funsec mailing list archives

Shaw and Spamhaus


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade () shaw ca>
Date: Thu, 24 Feb 2011 21:43:39 -0800

I seem to be back on the air.

A few observations:

(Sorry, I've not had time to put these in particular order, and some of the points 
may duplicate or relate ...)

1) I still have absolutely no idea why Shaw cut me off.  They keep blaming 
Spamhaus, but the only links they offer me as evidence clearly show that there is 
no "bad reputation" in the specific IP address that I am currently using, only a 
policy listing showing one of Shaw's address ranges.

2) I got absolutely no warning from Shaw, and no notice after the fact.

3) Shaw's spam filtering is for the birds.  Today I got two messages flagged as 
spam, for no clear reason I could see.  They were from a publisher, asking how to 
send me a book for review.  The only possible reason I could see was that the 
publisher copied three of my email addresses on the same message.  A lot of 
people do that, but it usually doesn't trip the spam filter.  Today it did.  (Someone 
else with Shaw "service" tried to send out an announcement to a group.  Since he 
didn't have a mailing list server, he just sent out a bunch of messages.  Apparently 
that got *his* account flagged as spamming.)  I also got the usual round of 
messages from security mailing lists tagged as spam: Shaw sure has something 
against security.  And at least one 419 scam got through unflagged today, despite 
being like just about every other 419 in the world.  (Oddly, during this period I've 
noted a slight uptick in 419s and phishing in general.)

4) Through this episode I had contact with Shaw via email, phone, "live chat," and 
Twitter.  I follow ShawInfo and Shawhelp on Twitter.  On Twitter, I was told to 
send them a direct message (DM).  I had, in fact, tried to do that, but Shaw doesn't 
accept direct messages by default.  (Since I pointed that out to them, they now, 
apparently accept them from me.)  They sent me public messages on Twitter, and 
I replied in kind.  Through the Twitter account they also informed me that error 
554 is "poor reputation" and is caused by sending too many emails.  They didn't 
say how many is too many.  (Testing by someone else indicated something on the 
order of 50-100 per hour, and I've never done anything near that scale.)

5) The "live chat" function installs some software on your (the client) machine.  
At least two of the pieces of software failed the digital signature verification ...

6) The "information" I got from Shaw was limited.  The first (phone) support call 
directed me to 
http://www.senderbase.org/senderbase_queries/detailip?search_string=70.79.166.169
If you read the page, the information is almost entirely about the "network" with 
only a few (and not informative) pieces about the IP address itself.  (I did, 
separately, confirm that this was my IP address.)  The bulk of the page is a report 
on addresses that aren't even in the same range as I am.  About halfway down the 
right hand side of the page is "DNS-based blocklists."  If you click the "[Show/Hide 
all]" link you'll notice that four out of five think I'm OK.  If you click on the 
remaining one, you go to http://www.spamhaus.org/query/bl?ip=70.79.166.169
At the moment, it shows that I'm completely OK.  At the time I was dealing with 
Shaw, it showed that it's not in the SpamHaus Block List (SBL) or the XBL.  It 
was in the PBL (Policy Block List), but only as a range known to be allowed to do 
open sending.  In other words, there is nothing wrong with my IP address: Shaw is 
in the poop for allowing (other) people to send spam.

7) The second (live chat) support call sent me to 
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a70.79.166.169+
Again, this page showed a single negative entry, and a whole page of positive 
reports.  The single negative entry, if pursued, went to the same Spamhaus report 
as detailed above.

8) At the time, both initial pages, if followed through in terms of details, led to 
http://www.spamhaus.org/pbl/query/PBL164253
giving, as the reason, that "This IP range has been identified by Spamhaus as not 
meeting our policy for IPs permitted to deliver unauthenticated 'direct-to-mx' 
email to PBL users."  Again, Shaw's problem, not mine.  However, that page has a 
link to allow you to try and have an address removed.  However, it says that the 
"Removal Procedure" is only to be used "If you are not using normal email 
software but instead are running a mail server and you are the owner of a Static IP 
address in the range 70.79.164.0/22 and you have a legitimate reason for 
operating a mail server on this IP, you can automatically remove (suppress) your 
static IP address from the PBL database."  Nevertheless, I did explore the link on 
that page, which led to http://www.spamhaus.org/pbl/removal/
Again, there you are told "You should only remove an IP address from the PBL 
if (A) the IP address is Static and has proper Reverse DNS assigned to your mail 
server, and (B) if you have a specific technical reason for needing to run a 
'direct-to-MX' email service, such as a mail server appliance, off the Static IP address. In 
all other cases you should NOT remove an IP address from the PBL."  This did 
not refer to my situation.  Unfortunately, THESE TWO PAGES ARE 
INCORRECT.  If you do proceed beyond that page, you get to 
http://www.spamhaus.org/pbl/removal/form
This page does allow you to submit a removal request for a dynamic IP address, 
and, in fact, defaults to dynamic in the form.  It was only on the last part of the 
second call, when the Shaw tech gave me this specific address, that I found this 
out.  For this I really have to blame Spamhaus.

9) In trying to determine if, by some weird mischance, my computer had become 
infected, I used two AV scanners, one spyware scanner, and two rootkit scanners.  
(All results negative, although the Sophos rootkit scanner could have been a bit 
clearer about what it had "found.")  Of course, I've been in the field for over two 
decades.  How would the average user (or even a security professional in a non-
malware field) even know that there are different types of scanners?  (Let alone 
the non-signature based tools.)

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
Rescue those being led away to death,
   hold back those being dragged to the slaughter.
Will you object, `But look, we did not know?'
   Has he who weighs the heart no understanding,
He who scans your soul no knowledge?             - Proverbs 24:11,12
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
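The post's central point is the difference between a reputation listing (SBL/XBL) and a policy listing (PBL) for an address. The following is an added example, not code from the post or from Spamhaus, showing how a DNSBL query is formed and how the ZEN return codes are decoded so that a PBL-only hit is not mistaken for "poor reputation". The resolver is injectable so the check runs offline; the 127.0.0.x codes are Spamhaus's documented ZEN values, and the stub answers are constructed.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # combined SBL + XBL + PBL zone

# A record returned for a listed IP encodes which sub-list(s) matched.
ZEN_CODES = {
    "127.0.0.2": "SBL",   # Spamhaus Block List: verified spam source
    "127.0.0.3": "SBL",   # SBL CSS: snowshoe / low-reputation source
    "127.0.0.4": "XBL",   # Exploits Block List: compromised host
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",  # Policy Block List, ISP-maintained range
    "127.0.0.11": "PBL",  # Policy Block List, Spamhaus-maintained range
}

def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL query name: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answers):
    """Map DNSBL A-record answers to (lists that fired, error codes)."""
    lists, errors = set(), set()
    for a in answers:
        if a.startswith("127.255.255."):
            errors.add(a)  # query error / rate-limit signal, not a listing
        elif a in ZEN_CODES:
            lists.add(ZEN_CODES[a])
    return lists, errors

def is_reputation_listing(lists) -> bool:
    """True only for SBL/XBL. A PBL-only hit is a policy on the ISP's
    range (dynamic/residential space), not evidence this host spammed."""
    return bool(lists & {"SBL", "XBL"})

def lookup(ip: str, resolve=socket.gethostbyname_ex):
    """Query the zone; a resolution failure (NXDOMAIN) means 'not listed'."""
    try:
        _, _, addrs = resolve(dnsbl_name(ip))
    except (socket.gaierror, socket.herror):
        return set(), set()
    return classify(addrs)

def not_listed(_name):
    """Constructed resolver stub that behaves like NXDOMAIN (offline use)."""
    raise socket.gaierror("NXDOMAIN")

if __name__ == "__main__":
    # Constructed stub answering the PBL code, as the author's IP did then.
    print(lookup("70.79.166.169", resolve=lambda n: (n, [], ["127.0.0.11"])))
```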

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
