Robert, thanks for explaining the root cause of your Spamhaus CSS problem and what you changed to fix it. I appreciate your generosity to share what you learned -- helpful insights for the rest of us, and testimony to the collaborative value of this Mailop list.
On Thu, Mar 30, 2017 at 10:50 AM, Robert L Mathews <li...@tigertech.com> wrote:

> On 3/29/17 2:52 PM, Larry M. Smith wrote:
>
> > "If you are authoritative for an IP address and you believe the issues
> > that caused the listing have been solved, you can [request a delisting]."
> >
> > Doesn't work for you?
>
> Yes, it works great! But then we'd get re-listed a few hours later
> because the underlying cause was still present.
>
> Anyway, I've finally talked to the CSS folks at Spamhaus and found the
> cause of this, and it was mostly self-inflicted. Details below in case
> others have the same problem.
>
> When sending to some destinations, our outbound mail servers used
> multiple HELO/EHLO hostnames under tigertech.net, depending on the
> source of the message internally, and it could further vary over time.
> The reasons are boring and stupid; "it fixed an obscure problem in 2006
> and we never stopped doing it".
>
> The hostnames were valid in terms of RFC 2821 and had working DNS, but
> certain recipients treat multiple HELO hostnames from the same IP
> address within a short period with suspicion, because it's one
> characteristic of snowshoe spam.
>
> So when one of our IP addresses randomly happened to send more than
> [some number of messages per minute] to a certain large ISP using
> multiple HELO names, they were flagged as potential snowshoe spam
> (despite being normal, often non-bulk messages). This was reported to
> the CSS algorithm.
>
> It further turns out that one of our customers sent a message to a
> Spamhaus spamtrap on March 6, lowering the reputation of our netblock
> just enough that the combination led to a CSS listing each time.
> "Hilarity ensued."
>
> Removing the multiple HELO hostnames from a single IP address solved it.
> Don't do that. I should have known better, because our own anti-spam
> point scoring system penalizes senders for this same thing (although it
> uses the Public Suffix List to avoid flagging different hostnames under
> the same registered domain name, which avoids this particular problem).
>
> However, I know others do this, perhaps as a side-effect of a NAT setup
> that has many different servers behind a single IP address. If that
> describes you, it would be wise to ensure that all the servers or
> instances consistently and permanently use the same HELO name.
>
> Thanks to everyone who offered help with this; it was much appreciated.
> I hope this description helps someone else.
>
> --
> Robert L Mathews, Tiger Technologies, http://www.tigertech.net/
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
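The pattern Robert describes (one source IP presenting several HELO/EHLO names inside a short window) is easy to check for in your own outbound logs before a recipient's reputation system does it for you. The script below is an added example, not code from the thread or from Tiger Technologies; the log line format, the 60-second window, the "more than one identity" threshold and the tiny stand-in for the Public Suffix List are all assumptions. It also shows the caveat Robert mentions: collapsing hostnames to their registered domain keeps mail1/mail2 under one domain from being flagged.

```python
"""Flag source IPs that use several HELO/EHLO identities within a short window."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real traffic). Assumed format:
# <ISO timestamp> ip=<address> helo=<hostname>
SAMPLE_LOG = """\
2017-03-30T10:50:01 ip=203.0.113.10 helo=mail1.example.net
2017-03-30T10:50:05 ip=203.0.113.10 helo=mail2.example.net
2017-03-30T10:50:09 ip=203.0.113.10 helo=out3.example.net
2017-03-30T10:50:20 ip=203.0.113.10 helo=mail1.example.net
2017-03-30T10:50:02 ip=198.51.100.7 helo=smtp.alpha.example
2017-03-30T10:50:04 ip=198.51.100.7 helo=smtp.beta.example
2017-03-30T10:50:06 ip=198.51.100.7 helo=smtp.gamma.example
2017-03-30T10:51:30 ip=192.0.2.5 helo=relay.one.test
2017-03-30T10:59:00 ip=192.0.2.5 helo=relay.two.test
"""

# Stand-in for the real Public Suffix List (assumption; use the full list in practice).
PUBLIC_SUFFIXES = {"net", "example", "test", "co.uk"}

def registered_domain(hostname):
    """Collapse a hostname to its registrable domain: one label plus a public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return hostname.lower()

def parse(lines):
    """Yield (timestamp, ip, helo) tuples from the assumed log format."""
    for line in lines.splitlines():
        ts, ip, helo = line.split()
        yield datetime.fromisoformat(ts), ip.split("=", 1)[1], helo.split("=", 1)[1]

def find_multi_helo(lines, window_s=60, max_names=1, collapse=True):
    """Return {ip: names} for IPs that present more than max_names distinct
    HELO identities inside any window_s-second span. With collapse=True the
    identity is the registered domain, so mail1/mail2.example.net count once."""
    by_ip = defaultdict(list)
    for ts, ip, helo in parse(lines):
        by_ip[ip].append((ts, registered_domain(helo) if collapse else helo))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        recent = deque()                      # events inside the sliding window
        for ts, name in events:
            recent.append((ts, name))
            while (ts - recent[0][0]).total_seconds() > window_s:
                recent.popleft()              # drop events older than the window
            names = {n for _, n in recent}
            if len(names) > max_names:
                flagged[ip] = names
    return flagged
```

Running `find_multi_helo(SAMPLE_LOG)` flags only 198.51.100.7 (three different registered domains in four seconds); 203.0.113.10 is flagged only with `collapse=False`, and 192.0.2.5 is never flagged because its two names are minutes apart.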