[anti-abuse-wg] Mimecast.com

On Wed, 4 Nov 2015 11:22:57 +0000
James Hoddinott <jhoddinott at cloudmark.com> wrote:
<snip>

You should sit up and read this thread carefully as the principles
involved in these explanations are those that are among those that
are shaping the course of the Internet.

> Looking some more into the 'why' here, it looks like it relates to a
> bunch of data from Spamcop reports although these domains have been
> flagged as spammy in our system for some time so full samples are
> hard to come by now. The one sample I have been able to dig up shows:
> Received: from ns3.ox.co.za ([209.17.190.102]:34366)
> 	by web.hostacc.com with esmtp (Exim 4.85)
> 	(envelope-from <shawna_bean at ctfilter.com>)
> 	id 1ZjxSd-0004BS-DN
> 	for x; Thu, 08 Oct 2015 00:45:23 +0200
> Received: from ctfilter.com (unknown [223.4.32.2])
> 	by ns3.ox.co.za (Postfix) with ESMTP id 6BF7C68271E
> 	for <x>; Thu,  8 Oct 2015 00:43:23 +0200 (SAST)
> Date: Thu, 8 Oct 2015 6:44:27 +0800
> From: "Shawna Bean" <shawna_bean at ctfilter.com>
> Reply-To:"Shawna Bean" <shawna_bean at ctfilter.com>
> Subject:   Top Popular Pharma Active solutions 
> It looks like our systems were getting a little too aggressive on the
> domains appearing in such messages so we're in the process of
> adjusting them to work better and not produce such FPs.
> 
To translate for those that may be less technical, this basically means that 
what James is saying is mea culpa, that the victims of Pharma Spam Attacks 
were blocked (false positive (FP)) 

In the above headers an IP223.4.32.2 from Alibaba (China) is dropping
spam on ns3.ox.co.za at 209.17.190.102 - ns3.ox.co.za (Canada) - sees that
Alibaba is dropping over a set amount/threshold and is forwarding 1 in
every 10 odd of these to web.hostacc.com (Germany/EU) - which then
collects and submits it to Spamcop - Spamcop (USA) then sends an abuse
report to @Alibaba and if more Spamcop users complain about @223.4.32.2 then it
could/may be listed and the drop automagically stops.

So, what James is saying is that he picked headers (raw data - with no
context) up from Spamcop and then proceeded to block the victims/complainants 
which he fed into Mimecast,

a third party, which apparently trusts James explicitly and completely
(so much so that James has the power to blacklist servers from all over
the world)

and then all my hosts, from Sweden to the US were blocked (just checked, 
some are still blocked...) and some of them magically right after I sent email 
to support at mimecast. James is kindly offering to delist en bulk. Very nice, 
very decent and of course correct. - but an offer we will decline.

But, there is still a problem. I have a small daughter, she is four years old and 
as cute as a button. (I am around her pinky finger and she can get me to do 
anything for her)

Last night, right before supper, I caught her with her hand still
inside the cookie jar. 

She explained that she was only taking out a cookie to eat it later,
after dinner and that it was all perfectly fine.... there were still
some crumbs on her face, from the cookie she had obviously only just
ate, anyway, I digress.

I believe that James did all that, but I do not believe that that was
the cause for my blacklisting. I do believe that James believes it
so my responses are not against or to James as an opponent, rather
to Mimecast.com and to the behavior of Mimecast.com.

James believes that this happened because: False Positive. He says 
that all the headers from spam complaints both victims as well as 
spammers were all loaded into blacklists. 
(Who even does that - Would you think it reasonable that victims will
be loaded into a third party blacklist? James, dude, seriously??)

Anyway, no. This is a Mimecast.com thing... - Maybe James gave
them my data? at most.

This may surprise you, but ::: Blocking victim servers in small
companies It is a practise that is on the increase by certain
predatory/expansionary elements on the Internet. Not just Mimecast.com

Just now, Microsoft Azure blocked one of my servers, after we
filed a spam complaint against one of there users, in fact, right now
I have an open routing complaint as Microsoft is dropping traffic
(certain TCP ports only) from a /24 - for no reason, other than they
don't know why they are doing it.... right, so reasonable. 
(At least Microsoft responds, replies and deals with their issues)

Last week, another fake/wannabe RBL has blocked me for no good 
reason only last week directly after I complained about 14000 spam/ube 
emails per hour...

They offered to filter my emails for me, "for a small monthly fee"
These people have actual large companies as clients. Their sales suits 
must be amazing at selling FUD.

Maybe it is because that happened that I sat up straight yesterday
afternoon when Mimecast.com blacklisted me and then, each time I emailed
@mimecast.com - no reply, no nothing, followup email BAM, blocked, new
server blocked. So, no, cannot believe that it is only James.... soz
dude.

I still like occam's razor, there are many reasons, the two obvious one's are:

first off - It is extremely hard to believe that one person/company can
take out another person/company and so properly that it is even impossible 
to escalate without actually shouting wolf from a mountaintop. and that
one person/company is so trusted that a third party would take their
word as fact.

secondly - each time i email a new server is listed? Simply too much
coincidence, simply hard to understand and impossible to accept.

So, where does that leave this issue?

I think James is innocent, but I do believe he feels responsible, I think 
that the goals of some of the larger filters are to expand market
share, aggressively. 

It is my contention that these expansionary tactics constitutes abuse
and as such requires discussion & solutions.

andre