

nzgeek

#143402 14-Apr-2014 01:03

Is anyone else having issues getting email to send? Specifically, bounce emails from Snap's Ironport server?

I'm having issues with the automatic emails my Fritz!Box is sending out. I've set things up on the Fritz so that it's doing SMTP + auth, and it's sending via an email forwarder that I've got set up with my hosting provider (kiwihosting.net). Everything was working up until a week ago, now I'm getting issues.

Here's an example bounce message:
The following message to <fritzbox@redacted> was undeliverable.
The reason for the problem:
5.1.0 - Unknown address error 550-'Server IP 202.37.100.98 listed as abusive. See http://www.linuxmagic.com/power_of_ip_reputation.html for more information. Protection provided by MagicSpam 1.0.6-1.3 http://www.magicspam.com'

Reporting-MTA: dns; mx1.ironport.snap.net.nz

Final-Recipient: rfc822;fritzbox@redacted
Action: failed
Status: 5.1.0
Remote-MTA: dns; [74.53.201.75]
Diagnostic-Code: smtp; 5.1.0 - Unknown address error 550-'Server IP 202.37.100.98 listed as abusive. See http://www.linuxmagic.com/power_of_ip_reputation.html for more information. Protection provided by MagicSpam 1.0.6-1.3 http://www.magicspam.com' (delivery attempts: 0)

202.37.100.98 is the IP address of Snap's Ironport box. 74.53.201.75 is the address of my hosting provider's email server.

I'm not 100% sure, but it looks like my hosting provider is using MagicSpam and is preventing the Ironport box from sending the email. If this is the case, why would Snap's outgoing mail server be seen as "abusive" by a mail reputation service?
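The bounce quoted in the post above, read field by field. This is an added example, not part of the original post and not code from Snap, Cisco or MagicSpam; the function names are hypothetical, the Diagnostic-Code free text is shortened, and the hostname-to-IP mapping is the one stated in the post rather than a DNS lookup.

```python
import re
from email.parser import HeaderParser

# Delivery-status fields from the bounce in the post
# (free text inside Diagnostic-Code shortened to "[...]").
DSN_FIELDS = """\
Reporting-MTA: dns; mx1.ironport.snap.net.nz

Final-Recipient: rfc822;fritzbox@redacted
Action: failed
Status: 5.1.0
Remote-MTA: dns; [74.53.201.75]
Diagnostic-Code: smtp; 5.1.0 - Unknown address error 550-'Server IP 202.37.100.98 listed as abusive. [...]' (delivery attempts: 0)
"""

# Assumption taken from the post: this IP is Snap's Ironport box.
KNOWN_HOSTS = {"mx1.ironport.snap.net.nz": "202.37.100.98"}

def typed_value(field):
    """Split an RFC 3464 'type; value' field, e.g. 'dns; [1.2.3.4]'."""
    kind, _, value = field.partition(";")
    return kind.strip().lower(), value.strip().strip("[]")

def explain_bounce(text, known_hosts):
    """Return one finding per recipient block of a delivery-status body."""
    blocks = [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    groups = [dict(HeaderParser().parsestr(b).items()) for b in blocks]
    per_message, recipients = groups[0], groups[1:]
    reporter = typed_value(per_message["Reporting-MTA"])[1]
    findings = []
    for rcpt in recipients:
        remote = typed_value(rcpt.get("Remote-MTA", ""))[1]
        diag = typed_value(rcpt.get("Diagnostic-Code", ""))[1]
        code = re.search(r"\b([245]\d\d)[ -]", diag)
        listed = re.search(r"Server IP (\d{1,3}(?:\.\d{1,3}){3}) listed", diag)
        listed_ip = listed.group(1) if listed else None
        findings.append({
            "reporting_mta": reporter,  # host that generated the bounce
            "remote_mta": remote,       # host that refused the message
            "status": rcpt.get("Status"),
            "smtp_code": code.group(1) if code else None,
            "listed_ip": listed_ip,
            # True: the refusal is about the relay's own IP reputation,
            # not about the recipient address or the message content.
            "listed_ip_is_reporting_mta":
                listed_ip is not None and known_hosts.get(reporter) == listed_ip,
        })
    return findings
```

Calling `explain_bounce(DSN_FIELDS, KNOWN_HOSTS)` shows the 550 was issued by 74.53.201.75 against the IP of the relay that tried to deliver, despite the "Unknown address error" wording of the 5.1.0 status.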

insane
#1024651 14-Apr-2014 01:42

Because it only takes one Snap user account to get compromised, or one person's PC to get infected and send mountains of spam in a short period of time through their email service. The Ironports are great mail filtering appliances, possibly the best (we use them too) but they still don't stop 100% of spam.

They've just ended up on some RBL, part and parcel of running an ISP mail system, just having a filtering device by itself is not enough, you still need to place further limits per user and have systems in place which will auto ban compromised accounts to make any attempt to keep your mail servers clean.





timmmay
#1024662 14-Apr-2014 06:59

Use a different email account - Gmail, AuthSMTP, and FastMail.fm all work well for me. I don't use ISP-supplied email; if Snap supplied me with one, I never checked it.

ChrisNZL
#1024679 14-Apr-2014 08:38

nzgeek: Is anyone else having issues getting email to send? Specifically, bounce emails from Snap's Ironport server?


I was having issues last week. I use Snap's SMTP servers to send mail.

I can't find the system email detailing the problem unfortunately (I must've deleted it), but it had a useful webpage linked that analysed the Ironport's email sending history or something.

As @insane said above, if one person's computer gets infected...

The system website I looked at had a graph with a scale of 0-10 for the amount of email that was being sent from Snap's Ironport server. From Feb-March it was scored a 0 (hardly any email being sent in the global scheme of things), then towards the end of March and through until now, it magically jumped up to like, 5 or 6 I think it said. Heaps of email suddenly going out.

So, it makes sense that some Snap customer's computer has turned into a spambot (or their login credentials were compromised from afar) and is sending mass amounts of spam, which is setting off flags for anti-spam systems, thus becoming a hindrance for the rest of us.


Perhaps Snap could look at customer email sending records and see which customer's account is being used to send all this extra mail?



insane
#1024772 14-Apr-2014 11:08

ChrisNZL:
I can't find the system email detailing the problem unfortunately (I must've deleted it), but it had a useful webpage linked that analysed the Ironport's email sending history or something....

.....Perhaps Snap could look at customer email sending records and see which customer's account is being used to send all this extra mail?


Would have been www.senderbase.org/


ChrisNZL
#1024798 14-Apr-2014 11:39

insane: Would have been www.senderbase.org/


That's the one, thanks!

Looking at that graph says it all.

nzgeek

#1025069 14-Apr-2014 19:09

insane: Because it only takes one Snap user account to get compromised, or one person's PC to get infected and send mountains of spam in a short period of time through their email service.

insane: They've just ended up on some RBL, part and parcel of running an ISP mail system, just having a filtering device by itself is not enough, you still need to place further limits per user and have systems in place which will auto ban compromised accounts to make any attempt to keep your mail servers clean.

I understand the basic reasons around how this can happen. I just expected that Snap would have measures in place to prevent this sort of thing from happening. The SMTP server should be requiring authentication to send any outbound message, and it should be limiting the rate at which messages can be sent. Spammers are everywhere, and anyone could get infected with malware, so risk avoidance and mitigation is crucial for an ISP.

insane: The Ironports are great mail filtering appliances, possibly the best (we use them too) but they still don't stop 100% of spam.

The Ironport appliances used to be really good, but have been slowly dropping behind since being bought by Cisco. I used to work for Marshal Software (now part of Trustwave), and we had a few customers who ran MailMarshal as a backstop to catch all the crap that the Ironport failed to stop. Then again, you are comparing a multi-purpose appliance with a very mature piece of specialised software, so it's not the fairest of comparisons.

ChrisNZL: The system website I looked at had a graph with a scale of 0-10 for the amount of email that was being sent from Snap's Ironport server. From Feb-March it was scored a 0 (hardly any email being sent in the global scheme of things), then towards the end of March and through until now, it magically jumped up to like, 5 or 6 I think it said. Heaps of email suddenly going out.

insane: Would have been www.senderbase.org/ 

Looking at the numbers, I would guess that the Ironport is fairly new and has only been in place since the end of March, which is when the scores started ramping up. Still, any significant change in email volume should be treated as a major red flag and should be investigated.

ChrisNZL: So, it makes sense that some Snap customer's computer has turned into a spambot (or their login credentials were compromised from afar) and is sending mass amounts of spam, which is setting off flags for anti-spam systems, thus becoming a hindrance for the rest of us.

Only if that email is being sent via Snap's servers. Many bots will either use open relays or will try to send email directly to the target systems. For the few that do connect via Snap's email servers, there should be measures in place to limit and detect this sort of suspicious activity.

Perhaps RalphFromSnap can chime in on this issue and let us know what's been happening...
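The controls discussed in the thread (insane's per-user limits with automatic banning, and nzgeek's required authentication plus rate limiting) sketched as one sliding-window guard. This is an added example, not written by any poster and not Snap's or Cisco's configuration; the class name, account names, thresholds and log entries are all constructed for illustration.

```python
from collections import defaultdict, deque


class OutboundGuard:
    """Per-account sliding-window limits for an authenticated SMTP relay."""

    def __init__(self, window_s=3600, max_msgs=20, max_rcpts=100):
        self.window_s, self.max_msgs, self.max_rcpts = window_s, max_msgs, max_rcpts
        self.history = defaultdict(deque)  # user -> (timestamp, recipient count)
        self.suspended = {}                # user -> reason for suspension

    def submit(self, ts, user, rcpt_count):
        """Decide on one submission; ts is seconds, user is the SMTP AUTH identity."""
        if not user:
            return "reject-unauthenticated"
        if user in self.suspended:
            return "reject-suspended"
        q = self.history[user]
        while q and q[0][0] <= ts - self.window_s:
            q.popleft()                    # drop events older than the window
        q.append((ts, rcpt_count))
        msgs, rcpts = len(q), sum(n for _, n in q)
        if msgs > self.max_msgs or rcpts > self.max_rcpts:
            # Breach: suspend the account before the relay's IP reputation suffers.
            self.suspended[user] = f"{msgs} msgs / {rcpts} rcpts in {self.window_s}s"
            return "reject-suspended"
        return "accept"


# Constructed submission log: (timestamp, authenticated user, recipients).
EVENTS = [
    (0, "fritzbox", 1),      # low-volume device notifications
    (5, None, 1),            # no SMTP AUTH presented
    (10, "acct-a", 50),      # hypothetical compromised account, bulk sends
    (20, "acct-a", 50),
    (30, "acct-a", 50),      # 150 recipients in the window: over the limit
    (40, "acct-a", 1),       # stays blocked until an operator reviews it
    (21600, "fritzbox", 1),
]


def replay(events, guard=None):
    """Run a log through the guard; return per-event decisions and suspensions."""
    guard = guard or OutboundGuard()
    decisions = [(user, guard.submit(ts, user, n)) for ts, user, n in events]
    return decisions, guard.suspended
```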
