Educause Security Discussion mailing list archives
Dealing with IronPort SenderBase
From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Wed, 11 Jun 2008 08:38:00 -0400
Has anyone else had to deal with SenderBase to have their reputation score adjusted? We had this issue once in the past. We had to contact Cisco sales managers (IronPort was bought by Cisco so we went that route since we are a Cisco shop) and get messages to directors at IronPort before their customer support would budge to adjust our score. It took almost a week and a lot of political garbage.

We had a user fall victim to a phishing scheme which resulted in his account being compromised. The attacker logged in to his webmail (OWA) account from Nigeria and sent about 100 spam messages cc'ed to multiple recipients. I am not sure where IronPort's support personnel got the idea it was a virus/Trojan other than obviously not carefully reading my initial e-mail to them and making assumptions.

We did have a similar issue back in March with another account. That issue was made worse since we did not get paged until the drives containing our mail logs and queues got low on space. We were able to stop this latest attack within 30 minutes (during off hours) thanks to monitoring we had placed on our Exchange SMTP queues. Several e-mail addresses the attacker used had invalid domains which resulted in our queues exceeding the low thresholds we have in place to trigger paging. We are still investigating better options to mitigate these attacks as it is only a matter of time before we get another user that falls victim to these schemes.

I am very frustrated with IronPort's lack of support. I feel they are holding organizations hostage by refusing to adjust the score. In my opinion their score is a defamation of character based upon the current point in time where the issue on our end has been corrected. It is hindering our ability to conduct business with other organizations.

I have contacted the domains that are using IronPort appliances and asked them to whitelist us. Many of them do not have valid postmaster, hostmaster, and/or DNS administrator e-mail accounts. Of the ones that do, only one has responded (kudos to them for monitoring their administrative mailboxes, and shame on those that do not monitor these boxes).

IronPort states the score will come down on its own. However, it was my understanding that the score comes down as more legitimate mail is sent from our mail server. In order for them to see legitimate mail, something has to report back to them. That something, I would presume, is IronPort appliances. If we can't connect to IronPort appliances to send mail because they are blocking all mail exchangers with a poor reputation, our score will never come down.

Thanks for your input,
Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu

-----Original Message-----
From: IronPort Customer Support Ticketing System [mailto:support () senderbase org]
Sent: Tuesday, June 10, 2008 8:03 PM
To: Jenkins, Matthew
Subject: [IronPort.com #341032] SenderBase reputation score for Fairmont State University

Hello

Thank you for contacting Senderbase. Looks like you were correct and these complaints are the result of a recent virus/trojan infection in your network. It looks like you had a similar issue in March and we had temporarily resolved this issue then by resetting your reputation score. Since a new spam issue has cropped up this soon, I am going to have to let the system do its job and recover on its own. Since you have resolved the issues, the reputation of your IP should begin to improve automatically and you should be able to deliver emails successfully.

Sincerely
Senderbase.

-----Original Message-----
From: Jenkins, Matthew
Sent: Sunday, June 08, 2008 10:00 AM
To: support () senderbase org
Subject: SenderBase reputation score for Fairmont State University

This week we had a valid account compromised and used to send about a hundred spam messages through our MTA. Each message was addressed to numerous recipients. We now have a poor reputation with SenderBase and this is causing our outbound mail to be rejected by organizations we do business with. The account breach was corrected within 30 minutes, however unfortunately several hundred spam messages were sent before the attack was stopped. Can you please adjust our score for x.x.x.x temporarily until it comes back up on its own?

Thanks,

Ps: We have two mail servers, x.x.x.1 and x.x.x.x.2, but only x.x.x.x.2 seems to have gotten the poor score.

Thank you,
Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu
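
The post describes catching the compromised account through SMTP queue depth. As an added example (not part of the original post and not vendor code), the sketch below shows a complementary check that counts recipients per authenticated sender in a sliding window. The log layout, addresses and thresholds are constructed for illustration and are not an Exchange log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (hypothetical layout, time-ordered):
# ISO timestamp, authenticated sender, number of recipients on the message.
SAMPLE_LOG = """\
2008-06-07T02:00:05,alice@example.edu,1
2008-06-07T02:01:10,bob@example.edu,40
2008-06-07T02:01:40,bob@example.edu,45
2008-06-07T02:02:15,bob@example.edu,50
2008-06-07T02:03:00,alice@example.edu,3
2008-06-07T02:30:00,bob@example.edu,2
"""

def find_bursts(log_text, window=timedelta(minutes=10), max_recipients=100):
    """Return {sender: first time the sender's recipient total inside the
    sliding window exceeded max_recipients}."""
    recent = defaultdict(deque)   # sender -> deque of (timestamp, recipients)
    totals = defaultdict(int)     # sender -> recipients currently in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, sender, count = line.split(",")
        when, count = datetime.fromisoformat(stamp), int(count)
        q = recent[sender]
        # Drop entries that have aged out of the window.
        while q and when - q[0][0] > window:
            totals[sender] -= q.popleft()[1]
        q.append((when, count))
        totals[sender] += count
        # Record only the first crossing so one burst pages once.
        if totals[sender] > max_recipients and sender not in alerts:
            alerts[sender] = when
    return alerts

if __name__ == "__main__":
    for sender, when in find_bursts(SAMPLE_LOG).items():
        print(f"PAGE: {sender} exceeded recipient threshold at {when}")
```

Unlike a queue-depth threshold, this check does not depend on some recipient domains being invalid, so it also fires when every spam message is deliverable.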