HayesJupe's Blog

April 2, 2012

SenderBase reputation is poor…

Filed under: Exchange — hayesjupe @ 9:10 pm

This pearler popped up today.

We started getting a few delay messages from various clients…. at first didn’t think much of it…. but after telnetting into one client’s and receiving the following error:

554 Your access to this mail system has been rejected due to the sending MTA’s poor reputation. If you believe that this failure is in error, please contact the  intended recipient via alternate means.

Connection to host lost.

That’s not so good… mxtoolbox.com…. nup, not on those 107 blacklists, abuse.net, yep, we’re still not an open relay, nor have we ever been… so WTF?

http://www.senderbase.org/help/blocked

apparently our subnet’s reputation is poor….. not our relays or our /28, but someone else in the class C… that’s right, the fucking class C.

I had always thought that ironport was quite good – up until now….. that’s just plain fucking stupid…. punishing the entire class C because one dickhead is being a dickhead….. effectively shutting down our business for a few days.

Best thing is – there’s no appeal or support line to contact… best article I found was this – http://itepisodes.blogspot.com.au/2009/04/what-to-do-after-being-blacklisted.html that suggests to wait 3 days and allow the reputation to come back up (assuming the SPAM stops)

* Update 4/4/2012 @ 17:23 ACST *

A guy I pseudo work with every now and again, who specifically does cisco and ironport stuff rang me out of the blue last night and said he was also having the issue, along with many others (and I got a bunch more calls today about it too) – looks like the issue is senderbase…. the guy managed to get this out of them….

“While investigating the IP in question, SenderBase identified a misconfiguration in one of their sensors which was causing the discrepancy with the IP. This has been fixed and steps have been taken to ensure it does not happen again.   The reputation of the IP should improve within 24 hours as our servers update the changes made on our end.”

So while that will hopefully resolve the issue – I’m still pissed. For a few reasons:

1) I’m not quite sure these people understand the impact to a company of not being able to contact their clients via email

2) Go to http://www.senderbase.org/help/blocked – what options do you have… you can query your reputation and that’s it. Sure you can hit contact, then email support…. but not having an automated mechanism for logging de-listing, comes across, to me, as if “we never get it wrong, therefore if your network has a poor reputation, you have clearly fucked up” – when that’s not the case.

3) The guy who forwarded me this email is a fairly significant cisco dealer (for this region) – and a good dude. If he has better contacts than us non-cisco people and still has to jump up and down for 3 days to get a response…. that’s pretty fucking shit. See point 1 – I just don’t think they realise, or care, about the impact that it has on a business.

4) Fair call to the guy that commented (below) – no I don’t know the other site is spamming…. I jumped to an incorrect conclusion – and I was completely wrong

As of this moment, we are still blocked due to “poor reputation”…. we’ll see if anything changes overnight.

* Update 5/04/2012 @ 08:47 ACST *

Still no movement, I have directly emailed senderbase support – I don’t expect a reply – but have to try…. we now haven’t been able to email a good 60% of our customers all week.

Brett – the commenter below has also posted an article about this on ITNews.com.au – http://www.itnews.com.au/News/296066,having-trouble-sending-email.aspx

* Update 13:40 ACST *

So I just had another chat to the guy I know that does a lot of ironport stuff…. apparently something is in the works. I have asked him to put together some facts around the situation and send them to me – which he said he will try and do this afternoon.

Since this doesn’t look like it’s going to be fixed soon (enough) – I have implemented a temporary work around on my mail servers, of relaying via my ISP’s mail relay…. for those of you out there also on internode…. you can use mail.internode.on.net as an outbound relay…. at least temporarily.

On the reverse lookup/PTR comments below…. basically there was some suggestion that it was a stricter PTR check that was causing the issue initially… I got this information 3rd hand and ran with it – as, no official information was forth-coming from cisco…. so hey, trying something on a whim that may fix the issue is good by me – as it can always be reversed easily :-)

Anyhoo – hopefully we should have something better by the end of today.

* update 9/4/2012 * – I did get this thurs night, but have been away camping, so didn’t post.

http://www.itnews.com.au/News/296227,cisco-says-mea-culpa-on-bounced-emails.aspx

I can now also report that I can connect directly to all of our clients.

15 Comments »

  1. Are you sure someone was actually spamming? I’ve had multiple reports of problems with IronPort in recent days. Cisco has advised of some changes made in Senderbase that were making more aggressive assignment of poor reputation based on reverse pointers for DNSs. Could this be the same issue for you? Let me know!
    Brett

    Comment by Brett — April 4, 2012 @ 3:18 pm | Reply

    • yep – fair point – do you have a link or any documentation on what those changes were?
      Many places we deal with (including us) do not have correct PTR records pointing to the same FQDN as the MX record…. as the ISP generally controls these – and while they exist – we have never bothered getting them updated previously…. so looks like now we will have to.
      Don’t get me wrong – I’m all for stopping SPAM – but not at the expense of legitimate mail…. the ensuring PTR’s match the MX, numbers wise, is going to get SFA SPAM.

      Comment by hayesjupe — April 4, 2012 @ 5:39 pm | Reply

      • Hey mate – still no official word from Cisco. Send me your email address? I’m going to report this in the morning to see just how widespread the problem is. Looks to be national.

        Comment by Brett — April 4, 2012 @ 7:56 pm

    • uhmm Brett, can you point me to the RFC that states you need to setup a PTR record for the MX record? I can’t find it. If the MX record points to the same IP as the machine that sends mail out then sure, but there are a lot of systems that have their incoming mail enter through a gateway (mine included) this gateway never sends mail back out to the internet, it’s delivered internally. So the mail server that sends mail out has a different IP to the one that receives mail (MX). The one that sends mail out DEFINITELY needs a PTR record setup.

      Comment by Gavin — April 5, 2012 @ 8:15 am | Reply

    • FWIW, the important part about DNS matching has nothing to do with the MX, or the name of the domain, or anything like that.

      What you want is for a reverse DNS lookup on your IP (a.b.c.d) to match the (unique) hostname for your server (servername.example.com), and a lookup on _that_ name (server.example.com) to match back to the IP (a.b.c.d).

      The unique server name should also be the name the mail software uses as its “HELO” string for outbound mail.

      The MX address and IP is irrelevant, as is shared hosting; in those cases the reverse DNS and forwards DNS have to match the unique name for the server the content is hosted on, they don’t have to match the domains for the websites etc.

      Comment by mibus — April 5, 2012 @ 10:29 am | Reply
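
Added example (not part of the original post or any commenter's code): a forward-confirmed reverse DNS and HELO consistency check of the kind described in the comment above. The function names, the injectable lookup parameters, and the sample hostnames and 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver; [] if none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def system_addrs(name):
    """A/AAAA addresses for name from the system resolver; [] on failure."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def norm(name):
    return name.rstrip(".").lower()

def same_ip(a, b):
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False

def check_sender(ip, helo, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return a list of problems; [] means PTR, forward DNS and HELO agree.
    The MX record is deliberately never consulted."""
    ptr_names = [norm(n) for n in ptr_lookup(ip)]
    if not ptr_names:
        return [f"no PTR record for {ip}"]
    problems = []
    if not any(same_ip(a, ip) for n in ptr_names for a in addr_lookup(n)):
        problems.append(f"PTR {ptr_names[0]} does not resolve back to {ip}")
    if norm(helo) not in ptr_names:
        problems.append(f"HELO {norm(helo)} does not match PTR {ptr_names[0]}")
    return problems

# Constructed sample zone data (documentation address range, not real hosts).
PTR = {"192.0.2.10": ["out1.example.com."],
       "192.0.2.11": ["host-11.isp.example.net."],
       "192.0.2.12": ["out2.example.com."]}
FWD = {"out1.example.com": ["192.0.2.10"],
       "host-11.isp.example.net": ["192.0.2.11"],
       "out2.example.com": ["192.0.2.99"]}
sample_ptr = lambda ip: PTR.get(ip, [])
sample_addrs = lambda name: FWD.get(norm(name), [])
```

Called as `check_sender(ip, helo)` with no lookup arguments, it queries the system resolver, so it can be pointed at an outbound relay's public IP and configured HELO name.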

  2. I had this “issue” with senderbase years ago. No-one would give me any info on why my reputation was poor or how it became so. You’re spot on about the webpage, it’s crap. I had to virtually threaten legal proceedings, (as I could prove my systems did not send spam), before anything was done and my reputation improved (gee magic huh). This whole process was unfortunately done through a user of the senderbase system (an Ironport customer) and while he was a great guy to talk to and it was not his fault, he did what he could as I was unable to talk to anyone at senderbase directly. Senderbase reputation with me since – shit..

    Comment by Gavin — April 5, 2012 @ 8:10 am | Reply

  3. Good write up, I went through the same procedure. Two widely separated mailservers suddenly had poor reputations in Senderbase. I think senderbase’s webpage displays considerable arrogance: They Are Right and There’s No Appeal. It’s disappointing to hear that their own customers haven’t got an avenue of complaint either.
    We didn’t change anything on the servers, and today they’re coming back with “neutral” status.
    I’m not going to thank Senderbase/Ironport for fixing it. They screwed up and caused me and my customers some pain. That puts them in the same position as all the other RBLs that have made mistakes over the years… but without the humility and honesty to admit it, fix it and move on.

    Comment by Pete — April 5, 2012 @ 9:13 am | Reply

  4. I just went through a similar situation at my work: we were sending mail from a server whose HELO hostname wasn’t matching the PTR for the IP that the server was using. Senderbase/Ironport claimed that this “contravened” the RFC – an arguable point at best. But, as you and others have pointed out, it’s very hard to get a hold of the Senderbase folks they respond at their discretion and pleasure. Ultimately, it made business sense for us to reconfigure our network, but it was supremely galling that they could bully us into changing our network for their designs, especially when I would argue that our network configuration caused no risk to anyone. That they would brand us as some kind of threat based on this (mis)configuration seems like a stretch, seems like they’re looking very hard for something to be able to point to and say, “look, we provide value because we’re blocking something.”

    Comment by Bigby Findrake — July 7, 2012 @ 4:16 am | Reply

  5. I just had this same issue with senderbase. NO spam on any of my client’s computers/servers but senderbase flagged their IP as spam for about 36 hours. It finally went to neutral a few minutes ago. and yes it is ridiculous to provide where you can basically prevent companies from sending email to particular domains and not provide contact phone number … they suck

    Comment by Nick — September 6, 2012 @ 5:45 am | Reply

  6. I just found out my SMTP relay has been blacklisted by the senderbase again for no fucking reason. It was blacklisted two weeks ago but was able to remove the IP with the help from senderbase. Looks like whenever we take down the back end servers leaving the inbound SMTP servers to queue the incoming emails, the score turns to poor. It could be a coincidence but twice it had happened to me while the SMTP relay was queuing the inbound emails. So I don’t know what to make of it. I verified that our servers do not relay. We don’t allow outbound traffic on port 25 except for the SMTP relay servers.

    Actually the real dickheads are the ones who use the senderbase.

    Comment by Erumaimadu — September 26, 2012 @ 11:27 pm | Reply

  7. How does the senderbase find our SMTP relay’s IP? Is someone reporting us? I don’t think we ever send emails to senderbase.

    Comment by Erumaimadu — September 26, 2012 @ 11:30 pm | Reply

  8. Having similar issues now. One of our accounts was hijacked by a spambot. We saw it, stopped it and are removed the same day from all major (non-extortion blacklists) yet days later Cisco / Senderbase continues to list us as bad. Calls and emails fall on deaf ears. I am not their customer, they don’t care. Yet, as a small business I have very pissed off customers who want to send email to their customers and can not. So very frustrating.

    Comment by Scott Berry — October 3, 2012 @ 7:41 am | Reply

  9. We are having similar problems with Cisco Ironport Senderbase : http://krystal.co.uk/blog/2012/10/cisco-ironport-senderbase-blacklisting-gone-bad/

    Comment by Tom Mason (@tomrmason) — October 11, 2012 @ 1:37 am | Reply

  10. How to fix Senderbase.org poor reputation Listing
    =============================================

    Since cisco took over Ironport senderbase.org is poorly managed this is causing problem for many of us Server Admins.

    If one domain gets hacked and some spamming happens the well managed RBL’s will list and de-list the server IP within hours this actually stops spam. But senderbase.org will list the IP 2 days after the incident and will not remove it for quite some time. Don’t know how spam can be stopped if senderbase lists the IP 2 days after spamcop.net de-lists it. Senderbase.org “stinks”, look up IP’s of daily spammers who send lots of spam to your servers, Oops! they have good reputation in senderbase.org.

    Solution
    =========
    Nobody likes their e-mail blocked including the senderbase.org using Server Admins and their clients. If they are blocking e-mail from your server block e-mail from their server also with a message as follows, give them the same bitter medicine.

    ======>>>> Recipient is blocking your e-mail because your Email Hosting Provider is blocking recipient’s emails using senderbase.org contact your Email Hosting Provider to whitelist recipient’s domain name or IP xxx.xxx.xxx.xxx and inform the recipient to get your e-mail block removed.

    If every Server Admin whose IPs get listed unjustly in the senderbase.org due to one time hacked domain spamming incident do the above, within 1 year the whole senderbase.org concept will go defunct because when the senderbase.org using Server Admins are “forced” to manually whitelist lots of domains and IP’s they will stop using senderbase.org auto-magically.

    Cheers!

    Comment by Server Admin — January 22, 2013 @ 10:01 am | Reply

  11. Thank you very much for this article. I had to face the same problem, having a bad reputation at Cisco’s senderbase after my mailserver was hacked and several thousand spammails were sent. Despite the security hole was fixed and all efforts to be removed from all kind of blacklists, my senderbase reputation kept poor till now (one week after the incident).

    After reading your article, it became clear there is hardly a chance to regain a good reputation soon, so I gave up on that issue and hired a smtp relay service, and send all my email through this, and my company was able to send emails again to very large customers, who use the senderbase system.

    this concept of senderbase actually is a threat to small companies like mine. Sure, you can hire all kind of services, but after all you cannot really avoid being hacked, only make it harder. once being hacked there are spam emails being sent, and your reputation is gone.

    I will stick on smtp relay services, which I can easily switch if there is a problem without changing my mailservers IP which is in my case not possible, I would have had to get a different server and move my mailserver there.

    without being able to get manually a good reputation at Cisco’s senderbase, this service destroys more business than protecting their customers from spam.

    Comment by kopfzutisch — October 31, 2013 @ 3:49 pm | Reply

