Messaging Gateway

  • 1.  Unable to get information about why our IPs have been marked as bad.

    Posted Aug 02, 2010 12:43 AM
    I'm hoping someone can help me. I've been ringing and requesting someone contact me via ipremoval.sms.symantec.com but no-one will contact me. Our university email servers are listed in the Symantec reputation filter and as such all Brightmail appliances are rejecting our email. I've requested information as to why they were added, as "snow shoe attack" doesn't give me anything to look at in my logs. From what I can see in my logs, there is nothing standing out. I've used http://www.symantec.com/business/security_response/landing/spam/index.jsp and it says "hitandrun" with no more information. Under the help for the page, hitandrun isn't listed as a 3rd party RBL. I've also checked http://mxtoolbox.com/blacklists.aspx and according to it we are only listed on backscatterer.org and they want $300US to remove us (I can't believe Symantec would use a 3rd party RBL that extorts people like that).

    If anyone has contact details for someone I can talk to regarding this, please let me know. I've tried calling the Symantec helpdesk and they won't talk to me because I'm not a customer. They want me to ring someone who is blocking us, and ask them to log a job on our behalf. How do I find someone at apple.com to log a job for us, seriously? I'm happy to fix the problem if someone can tell me what the problem is, but currently I've had no response from anyone. We were removed for a few hours Friday afternoon (AU time) then were added back on, still with no contact.

    -Simon




  • 2.  RE: Unable to get information about why our IPs have been marked as bad.

    Posted Aug 02, 2010 09:43 AM

    What have you done to validate that your site is not leaking SPAM?  Does your firewall block ALL outbound port 25 traffic except that leaving from your authorized mail servers?

    How do student systems send mail to the internet?  Directly?  Do you require them to connect to the university MTAs?  Do you require SMTP Auth for them to send?

    Backscatter watches for bounce back.  What is your policy for mail addressed to invalid recipients?  Do you REJECT (best) or Drop (OK) at the edge, or let the mail get to the core mail server and let it bounce (bad)?

    In other words, until you clean up, you'll just get black listed again.




  • 3.  RE: Unable to get information about why our IPs have been marked as bad.

    Broadcom Employee
    Posted Aug 02, 2010 07:20 PM
    We do not use any 3rd party blacklist providers. We maintain our own list.

    This document might help you:

    Title: 'Emails sent from a bulk mailer are being blocked by a Symantec Brightmail product'
    Document ID: 2004120812474063
    Web URL: http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2004120812474063?Open&seg=ent




  • 4.  RE: Unable to get information about why our IPs have been marked as bad.

    Posted Aug 02, 2010 07:58 PM
    What have you done to validate that your site is not leaking SPAM?  Does your firewall block ALL outbound port 25 traffic except that leaving from your authorized mail servers?

    We block port 25 outgoing on our firewall and all internal mail must pass through our mail servers (the ones that were given -IP rep). All internal mail servers smart host route to them.

    How do student systems send mail to the internet?  Directly?  Do you require them to connect to the university MTAs?  Do you require SMTP Auth for them to send?

    Students have to authenticate to get to their mail, and to send email from externally.

    Backscatter watches for bounce back.  What is your policy for mail addressed to invalid recipients?  Do you REJECT (best) or Drop (OK) at the edge, or let the mail get to the core mail server and let it bounce (bad)?

    This is the only thing I can think of as to why we were listed. We do have an issue where we do generate bounces. We were working off the (obviously old school now) principle that verifying recipients gives spammers an authoritative list of your users, and not sending bounce messages is bad because legitimate people don't know if their message got through or not. We are in the process of rolling out new mail infrastructure next week, that will address this issue. We are going for the lesser of 2 evils and verifying recipients.

    In other words, until you clean up, you'll just get black listed again.

    I totally understand this, I'm just trying to find out why we were added so I can fix it. I've looked through our outbound logs and I can't see any spam (so it doesn't look like we have a compromised account). The backscatter seems to be the only issue, but I can't really trust a site that charges money to remove you. If others had us listed I'd believe them, but as it is, I think they just want money.

    Just looking for confirmation so I can fix the issue.


    Thanks for the help btw.
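The thread's diagnosis hinges on one log pattern: a bounce (NDR, null envelope sender `from=<>`) leaving the site toward an external domain after an inbound message to a non-existent local user was accepted and only then rejected. The script below, an added example that is not part of this thread and not Symantec's or the university's code, shows how an admin can count that pattern in their own outbound logs instead of relying on a third-party list. It assumes a simplified, constructed log format (one record per delivery attempt: timestamp, direction, envelope sender, recipient, status), a constructed local domain `uni.example`, and a hypothetical alert threshold; real MTA log lines differ, so `parse_line()` is the part to adapt.

```python
"""Spot backscatter (bounces sent to forged external senders) in a relay log.

Constructed log format assumed here (not a real MTA format):
  <ISO timestamp> <in|out> from=<addr> to=<addr> status=<word>
'out from=<>' records are NDRs; 'in ... status=bounced' records are messages
accepted at the edge and rejected later, which is what generates backscatter.
"""
import re
from collections import Counter
from datetime import datetime

LOCAL_DOMAINS = {"uni.example"}  # constructed: the site's own domains

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>in|out) from=<(?P<from>[^>]*)> "
    r"to=<(?P<to>[^>]*)> status=(?P<status>\S+)$"
)


def parse_line(line):
    """Return a dict for one log record, or None for lines we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_backscatter(rec):
    """An outbound message with a null sender going to an external domain.

    The log cannot prove the original sender was forged, so every such NDR
    is treated as suspect; legitimate NDRs to real senders are rare at volume.
    """
    return (rec["dir"] == "out" and rec["from"] == ""
            and domain_of(rec["to"]) not in LOCAL_DOMAINS)


def analyse(lines, max_ndr_per_hour=5):
    """Summarise NDR volume per hour and how often the edge accepted then bounced."""
    ndr_per_hour, out_per_hour, targets = Counter(), Counter(), Counter()
    accepted_then_bounced = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dir"] == "in" and rec["status"] == "bounced":
            # Accepted at the edge, rejected internally: the bounce goes to the
            # (possibly forged) sender. Rejecting unknown recipients at the
            # edge removes this whole class of traffic.
            accepted_then_bounced += 1
            continue
        if rec["dir"] != "out" or rec["status"] != "sent":
            continue
        hour = rec["ts"].strftime("%Y-%m-%dT%H")
        out_per_hour[hour] += 1
        if is_backscatter(rec):
            ndr_per_hour[hour] += 1
            targets[domain_of(rec["to"])] += 1
    flagged = {h: n for h, n in ndr_per_hour.items() if n > max_ndr_per_hour}
    return {
        "ndr_per_hour": dict(ndr_per_hour),
        "out_per_hour": dict(out_per_hour),
        "flagged_hours": flagged,
        "accepted_then_bounced": accepted_then_bounced,
        "top_targets": targets.most_common(3),
    }


# Constructed sample log: six forged-sender probes to non-existent users are
# accepted, bounced internally, and the NDRs leave for forged.example.net.
SAMPLE_LOG = """\
2010-07-30T14:01:02 in from=<alice@example.org> to=<bob@uni.example> status=sent
2010-07-30T14:01:09 in from=<u1@forged.example.net> to=<nobody1@uni.example> status=bounced
2010-07-30T14:01:10 out from=<> to=<u1@forged.example.net> status=sent
2010-07-30T14:01:15 in from=<u2@forged.example.net> to=<nobody2@uni.example> status=bounced
2010-07-30T14:01:16 out from=<> to=<u2@forged.example.net> status=sent
2010-07-30T14:01:21 in from=<u3@forged.example.net> to=<nobody3@uni.example> status=bounced
2010-07-30T14:01:22 out from=<> to=<u3@forged.example.net> status=sent
2010-07-30T14:01:27 in from=<u4@forged.example.net> to=<nobody4@uni.example> status=bounced
2010-07-30T14:01:28 out from=<> to=<u4@forged.example.net> status=sent
2010-07-30T14:01:33 in from=<u5@forged.example.net> to=<nobody5@uni.example> status=bounced
2010-07-30T14:01:34 out from=<> to=<u5@forged.example.net> status=sent
2010-07-30T14:01:39 in from=<u6@forged.example.net> to=<nobody6@uni.example> status=bounced
2010-07-30T14:01:40 out from=<> to=<u6@forged.example.net> status=sent
2010-07-30T14:02:30 out from=<bob@uni.example> to=<alice@example.org> status=sent
2010-07-30T15:10:00 out from=<> to=<carol@uni.example> status=sent
2010-07-30T15:11:00 out from=<> to=<dave@example.org> status=deferred
"""

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the 14:00 hour is flagged because six of its seven outbound messages are NDRs to one external domain, and the six `in ... status=bounced` records show the edge accepting mail for users that do not exist. A site seeing that shape in its real logs has found its backscatter source; the fix the thread converges on (verify or reject unknown recipients at the edge) makes both counters drop to zero.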


  • 5.  RE: Unable to get information about why our IPs have been marked as bad.

    Posted Aug 02, 2010 08:03 PM
    Thanks for that, I'll check it out. The reason I assumed Symantec uses 3rd party RBLs is because they list them on the Brightmail IQ Service. This was taken yesterday. We have since been marked as neutral reputation and are able to send emails again. I'm still interested to get the reason for our addition confirmed so I can fix the issue.

    -Simon




  • 6.  RE: Unable to get information about why our IPs have been marked as bad.

    Posted Aug 03, 2010 10:51 AM
    Via private conversation - At 8:40 AM CT USA, the three IP addresses are back on the Bad Sender list in Brightmail.

    http://www.senderbase.org/senderbase_queries/detailip?search_string=your_IP says you are clean.


  • 7.  RE: Unable to get information about why our IPs have been marked as bad.

    Broadcom Employee
    Posted Aug 03, 2010 01:27 PM

    I got some clarification on the 'hitandrun' list you are seeing. It is actually a Symantec internal list we maintain and it is showing up publicly by accident. They are currently working on fixing that.

    Spamhaus has some good information on what a snowshoe attack means here:

    http://www.spamhaus.org/faq/answers.lasso?section=Glossary

    Basically they are using a number of IP addresses in your environment to send spam from. That's how it looks to us at least, possibly because you have multiple mail servers the emails come from. It also may be backscatter spam that is not originating from your network, but the NDRs are coming from your mail server.

    If you had the Brightmail appliance I would tell you to turn on 'Drop invalid recipients' and Directory Harvest Attack detection.


  • 8.  RE: Unable to get information about why our IPs have been marked as bad.

    Posted Aug 03, 2010 02:23 PM

    RE: I got some clarification on the 'hitandrun' list you are seeing. It is actually a Symantec internal list we maintain and it is showing up publicly by accident. They are currently working on fixing that.

    What's it going to say instead?


  • 9.  RE: Unable to get information about why our IPs have been marked as bad.

    Broadcom Employee
    Posted Aug 03, 2010 02:27 PM
    I do not know for sure but it may not show that column at all.