December 10, 2011

L2.APEWS.ORG for blocking works great

We've seen a lot of comments on the internet, especially in Usenet net-abuse newsgroups, that Apews.org has no users, that its false positives are huge and that it is unfit for outright blocking. Ulterior motives? Who are these people, and why aren't they in here filling up the pages with their tons of test results?

We have been showing all the false positives that we receive on some commercial email servers that receive global email flows. The average FP rate works out to about one, yes one, email per week! None of them were critical, more inconvenient than anything, and in a couple of cases they were only possible FPs that on inspection turned out to be correctly identified spam.

Are email server Administrators so lazy or incapable that they can't sort out one email a week for a user? And why can't they run a whitelist, I mean, no sane email Administrator would run an email server without one, right?

Here is evidence of a spammer having delivery denied, and you are going to ask how I know it was spam if delivery was denied. Well, we have set up secondary and tertiary MX servers operating the exact same configuration as the primary servers, but with blocking in place rather than inserting an X-Header for listed sender IP addresses. The spammer delivered a copy of the same spam to an alternate server and was blocked from delivering on another server, so in that way we were able to see and check the spam to confirm.

Sat 2011-12-10 4:29:07: [1234:787] Accepting SMTP connection from [67.159.33.100]
Sat 2011-12-10 4:29:07: [1234:787] Looking up PTR record for 67.159.33.100 (100.33.159.67.IN-ADDR.ARPA)
Sat 2011-12-10 4:29:07: [1234:787] 3 second wait for DNS response exceeded
Sat 2011-12-10 4:29:07: [1234:787] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Sat, 10 Dec 2011 4:29:07 -0200
Sat 2011-12-10 4:29:07: [1234:787] <-- EHLO super.jbcapacitacionempresarial.com
Sat 2011-12-10 4:29:07: [1234:787] Performing reverse lookup on super.jbcapacitacionempresarial.com (looking for 67.159.33.100)
Sat 2011-12-10 4:29:07: [1234:787] D=super.jbcapacitacionempresarial.com TTL=(240) A=[67.159.33.100]
Sat 2011-12-10 4:29:07: [1234:787] --> 250-xxx.xxx.xxx Hello super.jbcapacitacionempresarial.com, pleased to meet you
Sat 2011-12-10 4:29:07: [1234:787] --> 250-ETRN
Sat 2011-12-10 4:29:07: [1234:787] --> 250-AUTH=LOGIN
Sat 2011-12-10 4:29:07: [1234:787] --> 250-AUTH LOGIN CRAM-MD5
Sat 2011-12-10 4:29:07: [1234:787] --> 250-8BITMIME
Sat 2011-12-10 4:29:07: [1234:787] --> 250 SIZE 0
Sat 2011-12-10 4:29:07: [1234:787] <-- MAIL FROM: SIZE=38288
Sat 2011-12-10 4:29:07: [1234:787] Performing reverse lookup on jbcapacitacionempresarial.com (looking for 67.159.33.100)
Sat 2011-12-10 4:29:07: [1234:787] D=jbcapacitacionempresarial.com TTL=(240) A=[67.159.33.101]
Sat 2011-12-10 4:29:07: [1234:787] P=010 D=jbcapacitacionempresarial.com TTL=(240) MX=[mail.jbcapacitacionempresarial.com] {67.159.33.101}
Sat 2011-12-10 4:29:07: [1234:787] Spam Blocker A-record resolution of [100.33.159.67.l2.apews.org] in progress (DNS Server: 192.168.1.1)...
Sat 2011-12-10 4:29:07: [1234:787] Spam Blocker D=100.33.159.67.l2.apews.org TTL=(35) A=[127.0.0.2]
Sat 2011-12-10 4:29:07: [1234:787] APEWS.ORG listed, 99.7% certain it is spam
Sat 2011-12-10 4:29:07: [1234:787] --> 250 , Sender ok
Sat 2011-12-10 4:29:07: [1234:787] <-- RCPT TO:
Sat 2011-12-10 4:29:07: [1234:787] 'Recipient unknown' given to divert future spam
Sat 2011-12-10 4:29:07: [1234:787] --> 550 , Recipient unknown
Sat 2011-12-10 4:29:07: [1234:787] <-- QUIT
Sat 2011-12-10 4:29:07: [1234:787] --> 221 See ya in cyberspace
Sat 2011-12-10 4:29:07: [1234:787] SMTP session successful, 154 bytes transferred.

The spammer was given a "550" user unknown reply, and that should get the email address removed from the sender's database; however, these days 550s get ignored and spammers keep trying to deliver to all email servers that they can get access to.

Email servers that send solicited emails do so by checking their cache or public DNS to find where to deliver an email. They try the first MX listed and only try the second or third if delivery was not possible and the retry period has been exhausted, depending on the configuration chosen by the email Administrator of that server. Outbound (sending) email servers are typically not listed in DNS as MX records, so even though they listen on TCP port 25, they should never receive inbound emails.

Even domain delivery receipts and recipient display or read receipts use the same MX servers in the order of priority MX1, MX2, MX3 etc. as configured in DNS by the Administrator for each domain name. Spammers ignore that and just send to any and all servers listening on TCP port 25. L2.Apews.org is therefore excellent for use in blocking and denying delivery on such servers, and on the other MX servers too, depending on the ability of the email Administrator.

Look again at the false positives that we have listed here: had we been blocking from day 1, none of these would have been allowed delivery into the network. See anything mission critical there? With a decent whitelist those FPs would have been even fewer, or zero. Why pay for a spam solution? Surely anyone making money out of spam solutions is part of the problem; they wouldn't want to give up their income. Needless to say, good email Administrators are worth their weight in gold, better to pay them than pay for anti-spam services or "solutions".
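The session log above and the MX explanation that follows it describe three mechanics: how the DNSBL query name is built from the sender's IP (octets reversed, zone appended, listing signalled by an answer in 127.0.0.0/8), how a secondary MX turns a listing into an outright 550 while the primary only tags, and how a whitelist sits in front of both. The following Python is an added example, not code from this post or from MDaemon, that works through all three on the page's own log lines. It assumes a constructed in-memory stand-in for DNS answers (so it runs offline), a constructed whitelist network, and an assumed header name for the primary-MX tagging.

```python
import ipaddress
import re

# Constructed stand-in for DNS answers so the example runs offline. It maps a DNSBL
# query name to the A record the zone would return; a real deployment resolves the
# name over DNS instead. The single entry is the listed sender from the page's log.
FAKE_DNS = {
    "100.33.159.67.l2.apews.org": "127.0.0.2",
}

# Constructed whitelist of sources that are always accepted, whatever the DNSBL says.
WHITELIST = [ipaddress.ip_network("192.168.1.0/24")]


def dnsbl_query_name(ip, zone="l2.apews.org"):
    """Reverse the IPv4 octets and append the zone:
    67.159.33.100 -> 100.33.159.67.l2.apews.org, the name seen in the page's
    'Spam Blocker A-record resolution of [...]' log line."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, zone="l2.apews.org", resolve=FAKE_DNS.get):
    """A source is listed when the zone answers with an address in 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:  # no record: not listed
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def policy(ip, role, zone="l2.apews.org", resolve=FAKE_DNS.get, whitelist=WHITELIST):
    """Decide what an MX does with a sender, following the split the post describes:
    the primary MX only tags listed mail with a header; the secondary and tertiary
    MX, which legitimate senders rarely reach, reject it outright.
    Returns (action, detail)."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in whitelist):
        return ("accept", "whitelisted")
    if not is_listed(ip, zone, resolve):
        return ("accept", "not listed")
    if role == "primary":
        # Header name is an assumption; the post only says an X-Header is inserted.
        return ("tag", "X-Spam-Blocker: listed in " + zone)
    return ("reject", "550 Recipient unknown")


# Patterns for the MDaemon-style session lines quoted on the page.
_CONN = re.compile(r"Accepting SMTP connection from \[(\d+\.\d+\.\d+\.\d+)\]")
_HELO = re.compile(r"<-- EHLO (\S+)")
_BL = re.compile(r"Spam Blocker D=(\S+) TTL=\(\d+\) A=\[(\d+\.\d+\.\d+\.\d+)\]")
_REPLY = re.compile(r"--> (\d{3})[ -]")


def summarize_session(lines):
    """Pull the client IP, EHLO name, DNSBL verdict and first 5xx reply out of one
    session's log lines, and check that the DNSBL name the server looked up really
    corresponds to the connecting IP (a cheap sanity check on the lookup logic)."""
    info = {"client_ip": None, "helo": None, "dnsbl_name": None,
            "listed": False, "reject_code": None, "name_matches_client": None}
    for line in lines:
        m = _CONN.search(line)
        if m:
            info["client_ip"] = m.group(1)
        m = _HELO.search(line)
        if m:
            info["helo"] = m.group(1)
        m = _BL.search(line)
        if m:
            info["dnsbl_name"] = m.group(1)
            info["listed"] = ipaddress.IPv4Address(m.group(2)) in ipaddress.IPv4Network("127.0.0.0/8")
        m = _REPLY.search(line)
        if m and m.group(1).startswith("5") and info["reject_code"] is None:
            info["reject_code"] = m.group(1)
    if info["client_ip"] and info["dnsbl_name"]:
        zone = info["dnsbl_name"].split(".", 4)[4]  # everything after the four reversed octets
        info["name_matches_client"] = dnsbl_query_name(info["client_ip"], zone) == info["dnsbl_name"]
    return info


# Session excerpt taken from the transcript on this page (trimmed to the relevant lines).
SAMPLE_LOG = """\
Sat 2011-12-10 4:29:07: [1234:787] Accepting SMTP connection from [67.159.33.100]
Sat 2011-12-10 4:29:07: [1234:787] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Sat, 10 Dec 2011 4:29:07 -0200
Sat 2011-12-10 4:29:07: [1234:787] <-- EHLO super.jbcapacitacionempresarial.com
Sat 2011-12-10 4:29:07: [1234:787] Spam Blocker A-record resolution of [100.33.159.67.l2.apews.org] in progress (DNS Server: 192.168.1.1)...
Sat 2011-12-10 4:29:07: [1234:787] Spam Blocker D=100.33.159.67.l2.apews.org TTL=(35) A=[127.0.0.2]
Sat 2011-12-10 4:29:07: [1234:787] --> 250 , Sender ok
Sat 2011-12-10 4:29:07: [1234:787] --> 550 , Recipient unknown
Sat 2011-12-10 4:29:07: [1234:787] --> 221 See ya in cyberspace
""".splitlines()


if __name__ == "__main__":
    print(summarize_session(SAMPLE_LOG))
    for role in ("primary", "secondary"):
        print(role, policy("67.159.33.100", role))
```

Running it shows the page's session parsed as a listed sender rejected with 550 and the same IP being tagged rather than rejected when the role is "primary". The whitelist check runs before the DNSBL lookup on purpose: a whitelisted source never generates a query, which is also how you keep a false positive from ever reaching the reject path.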

1 comment:

  1. remove me from the list, I am sending my details:
    E-456417
    190.12.86.70
