Educause Security Discussion mailing list archives

Dealing with IronPort SenderBase


From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Wed, 11 Jun 2008 08:38:00 -0400

Has anyone else had to deal with SenderBase to have their reputation score adjusted?  We had this issue once in the 
past.  We had to contact Cisco sales managers (IronPort was bought by Cisco so we went that route since we are a Cisco 
shop) and get messages to directors at IronPort before their customer support would budge to adjust our score.  It took 
almost a week and a lot of political garbage.

We had a user fall victim to a phishing scheme which resulted in his account being compromised.  The attacker logged in 
to his webmail (OWA) account from Nigeria and sent about 100 spam messages cc'ed to multiple recipients.  I am not sure 
where IronPort's support personnel got the idea it was a virus/Trojan other than obviously not carefully reading my 
initial e-mail to them and making assumptions.  We did have a similar issue back in March with another account.  That 
issue was made worse since we did not get paged until the drives containing our mail logs and queues got low on space.

We were able to stop this latest attack within 30 minutes (during off hours) thanks to monitoring we had placed on our 
Exchange SMTP queues.  Several e-mail addresses the attacker used had invalid domains which resulted in our queues 
exceeding the low thresholds we have in place to trigger paging.  We are still investigating better options to mitigate 
these attacks as it is only a matter of time before we get another user that falls victim to these schemes.

I am very frustrated with IronPort's lack of support.  I feel they are holding organizations hostage by refusing to 
adjust the score.  In my opinion their score is a defamation of character based upon the current point in time where 
the issue on our end has been corrected.  It is hindering our ability to conduct business with other organizations.  I 
have contacted the domains that are using IronPort appliances and asked them to whitelist us.  Many of them do not have 
valid postmaster, hostmaster, and/or DNS administrator e-mail accounts.  Of the ones that do, only one has responded 
(kudos to them for monitoring their administrative mailboxes, and shame on those that do not monitor these boxes).

IronPort states the score will come down on its own.  However, it was my understanding that the score comes down as 
more legitimate mail is sent from our mail server.  In order for them to see legitimate mail, something has to report 
back to them.  That something, I would presume, is IronPort appliances.  If we can't connect to IronPort appliances to 
send mail because they are blocking all mail exchangers with a poor reputation, our score will never come down.
        
Thanks for your input,

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu


-----Original Message-----
From: IronPort Customer Support Ticketing System [mailto:support () senderbase org] 
Sent: Tuesday, June 10, 2008 8:03 PM
To: Jenkins, Matthew
Subject: [IronPort.com #341032] SenderBase reputation score for Fairmont State University

Hello
Thank you for contacting Senderbase. Looks like you were correct and 
these complaints are the result of a recent virus/trojan infection in 
your network. It looks like you had a similar issue in March and we 
had temporarily resolved this issue then by resetting your reputation 
score. Since a new spam issue has cropped up this soon, I am going to 
have to let the system do its job and recover on its own.

Since you have resolved the issues, the reputation of your IP should 
begin to improve automatically and you should be able to deliver 
emails successfully. 

Sincerely
Senderbase.

-----Original Message-----
From: Jenkins, Matthew 
Sent: Sunday, June 08, 2008 10:00 AM
To: support () senderbase org
Subject: SenderBase reputation score for Fairmont State University 

This week we had a valid account compromised and used to send about a hundred spam messages through our MTA.  Each 
message was addressed to numerous recipients.  We now have a poor reputation with SenderBase and this is causing our 
outbound mail to be rejected by organizations we do business with.  The account breach was corrected within 30 minutes, 
however unfortunately several hundred spam messages were sent before the attack was stopped.  Can you please adjust our 
score for x.x.x.x temporarily until it comes back up on its own?  Thanks,
 
Ps:  We have two mail servers, x.x.x.1 and x.x.x.x.2, but only x.x.x.x.2 seems to have gotten the poor score.
 
Thank you,
 
Matt
 
Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu
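The detection Matt describes in the first message (paging when the Exchange SMTP queues grow because a compromised account is spraying mail at invalid domains) can be expressed as a small log-driven check. The script below is an added example, not code from the original thread, from Fairmont State, or from any Exchange or IronPort tooling; the log line format, the `example.edu` account names, the 30-minute window and the thresholds are constructed assumptions. It flags two things a defender would want paged on: any single sender exceeding a per-window recipient count, and a backlog of deferred or bounced deliveries large enough to indicate queue growth.

```python
"""Compromised-account spam burst detection from MTA log lines (added example).

Assumed, constructed log format (real Exchange/sendmail/postfix logs differ):
    2008-06-08 02:10:05 from=user@example.edu to=rcpt@dest.example status=sent
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"from=(?P<sender>\S+) to=(?P<rcpt>\S+) status=(?P<status>sent|deferred|bounced)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
    return event


def parse_log(lines):
    """Parse all lines, drop unparseable ones, and return events sorted by time."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def senders_over_threshold(events, window=timedelta(minutes=30), max_recipients=50):
    """Return {sender: peak} for senders whose recipient count inside any sliding
    window of `window` length exceeds `max_recipients`."""
    by_sender = defaultdict(list)
    for e in events:
        by_sender[e["sender"]].append(e["ts"])  # already time-ordered
    flagged = {}
    for sender, times in by_sender.items():
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_recipients:
            flagged[sender] = peak
    return flagged


def undeliverable_backlog(events):
    """Count deliveries that are deferred or bounced: the queue growth that the
    original post says tripped the low-threshold page."""
    return sum(1 for e in events if e["status"] != "sent")


def queue_alarm(events, low_threshold=20):
    """True when the undeliverable backlog reaches the paging threshold."""
    return undeliverable_backlog(events) >= low_threshold


def build_sample_log():
    """Constructed sample: one normal user plus one compromised account."""
    lines = []
    base = datetime(2008, 6, 8, 2, 0, 0)
    # Legitimate user: three messages spread over an hour.
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} from=asmith@example.edu "
                     f"to=colleague{i}@partner.example status=sent")
    # Compromised account: 60 recipients in 10 minutes, 25 of them to bogus domains.
    for i in range(60):
        t = base + timedelta(seconds=10 * i)
        status = "deferred" if i % 12 < 5 else "sent"
        domain = "bogus-domain.invalid" if status == "deferred" else "victim.example"
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} from=jdoe@example.edu "
                     f"to=rcpt{i}@{domain} status={status}")
    return lines


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print("senders over threshold:", senders_over_threshold(evts))
    print("undeliverable backlog:", undeliverable_backlog(evts))
    print("page on-call:", queue_alarm(evts))
```

The per-sender sliding window is the part worth keeping even if the queue check is already covered by existing monitoring: it catches the compromised account directly, before enough mail bounces to move the queue counters, so the page goes out on the first burst rather than on the symptom.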
