Sunday, November 2. 2008Anti-Spam Appliances Considered Harmful
It's no secret: Anti-Spam configuration can be hazardous to your email traffic. If the spamfilters generate too many false positives your email transmission will suffer. This is a major problem in B2B configurations and can bite you out of the blue.
I've had this problem in the past, when the company I was working for was justifiably listed on an RBL. And I had it again, now - only this time I am reasonably sure that the system is a) configured tightly enough not to be usable as an open relay and b) not being used for sending out marketing or other possibly spam-alike emails. Nevertheless, the system was listed with a commercial anti-spam appliance vendor in their RBLs (which are "reputation based" - meaning, they have a set of criteria that can give you a certain (read: bad) reputation). The only explanation I have for this is that said company has caught backscatter from our system and classified that as spam. If you don't know what Backscatter is: that's bounces sent to innocent people that were listed in the From: address of Spam. The danger with those commercial anti-spam appliances is the multiplication factor: if you happen to end up as a false positive with those companies, you may lose contact with not only one customer, but with several. There are several solutions to this:
How do you cope with these problems? What are your ideas? Any help appreciated! 
|
Calendar
QuicksearchStatische SeitenBlog AdministrationArchivesKategorienlinksExterne LinksGetaggte Artikel anti-recruiting bürgerrechte barcamp security metrics blackout bundestrojaner crisis crisis management egoshooter federal trojan filme flickr geschichte incident management information investigations jobleads killerspiele law enforcement malware management media medien medienkompetenz power supply problem problem management recruiting security spam stöckchen strafverfolgung trojan umfragen zeitläufteTop ExitsBlog abonnierenMapflickr photostream
Powered by |
|||||||||||||||||||||||||||||||||||||||||||||||||
Your system only has to send out NDNs itself, if it doesn't reject messages at the SMTP level. If your mailserver signals a 5xx "no such user" in reply to the RCPT command or a 5xx code at the end of the DATA phase (e.g. after content/virus examination) it is in the responsibility of the sending mailserver to create the NDNs. In case of spammers injecting directly, this will not happen. In case of abused mailservers those will be blocked not yours.
Thus only a "accept all, bounce later" strategy creates backscatter. I don't know which mailserver you are using, but with MS Exchange there is a configuration switch to change its behaviour from the default backscattering one:
http://support.microsoft.com/default.aspx?scid=kb;en-us;886208
Disable externally sending autoresponders/vacation messages. There should be "role accounts" for e.g. customers to send the messages to and a tracking system so colleagues can take over for urgent inquiries.
If it is a large commercial reputation based RBL then there must have been usually a lot of backscatter to end up on their list.
E.g. senderbase.org/spamcop delists blocks automatically after 24 hours without incident. So fixing the problem and contacting your ISP for a 48 hours relay via their mailservers should fix the problem really fast.
Appliancies using external RBLs beyond their control should be destroyed
I agree that RBLs can be mean. If the listing is legit one can argue that some punishment should be ok.
If the listing is not correct there are still phones. Call the recipient and argue with him. If everyone does they will not use the RBL any longer.
Publish the information about bad appliancies and RBLs, so others can find it.
\Maex
[ please, could you make the input box a bit wider? 40 chars is a bit small and it makes it hard to proofread what one was typing. ]