> To: James Hoddinott
> Cc: anti-abuse-wg at ripe.net
> Subject: [SPAM] Re: [anti-abuse-wg] Mimecast.com
> 
> On Wed, 4 Nov 2015 10:20:51 +0000
> James Hoddinott <jhoddinott at cloudmark.com> wrote:
> > Hi Andre,
> >
> Hello James :)
> 
> > I don't think they are Evil Corp and this is little more than spam
> > filtering on a role address (which you can debate ad-infinitum if you
> 
> nope. no debate - simply broken if you advice on bounce to contact mr x
> and mr x auto bounces from the same ip/address
> 
> > like). I did spot that your replies on this thread were flagged as
> > spam by us and since we provide them some services I dug in a little
> > more and can see that our systems had erroneously set the domain
> > hostacc.com [1] as spammy so I have fixed that up for you and I
> 
> okay, no - not really understood or accepted?  how come the same
> happened to 176.9.148.244 @cozahosts.com 209.17.190.102 at ns3.ox.co.za
> wetmy.com and all the others, every time that I send request to
> support at mimecast - magically: new server is also blocked...
> 
> can you fix all my servers? surely all of my thousands of users
> all over the planet did not suddenly all attack mimecast? Some systems
> are on BSD, Some on Linux, Some on Unix, Some on Windows, etc
> It is extremely unlikely that everything by me was compromised all
> at the same time - and then ONLY to mail bomb mimecast.com...
> 
> so, this shows me only one thing? - Malice.
> 
> Do I (and everyone else) when they have a magical problem like this
> have to post on public lists and beg?
> 
> Or is it not occam's razor? - Simple extortion for money?
> 
> > reckon you should now be able to send your reports in to Mimecast
> > without issue (or at least, without this issue).
> >
> Thank you so much James, I do honestly and truly appreciate it from
> the bottom of my heart.
> 
> But I am as stubborn as my email address, I need to understand why
> I need to know what is wrong, understand the situation and problem
> so that it can make sense to me, Also, I think that is is important to
> do things openly, so that everyone can understand what is going on
> 
> as next week (or last week) maybe this also happened to someone else
> and if we know how to respond or what the issues are, we can help others
> and do the whole Kumbaya thing :)
> 
> again thanks James :)
> 
> andre
> 
> > [1] This appears to be what your sending IP resolves to and what it
> > HELOs as.
> >
>