Lately, I am getting more and more spam coming via postini.com. See below:
Received: from source ([206.190.38.111]) by exprod5mx128.postini.com ([12.158.34.245]) with SMTP; Fri, 30 Jul 2004 04:40:47 CDT
Received: from psmtp.com (exprod5mx30.postini.com [12.158.34.185]) by psmtp.preferred.com (8.12.9-20030924/8.12.9) with SMTP id i6VB468i000751
Received: from source ([192.116.80.38]) by exprod5mx32.postini.com ([12.158.34.245]) with SMTP; Tue, 17 Aug 2004 19:45:45 PDT
Received: from psmtp.com (exprod6mx122.postini.com [12.158.36.114]) by mta-3.gci.net (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with SMTP id <0I2F00HE8XHSVF@mta-3.gci.net> for x; Sat, 14 Aug 2004 06:27:31 -0800 (AKDT)
Received: from source ([80.253.126.147]) by exprod5mx115.postini.com ([12.158.34.245]) with SMTP; Tue, 17 Aug 2004 14:08:37 CDT
Does anyone know whether Postini has been bought out by Alan Ralsky perhaps? :-) Thanks, Hank
On Thu, 19 Aug 2004, Hank Nussbacher wrote:
Lately, I am getting more and more spam coming via postini.com. See below:
Received: from source ([206.190.38.111]) by exprod5mx128.postini.com ([12.158.34.245]) with SMTP; Fri, 30 Jul 2004 04:40:47 CDT
Received: from psmtp.com (exprod5mx30.postini.com [12.158.34.185]) by psmtp.preferred.com (8.12.9-20030924/8.12.9) with SMTP id i6VB468i000751
Is it just spam that has Postini in its headers, or all mail to that address? Have you or a mail administrator for your domain signed up with Postini for spam filtering? If so, all mail for the domain will flow through Postini's servers. If your mailbox isn't enabled for filtering or is set to not filter, all the spam you previously got from anywhere will show Postini in the headers. For that matter, all of your mail to that address will have Postini in the headers.

--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
WestNet: Connecting you to the planet. 805 884-6323 WB6RDV
NetLojix Communications, Inc. - http://www.netlojix.com/
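Jay's point is that Postini only shows up as an intermediate relay; the real source is the earliest Received: hop. The following parser is an added example (not from the thread or from Postini) that walks a chain modelled on the gci.net headers Hank quoted, reports the origin IP, and checks whether that origin falls inside a prefix you supply (the prefix and the two-hop chain are constructed sample data, not Hank's real network).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a Received: chain modelled on the headers quoted in the thread
# (GCI's MX behind Postini). Headers are in message order, so the LAST entry is the
# earliest hop, i.e. the relay that accepted the message directly from the spam source.
SAMPLE_RECEIVED = [
    "from psmtp.com (exprod6mx122.postini.com [12.158.36.114]) by mta-3.gci.net "
    "(iPlanet Messaging Server 5.2) with SMTP id <0I2F00HE8XHSVF@mta-3.gci.net> for x; "
    "Sat, 14 Aug 2004 06:27:31 -0800 (AKDT)",
    "from source ([80.253.126.147]) by exprod5mx115.postini.com ([12.158.34.245]) "
    "with SMTP; Tue, 17 Aug 2004 14:08:37 CDT",
]

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    helo: str           # name the sending host announced; trivially forgeable ("source" above)
    ip: Optional[str]   # address the receiving relay actually saw, if it recorded one
    by: str             # relay that wrote this Received: line


def parse_received(line: str) -> Hop:
    """Extract the announced name, observed IP and receiving relay from one Received: line."""
    m = HOP_RE.search(line)
    if not m:
        raise ValueError(f"unparseable Received: line: {line!r}")
    ip = IP_RE.search(m.group("comment") or "")
    return Hop(m.group("helo"), ip.group(1) if ip else None, m.group("by"))


def trace(received_headers: List[str], filter_domain: str, my_prefix: str) -> dict:
    """Walk the chain from the earliest hop and report where the message really entered."""
    hops = [parse_received(h) for h in reversed(received_headers)]
    origin = hops[0]
    # Relays under the filtering service's domain are transit, not the source of the spam.
    filter_relays = [h.by for h in hops if h.by.endswith(filter_domain)]
    net = ipaddress.ip_network(my_prefix)
    in_my_net = origin.ip is not None and ipaddress.ip_address(origin.ip) in net
    return {"origin_ip": origin.ip, "first_relay": origin.by,
            "filter_relays": filter_relays, "origin_in_my_prefix": in_my_net}


if __name__ == "__main__":
    print(trace(SAMPLE_RECEIVED, "postini.com", "80.253.126.0/24"))
```

The bracketed address is what the accepting relay observed on the wire, which is why it, rather than the "from" name, is the value to compare against your own netblocks.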
At 09:14 AM 19-08-04 -0700, Jay Hennigan wrote:
Have you or a mail administrator for your domain signed up with Postini for spam filtering? If so, all mail for the domain will flow through Postini's servers. If your mailbox isn't enabled for filtering or is set to not filter, all the spam you previously got from anywhere will show Postini in the headers. For that matter, all of your mail to that address will have Postini in the headers.
How exactly does "all mail for the domain will flow through Postini's servers"? I ask since the IP sending to some postini IP like exprod5mx30.postini.com is blocked for outgoing port 25+80. That means that the data is flowing to postini in 1 of the following ways:
a) auto-GRE tunnels
b) email packaged in some way
c) email is being sent via some dialup/DSL connection to postini
I am just trying to understand how postini is bypassing my anti-spam ACLs.
-Hank
On Fri, Aug 20, 2004 at 07:53:05AM +0300, Hank Nussbacher wrote:
At 09:14 AM 19-08-04 -0700, Jay Hennigan wrote:
Have you or a mail administrator for your domain signed up with Postini for spam filtering? If so, all mail for the domain will flow through
How exactly does "all mail for the domain will flow through Postini's servers"? I ask since the IP sending to some postini IP like exprod5mx30.postini.com is blocked for outgoing port 25+80. That means that the data is flowing to postini in 1 of the following ways:
a) auto-GRE tunnels
b) email packaged in some way
c) email is being sent via some dialup/DSL connection to postini
You're making this entirely too complicated. Just because mail can't enter postini's network via the address it comes from, doesn't mean it can't enter it on a different IP. Postini's a mail filtering company, I'd be willing to bet they have a lot of IPs that allow inbound mail. :)
I am just trying to understand how postini is bypassing my anti-spam ACLs.
Again, you haven't answered his question.... Did your ISP or some other email provider possibly sign up for Postini? How many different domain addresses forward into your account? If you accept mail from any other server for any other domain, that domain could be a postini customer. Postini does not originate or forward spam, they filter mail destined for their customer domains. Some spam gets through their filters, because spammers are smart and adaptively evil. It's really quite simple.

--
Ray Wong rayw@rayw.net
At 10:17 PM 19-08-04 -0700, Ray Wong wrote:
I am just trying to understand how postini is bypassing my anti-spam ACLs.
Again, you haven't answered his question.... Did your ISP or some other email provider possibly sign up for Postini? How many different domain addresses forward into your account? If you accept mail from any other server for any other domain, that domain could be a postini customer.
You are missing my point. I am the ISP. I have a *downstream* customer who may or may not have signed up to Postini. This *downstream* customer is bypassing my anti-spam ACLs by somehow using Postini. I am trying to figure out how Postini works. -Hank
Postini does not originate or forward spam, they filter mail destined for their customer domains. Some spam gets through their filters, because spammers are smart and adaptively evil. It's really quite simple.
--
Ray Wong rayw@rayw.net
Hank Nussbacher wrote:
Postini does not originate or forward spam, they filter mail destined for their customer domains. Some spam gets through their filters, because spammers are smart and adaptively evil. It's really quite simple.
Hank's issue is that he's got ports 25 and 80 blocked for some part of his network. Those IPs are generating spam reports though they shouldn't be. In the example he forwarded, the spam reached a user of gci.net, for which postini provides MX services - who then reported the email to Hank as spam from Hank's network.

What I can see happening is that Hank's port 25 filtering ACLs are being bypassed somehow ... maybe zombied machines on his network running ip masquerading and spam sending proxies on unfiltered ports, or tunneling smtp requests out in some other way.

Or maybe he doesn't source filter addresses and a spammer controlled machine on his network has two interfaces - one on hank's network [say a throwaway dialup / broadband account], and another a much fatter pipe. Packets (or rather in this case, junk mail) goes out through the fat pipe with Hank's IPs spoofed into the source address.

I would recommend that Hank set up port blocks both inbound and outbound, and also examine mrtg or other data that he may have about that host. If possible, sniffing the traffic inbound and outbound to it would also reveal a whole lot.

srs
On Fri, 20 Aug 2004, Suresh Ramasubramanian wrote:
Hank Nussbacher wrote:
Postini does not originate or forward spam, they filter mail destined for their customer domains. Some spam gets through their filters, because spammers are smart and adaptively evil. It's really quite simple.
What I can see happening is that Hank's port 25 filtering ACLs are being bypassed somehow ...
or delivering email via tcp/465 or tcp/587 to postini? (I can't make connections to postini hosts for GCI.NET on these 2 ports though)
Or maybe he doesn't source filter addresses and a spammer controlled machine on his network has two interfaces - one on hank's network [say a throwaway dialup / broadband account], and another a much fatter pipe. Packets (or rather in this case, junk mail) goes out through the fat pipe with Hank's IPs spoofed into the source address.
'fantasy mail' is what we call this :( It's a pain and you have to port25 filter in AND out :(
I would recommend that Hank set up port blocks both inbound and outbound, and also examine mrtg or other data that he may have about
We've 'fixed' this for dial accounts (mostly) with in/out filters on their connections as you've suggested.
Christopher L. Morrow wrote:
'fantasy mail' is what we call this :( It's a pain and you have to port25 filter in AND out :(
that must have been a nightmare especially with a large provider of dialup pops for a whole lot of ISPs .. not as much as the filtering as keeping track of the holes you punched in the filters so that customers of an isp leasing pops from you can relay out through their own isp's servers.

is there a doc for this somewhere online? i know at least some isps who would appreciate being spoonfed a howto for this, right down to copy and paste cisco acls ...

thanks!

srs
On Fri, 20 Aug 2004, Suresh Ramasubramanian wrote:
Christopher L. Morrow wrote:
'fantasy mail' is what we call this :( It's a pain and you have to port25 filter in AND out :(
that must have been a nightmare especially with a large provider of dialup pops for a whole lot of ISPs .. not as much as the filtering as keeping track of the holes you punched in the filters so that customers of an isp leasing pops from you can relay out through their own isp's servers.
radius profile based filters, sorry I should have been more clear about that.
is there a doc for this somewhere online? i know at least some isps who would appreciate being spoonfed a howto for this, right down to copy and paste cisco acls ...
it's mostly radius stuff, though I'm sure someone could put simple examples together.
On Fri, 20 Aug 2004, Suresh Ramasubramanian wrote:
now why wasn't i bright enough to think of radius
never mind, i think i got the hang of where to look for cookie cutter samples ...
twasn't me who thought of it either :)
thanks!
Christopher L. Morrow wrote:
radius profile based filters, sorry I should have been more clear about that.
This won't work for resold ports, but we used to do all of our [dialup] filtering on the NAS. We could still do so with our TC1000's, but it's much simpler to do it with radius if you have multiple ISP's using the same box.

Bob Martin

Christopher L. Morrow wrote:
On Fri, 20 Aug 2004, Suresh Ramasubramanian wrote:
Christopher L. Morrow wrote:
'fantasy mail' is what we call this :( It's a pain and you have to port25 filter in AND out :(
that must have been a nightmare especially with a large provider of dialup pops for a whole lot of ISPs .. not as much as the filtering as keeping track of the holes you punched in the filters so that customers of an isp leasing pops from you can relay out through their own isp's servers.
radius profile based filters, sorry I should have been more clear about that.
is there a doc for this somewhere online? i know at least some isps who would appreciate being spoonfed a howto for this, right down to copy and paste cisco acls ...
it's mostly radius stuff, though I'm sure someone could put simple examples together.
On Thu, 2004-08-19 at 21:27, Hank Nussbacher wrote:
At 10:17 PM 19-08-04 -0700, Ray Wong wrote:
I am just trying to understand how postini is bypassing my anti-spam ACLs.
Again, you haven't answered his question.... Did your ISP or some other email provider possibly sign up for Postini? How many different domain addresses forward into your account? If you accept mail from any other server for any other domain, that domain could be a postini customer.
You are missing my point. I am the ISP. I have a *downstream* customer who may or may not have signed up to Postini. This *downstream* customer is bypassing my anti-spam ACLs by somehow using Postini. I am trying to figure out how Postini works.
-Hank
Did you just get the reply from CKM, Hank?

Dee
On Thu, 19 Aug 2004, Hank Nussbacher wrote:
Lately, I am getting more and more spam coming via postini.com. See below:
Received: from source ([206.190.38.111]) by exprod5mx128.postini.com ([12.158.34.245]) with SMTP; Fri, 30 Jul 2004 04:40:47 CDT
More than likely, the mail is being sent to postini for filtering, and it's not being caught, or your mailbox is not being filtered by them.
participants (8)
- Bob Martin
- Christopher L. Morrow
- Hank Nussbacher
- Jay Hennigan
- Ray Wong
- Suresh Ramasubramanian
- Tom (UnitedLayer)
- W.D.McKinney