[anti-abuse-wg] Mimecast.com
andre at ox.co.za
Wed Nov 4 15:28:38 CET 2015
On Wed, 4 Nov 2015 11:22:57 +0000
James Hoddinott <jhoddinott at cloudmark.com> wrote:

<snip>

You should sit up and read this thread carefully as the principles involved in these explanations are those that are among those that are shaping the course of the Internet.

> Looking some more into the 'why' here, it looks like it relates to a
> bunch of data from Spamcop reports although these domains have been
> flagged as spammy in our system for some time so full samples are
> hard to come by now. The one sample I have been able to dig up shows:
>
> Received: from ns3.ox.co.za ([209.17.190.102]:34366)
>     by web.hostacc.com with esmtp (Exim 4.85)
>     (envelope-from <shawna_bean at ctfilter.com>)
>     id 1ZjxSd-0004BS-DN
>     for x; Thu, 08 Oct 2015 00:45:23 +0200
> Received: from ctfilter.com (unknown [223.4.32.2])
>     by ns3.ox.co.za (Postfix) with ESMTP id 6BF7C68271E
>     for <x>; Thu, 8 Oct 2015 00:43:23 +0200 (SAST)
> Date: Thu, 8 Oct 2015 6:44:27 +0800
> From: "Shawna Bean" <shawna_bean at ctfilter.com>
> Reply-To:"Shawna Bean" <shawna_bean at ctfilter.com>
> Subject: Top Popular Pharma Active solutions
>
> It looks like our systems were getting a little too aggressive on the
> domains appearing in such messages so we're in the process of
> adjusting them to work better and not produce such FPs.
>

To translate for those that may be less technical, this basically means that what James is saying is mea culpa, that the victims of Pharma Spam Attacks were blocked (false positive (FP))

In the above headers an IP 223.4.32.2 from Alibaba (China) is dropping spam on ns3.ox.co.za at 209.17.190.102 - ns3.ox.co.za (Canada) - sees that Alibaba is dropping over a set amount/threshold and is forwarding 1 in every 10 odd of these to web.hostacc.com (Germany/EU) - which then collects and submits it to Spamcop - Spamcop (USA) then sends an abuse report to @Alibaba and if more Spamcop users complain about @223.4.32.2 then it could/may be listed and the drop automagically stops.

So, what James is saying is that he picked headers (raw data - with no context) up from Spamcop and then proceeded to block the victims/complainants which he fed into Mimecast, a third party, which apparently trusts James explicitly and completely (so much so that James has the power to blacklist servers from all over the world) and then all my hosts, from Sweden to the US were blocked (just checked, some are still blocked...) and some of them magically right after I sent email to support at mimecast.

James is kindly offering to delist en bulk. Very nice, very decent and of course correct. - but an offer we will decline.

But, there is still a problem.

I have a small daughter, she is four years old and as cute as a button. (I am around her pinky finger and she can get me to do anything for her)

Last night, right before supper, I caught her with her hand still inside the cookie jar. She explained that she was only taking out a cookie to eat it later, after dinner and that it was all perfectly fine.... there were still some crumbs on her face, from the cookie she had obviously only just eaten, anyway, I digress.

I believe that James did all that, but I do not believe that that was the cause for my blacklisting. I do believe that James believes it so my responses are not against or to James as an opponent, rather to Mimecast.com and to the behavior of Mimecast.com.

James believes that this happened because: False Positive. He says that all the headers from spam complaints both victims as well as spammers were all loaded into blacklists. (Who even does that - Would you think it reasonable that victims will be loaded into a third party blacklist? James, dude, seriously??)

Anyway, no. This is a Mimecast.com thing... - Maybe James gave them my data? at most.

This may surprise you, but :::

Blocking victim servers in small companies

It is a practise that is on the increase by certain predatory/expansionary elements on the Internet.

Not just Mimecast.com

Just now, Microsoft Azure blocked one of my servers, after we filed a spam complaint against one of their users, in fact, right now I have an open routing complaint as Microsoft is dropping traffic (certain TCP ports only) from a /24 - for no reason, other than they don't know why they are doing it.... right, so reasonable. (At least Microsoft responds, replies and deals with their issues)

Last week, another fake/wannabe RBL has blocked me for no good reason only last week directly after I complained about 14000 spam/ube emails per hour... They offered to filter my emails for me, "for a small monthly fee"

These people have actual large companies as clients. Their sales suits must be amazing at selling FUD.

Maybe it is because that happened that I sat up straight yesterday afternoon when Mimecast.com blacklisted me and then, each time I emailed @mimecast.com - no reply, no nothing, followup email BAM, blocked, new server blocked.

So, no, cannot believe that it is only James.... soz dude.

I still like Occam's razor, there are many reasons, the two obvious ones are:

first off - It is extremely hard to believe that one person/company can take out another person/company and so properly that it is even impossible to escalate without actually shouting wolf from a mountaintop. and that one person/company is so trusted that a third party would take their word as fact.

secondly - each time I email a new server is listed? Simply too much coincidence, simply hard to understand and impossible to accept.

So, where does that leave this issue?

I think James is innocent, but I do believe he feels responsible, I think that the goals of some of the larger filters are to expand market share, aggressively.

It is my contention that these expansionary tactics constitute abuse and as such require discussion & solutions.

andre
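
The header trace walked through in the message above, as an added example that is not part of the original email or of any system named in it: it parses the quoted `Received:` chain and separates the injecting IP from the reporter's own relay, next to the naive "every IP in the headers" extraction that would list the complainant as well. The function names are hypothetical, and treating 209.17.190.102 as the reporter's relay is an assumption taken from the message's own description of the forwarding path.

```python
import re
from email import message_from_string

# Headers as quoted in the message above (addresses are archive-obfuscated).
SAMPLE = """\
Received: from ns3.ox.co.za ([209.17.190.102]:34366)
 by web.hostacc.com with esmtp (Exim 4.85)
 (envelope-from <shawna_bean at ctfilter.com>)
 id 1ZjxSd-0004BS-DN
 for x; Thu, 08 Oct 2015 00:45:23 +0200
Received: from ctfilter.com (unknown [223.4.32.2])
 by ns3.ox.co.za (Postfix) with ESMTP id 6BF7C68271E
 for <x>; Thu, 8 Oct 2015 00:43:23 +0200 (SAST)
Subject: Top Popular Pharma Active solutions
"""

# Matches "from <helo> (<optional rDNS> [<ip>]<optional :port>) by <host>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^()\[\]]*\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)?\)"
    r"\s+by\s+(?P<by>\S+)")

def hops(raw):
    """Hops newest-first as (sending_ip, helo_name, receiving_host)."""
    values = message_from_string(raw).get_all("Received", [])
    found = (HOP_RE.search(v) for v in values)
    return [(m["ip"], m["helo"], m["by"]) for m in found if m]

def naive_candidates(raw):
    """Every IP seen in the headers: this also lists the reporter's relay."""
    return {ip for ip, _, _ in hops(raw)}

def injection_source(raw, reporter_relays):
    """Walk newest-first through the reporter's own relays; the first sending
    IP outside that set is the source. Headers below it were written by hosts
    the reporter does not control, so they are not read."""
    relays = []
    for ip, _, _ in hops(raw):
        if ip not in reporter_relays:
            return ip, relays
        relays.append(ip)
    return None, relays  # the mail never left the reporter's own hosts

if __name__ == "__main__":
    print("naive:", sorted(naive_candidates(SAMPLE)))
    print("source, relays:", injection_source(SAMPLE, {"209.17.190.102"}))
```
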