04-14-2008 06:06 PM
Hello,
I manage an ISP network with several C-Series appliances and, as you might be aware, there are many infected hosts on ISP networks and therefore they send out spam.
This results in getting the outgoing IronPort IPs blacklisted.
I'm having some difficulty blocking this spam/these viruses because if I turn antispam ON for outgoing mails, about 2/3 of outgoing mails are false positives. I don't know why IPAS classifies these mails as spam.
I did put some rate-limiting in place, but this doesn't always help.
Does any one of you have any recommendations on how I can minimize this problem?
Thanks,
Vinesh
04-14-2008 07:53 PM
I'm having some difficulty blocking this spam/these viruses because if I turn antispam ON for outgoing mails, about 2/3 of outgoing mails are false positives.
04-15-2008 04:15 AM
Hello,
We do have these mails going through a relayed policy and we turned Senderbase control to OFF.
We even configured a relaylist for corporate and another for all others (where we applied stricter rules).
I'll definitely contact support so that they look into it.
Thanks,
Vinesh
04-16-2008 04:33 PM
My question is that most infected machines (botnets) won't use the ISP relay; they will simply try to send out directly to the internet on port 25. Only valid mail clients would know what the IP address of the IronPorts is for relaying mail out.
04-18-2008 05:49 AM
Hi,
Perhaps getting the S-Series on the network might help in sustaining the infected hosts/spyware, etc.
Could this help? What do you think?
Vinesh
04-18-2008 07:43 AM
Absolutely, the L4TM Spyware audit will tell you who's infected and who's clean. Contact your local friendly Sales Representative for more information.
04-18-2008 11:26 PM
Monkeymadness is right: bots don't usually use a relay host, they send directly. If your IronPorts are getting blacklisted, then it may be because your whole network is getting blacklisted.
Have you checked your mail_logs to verify that the spam is actually traversing your IronPorts? If it's not, then identifying and individually blocking the infected systems may be feasible, depending on how many there are. If there are too many then your only recourse may be putting in a block on outbound port 25 connections. But that will cause problems for anyone on your network who runs a legitimate mail server, so it isn't to be done lightly.
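The check Don describes (confirming from mail_logs whether the spam actually traverses the appliance, and then identifying the individual infected systems) can be scripted. The following is an added example, not code from the thread or from Cisco/IronPort: it parses log lines constructed in the approximate shape of AsyncOS mail_logs entries (New SMTP ICID / Start MID / From / RID To), attributes every message and recipient to the connecting customer IP, and flags hosts that fan out to many recipients or rotate envelope senders. The IPs, addresses and thresholds are constructed assumptions; a real appliance's log layout may differ in detail.

```python
"""Attribute relayed messages in AsyncOS-style mail_logs to source IPs
and flag hosts that look like spam bots. Added example; not from the thread."""
import re
from collections import defaultdict

# Constructed sample: 10.20.30.40 sends two messages from different senders
# to five recipients; 10.20.30.41 sends one ordinary single-recipient mail.
SAMPLE_MAIL_LOGS = """\
Sat Apr 19 07:00:01 2008 Info: New SMTP ICID 1001 interface Data1 (203.0.113.5) address 10.20.30.40 reverse dns host unknown verified no
Sat Apr 19 07:00:01 2008 Info: ICID 1001 ACCEPT SG RELAYLIST match 10.20.30.0/24 SBRS None
Sat Apr 19 07:00:02 2008 Info: Start MID 5001 ICID 1001
Sat Apr 19 07:00:02 2008 Info: MID 5001 ICID 1001 From: <alice@example.net>
Sat Apr 19 07:00:02 2008 Info: MID 5001 ICID 1001 RID 0 To: <a@example.org>
Sat Apr 19 07:00:02 2008 Info: MID 5001 ICID 1001 RID 1 To: <b@example.org>
Sat Apr 19 07:00:02 2008 Info: MID 5001 ICID 1001 RID 2 To: <c@example.com>
Sat Apr 19 07:00:05 2008 Info: New SMTP ICID 1002 interface Data1 (203.0.113.5) address 10.20.30.41 reverse dns host unknown verified no
Sat Apr 19 07:00:05 2008 Info: Start MID 5002 ICID 1002
Sat Apr 19 07:00:05 2008 Info: MID 5002 ICID 1002 From: <bob@example.net>
Sat Apr 19 07:00:05 2008 Info: MID 5002 ICID 1002 RID 0 To: <friend@example.org>
Sat Apr 19 07:01:00 2008 Info: Start MID 5003 ICID 1001
Sat Apr 19 07:01:00 2008 Info: MID 5003 ICID 1001 From: <zzz@example.net>
Sat Apr 19 07:01:00 2008 Info: MID 5003 ICID 1001 RID 0 To: <d@example.org>
Sat Apr 19 07:01:00 2008 Info: MID 5003 ICID 1001 RID 1 To: <e@example.org>
"""

# The connection record (ICID) carries the client IP; messages (MID) and
# recipients (RID) only reference the ICID, so we join them on that id.
NEW_ICID_RE = re.compile(r"New SMTP ICID (\d+) .* address (\d+\.\d+\.\d+\.\d+) ")
START_MID_RE = re.compile(r"Start MID (\d+) ICID (\d+)")
FROM_RE = re.compile(r"MID (\d+) ICID (\d+) From: <([^>]*)>")
RCPT_RE = re.compile(r"MID (\d+) ICID (\d+) RID \d+ To: <([^>]*)>")


def summarize(log_text):
    """Return {source_ip: {"messages": n, "recipients": n, "senders": set}}."""
    icid_to_ip = {}
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set()})
    for line in log_text.splitlines():
        m = NEW_ICID_RE.search(line)
        if m:
            icid_to_ip[m.group(1)] = m.group(2)
            continue
        m = START_MID_RE.search(line)
        if m:
            ip = icid_to_ip.get(m.group(2))
            if ip:
                stats[ip]["messages"] += 1
            continue
        m = FROM_RE.search(line)
        if m:
            ip = icid_to_ip.get(m.group(2))
            if ip:
                stats[ip]["senders"].add(m.group(3))
            continue
        m = RCPT_RE.search(line)
        if m:
            ip = icid_to_ip.get(m.group(2))
            if ip:
                stats[ip]["recipients"] += 1
    return dict(stats)


def suspicious_hosts(log_text, max_recipients=3, max_senders=1):
    """IPs whose recipient fan-out or number of distinct envelope senders
    (spoofed From addresses are a common bot signature) exceeds the limits.
    Thresholds are constructed for the sample; tune them to your volumes."""
    flagged = []
    for ip, s in sorted(summarize(log_text).items()):
        if s["recipients"] > max_recipients or len(s["senders"]) > max_senders:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_MAIL_LOGS).items():
        print(ip, s["messages"], "msgs", s["recipients"], "rcpts", len(s["senders"]), "senders")
    print("suspicious:", suspicious_hosts(SAMPLE_MAIL_LOGS))
```

Run against a real mail_logs export the output gives a per-customer list to drive the "block them from the relay until they clean their machine" step mentioned later in the thread; if no customer IPs show up at all, the spam is leaving the network directly on port 25 rather than through the appliance.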
04-19-2008 12:38 AM
Most ISPs are finally coming to the realization that the only way to stop spam getting out of their network is to block port 25 outgoing.
The vast majority of spam isn't going to be routed via an ISP's mail server (where it's much easier to detect/stop), but instead is going to try and go directly to the remote mail server. This makes detection difficult at best.
Like it or not, blocking outgoing port 25 to all hosts other than the ISP's mail servers is the only real choice. Giving customers an "opt-out" mechanism to this is a good idea, but to be effective it needs to default to blocked, and allow customers to unblock it if they want to do something like run their own mail servers - and for the most part those that unblock it are less likely to get infected with malware.
If customers of an ISP want to send using another ISP's/corporate's mail server, that's what port 587 is for - authenticated mail injection.
This is a big call for most ISPs to make, but it's the right one, and the only one that fixes this problem. I've spoken to many ISPs who have done this or are considering doing it, and in the end those that do it put up with some small pain for a while - but in the long run it saves them significant trouble!
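The policy just described (port 25 blocked by default from customer space, except to the ISP's own relays and except for customers who have opted out, with 587 left alone) is small enough to model and to turn into firewall rules mechanically. The following is an added example, not from the thread or from any vendor: `decide()` evaluates one outbound connection against the policy, and `iptables_rules()` emits equivalent iptables-style rule lines with a LOG before the REJECT so that blocked hosts (likely infected) surface in the firewall log. The address ranges, relay IPs and opt-out entries are constructed assumptions.

```python
"""Outbound port 25 policy with customer opt-out. Added example; not from the thread."""
import ipaddress

# Constructed: the ISP's dynamic customer space, blocked on port 25 by default.
DYNAMIC_SPACE = [ipaddress.ip_network("10.20.0.0/16")]
# Constructed: the ISP's own relays, always reachable on port 25.
ISP_RELAYS = {ipaddress.ip_address("203.0.113.5"), ipaddress.ip_address("203.0.113.6")}
# Constructed: customers who asked to run their own mail server.
OPT_OUT = {ipaddress.ip_address("10.20.30.50")}


def decide(src, dst, dport, dynamic_space=DYNAMIC_SPACE, relays=ISP_RELAYS, opt_out=OPT_OUT):
    """Return 'allow' or 'deny' for one outbound TCP connection src -> dst:dport."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if dport != 25:
        return "allow"          # submission on 587 (authenticated) is not touched
    if not any(src_ip in net for net in dynamic_space):
        return "allow"          # static/business space is outside this policy
    if dst_ip in relays:
        return "allow"          # customers may always use the ISP's relay
    if src_ip in opt_out:
        return "allow"          # customer explicitly opted out of the block
    return "deny"


def iptables_rules(dynamic_space=DYNAMIC_SPACE, relays=ISP_RELAYS, opt_out=OPT_OUT):
    """Render the same policy as ordered iptables FORWARD rules (strings).
    Order matters: specific ACCEPTs first, then LOG, then the catch-all REJECT."""
    rules = []
    for net in dynamic_space:
        for host in sorted(opt_out, key=int):
            if host in net:
                rules.append(f"-A FORWARD -s {host} -p tcp --dport 25 -j ACCEPT")
        for relay in sorted(relays, key=int):
            rules.append(f"-A FORWARD -s {net} -d {relay} -p tcp --dport 25 -j ACCEPT")
        rules.append(f"-A FORWARD -s {net} -p tcp --dport 25 -j LOG --log-prefix \"smtp-direct: \"")
        rules.append(f"-A FORWARD -s {net} -p tcp --dport 25 -j REJECT --reject-with tcp-reset")
    return rules


if __name__ == "__main__":
    print(decide("10.20.30.40", "198.51.100.25", 25))   # bot sending direct -> deny
    print(decide("10.20.30.40", "203.0.113.5", 25))     # via ISP relay -> allow
    print(decide("10.20.30.40", "198.51.100.25", 587))  # submission port -> allow
    print("\n".join(iptables_rules()))
```

The rule generator is deliberately data-driven: adding a customer to the opt-out set and regenerating the rules is the whole management step, which answers the "could be hard managing" concern with a list rather than hand-edited firewall entries.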
04-19-2008 05:32 AM
Indeed, the spam goes through the IronPorts and just yesterday, I deleted about 40,000 recipients which were queued for the @subdomain.hinet.com and some other domains.
Good idea, but concerning the opt-out option you are suggesting, the ISP needs to exclude these senders on their firewall I guess and it could be hard to manage?
Also, for your users who have their mails hosted outside (mostly in US), how do they connect to their hosting mail servers? I would guess that they wouldn't like the idea of changing this and also not sure whether all these hosting companies accept other ports apart from 25.
Can you please elaborate on the port 587 implementation? I've configured relaylist on the same incoming listeners. So, do I need to create an outbound listener and use port 587 on that in order to receive mails from subscribers?
I also have 2 other ISPs as clients and this problem is also applicable to them. One of them is already using SMTP authentication and it's eliminating some of the spam problem. But the biggest ISP has about 50,000 subscribers I would guess (both corporate and home users) and implementing the port blocking approach might be quite hard. But I'll share your recommendations with the ISP guys.
Thanks,
Vinesh
04-19-2008 03:36 PM
Most ISPs are finally coming to the realization that the only way to stop spam getting out of their network is to block port 25 outgoing.
Indeed, the spam goes through the IronPorts
Good idea, but concerning the opt-out option you are suggesting, the ISP needs to exclude these senders on their firewall I guess and it could be hard to manage?
Can you please elaborate on the port 587 implementation?
04-19-2008 06:01 PM
Don,
I did contact Support and sent them some samples of the false positives.
They found out that the mails coming from the subscribers are from blacklisted IPs (they also have very bad SBRS) and IPAS also evaluates this info about the blacklisted IP in its decision.
So, eventually, IPAS will surely see the mails as spam.
But they recommended an approach: putting an incoming relay to be used as outgoing server by the subscribers and having the relay forward the mails to the IronPort to be sent to the Internet. This way, the IronPort will see the mails coming from the incoming relay and not from the blacklisted IPs.
What do you think?
As for the SMTP Auth and port 587, the ISP told me that it will be hard to make all their users make this change. There would be some hard work involved!!
Thanks,
Vinesh
04-20-2008 01:06 AM
I also look after 2 C650 appliances that service ISP customers in our dynamic address space. We had been using Brightmail until recently. When we attempted to implement IPAS we found as you did that a large percentage of the email was marked as spam. We found that we had to disable SenderBase IP Profiling on the listener. When this was done the false positive rate fell within what we were seeing for Brightmail. It appears with SenderBase IP Profiling active IPAS uses this info and marks many messages as spam due to the low SBRS of most IP addresses within the dynamic address ranges.
To prevent blacklisting of the Ironport IP addresses we have rate limiting applied to dynamic IP addresses that send via the ISP relay. This is done by adding all our dynamic space to the hat and using a dynamic policy. The rate limit is done setting the mail flow policy flow control to
Use SenderBase for Flow Control:off
Group by Similarity of IP Addresses:32
We currently block port 25 outbound for our dynamic space, but there are bots that search for and discover the relay. We deal with these customers by specifically blocking them from the relay until they clean their machine.
04-20-2008 04:31 AM
Hello again,
Well interesting.
In fact, I did create 2 relaylists: one with the corporate clients' IP range and another with home users (ADSL, dial-up, etc. having dynamic IPs). I've enabled strict rate-limiting on the second relaylist and I should say that we do throttle these bad senders. But eventually, some do get through because there are lots of infected hosts.
We already have this setting in place:
Setting the mail flow policy flow control to
Use SenderBase for Flow Control:off
Group by Similarity of IP Addresses:32
We have a public listener with the relaylist included. No dedicated private listeners for outbound mails. If I disable the SenderBase IP Profiling, this will apply on incoming mails as well and could be a problem, isn't it? Perhaps IPAS will not evaluate these dynamic IPs' SBRS for incoming.
Just to give you an idea, I've created an outgoing mail policy and included only one of the domains which the ISP hosts and on which I see lots of spoofed email addresses sending spam. From Saturday 7am to Sunday 7am, we got 10.2k spam and 580 virus on outgoing from one domain only.
Thanks,
Vinesh
04-20-2008 06:42 AM
Our C650s only have a single public listener and they only deal with email being relayed from our DSL customers. The IronPort itself does not relay the email but passes it to a second tier of MTAs which do the relaying using smtproutes. Also important to mention is that the IronPort server has a firewall in front that restricts port 25 access to IPs in our network only. Roaming customers are expected to use secure SMTP with authentication, which is on a different IP/listener on the same IronPort servers.
How many customers do you have? We don't see anything like these volumes. Almost no virus traffic at all. This may be because we closed port 25 in/out in our dynamic space (except for the SMTP relay) and also some well-known ports that are commonly used to infect clients. There are still infected clients that try to send through our SMTP relay, but a lot of the traffic is caught by IPAS and rate limiting holds down the level if it does happen.
The vast majority of spam that hits our SMTP relay is from business customers that have their own email servers and are using our relay as a smart host. Almost all these messages are NDR messages containing spam from MS SMTP servers because recipient checking is not done during conversation.
04-21-2008 04:09 PM
But they recommended an approach: putting an incoming relay to be used as outgoing server by the subscribers and having the relay forward the mails to the IronPort to be sent to the Internet. This way, the IronPort will see the mails coming from the incoming relay and not from the blacklisted IPs.
What do you think?
As for the SMTP Auth and port 587, the ISP told me that it will be hard to make all their users make this change. There would be some hard work involved!!