funsec mailing list archives
Shaw and Spamhaus
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade () shaw ca>
Date: Thu, 24 Feb 2011 21:43:39 -0800
I seem to be back on the air. A few observations: (Sorry, I've not had time to put these in particular order, and some of the points may duplicate or relate ...)

1) I still have absolutely no idea why Shaw cut me off. They keep blaming Spamhaus, but the only links they offer me as evidence clearly show that there is no "bad reputation" in the specific IP address that I am currently using, only a policy listing showing one of Shaw's address ranges.

2) I got absolutely no warning from Shaw, and no notice after the fact.

3) Shaw's spam filtering is for the birds. Today I got two messages flagged as spam, for no clear reason I could see. They were from a publisher, asking how to send me a book for review. The only possible reason I could see was that the publisher copied three of my email addresses on the same message. A lot of people do that, but it usually doesn't trip the spam filter. Today it did. (Someone else with Shaw "service" tried to send out an announcement to a group. Since he didn't have a mailing list server, he just sent out a bunch of messages. Apparently that got *his* account flagged as spamming.) I also got the usual round of messages from security mailing lists tagged as spam: Shaw sure has something against security. And at least one 419 scam got through unflagged today, despite being like just about every other 419 in the world. (Oddly, during this period I've noted a slight uptick in 419s and phishing in general.)

4) Through this episode I had contact with Shaw via email, phone, "live chat," and Twitter. I follow ShawInfo and Shawhelp on Twitter. On Twitter, I was told to send them a direct message (DM). I had, in fact, tried to do that, but Shaw doesn't accept direct messages by default. (Since I pointed that out to them, they now, apparently, accept them from me.) They sent me public messages on Twitter, and I replied in kind. Through the Twitter account they also informed me that error 554 is "poor reputation" and is caused by sending too many emails. They didn't say how many is too many. (Testing by someone else indicated something on the order of 50-100 per hour, and I've never done anything near that scale.)

5) The "live chat" function installs some software on your (the client) machine. At least two of the pieces of software failed the digital signature verification ...

6) The "information" I got from Shaw was limited. The first (phone) support call directed me to http://www.senderbase.org/senderbase_queries/detailip?search_string=70.79.166.169 If you read the page, the information is almost entirely about the "network" with only a few (and not informative) pieces about the IP address itself. (I did, separately, confirm that this was my IP address.) The bulk of the page is a report on addresses that aren't even in the same range as I am. About halfway down the right hand side of the page is "DNS-based blocklists." If you click the "[Show/Hide all]" link you'll notice that four out of five think I'm OK. If you click on the remaining one, you go to http://www.spamhaus.org/query/bl?ip=70.79.166.169 At the moment, it shows that I'm completely OK. At the time I was dealing with Shaw, it showed that it's not in the SpamHaus Block List (SBL) or the XBL. It was in the PBL (Policy Block List), but only as a range known to be allowed to do open sending. In other words, there is nothing wrong with my IP address: Shaw is in the poop for allowing (other) people to send spam.

7) The second (live chat) support call sent me to http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+ Again, this page showed a single negative entry, and a whole page of positive reports. The single negative entry, if pursued, went to the same Spamhaus report as detailed above.

8) At the time, both initial pages, if followed through in terms of details, led to http://www.spamhaus.org/pbl/query/PBL164253 giving, as the reason, that "This IP range has been identified by Spamhaus as not meeting our policy for IPs permitted to deliver unauthenticated 'direct-to-mx' email to PBL users." Again, Shaw's problem, not mine. However, that page has a link to allow you to try and have an address removed. However, it says that the "Removal Procedure" is only to be used "If you are not using normal email software but instead are running a mail server and you are the owner of a Static IP address in the range 70.79.164.0/22 and you have a legitimate reason for operating a mail server on this IP, you can automatically remove (suppress) your static IP address from the PBL database." Nevertheless, I did explore the link on that page, which led to http://www.spamhaus.org/pbl/removal/ Again, there you are told "You should only remove an IP address from the PBL if (A) the IP address is Static and has proper Reverse DNS assigned to your mail server, and (B) if you have a specific technical reason for needing to run a 'direct-to-MX' email service, such as a mail server appliance, off the Static IP address. In all other cases you should NOT remove an IP address from the PBL." This did not refer to my situation. Unfortunately, THESE TWO PAGES ARE INCORRECT. If you do proceed beyond that page, you get to http://www.spamhaus.org/pbl/removal/form This page does allow you to submit a removal request for a dynamic IP address, and, in fact, defaults to dynamic in the form. It was only on the last part of the second call, when the Shaw tech gave me this specific address, that I found this out. For this I really have to blame Spamhaus.

9) In trying to determine if, by some weird mischance, my computer had become infected, I used two AV scanners, one spyware scanner, and two rootkit scanners. (All results negative, although the Sophos rootkit scanner could have been a bit clearer about what it had "found.") Of course, I've been in the field for over two decades. How would the average user (or even a security professional in a non-malware field) even know that there are different types of scanners? (Let alone the non-signature based tools.)

======================
(quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
Rescue those being led away to death, hold back those being dragged to the slaughter. Will you object, `But look, we did not know?' Has he who weighs the heart no understanding, He who scans your soul no knowledge? - Proverbs 24:11,12
victoria.tc.ca/techrev/rms.htm
http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
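The web lookup tools mentioned in the post (senderbase, mxtoolbox, the Spamhaus query page) are front ends to DNS-based blocklist queries: the IP's octets are reversed, the blocklist zone is appended, and an A-record answer in 127.0.0.0/8 encodes which list hit. The post's whole point is that a PBL (policy) hit on the ISP's range is not a reputation listing of the individual address. The following is an added example, not code from the original post or from Spamhaus; it builds the query name, classifies the answer so a PBL-only result is reported separately from an SBL/XBL one, and takes an injectable resolver so the logic can be exercised offline with constructed answers. The return-code meanings are taken from Spamhaus's published ZEN documentation as I recall it and should be checked against the current docs before being relied on.

```python
"""Query a DNSBL for an IPv4 address and tell a policy (PBL) listing apart from
a reputation (SBL/XBL) listing.  Added example; not the original post's code."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Spamhaus ZEN answer codes (assumption: per Spamhaus docs; verify before use).
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL: listed as a spam source",
    "127.0.0.3": "SBL CSS: snowshoe / low-reputation sender",
    "127.0.0.4": "XBL: exploited or infected host",
    "127.0.0.5": "XBL: exploited or infected host",
    "127.0.0.6": "XBL: exploited or infected host",
    "127.0.0.7": "XBL: exploited or infected host",
    "127.0.0.10": "PBL: ISP-maintained policy range (not a reputation judgement)",
    "127.0.0.11": "PBL: Spamhaus-maintained policy range (not a reputation judgement)",
}
POLICY_CODES = {"127.0.0.10", "127.0.0.11"}
# Answers in 127.255.255.0/24 signal a refused query (open resolver, rate limit),
# not a listing; they must never be read as "blocked".
ERROR_PREFIX = "127.255.255."

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed octets + zone, e.g. 169.166.79.70.zone."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on a bad address
    reversed_octets = ".".join(reversed(addr.exploded.split(".")))
    return f"{reversed_octets}.{zone}"


def default_resolver(name: str) -> List[str]:
    """Live DNS lookup; NXDOMAIN (not listed) comes back as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def classify(answers: Iterable[str]) -> Dict[str, object]:
    """Interpret DNSBL answer records.

    Returns listed / policy_only flags, human-readable reasons, and an error
    string when the answer means the query itself was refused.
    """
    answers = list(answers)
    errors = [a for a in answers if a.startswith(ERROR_PREFIX)]
    if errors:
        return {"listed": False, "policy_only": False, "reasons": [],
                "error": f"query refused by DNSBL (code {errors[0]})"}
    reasons = [ZEN_CODES.get(a, f"unknown code {a}") for a in answers]
    policy_only = bool(answers) and all(a in POLICY_CODES for a in answers)
    return {"listed": bool(answers), "policy_only": policy_only,
            "reasons": reasons, "error": None}


def check_ip(ip: str, zone: str = "zen.spamhaus.org",
             resolver: Resolver = default_resolver) -> Dict[str, object]:
    """Look an address up in a DNSBL zone and classify the result."""
    return classify(resolver(dnsbl_query_name(ip, zone)))


if __name__ == "__main__":
    # Constructed answer matching the situation in the post: PBL-only hit.
    fake = lambda name: ["127.0.0.10"]
    print(check_ip("70.79.166.169", resolver=fake))
```

A mail receiver that rejects on any ZEN answer will treat a PBL-only result exactly like an XBL one, which is why a customer on a dynamic range can see a 554 with no reputation problem of their own; checking `policy_only` before deciding on a reject versus a "use your ISP's submission server" hint is the distinction the post is asking Shaw and Spamhaus to make explicit.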
Current thread:
- Shaw and Spamhaus Rob, grandpa of Ryan, Trevor, Devon & Hannah (Feb 24)
- Re: Shaw and Spamhaus phester (Feb 26)