Mailing List Archive

Barracuda / EmailReg.org protection racket? (OT, but help?)
Hello SA-users,

I have a question on the other side of things: outgoing mail. I know this is off-topic but this seems to be the only venue where there might be knowledge of the problem, and the offender is a spamassassin "customer".

(I operate an MTA host on which I run SpamAssassin -- it works flawlessly. (I am running Debian Postfix 2.7.1-1+squeeze1 with spamassassin 3.3.1-1.1) This system is in an Internap data center, and provides mail services for about a half-dozen organizations that I support. SPF and DKIM are correctly configured for hosted domains, as is user authentication for submitted mail.)

I appear to be getting a shakedown scam from Barracuda Networks. They seem to be getting out of the "anti-spam" and into the "protection racket" business.

A small number of recipients have been getting bounce-unsubscribed from a community mailing list that I administer. The most recent bounces say that this "blocked using Barracuda Reputation; http://www.barracudanetworks.com/reputation/" Visiting that page provides no information on the specific reason my MTA has been blocked so I can't determine if there is a configuration issue, but there is a link for one-time removal.

Below that the page says "One way to get your email through spam filters even if you are listed on the BRBL is to register your domain and IPs at EmailReg.org." OK, sounds good, I can prove that my IP address is allowed to send for my domains -- I thought that was what SPF and DKIM are for (which are configured) but whatever.

However, I click through to emailreg.org and AFTER signing up for an account and configuring it they then reveal that there is a $20 "administrative fee" per domain.

This sounds like a scam to me. They're blacklisting mail servers, not telling why, and then offering to take you off the list (without even correcting any problems) for "just" a $20 fee. I don't see how any legitimate RBL can operate with that model.

Has anyone else here run into this? Is there a way out other than bribing Barracuda to not block my mail?

Thanks,
--Jered
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 20.06.2015 at 17:38, Jered Floyd wrote:
> A small number of recipients have been getting bounce-unsubscribed a
> community mailing list that I administer. The most recent bounces say
> that this "blocked using Barracuda Reputation;
> http://www.barracudanetworks.com/reputation/" Visiting that page
> provides no information on the specific reason my MTA has been blocked
> so I can't determine if there is a configuration issue, but there is a
> link for one-time removal.

you are blacklisted at http://www.barracudacentral.org/rbl
blame your users!

> Below that the page says "One way to get your email through spam filters
> even if you are listed on the BRBL is to register your domain and IPs at
> EmailReg.org." OK, sounds good, I can prove that my IP address is
> allowed to send for my domains -- I thought that was what SPF and DKIM
> are for (which are configured) but whatever.
>
> However, I click through to emailreg.org <http://emailreg.org> and AFTER
> signing up for an account and configuring it they then reveal that there
> is a $20 "administrative fee" per domain.
>
> This sounds like a scam to me. They're blacklisting mail servers, not
> telling why, and then offering to take you off the list (without even
> correcting any problems) for "just" a $20 fee. I don't see how any
> legitimate RBL can operate with that model.

no you don't understand how a Barracuda appliance works
emailreg.org is a whitelist like the ones spamassassin is using

in case of a barracuda appliance it overrides the RBL

> Has anyone else here run into this? Is there a way out other than
> bribing Barracuda to not block my mail?

tell your customers don't send spam
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
Harald,

> no you don't understand how a Barracuda appliance works
> emailreg.org is a whitelist like the ones spamassassin is using
>
> in case of a barracuda appliance it overrides the RBL

It's a whitelist that appears to be based solely on paying Barracuda a fee. That doesn't sound like a valid whitelist protocol!


>> Has anyone else here run into this? Is there a way out other than
>> bribing Barracuda to not block my mail?
>
> tell your customers don't send spam

I'm pretty sure none of my users are sending spam. I'm not on any other RBLs, and I haven't seen recent unusual mail volume.

Regardless, with other RBLs there is typically some information on the triggering criteria. That does not appear to be the case here. BRBL seems to be a pay-to-play whitelist with arbitrary and opaque "poor reputation" categorization.

Regards,
--Jered
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 20.06.2015 at 17:49, Jered Floyd wrote:
>
> Harald,
>
>> no you don't understand how a Barracuda appliance works
>> emailreg.org is a whitelist like the ones spamassassin is using
>>
>> in case of a barracuda appliance it overrides the RBL
>
> It's a whitelist that appears to be based solely on paying Barracuda a fee. That doesn't sound like a valid whitelist protocol!

most whitelists are based on fee

>>> Has anyone else here run into this? Is there a way out other than
>>> bribing Barracuda to not block my mail?
>>
>> tell your customers don't send spam
>
> I'm pretty sure none of my users are sending spam. I'm not on any other RBLs, and I haven't seen recent unusual mail volume.

you need to hit only *once* a honeypot

> Regardless, with other RBLs there is typically some information on the triggering criteria. That does not appear to be the case here. BRBL seems to be a pay-to-play whitelist with arbitrary and opaque "poor reputation" categorization.

no it is not, we used a barracuda appliance for nearly a decade and
there were zero complaints because of the RBL, the unwhitelistable URIBL
on barracuda is much more problematic

listing happens the same way as for other RBLs:

* hit a honeypot
* user complaints

there is an outlook plugin where you can flag every mail as ham or spam
and if a few RCPTs flag mails of your customers as spam, well you got listed
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 06/20/2015 08:38 AM, Jered Floyd wrote:
>
> Hello SA-users,
>
> I have a question on the other side of things: outgoing mail. I know
> this is off-topic but this seems to the only venue where there might
> be knowledge of the problem, and the offender is a spamassassin
> "customer".
>
> (I operate an MTA host on which I run SpamAssassin -- it works
> flawlessly. (I am running Debian Postfix 2.7.1-1+squeeze1 with
> spamassassin 3.3.1-1.1) This system is in an Internap data center,
> and provides mail services for about a half-dozen organizations that I
> support. SPF and DKIM are correctly configured for hosted domains,
> as is user authentication for submitted mail.)
>
> I appear to be getting a shakedown scam from Barracuda Networks. They
> seem to be getting out of the "anti-spam" and into the "protection
> racket" business.
>
> A small number of recipients have been getting bounce-unsubscribed a
> community mailing list that I administer. The most recent bounces say
> that this "blocked using Barracuda Reputation;
> http://www.barracudanetworks.com/reputation/" Visiting that page
> provides no information on the specific reason my MTA has been blocked
> so I can't determine if there is a configuration issue, but there is a
> link for one-time removal.
>
> Below that the page says "One way to get your email through spam
> filters even if you are listed on the BRBL is to register your domain
> and IPs at EmailReg.org." OK, sounds good, I can prove that my IP
> address is allowed to send for my domains -- I thought that was what
> SPF and DKIM are for (which are configured) but whatever.
>
> However, I click through to emailreg.org <http://emailreg.org> and
> AFTER signing up for an account and configuring it they then reveal
> that there is a $20 "administrative fee" per domain.
>
> This sounds like a scam to me. They're blacklisting mail servers, not
> telling why, and then offering to take you off the list (without even
> correcting any problems) for "just" a $20 fee. I don't see how any
> legitimate RBL can operate with that model.
>
> Has anyone else here run into this? Is there a way out other than
> bribing Barracuda to not block my mail?
>
> Thanks,
> --Jered
>
The BRBL may have listed the entire /24 that includes your sending IPs.
Painful experience has shown that Barracuda won't hear your requests for
delisting, and the listing may never go away.

Barracuda have run their emailreg.org scam for many years.

-Richard
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 21/06/2015 01:38, Jered Floyd wrote:

> I appear to be getting a shakedown scam from Barracuda Networks. They seem to be getting out of the "anti-spam" and into the "protection racket" business.
>
> A small number of recipients have been getting bounce-unsubscribed a community mailing list that I administer. The most recent bounces say that this "blocked using Barracuda Reputation; http://www.barracudanetworks.com/reputation/ [1]" Visiting that page provides no information on the specific reason my MTA has been blocked so I can't determine if there is a configuration issue, but there is a link for one-time removal.

Ask them why, they are under no obligation to remove you, but at least
you'll know why you're listed specifically.

> However, I click through to emailreg.org [2] and AFTER signing up for an account and configuring it they then reveal that there is a $20 "administrative fee" per domain.

>

That's why most sane admins ignore it, they have been pulling that stunt
for many years, and likely why they are used by fewer and fewer
companies these days, and why not pay? It's very, very simple:

Trust can only ever be earned - not bought!

and just because X trusts Y, doesn't mean it's safe for Z to trust Y
(seen this first hand many a time over the past 20 years), if it becomes a
serious problem tell the end users to complain to whoever is filtering
their mail with BN.

(we also null out all SA's included whitelist rules)

> This sounds like a scam to me. They're blacklisting mail servers, not telling why, and then offering to take you off the list (without even correcting any problems) for "just" a $20 fee. I don't see how any legitimate RBL can operate with that model.

They aren't the first to try to make a fast buck, in years gone by SORBS
would only remove you if you paid, it's why very few liked/trusted/used
SORBS, although you could ask them to remove you and they would, for
free, unless you ended up being a repetitive listing I suppose, then I
could see them enforcing their policy of the day, they have however
changed that these days I've heard, it's been nearly 10 years since I've
talked to M.S. so not sure what policies they use today.



Links:
------
[1] http://www.barracudanetworks.com/reputation/
[2] http://emailreg.org
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 21/06/2015 01:49, Jered Floyd wrote:

> Harald,
>
>> no you don't understand how a Barracuda appliance works
>> emailreg.org is a whitelist like the ones spamassassin is using
>>
>> in case of a barracuda appliance it overrides the RBL
>
> It's a whitelist that appears to be based solely on paying Barracuda a fee. That doesn't sound like a valid whitelist protocol!

I guess they might claim that fee is to validate who you say you are
(yes, same thing SPF and DKIM do now for free) it sure will not stop you
from getting spam from those "trusted" domains.
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 21/06/2015 02:16, Richard Doyle wrote:

> On 06/20/2015 08:38 AM, Jered Floyd wrote:
>
>> Hello SA-users,
>>
>> I have a question on the other side of things: outgoing mail. I know
>> this is off-topic but this seems to the only venue where there might
>> be knowledge of the problem, and the offender is a spamassassin
>> "customer".
>>
>> (I operate an MTA host on which I run SpamAssassin -- it works
>> flawlessly. (I am running Debian Postfix 2.7.1-1+squeeze1 with
>> spamassassin 3.3.1-1.1) This system is in an Internap data center,
>> and provides mail services for about a half-dozen organizations that I
>> support. SPF and DKIM are correctly configured for hosted domains,
>> as is user authentication for submitted mail.)
>>
>> I appear to be getting a shakedown scam from Barracuda Networks. They
>> seem to be getting out of the "anti-spam" and into the "protection
>> racket" business.
>>
>> A small number of recipients have been getting bounce-unsubscribed a
>> community mailing list that I administer. The most recent bounces say
>> that this "blocked using Barracuda Reputation;
>> http://www.barracudanetworks.com/reputation/ [1]" Visiting that page
>> provides no information on the specific reason my MTA has been blocked
>> so I can't determine if there is a configuration issue, but there is a
>> link for one-time removal.
>>
>> Below that the page says "One way to get your email through spam
>> filters even if you are listed on the BRBL is to register your domain
>> and IPs at EmailReg.org." OK, sounds good, I can prove that my IP
>> address is allowed to send for my domains -- I thought that was what
>> SPF and DKIM are for (which are configured) but whatever.
>>
>> However, I click through to emailreg.org <http://emailreg.org [2]> and
>> AFTER signing up for an account and configuring it they then reveal
>> that there is a $20 "administrative fee" per domain.
>>
>> This sounds like a scam to me. They're blacklisting mail servers, not
>> telling why, and then offering to take you off the list (without even
>> correcting any problems) for "just" a $20 fee. I don't see how any
>> legitimate RBL can operate with that model.
>>
>> Has anyone else here run into this? Is there a way out other than
>> bribing Barracuda to not block my mail?
>>
>> Thanks,
>> --Jered
> The BRBL may have listed the entire /24 that includes your sending IPs.
> Painful experience has shown that Barracuda won't hear your requests for
> delisting, and the listing may never go away.
>
> Barracuda have run their emailreg.org scam for many years.
>
> -Richard

In listing a /24, I'm sure they, like most DNSBLs, only take that avenue
if there are multiple IPs within that range causing, or having the
potential of causing, problems or potential for listing avoidance - this
is common with snowshoers



Links:
------
[1] http://www.barracudanetworks.com/reputation/
[2] http://emailreg.org
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
Richard,

> The BRBL may have listed the entire /24 that includes your sending IPs.
> Painful experience has shown that Barracuda won't hear your requests for
> delisting, and the listing may never go away.

I believe you've got it in one. I heard back from a colleague on the same /24 (though not the same address!) and he had a client with a bad WordPress install that was generating spam.

That seems to make this EmailReg situation even more egregious -- if they're really blocking whole networks based on a single IP then it really is a protection scheme operated (opaquely) by Barracuda. "Pay us money if you want mail to get through to our customers; we'll blacklist you arbitrarily otherwise." How can this possibly be legal under US racketeering laws?

--Jered
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
I wonder what their justification is for doing this.

2015-06-21 16:33 GMT+02:00 Jered Floyd <jered@convivian.com>:

>
> Richard,
>
> > The BRBL may have listed the entire /24 that includes your sending IPs.
> > Painful experience has shown that Barracuda won't hear your requests for
> > delisting, and the listing may never go away.
>
> I believe you've got it in one. I heard back from a colleague on the same
> /24 (though not the same address!) and he had a client with a bad WordPress
> install that was generating spam.
>
> That seems to make this EmailReg situation even more egregious -- if
> they're really blocking whole networks based on a single IP then it really
> is a protection scheme operated (opaquely) by Barracuda. "Pay us money if
> you want mail to get through to our customers; we'll blacklist you
> arbitrarily otherwise." How can this possibly be legal under US
> racketeering laws?
>
> --Jered
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 21.06.2015 at 17:00, Jeroen de Neef wrote:
> I wonder what their justification is for doing this.

the question is how many additional IPs on the /24 were in fact sending
spam, see http://www.spamhaus.org/faq/section/Glossary#233

> 2015-06-21 16:33 GMT+02:00 Jered Floyd <jered@convivian.com
> <mailto:jered@convivian.com>>:
>
> Richard,
>
> > The BRBL may have listed the entire /24 that includes your
> sending IPs.
> > Painful experience has shown that Barracuda won't hear your
> requests for
> > delisting, and the listing may never go away.
>
> I believe you've got it in one. I heard back from a colleague on
> the same /24 (though not the same address!) and he had a client with
> a bad WordPress install that was generating spam.
>
> That seems to make this EmailReg situation even more egregious -- if
> they're really blocking whole networks based on a single IP then it
> really is a protection scheme operated (opaquely) by Barracuda.
> "Pay us money if you want mail to get through to our customers;
> we'll blacklist you arbitrarily otherwise." How can this possibly
> be legal under US racketeering laws?
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
> I appear to be getting a shakedown scam from Barracuda Networks.

You are not being shaken down, but you might be slandering. ;-)

I'm fairly certain that BN isn't making much profit off of your $20.
What they are getting is your commitment, and your ID, that one or
more IP addrs under your control will not spam. And if you do spam
from those IPs, and BN detects it, they have evidence to tie you to
the crime (plus previously accepted agreement that you would
voluntarily handle the situation in a mutually agreed upon manner)

$20 is $20, but frankly most people pay more than that in snail mail
postage each year.

-Jim P.
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On Sunday 21 June 2015 at 17:22:58 (EU time), Jim Popovitch wrote:

> > I appear to be getting a shakedown scam from Barracuda Networks.
>
> You are not being shaken down, but you might be slandering. ;-)
>
> I'm fairly certain that BN isn't making much profit off of your $20.
> What they are getting is your commitment, and your ID, that one or
> more IP addrs under your control will not spam. And if you do spam
> from those IPs, and BN detects it, they have evidence to tie you to
> the crime (plus previously accepted agreement that you would
> voluntarily handle the situation in a mutually agreed upon manner)

It seems to me that $20 is nothing to the spammers - and they're already using
techniques to change their IP addresses on a regular basis.

So, spammer pays BN $20, gets found out some while later, moves IP, and pays
BN $20 for that address instead (meanwhile raking in another $20 quicker than
most of us do, I suspect). Or, are you assuming that spammers don't have
multiple identities / businesses / bank accounts to make their payments from?

> $20 is $20, but frankly most people pay more than that in snail mail
> postage each year.

Er, so? Most people pay more than $20 for lots of things per year - that
doesn't mean you should just give $20 to anyone who asks for it, so that you
can carry on running a legitimate business.


Regards,


Antony.

--
BASIC is to computer languages what Roman numerals are to arithmetic.

Please reply to the list;
please *don't* CC me.
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 21.06.2015 at 18:58, Antony Stone wrote:
> On Sunday 21 June 2015 at 17:22:58 (EU time), Jim Popovitch wrote:
>
>>> I appear to be getting a shakedown scam from Barracuda Networks.
>>
>> You are not being shaken down, but you might be slandering. ;-)
>>
>> I'm fairly certain that BN isn't making much profit off of your $20.
>> What they are getting is your commitment, and your ID, that one or
>> more IP addrs under your control will not spam. And if you do spam
>> from those IPs, and BN detects it, they have evidence to tie you to
>> the crime (plus previously accepted agreement that you would
>> voluntarily handle the situation in a mutually agreed upon manner)
>
> It seems to me that $20 is nothing to the spammers - and they're already using
> techniques to change their IP addresses on a regular basis.
>
> So, spammer pays BN $20, gets found out some while later, moves IP, and pays
> BN $20 for that address instead (meanwhile raking in another $20 quicker than
> most of us do, I suspect). Or, are you assuming that spammers don't have
> multiple identities / businesses / bank accounts to make their payments from?

spammers don't invest money, never

spammers just use botnets and hacked machines and leave the collateral
damage for the hacked machines and network ranges to the owner

>> $20 is $20, but frankly most people pay more than that in snail mail
>> postage each year.
>
> Er, so? Most people pay more than $20 for lots of things per year - that
> doesn't mean you should just give $20 to anyone who asks for it, so that you
> can carry on running a legitimate business

there are more RBLs than you think which handle "bad neighbourhood", not
only Barracuda - example: http://www.uceprotect.net/de/index.php?m=3&s=4

it escalates based on network size and spammer IPs detected:

/23: 9 abuser IPs
/22: 14 abuser IPs
/21: 24 abuser IPs
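
The "bad neighbourhood" escalation described in the post above, as an added example that is not part of the original thread or any list operator's code: it counts distinct abuser IPs per enclosing network against the /23, /22 and /21 thresholds quoted above and shows how a clean sender ends up as collateral. The sample addresses (taken from the 198.18.0.0/15 benchmarking range), the function names and the choice to count distinct IPs are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Thresholds as quoted in the post: prefix length -> number of abuser IPs
# that escalates a listing to the whole network. Counting *distinct* IPs
# is an assumption of this example.
THRESHOLDS = {23: 9, 22: 14, 21: 24}

# Constructed sample data (198.18.0.0/15 is reserved for benchmarking).
SAMPLE_ABUSERS = (
    [f"198.18.0.{h}" for h in range(10, 15)]       # 5 hosts
    + [f"198.18.1.{h}" for h in range(20, 24)]     # 4 hosts in the same /23
    + ["198.18.0.10"]                              # duplicate report, counted once
    + ["198.18.8.1", "198.18.9.2", "198.18.10.3"]  # 3 hosts in another /21
)


def escalated_networks(abuser_ips, thresholds=THRESHOLDS):
    """Return {network: distinct_abuser_count} for every network that
    reaches the threshold configured for its prefix length."""
    unique = {ipaddress.ip_address(ip) for ip in abuser_ips}
    listed = {}
    for prefix, needed in thresholds.items():
        # Map each abuser to its enclosing network at this prefix length.
        counts = Counter(
            ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in unique
        )
        listed.update({net: n for net, n in counts.items() if n >= needed})
    return listed


def classify_sender(ip, abuser_ips, thresholds=THRESHOLDS):
    """Classify a sending IP as 'abuser', 'collateral' or 'clean' and
    return the widest escalated network covering it (or None)."""
    addr = ipaddress.ip_address(ip)
    covering = [n for n in escalated_networks(abuser_ips, thresholds) if addr in n]
    widest = min(covering, key=lambda n: n.prefixlen, default=None)
    if addr in {ipaddress.ip_address(a) for a in abuser_ips}:
        return "abuser", widest
    if widest is not None:
        return "collateral", widest   # clean host inside a listed range
    return "clean", None


if __name__ == "__main__":
    for net, n in escalated_networks(SAMPLE_ABUSERS).items():
        print(f"{net} escalated with {n} distinct abuser IPs")
    for sender in ("198.18.1.200", "198.18.8.5", "198.18.0.10"):
        print(sender, classify_sender(sender, SAMPLE_ABUSERS))
```

A sender classified as "collateral" has nothing to fix on its own host; the evidence to bring to the network owner or the rejecting site is the covering network and its abuser count.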
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 21 Jun 2015, at 10:33, Jered Floyd wrote:

> Richard,
>
>> The BRBL may have listed the entire /24 that includes your sending
>> IPs.
>> Painful experience has shown that Barracuda won't hear your requests
>> for
>> delisting, and the listing may never go away.
>
> I believe you've got it in one. I heard back from a colleague on the
> same /24 (though not the same address!) and he had a client with a bad
> WordPress install that was generating spam.
>
> That seems to make this EmailReg situation even more egregious -- if
> they're really blocking whole networks based on a single IP then it
> really is a protection scheme operated (opaquely) by Barracuda. "Pay
> us money if you want mail to get through to our customers; we'll
> blacklist you arbitrarily otherwise." How can this possibly be legal
> under US racketeering laws?


I'm not defending Barracuda specifically, as I have long believed them
to be an opportunistic, ethics-free, low-quality organization selling
overpriced garbage to people too desperately clueless to know better...

However, even carelessly run blacklists of IPs for email have been
protected in US courts by 2 things:

1. Blacklist operators are not doing any actual blocking, their users
are. Senders on "collateral damage" IPs are free to appeal to the actual
sites rejecting their mail for exceptions and any
competently-administered site will be able to do so. Any DNSBL operator
is akin to a movie reviewer: they don't directly control anyone's
behavior, they merely influence those who choose to pay them heed.

2. Virtually every US law explicitly touching Internet filtering (COPPA,
COPPA2, CAN-SPAM, etc.) has included some "safe haven" provision for
those implementing and using filtering tools in good faith. The
interpretation of what constitutes "good faith" has been extremely
broad, essentially meaning that if Barracuda has a theory that listing
innocents in the vicinity of spammers helps avoid future spam, they
don't need to actually have evidence of its validity or weigh any
tangible damage against theoretical benefit.

The flipside of this de facto immunity is that you are free to point out
to those who reject your mail due to Barracuda's shoddy advice that
Barracuda gives shoddy advice for which they do not deserve much
attention or any money.
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On Sunday 21 June 2015 at 19:23:58 (EU time), Reindl Harald wrote:

> spammers don't invest money, never

Ah, my bad understanding - I followed the link you posted earlier
http://www.spamhaus.org/faq/section/Glossary#233 which pointed me to
http://www.spamhaus.org/news/article/641?article=641 which contains the quote
from a spam enabling entity:

"$70,875/month gets you 9 class C's spread across at least 5 providers with
bandwidth for 8 Millions HTML emails per day per class C. Network blocks
(class C's) will be replaced after at least 60 days if they are blocked.
Network Blocks may be replaced solely in the event such Network Block has been
blacklisted by SpamHaus."

That looked to me like the spammers were paying for the IP address ranges
which we were discussing being blocked.


Regards,


Antony.

--
It is also possible that putting the birds in a laboratory setting
inadvertently renders them relatively incompetent.

- Daniel C Dennett

Please reply to the list;
please *don't* CC me.
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 21.06.2015 at 20:52, Antony Stone wrote:
> On Sunday 21 June 2015 at 19:23:58 (EU time), Reindl Harald wrote:
>
>> spammers don't invest money, never
>
> Ah, my bad understanding - I followed the link you posted earlier
> http://www.spamhaus.org/faq/section/Glossary#233 which pointed me to
> http://www.spamhaus.org/news/article/641?article=641 which contains the quote
> from a spam enabling entity:
>
> "$70,875/month gets you 9 class C's spread across at least 5 providers with
> bandwidth for 8 Millions HTML emails per day per class C. Network blocks
> (class C's) will be replaced after at least 60 days if they are blocked.
> Network Blocks may be replaced solely in the event such Network Block has been
> blacklisted by SpamHaus."
>
> That looked to me like the spammers were paying for the IP address ranges
> which we were discussing being blocked

that's why spammers mostly use hijacked servers or enduser machines like
one or most likely more IPs in the /24 network of the thread starter,
he is just a victim of another fool not caring about security updates on
his webservers if you follow the thread
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On Sun, 21 Jun 2015 19:23:58 +0200
Reindl Harald <h.reindl@thelounge.net> wrote:

> spammers don't invest money, never

Of course not. They pay using a stolen credit card.

I don't approve of Barracuda's behaviour. If they're blocking
/24s because of some bad machines, you should not have to pay for
delisting one IP. If they can prove that your specific IP was responsible
for a spam run, then it's legit to charge for delisting, but not
otherwise.

I also don't approve of blocking entire networks for one or a few
bad IPs. People who use DNSBLs that have those policies simply lack
decent spam filters, so they take a scorched-earth approach.

Regards,

Dianne.
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On Sun, Jun 21, 2015 at 4:22 PM, Dianne Skoll <dfs@roaringpenguin.com> wrote:
> you should not have to pay for delisting one IP.

and with BN you are NOT paying for a delisting. You are paying for
the upfront ID validation and verification process that goes into
fast-tracking your email flow. If you don't want that, fine, don't
pay it.

-Jim P.
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 21.06.2015 at 22:22, Dianne Skoll wrote:
> On Sun, 21 Jun 2015 19:23:58 +0200
> Reindl Harald <h.reindl@thelounge.net> wrote:
>
>> spammers don't invest money, never
>
> Of course not. They pay using a stolen credit card.
>
> I don't approve of Barracuda's behaviour. If they're blocking
> /24s because of some bad machines, you should not have to pay for
> delisting one IP. If they can prove that your specific IP was responsible
> for a spam run, then it's legit to charge for delisting, but not
> otherwise.
>
> I also don't approve of blocking entire networks for one or a few
> bad IPs. People who use DNSBLs that have those policies simply lack
> decent spam filters, so they take a scorched-earth approach

agreed - at least partly - it's hard to say from outside how many "few
bad IPs" really did send junk and on the other hand there are RBL
operators which list whole /24 networks just because the operator doesn't
like a single person who writes mails to mailing lists by hand and
with his full name......

Barracuda is far away from being perfect, otherwise i would not have
spent many hundred hours of my lifetime to build up a replacement and
maintain it, but what they don't do is list something without any reason
just to make money
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On Sun, 21 Jun 2015 16:26:54 -0400
Jim Popovitch <jimpop@gmail.com> wrote:

> On Sun, Jun 21, 2015 at 4:22 PM, Dianne Skoll
> > you should not have to pay for delisting one IP.
> and with BN you are NOT paying for a delisting.

You are splitting hairs. Essentially, you are paying for delisting.

We run our own set of DNSBLs and we delist anyone who requests
delisting for free. That's how it should be done.

Regards,

Dianne.
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 21.06.2015 at 22:52, Dianne Skoll wrote:
> On Sun, 21 Jun 2015 16:26:54 -0400
> Jim Popovitch <jimpop@gmail.com> wrote:
>
>> On Sun, Jun 21, 2015 at 4:22 PM, Dianne Skoll
>>> you should not have to pay for delisting one IP.
>> and with BN you are NOT paying for a delisting.
>
> You are splitting hairs. Essentially, you are paying for delisting.
>
> We run our own set of DNSBLs and we delist anyone who requests
> delisting for free. That's how it should be done

the question is *how* is that de-listing managed and how do you manage
"i will take care in the future" and if that's not true because
de-listing is just a click how easy is it for spammers to not really care

in fact if someone had a hacked server that's bad luck, but if someone
sends spam by intention and needs to spend money to get his IPs
de-listed there is a barrier because sending spam is no longer a business model
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On Sun, Jun 21, 2015 at 4:52 PM, Dianne Skoll <dfs@roaringpenguin.com> wrote:
> On Sun, 21 Jun 2015 16:26:54 -0400
> Jim Popovitch <jimpop@gmail.com> wrote:
>
>> On Sun, Jun 21, 2015 at 4:22 PM, Dianne Skoll
>> > you should not have to pay for delisting one IP.
>> and with BN you are NOT paying for a delisting.
>
> You are splitting hairs. Essentially, you are paying for delisting.

/sigh

I'm not splitting hairs, you are redefining "delisting". Go read the
first sentence on emailreg.org and learn something about them.

-Jim P.
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
EmailReg.org operates a whitelist, so you pay to get listed there. The site doesn't say much at all about what sort of verification or later delisting for spam they might do.

However, they are promoted directly on the "Sorry, your email was blocked" page for Barracuda Reputation, and the page explicitly says that if you register at EmailReg.org then you'll bypass the BRBL.

There is a murky relationship between Barracuda and EmailReg. It's awfully suspicious that signing up on whitelist X clears you from "unrelated" blacklist Y.

So, it may not be "paying to delist one IP" in framing, but in action it seems to be pretty darn close to that...

--Jered


Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 21.06.2015 at 23:50, Jered Floyd wrote:
> There is a murky relationship between Barracuda and EmailReg. It's awfully suspicious that signing up on whitelist X clears you from "unrelated" blacklist Y.
>
> So, it may not be "paying to delist one IP" in framing, but in action it seems to be pretty darn close to that...

no, it is not

if somebody thinks he has a free ride for spam he will be removed from
EmailReg as fast as lightning - that said from a BN customer from 2005
until 2014/08 and aware of all the bullshit BN do the last few years after
2013-11 (In November 2013, Barracuda Networks went public on the New
York Stock Exchange under the ticker symbol CUDA)
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On Sun Jun 21 16:22:26 2015, Dianne Skoll wrote:
> I don't approve of Barracuda's behaviour. If they're blocking
> /24s because of some bad machines, you should not have to pay for
> delisting one IP. If they can prove that your specific IP was responsible
> for a spam run, then it's legit to charge for delisting, but not
> otherwise.

I don’t know how Barracuda manages /24 blacklisting, but generally the
abuse contact is contacted (in fact the ISP, unless you have your own IP
block) and if there isn’t an answer for some IPs, the block is blacklisted.

--
Alarig Le Lay
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On Sun, 21 Jun 2015 22:55:41 +0200
Reindl Harald <h.reindl@thelounge.net> wrote:

> the question is *how* is that de-listing managed and how do you
> manage "i will take care in the future" and if that's not true
> because de-listing is just a click how easy is it for spammers to not
> really care

I delist anyone who asks without questioning them. The server stays
delisted for 45 days and then we once again re-evaluate it based
on observed reputation. We have the whole process pretty much
automated.

This system has worked very well for us.

Regards,

Dianne.
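The policy described in the message above (delist on request without questions, hold for 45 days, then re-evaluate on observed reputation), sketched as an added example that is not Dianne's or her company's code. The class and function names, the sample-count and spam-ratio thresholds, and the choice to reset counters at delisting are assumptions; the sample IPs are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

GRACE = timedelta(days=45)  # from the message: a delisted server stays off for 45 days
MIN_SAMPLES = 20            # assumption: messages needed before reputation is judged
SPAM_RATIO = 0.5            # assumption: spam share at which an IP is (re)listed


@dataclass
class Entry:
    listed: bool = False
    grace_until: Optional[datetime] = None
    spam: int = 0
    ham: int = 0


class Blocklist:
    """Hypothetical reputation-driven DNSBL with free, unconditional delisting."""

    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}

    def _evaluate(self, e: Entry, now: datetime) -> None:
        if e.grace_until is not None and now < e.grace_until:
            return  # inside the grace window: evidence accumulates, status is frozen
        e.grace_until = None
        total = e.spam + e.ham
        e.listed = total >= MIN_SAMPLES and e.spam / total >= SPAM_RATIO

    def observe(self, ip: str, is_spam: bool, now: datetime) -> None:
        """Record one message seen from `ip` (e.g. a spamtrap hit or a ham report)."""
        e = self.entries.setdefault(ip, Entry())
        if is_spam:
            e.spam += 1
        else:
            e.ham += 1
        self._evaluate(e, now)

    def request_delisting(self, ip: str, now: datetime) -> None:
        """Delist anyone who asks; only behaviour after the request counts later."""
        e = self.entries.setdefault(ip, Entry())
        e.listed = False
        e.spam = e.ham = 0
        e.grace_until = now + GRACE

    def is_listed(self, ip: str, now: datetime) -> bool:
        e = self.entries.get(ip)
        if e is None:
            return False
        self._evaluate(e, now)  # the grace window may have expired since the last event
        return e.listed


def demo() -> dict:
    """Two constructed senders: one fixes the problem, one keeps sending spam."""
    bl = Blocklist()
    t0 = datetime(2015, 6, 21)
    fixed, repeat = "192.0.2.10", "192.0.2.20"  # constructed (TEST-NET-1)
    for ip in (fixed, repeat):
        for _ in range(30):
            bl.observe(ip, True, t0)
    before = (bl.is_listed(fixed, t0), bl.is_listed(repeat, t0))
    for ip in (fixed, repeat):
        bl.request_delisting(ip, t0)
    for day in range(1, 45):
        now = t0 + timedelta(days=day)
        bl.observe(fixed, False, now)   # cleaned-up server sends only ham
        bl.observe(repeat, True, now)   # the other one keeps spamming
    d44, d45 = t0 + timedelta(days=44), t0 + timedelta(days=45)
    return {
        "before": before,
        "during_grace": (bl.is_listed(fixed, d44), bl.is_listed(repeat, d44)),
        "after_grace": (bl.is_listed(fixed, d45), bl.is_listed(repeat, d45)),
    }


if __name__ == "__main__":
    print(demo())
```

In this model the click-to-delist costs the list operator at most one grace window per request, because the evidence gathered during the window decides the status as soon as it ends.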
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
Hi Jered,

I'm not a Barracuda customer myself I can only report my own interaction
with them. I run several public mailservers.

1) I don't run public mailing lists and if I ever was going to do that I
would run them on a separate server with a separate IP address

2) I don't run my webserver on the same server as my mailservers.

3) I have gotten BLed by Barracuda a couple of times. It usually takes
about 3-4 days to get delisted so while I'm waiting I route outgoing
mail through an alternate server. I get BLed when a customer falls for
a phish mail and gives out their password.

My recommendation is you have at least 4 public IP addresses with servers,
one for your webserver, one for your mailserver and one for an alternate
mailserver and one for a mailing list server.

As for the "class C block" I think that is likely that you are trying to
do everything with a single static IP. If you had a subnet of public
IPs then the ISP that issued it to you would SWIP them to you and
you would have no problems proving to Barracuda that you're not part of
the rabble.

I realize you said you're in a data center. Contact the data center
provider and tell them you want a block they will SWIP to you. I
realize this may cost you some more money. But email is not one of
those things you can do well on the cheap.

Ted


Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
Hi Ted,

Thanks for the advice. I'm doing pretty much all of that except reserving an alternate IP as a backup relay/smarthost. That's a good idea.

I use one IP for almost all web traffic (going through a reverse proxy to a VM farm), one for DNS/Kerberos, one for a legacy install of my MUA, and one as both my MX and MTA. All my internal services relay to the MTA which is listed in SPF and handles DKIM signing; on the inbound side it handles SA and relay to appropriate internal host based on domain.

Having everything relay through one system gives me the opportunity to monitor for unusual mail volume across all services/clients.

Having an "emergency MTA" in my SPF records that I can relay to (or just bring up as another address on the existing server) would definitely help as long as the netblock isn't listed... getting a spare address on a different network would be useful, but I'm not sure how hard that will be to pry from Internap.

The form does seem to have worked, and I'm not currently on the BRBL, although this morning I got bounces from a Barracuda customer for a very benign message with "rejected due to spam content," so who knows. I wish there was better visibility into the process.

Best,
--Jered


Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 23.06.2015 at 14:47, Jered Floyd wrote:
> The form does seem to have worked, and I'm not currently on the BRBL, although this morning I got bounces from a Barracuda customer for a very benign message with "rejected due to spam content," so who knows. I wish there was better visibility into the process.

then it was not blocked by the RBL but by the content filter

making the process not visible is by intention on a spamfilter because
otherwise you leak information on how to bypass it

anyways, the biggest drawback of barracuda appliances is that you can
add additional blacklists but you can *not* score - the choices are
reject, quarantine, tag and that doesn't work sensibly because if the
first response is from an RBL with "quarantine" it will not get rejected
at all while without that RBL listed on a different one it would have been
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
>> The form does seem to have worked, and I'm not currently on the BRBL, although
>> this morning I got bounces from a Barracuda customer for a very benign message
>> with "rejected due to spam content," so who knows. I wish there was better
>> visibility into the process.
>
> then it was not blocked by the RBL but by the content filter

Yes, I am aware of that. My point was that if they are feeling that benign content (I'm happy to forward to you) is spam, that may be a prelude to being on the BRBL again. (Although that does appear to have been due to a colleague's WordPress mishap.)


> making the process not visible is by intention on a spamfilter because
> otherwise you leak information on how to bypass it

Of course! With SA I can see what rules are being hit, though, which is nice. I'm not sure if the same is possible for a Barracuda client -- I have asked the affected recipient.

--Jered
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 23.06.2015 at 14:57, Jered Floyd wrote:
>>> The form does seem to have worked, and I'm not currently on the BRBL, although
>>> this morning I got bounces from a Barracuda customer for a very benign message
>>> with "rejected due to spam content," so who knows. I wish there was better
>>> visibility into the process.
>>
>> then it was not blocked by the RBL but by the content filter
>
> Yes, I am aware of that. My point was that if they are feeling that benign content (I'm happy to forward to you) is spam, that may be a prelude to being on the BRBL again. (Although that does appear to have been due to a colleague's WordPress mishap.)

maybe the RCPT did train his appliance wrong?

most people do that because they don't realize that training ham is more
important than training spam after a suitable amount is trained

>> making the process not visible is by intention on a spamfilter because
>> otherwise you leak information on how to bypass it
>
> Of course! With SA I can see what rules are being hit, though, which is nice. I'm not sure if the same is possible for a Barracuda client -- I have asked the affected recipient.

surely, you see even more on a Barracuda like which tokens of the message
was a hit and how often that token was marked as spam and as ham in case
of bayes via the web interface

a highly customized spamassassin is part of the barracuda appliance
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
Jered Floyd <jered@convivian.com> wrote:

>
> Hi Ted,
>
> Thanks for the advice. I'm doing pretty much all of that except reserving an alternate IP as a backup relay/smarthost. That's a good idea.
>
> I use one IP for almost all web traffic (going through a reverse proxy to a VM farm), one for DNS/Kerberos, one for a legacy install of my MUA, and one as both my MX and MTA. All my internal services relay to the MTA which is listed in SPF and handles DKIM signing; on the inbound side it handles SA and relay to appropriate internal host based on domain.

One thing to keep in mind is that you may need to rotate your spare IPs in now and then. Others can correct me, but my understanding is that all the major email providers are going to treat an IP that regularly sends email to them very differently than a “new” IP. You’d essentially be starting to send from an IP that has no reputation (or a reputation based on its neighbors).

It’s a tempting idea, we had a misconfiguration (a forgotten “mynetworks” entry) allow a hacked biz customer to send a giant phishing campaign. Quick to clean up, but it is a PITA to sort things out with AOL and Verizon (and a few others that seem to have lightly-staffed postmaster departments). Being able to swap to some new IPs would have been handy, but I’m not confident it’s a silver bullet.

Charles

Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 23.06.2015 at 21:28, Charles Sprickman wrote:
> One thing to keep in mind is that you may need to rotate your spare IPs in now and then. Others can correct me, but my understanding is that all the major email providers are going to treat an IP that regularly sends email to them very differently than a “new” IP. You’d essentially be starting to send from an IP that has no reputation (or a reputation based on its neighbors).

and *because* you have *no* reputation you will get a bad result if it
comes to greylisting and similar spam prevention by treating a completely
new IP as suspect and hence prematurely rotating IPs until something bad
happened is exactly what you should *not* do
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
Heh Heh Heh Heh Heh

Since you and Charles have obviously never done this before why do you
feel qualified to comment?

Go ahead and not do this based on these logic castles you have built
that are not founded on any experience of reality. Your customers will
be suffering for a few days while you wait to get off a blacklist while
mine won't.

I have used this trick over many years while waiting for
AOL/Barracuda/etc. to pull their heads out on a de-list request. Of
course, adding a little sophistication in use helps. I ASSUMED I could
point you mules-heads in the right direction and you would use your
brains to figure out how to properly do this instead of figuring out how
to justify ass-sitting and not even trying it out.

But since you're obviously too lazy to put any thought into the
technique, I don't see why I should waste my time elaborating any
further on it.

Jered, feel free to email me privately and I'll explain what you need to
do and how to set this up so that it works, if you're interested.

Disgustedly,
Ted

Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 26.06.2015 at 18:43, Ted Mittelstaedt wrote:
> Heh Heh Heh Heh Heh
>
> Since you and Charles have obviously never done this before why do you
> feel qualified to comment?

*lol*

Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
Although what you describe is a "workaround", the key is to keep your
house in order so you don't get listed, especially if you have not
actually fixed up the problem, DNSBLs are just like local sys admins,
they get tired of adding in /32's after /32's for the same @$#holes,
that's when the /32's get removed and /24's get added, it won't take too
long to end up blocking all of your ranges. In fact since you've made
public your stance, it is likely anyone blocking your IP range, and
discovering it's your service, may decide to block all of your IP ranges
first off to avoid whack-a-mole games.

Not many people I know have any faith in reputation services that try
"whitelist", but there are a tiny minority that apparently do, though
I've not known or in 25 years heard of, anyone getting blocked because
you're using a new IP address on a system sending mail (why should we care
if it's a new IP, or a 20yo IP - what's more of interest to us is how new
your "domain" is, who your registrar is, what your authoritative NS's
are, that's where we spam score you, backing off a bit as days and weeks
go by), I'd be more concerned for the users of such a wacky reputation
service than the fact they might block a new IP of mine or whosever.

Given most medium and large networks use multiple servers for sending
customer mails, when the load balancers are showing the existing cluster
needs expanding, we add more into the cluster, so I can't see anyone
stupid enough to use a service blocking new IPs, if they do, they
deserve all the hell they bring upon themselves :)

On 27/06/2015 02:43, Ted Mittelstaedt wrote:

> Heh Heh Heh Heh Heh
>
> Since you and Charles have obviously never done this before why do you
> feel qualified to comment?
>
> Go ahead and not do this based on these logic castles you have built
> that are not founded on any experience of reality. Your customers will be suffering for a few days while you wait to get off a blacklist while mine won't.
>
> I have used this trick over many years while waiting for AOL/Barracuda/etc. to pull their heads out on a de-list request. Of course, adding a little sophistication in use helps. I ASSUMED I could point you mules-heads in the right direction and you would use your brains to figure out how to properly do this instead of figuring out how to justify ass-sitting and not even trying it out.
>
> But since you're obviously too lazy to put any thought into the technique, I don't see why I should waste my time elaborating any further on it.
>
> Jered, feel free to email me privately and I'll explain what you need to
> do and how to set this up so that it works, if you're interested.
>
> Disgustedly,
> Ted
>
> On 6/23/2015 12:32 PM, Reindl Harald wrote:
> On 23.06.2015 at 21:28, Charles Sprickman wrote:
> One thing to keep in mind is that you may need to rotate your spare
> IPs in now and then. Others can correct me, but my understanding is
> that all the major email providers are going to treat an IP that
> regularly sends email to them very differently than a "new" IP. You'd
> essentially be starting to send from an IP that has no reputation (or
> a reputation based on its neighbors).
> and *because* you have *no* reputation you will get a bad result if it
> comes to greylisting and similar spam prevention by treating a completely
> new IP as suspect and hence prematurely rotating IPs until something bad
> happened is exactly what you should *not* do
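The escalation Noel describes in the message above (individual /32 entries replaced by a /24 once enough offenders share it), as an added example that is not taken from any list operator's code. The escalation threshold, function names and status labels are assumptions, and the addresses are constructed documentation ranges. It also shows why a clean sender in such a range cannot fix the listing by cleaning up its own host.

```python
import ipaddress

ESCALATE_AT = 3  # assumption: distinct offenders in one /24 before the /24 itself is listed

# Constructed sample data (TEST-NET-2 and TEST-NET-3 documentation ranges).
OFFENDERS = ["198.51.100.5", "198.51.100.17", "198.51.100.200", "203.0.113.9"]


def build_blocklist(offenders, escalate_at=ESCALATE_AT):
    """Return sorted list entries: /32 per offender, or one /24 for a noisy range."""
    by_net = {}
    for ip in offenders:
        addr = ipaddress.IPv4Address(ip)
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        by_net.setdefault(net, set()).add(addr)
    entries = []
    for net, addrs in by_net.items():
        if len(addrs) >= escalate_at:
            entries.append(net)  # the /32s are dropped in favour of the whole /24
        else:
            entries.extend(ipaddress.ip_network(f"{a}/32") for a in addrs)
    return sorted(entries)


def classify(entries, offenders, ip):
    """Tell a sender whether it is clean, listed for its own traffic, or collateral."""
    addr = ipaddress.IPv4Address(ip)
    own = {ipaddress.IPv4Address(o) for o in offenders}
    for net in entries:
        if addr in net:
            status = "listed-own" if addr in own else "listed-collateral"
            return status, str(net)
    return "clean", None


if __name__ == "__main__":
    bl = build_blocklist(OFFENDERS)
    for ip in ("198.51.100.5", "198.51.100.77", "203.0.113.9", "203.0.113.10"):
        print(ip, classify(bl, OFFENDERS, ip))
```

A "listed-collateral" result is the case discussed earlier in the thread where a whole block is listed: the remedy lies with whoever controls the neighbouring addresses or the allocation record, not with the affected host's configuration.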
Re: Barracuda / EmailReg.org protection racket? (OT, but help?)
On 6/27/2015 4:02 AM, Noel Butler wrote:
> Although what you describe is a "workaround", the key is to keep your
> house in order so you don't get listed, especially if you have not
> actually fixed up the problem,

Oh Noel, why are you giving me fish in a barrel to shoot?

OK, now that you put your foot in it, please elaborate on how a
"house is kept in order" that will protect it from idiots. This is
going to be fun!

Oh and don't forget to define the difference between chronic offenders
and just regular people who get nailed for no reason.

> DNSBLs are just like local sys admins,
> they get tired of adding in /32's after /32's for the same @$#holes,
> that's when the /32's get removed and /24's get added, it won't take too
> long to end up blocking all of your ranges. In fact since you've made
> public your stance, it is likely anyone blocking your IP range, and
> discovering it's your service, may decide to block all of your IP ranges
> first off to avoid whack-a-mole games.
>

Did it ever, possibly, occur to you that my 'workaround' wouldn't work
if someone has a chronic problem? Nor would it work if someone was just
doing it because they were too lazy to fix an open relay because
the backup IP would just instantly get RBLed again.

Why do you think I RECOMMENDED doing it? Do you think that _I_ want to
get spammed by the OP if he doesn't know WTF he is doing?

The beauty of my suggestion is if the OP is just going to try doing
it because he doesn't want to clean up his setup, it won't work.

Get it, now?

That's precisely why anyone out there reading this who is running an RBL
is going to ignore "my stance" as you put it.

They know that if I can defeat their RBL by simply switching IP's then
their RBL has a problem. Because, switching IPs is what snowshoe
spammers do every day and if they cannot block me switching an IP then
they cannot block them and their RBL isn't worth a bucket of hog slop.

> Not many people I know have any faith in reputation services that try
> "whitelist", but there are a tiny minority that apparently do, though
> I've not known or in 25 years heard of, anyone getting blocked because
> you're using a new IP address on a system sending mail

Nor have I which is one of the primary reasons I thought that what
Reindl said about new IPs was a load of baloney.

> (why should we care
> if it's a new IP, or a 20yo IP - what's more of interest to us is how new
> your "domain" is, who your registrar is, what your authoritative NS's
> are, that's where we spam score you, backing off a bit as days and weeks
> go by), I'd be more concerned for the users of such a wacky reputation
> service than the fact they might block a new IP of mine or whosever.
>

Agreed. Unfortunately, there ARE such wacky reputation services out
there - fortunately they are in the minority - and occasionally users
will want to email people who are using them and you have to know how
to get around those wacky services.

Ted

> Given most medium and large networks use multiple servers for sending
> customer mails, when the load balancers are showing the existing cluster
> needs expanding, we add more into the cluster, so I can't see anyone
> stupid enough to use a service blocking new IP's, if they do, they
> deserve all the hell they bring upon themselves :)
>
> On 27/06/2015 02:43, Ted Mittelstaedt wrote:
>
>> Heh Heh Heh Heh Heh
>>
>> Since you and Charles have obviously never done this before why do you
>> feel qualified to comment?
>>
>> Go ahead and not do this based on these logic castles you have built
>> that are not founded on any experience of reality. Your customers will
>> be suffering for a few days while you wait to get off a blacklist
>> while mine won't.
>>
>> I have used this trick over many years while waiting for
>> AOL/Barracuda/etc. to pull their heads out on a de-list request. Of
>> course, adding a little sophistication in use helps. I ASSUMED I could
>> point you mules-heads in the right direction and you would use your
>> brains to figure out how to properly do this instead of figuring out
>> how to justify ass-sitting and not even trying it out.
>>
>> But since you're obviously too lazy to put any thought into the
>> technique, I don't see why I should waste my time elaborating any
>> further on it.
>>
>> Jered, feel free to email me privately and I'll explain what you need to
>> do and how to set this up so that it works, if you're interested.
>>
>> Disgustedly,
>> Ted
>>
>> On 6/23/2015 12:32 PM, Reindl Harald wrote:
>>>
>>> Am 23.06.2015 um 21:28 schrieb Charles Sprickman:
>>>> One thing to keep in mind is that you may need to rotate your spare
>>>> IPs in now and then. Others can correct me, but my understanding is
>>>> that all the major email providers are going to treat an IP that
>>>> regularly sends email to them very differently than a "new" IP. You'd
>>>> essentially be starting to send from an IP that has no reputation (or
>>>> a reputation based on its neighbors).
>>>
>>> and *because* you have *no* reputation you will get a bad result if it
>>> comes to greylisting and similar spam prevention by treat a completely
>>> new IP as suspect and hence premature rotate IP's until something bad
>>> happened is exactly what you should *not* do
>>>
Re: Barracuda / EmailReg.org protection racket? (OT, but help?) [ In reply to ]
Ted, there is one ISP who insisted on blocking all emails sent from my system
because the internal network is "odd". It's not "localhost.localdomain" or
whatever it was they were looking for. And it appears on my email headers. They
decided "wizardess.wiz" is an illegal domain so the email from it should not be
allowed. Unfortunately one of my regular correspondents is on knology.net. So he
complained enough and they fixed it. Every once in a while it kicks in again.
(Note that I do NOT run an MTA here. Email goes directly to dslextreme or
earthlink from here. Both were blocked at the same time. The only thing in
common with the two MTAs is the received from header from this machine I am on.)

There are any number of poorly thought out block lists. I rather carefully
consider their use here. At one point I got into a somewhat heated email
argument with Paul Vixie over his blocking my email addresses because of what we
now call "Joe Jobs". I made some unfortunate conclusions about his being a total
jerk despite his being one of the bind utility's chief daddies. He did good
work. He just had a screwdriver and needed a hammer which was more than 20' out
of his way so he banged on the problem with his Jolly Green Giant size
screwdriver handle. (And I am jerk enough I'd still like to stick his
screwdriver blade up his nose after subduing him with my rolling-pin stereotype.)

Fortunately or unfortunately it is impossible in the US to make it formally
illegal to be a total jerk. So we will always have jerks to deal with. Block
lists seem to be run by people who devolve into being total self-righteous jerks
over time. Sadly we have to deal with whatever we face.

{^_^} Joanne

On 2015-06-29 10:16, Ted Mittelstaedt wrote:
>
> On 6/27/2015 4:02 AM, Noel Butler wrote:
>> Although what you describe is a "workaround", the key is to keep your
>> house in order so you don't get listed, especially if you have not
>> actually fixed up the problem,
>
> Oh Noel, why are you giving me fish in a barrel to shoot?
>
> OK, now that you put your foot in it, please elaborate on how a
> "house is kept in order" that will protect it from idiots. This is
> going to be fun!
>
> Oh and don't forget to define the difference between chronic offenders
> and just regular people who get nailed for no reason.
>
>> DNSBL's are just like local sys admins,
>> they get tired of adding in /32's after /32's for the same @$#holes,
>> that's when the /32's get removed and /24's get added, it won't take too
>> long to end up blocking all of your ranges. In fact since you've made
>> public your stance, it is likely anyone blocking your IP range, and
>> discovering it's your service, may decide to block all of your IP ranges
>> first off to avoid whack-a-mole games.
>>
>
> Did it ever, possibly, occur to you that my 'workaround' wouldn't work
> if someone has a chronic problem? Nor would it work if someone was just doing
> it because they were too lazy to fix an open relay because
> the backup IP would just instantly get RBLed again.
>
> Why do you think I RECOMMENDED doing it? Do you think that _I_ want to
> get spammed by the OP if he doesn't know WTF he is doing?
>
> The beauty of my suggestion is if the OP is just going to try doing
> it because he doesn't want to clean up his setup, it won't work.
>
> Get it, now?
>
> That's precisely why anyone out there reading this who is running an RBL
> is going to ignore "my stance" as you put it.
>
> They know that if I can defeat their RBL by simply switching IP's then
> their RBL has a problem. Because, switching IPs is what snowshoe spammers do
> every day and if they cannot block me switching an IP then
> they cannot block them and their RBL isn't worth a bucket of hog slop.
>
>> Not many people I know have any faith in reputation services that try
>> "whitelist", but there are a tiny minority that apparently do, though
>> I've not known or in 25 years heard of, anyone getting blocked because
>> you're using a new IP address on a system sending mail
>
> Nor have I which is one of the primary reasons I thought that what
> Reindl said about new IPs was a load of baloney.
>
>> (why should we care
>> if it's a new IP, or a 20yo IP - what's more of interest to us is how new
>> your "domain" is, who your registrar is, what your authoritative NS's
>> are, that's where we spam score you, backing off a bit as days and weeks
>> go by), I'd be more concerned for the users of such a wacky reputation
>> service than the fact they might block a new IP of mine or whosever.
>>
>
> Agreed. Unfortunately, there ARE such wacky reputation services out there -
> fortunately they are in the minority - and occasionally users will want to email
> people who are using them and you have to know how
> to get around those wacky services.
>
> Ted
>
>> Given most medium and large networks use multiple servers for sending
>> customer mails, when the load balancers are showing the existing cluster
>> needs expanding, we add more into the cluster, so I can't see anyone
>> stupid enough to use a service blocking new IP's, if they do, they
>> deserve all the hell they bring upon themselves :)
>>
>> On 27/06/2015 02:43, Ted Mittelstaedt wrote:
>>
>>> Heh Heh Heh Heh Heh
>>>
>>> Since you and Charles have obviously never done this before why do you
>>> feel qualified to comment?
>>>
>>> Go ahead and not do this based on these logic castles you have built
>>> that are not founded on any experience of reality. Your customers will
>>> be suffering for a few days while you wait to get off a blacklist
>>> while mine won't.
>>>
>>> I have used this trick over many years while waiting for
>>> AOL/Barracuda/etc. to pull their heads out on a de-list request. Of
>>> course, adding a little sophistication in use helps. I ASSUMED I could
>>> point you mules-heads in the right direction and you would use your
>>> brains to figure out how to properly do this instead of figuring out
>>> how to justify ass-sitting and not even trying it out.
>>>
>>> But since you're obviously too lazy to put any thought into the
>>> technique, I don't see why I should waste my time elaborating any
>>> further on it.
>>>
>>> Jered, feel free to email me privately and I'll explain what you need to
>>> do and how to set this up so that it works, if you're interested.
>>>
>>> Disgustedly,
>>> Ted
>>>
>>> On 6/23/2015 12:32 PM, Reindl Harald wrote:
>>>>
>>>> Am 23.06.2015 um 21:28 schrieb Charles Sprickman:
>>>>> One thing to keep in mind is that you may need to rotate your spare
>>>>> IPs in now and then. Others can correct me, but my understanding is
>>>>> that all the major email providers are going to treat an IP that
>>>>> regularly sends email to them very differently than a "new" IP. You'd
>>>>> essentially be starting to send from an IP that has no reputation (or
>>>>> a reputation based on its neighbors).
>>>>
>>>> and *because* you have *no* reputation you will get a bad result if it
>>>> comes to greylisting and similar spam prevention by treat a completely
>>>> new IP as suspect and hence premature rotate IP's until something bad
>>>> happened is exactly what you should *not* do
>>>>
>
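The escalation described in the quoted text above (per-address /32 listings replaced by a /24 once the same block keeps offending), sketched from the list operator's side as an added example. It is not code from any poster or from a real blocklist; the threshold, the function names and the addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed listing events using documentation ranges (RFC 5737). Each
# entry is one sender IP the list operator has caught sending spam.
CONSTRUCTED_EVENTS = [
    "198.51.100.10", "198.51.100.11", "198.51.100.12",  # one sender rotating IPs
    "203.0.113.25",                                      # isolated offender
]

# Assumed policy: distinct listed hosts in one /24 before the whole /24 is listed.
ESCALATE_AT = 3


def build_blocklist(events, escalate_at=ESCALATE_AT, prefix=24):
    """Return sorted IPv4 networks: /32 entries, widened to the covering
    /prefix once that block holds `escalate_at` distinct offenders."""
    by_block = defaultdict(set)
    for ip in events:
        addr = ipaddress.ip_address(ip)
        block = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        by_block[block].add(addr)

    entries = []
    for block, hosts in by_block.items():
        if len(hosts) >= escalate_at:
            # The /32s are dropped and replaced by the covering block.
            entries.append(block)
        else:
            entries.extend(ipaddress.ip_network(f"{h}/32") for h in hosts)
    return sorted(entries)


def is_listed(ip, blocklist):
    """True if `ip` falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


if __name__ == "__main__":
    # Two offenders in the /24: still per-address, a neighbouring IP gets through.
    early = build_blocklist(CONSTRUCTED_EVENTS[:2])
    print([str(n) for n in early], is_listed("198.51.100.12", early))

    # Third offender in the same /24: the block is widened, so a never-used
    # address in that range is refused before it sends anything.
    later = build_blocklist(CONSTRUCTED_EVENTS)
    print([str(n) for n in later], is_listed("198.51.100.200", later))
```

The isolated 203.0.113.25 entry stays a /32, which is the distinction between a one-off listing and a chronic range that the thread argues about.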
Re: Barracuda / EmailReg.org protection racket? (OT, but help?) [ In reply to ]
On 6/29/2015 1:37 PM, jdow wrote:
> Ted, there is one ISP who insisted on blocking all emails sent from my
> system because the internal network is "odd". It's not
> "localhost.localdomain" or whatever it was they were looking for. And it
> appears on my email headers. They decided "wizardess.wiz" is an illegal
> domain so the email from it should not be allowed. Unfortunately one of
> my regular correspondents is on knology.net. So he complained enough and
> they fixed it. Every once in a while it kicks in again. (Note that I do
> NOT run an MTA here. Email goes directly to dslextreme or earthlink from
> here. Both were blocked at the same time. The only thing in common with
> the two MTAs is the received from header from this machine I am on.)
>

I've seen the same thing. Not with any of my servers but I have had
that happen over the years with customers running Exchange servers
behind scanning firewalls back when I was working for an ISP that did
connectivity. They would call us when their recipient's sysadmin
started speculating that it was the sender ISPs (us) fault. Naturally
the recipient IT manager never assumed their own crap was to blame, that
it was triggering off the internal pass between Exchange server and
firewall. I got so tired of explaining the problem I finally gave
up and when a customer would call I'd tell them I'd only fix it if
I could webex into their Exchange server console. Then I'd fix it
in front of them while they watched so they would get a clue. That
usually was right after they had gotten done explaining why it must
be our fault for not being able to route to the recipient's ISP or
some such rubbish.

> There are any number of poorly thought out block lists. I rather
> carefully consider their use here. At one point I got into a somewhat
> heated email argument with Paul Vixie over his blocking my email
> addresses because of what we now call "Joe Jobs". I made some
> unfortunate conclusions about his being a total jerk despite his being
> one of the bind utility's chief daddies. He did good work. He just had a
> screwdriver and needed a hammer which was more than 20' out of his way
> so he banged on the problem with his Jolly Green Giant size screwdriver
> handle. (And I am jerk enough I'd still like to stick his screwdriver
> blade up his nose after subduing him with my rolling-pin stereotype.)
>
> Fortunately or unfortunately it is impossible in the US to make it
> formally illegal to be a total jerk. So we will always have jerks to
> deal with. Block lists seem to be run by people who devolve into being
> total self-righteous jerks over time. Sadly we have to deal with
> whatever we face.
>

And, for some reason the absolute worst offenders are the commercial
blocklists. It's not so much their dizzying methods to get delisted
as much as their faulty logic that lists you in the first place.

Governments also have to be right up there. I had one time once where
City of Portland was running its own DNS servers and had a number of
separate subdomains for various departments - and NONE of the subdomains
had MX records even though all of them had different mailservers
accepting mail, and the users in the departments were using the
subdomain email address instead of some global thing like
user@cityofportland.gov. I had users wanting to mail to
billybob@police.pdx.or.us or whatever they were using (I forget) and DNS
showed no MX record for police.pdx.or.us

Later, the City "fixed" this (a couple years later) by creating MX
records - except they were not consistent - not all of the city-run DNS
servers had them.

I had to just shortcut it in the mail
configuration to deliver straight to the IP addresses they used.
That configuration stayed in the server for almost a decade, in fact
I removed it last year just to see what would happen. Nobody complained
so I guess the city must have finally fixed it.

I'm so glad to be out of the connectivity market these days. I never
have to hear "I'm losing thousands of dollars because your service is
down" again. It never ceases to amaze me how people will fall apart
when the Internet connection is down. Particularly when I can clearly
recall 25 years ago when I would tell people about the new Internet and
they would get that expression of "why would anyone want that"

Ted

> {^_^} Joanne
>
> On 2015-06-29 10:16, Ted Mittelstaedt wrote:
>>
>> On 6/27/2015 4:02 AM, Noel Butler wrote:
>>> Although what you describe is a "workaround", the key is to keep your
>>> house in order so you don't get listed, especially if you have not
>>> actually fixed up the problem,
>>
>> Oh Noel, why are you giving me fish in a barrel to shoot?
>>
>> OK, now that you put your foot in it, please elaborate on how a
>> "house is kept in order" that will protect it from idiots. This is
>> going to be fun!
>>
>> Oh and don't forget to define the difference between chronic offenders
>> and just regular people who get nailed for no reason.
>>
>>> DNSBL's are just like local sys admins,
>>> they get tired of adding in /32's after /32's for the same @$#holes,
>>> that's when the /32's get removed and /24's get added, it won't take too
>>> long to end up blocking all of your ranges. In fact since you've made
>>> public your stance, it is likely anyone blocking your IP range, and
>>> discovering it's your service, may decide to block all of your IP ranges
>>> first off to avoid whack-a-mole games.
>>>
>>
>> Did it ever, possibly, occur to you that my 'workaround' wouldn't work
>> if someone has a chronic problem? Nor would it work if someone was
>> just doing it because they were too lazy to fix an open relay because
>> the backup IP would just instantly get RBLed again.
>>
>> Why do you think I RECOMMENDED doing it? Do you think that _I_ want to
>> get spammed by the OP if he doesn't know WTF he is doing?
>>
>> The beauty of my suggestion is if the OP is just going to try doing
>> it because he doesn't want to clean up his setup, it won't work.
>>
>> Get it, now?
>>
>> That's precisely why anyone out there reading this who is running an RBL
>> is going to ignore "my stance" as you put it.
>>
>> They know that if I can defeat their RBL by simply switching IP's then
>> their RBL has a problem. Because, switching IPs is what snowshoe
>> spammers do every day and if they cannot block me switching an IP then
>> they cannot block them and their RBL isn't worth a bucket of hog slop.
>>
>>> Not many people I know have any faith in reputation services that try
>>> "whitelist", but there are a tiny minority that apparently do, though
>>> I've not known or in 25 years heard of, anyone getting blocked because
>>> you're using a new IP address on a system sending mail
>>
>> Nor have I which is one of the primary reasons I thought that what
>> Reindl said about new IPs was a load of baloney.
>>
>>> (why should we care
>>> if it's a new IP, or a 20yo IP - what's more of interest to us is how new
>>> your "domain" is, who your registrar is, what your authoritative NS's
>>> are, that's where we spam score you, backing off a bit as days and weeks
>>> go by), I'd be more concerned for the users of such a wacky reputation
>>> service than the fact they might block a new IP of mine or whosever.
>>>
>>
>> Agreed. Unfortunately, there ARE such wacky reputation services out
>> there - fortunately they are in the minority - and occasionally users
>> will want to email people who are using them and you have to know how
>> to get around those wacky services.
>>
>> Ted
>>
>>> Given most medium and large networks use multiple servers for sending
>>> customer mails, when the load balancers are showing the existing cluster
>>> needs expanding, we add more into the cluster, so I can't see anyone
>>> stupid enough to use a service blocking new IP's, if they do, they
>>> deserve all the hell they bring upon themselves :)
>>>
>>> On 27/06/2015 02:43, Ted Mittelstaedt wrote:
>>>
>>>> Heh Heh Heh Heh Heh
>>>>
>>>> Since you and Charles have obviously never done this before why do you
>>>> feel qualified to comment?
>>>>
>>>> Go ahead and not do this based on these logic castles you have built
>>>> that are not founded on any experience of reality. Your customers will
>>>> be suffering for a few days while you wait to get off a blacklist
>>>> while mine won't.
>>>>
>>>> I have used this trick over many years while waiting for
>>>> AOL/Barracuda/etc. to pull their heads out on a de-list request. Of
>>>> course, adding a little sophistication in use helps. I ASSUMED I could
>>>> point you mules-heads in the right direction and you would use your
>>>> brains to figure out how to properly do this instead of figuring out
>>>> how to justify ass-sitting and not even trying it out.
>>>>
>>>> But since you're obviously too lazy to put any thought into the
>>>> technique, I don't see why I should waste my time elaborating any
>>>> further on it.
>>>>
>>>> Jered, feel free to email me privately and I'll explain what you
>>>> need to do and how to set this up so that it works, if you're interested.
>>>>
>>>> Disgustedly,
>>>> Ted
>>>>
>>>> On 6/23/2015 12:32 PM, Reindl Harald wrote:
>>>>>
>>>>> Am 23.06.2015 um 21:28 schrieb Charles Sprickman:
>>>>>> One thing to keep in mind is that you may need to rotate your spare
>>>>>> IPs in now and then. Others can correct me, but my understanding is
>>>>>> that all the major email providers are going to treat an IP that
>>>>>> regularly sends email to them very differently than a "new" IP. You'd
>>>>>> essentially be starting to send from an IP that has no reputation (or
>>>>>> a reputation based on its neighbors).
>>>>>
>>>>> and *because* you have *no* reputation you will get a bad result if it
>>>>> comes to greylisting and similar spam prevention by treat a completely
>>>>> new IP as suspect and hence premature rotate IP's until something bad
>>>>> happened is exactly what you should *not* do
>>>>>
>>