Senderbase Rating Poor and I can't get any Info why

DennisGilke
Level 1

Since last week we have had problems delivering mail to some destinations which are checking Senderbase, but not only mail is affected. Our website is also rated as poor...

I tried to contact Cisco and IronPort and everyone keeps telling me to go to senderbase.org. I've contacted the support e-mail several times and haven't gotten a response yet.

As we are a security company this isn't really funny. Is there anyone who can tell me why there is a poor rating?

IP address is 212.60.225.134

1 Accepted Solution

bfayne
Level 1

One additional point about Senderbase is that it will give a negative score to systems with a magnitude that has recently increased due to the possibility of it being a new spam source or newly infected system. Your IPs are all neutral now but if the "Vol Change vs. Last Month" was showing an increase that could account for the negative score.

Your current daily magnitude is back to zero so if you suddenly spike up from that your score could dip again.

I would imagine that if you could demonstrate that a supported appliance was behind that IP then Cisco should be willing to give you at least basic information on the SBRS score. Perhaps opening a tunnel that was sourced from that IP would be convincing enough, no matter what the SWIP record says.

As Andreas pointed out, while the score is generated by Cisco/IronPort, the policy, the decision to accept or reject your email, belongs to the admin of the target network.

18 Replies

Senderbase is really a big trouble for us too.

We are using IronPort to protect our customers' email domains. Sometimes our customers say that we can not get emails from x domain. We investigate and see that the IP address is poor in Senderbase. But when we search the IP address in other blacklists we see that it is very very clean. So we can not explain this situation to the customers and we could never get a satisfying answer from Senderbase.

Sometimes Senderbase may be a big problem. Good luck

Senderbase as it is, is a good service but it can't be that this service has a big Cisco logo on the website and no one is able to answer my questions.

Evrin,

as you are a Cisco IronPort customer, you could always open a ticket directly with support, and request further help with this problem. One comment on the discussion Senderbase vs. blacklists though: as you probably know, Senderbase is not a blacklist, it only delivers a reputation score (SBRS) which is then used by IronPort appliances to apply policies the owner has set for certain scores. Blacklists, in comparison, simply deliver two results only, blacklisted or not blacklisted, so the results for every client using a certain blacklist will always be the same. That's why a low score on Senderbase does not mean an IP or host will also be listed on a blacklist. It just tells the client that there is a greater chance of seeing spam from that sender, but does not tell them to block that sender.

@Dennis - the best way to address your issue is to contact one of the domains you have problems delivering to, and ask them to contact Cisco or Senderbase for further details. As for your poor rating, one general recommendation is to check for any spam passing through your outbound devices, and also make sure the hostnames used on your interfaces and SMTP communication match the reverse lookup for your external IPs.

Hope that helps,

Andreas

Hello Andreas,

currently I've shut down the primary mailgateway and made a tcp dump on all machines, which are allowed to send mail through the firewall and there was nothing. So spam can't be the problem or some silly guys are reporting our newsletter as spam. The reverse DNS etc is all set up correctly, the systems are running now for years without any problems.

> the best way to address your issue is to contact one of the domains you have problems delivering to, and ask them to contact Cisco or Senderbase for further details

I tried, the answer from Cisco was that they can't give any info because the network does not belong to our customer...

As far as I can see, the only way to contact Senderbase is via support@senderbase.org and, as it seems, their mail clients are lacking a response button.

Hi Dennis,

apart from the reverse DNS lookup, also check which hostnames you use in your SMTP conversation, the culprit lies there pretty often. I agree that something like that never really mattered in the past, but with 95% of all mail traffic being spam right now, we (means antispam solutions) need to be more picky these days, to be honest:-)

Hope that helps,

Andreas
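The hostname consistency Andreas recommends in his two replies above (HELO name, reverse lookup and forward lookup all agreeing for each outbound IP) can be checked mechanically. The following is an added example, not part of any post in this thread; the function names, hostnames and documentation-range IPs are constructed, and the DNS data is a small in-memory table so the check runs offline.

```python
import socket

def live_ptr(ip):
    """PTR lookup via the system resolver; returns a list of hostnames."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def live_a(host):
    """Forward lookup via the system resolver; returns a list of IPs."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def check_sender_identity(ip, helo, ptr=live_ptr, fwd=live_a):
    """Return findings for one outbound IP; an empty list means consistent."""
    norm = lambda h: h.rstrip(".").lower()
    findings = []
    ptr_names = [norm(n) for n in ptr(ip)]
    if not ptr_names:
        findings.append("no PTR record for %s" % ip)
    # Forward-confirmed reverse DNS: some PTR name must resolve back to the IP.
    elif not any(ip in fwd(n) for n in ptr_names):
        findings.append("PTR %s does not resolve back to %s" % (ptr_names, ip))
    if "." not in helo:
        findings.append("HELO %r is not a fully qualified hostname" % helo)
    elif ip not in fwd(norm(helo)):
        findings.append("HELO %s does not resolve to %s" % (helo, ip))
    if ptr_names and norm(helo) not in ptr_names:
        findings.append("HELO %s differs from PTR %s" % (helo, ptr_names))
    return findings

# Constructed DNS data (documentation ranges) so the example runs offline.
PTR = {"192.0.2.10": ["mx1.example.com."], "192.0.2.11": ["host11.isp.example."]}
A = {"mx1.example.com": ["192.0.2.10"], "mx2.example.com": ["192.0.2.11"],
     "host11.isp.example": ["192.0.2.11"]}
fake_ptr = lambda ip: PTR.get(ip, [])
fake_fwd = lambda host: A.get(host.rstrip(".").lower(), [])

if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mx1.example.com"),
                     ("192.0.2.11", "mx2.example.com"),
                     ("192.0.2.12", "localhost")]:
        print(ip, helo, check_sender_identity(ip, helo, fake_ptr, fake_fwd) or "consistent")
```

Calling `check_sender_identity(ip, helo)` without the last two arguments uses the system resolver instead of the constructed table.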

Hi Andreas,

the mail configuration of our systems is fine. Our primary gateway is back to neutral (it was shut down since Thursday), but now our secondary gateway is rated as poor, if I'm reading the results correctly.

http://www.senderbase.org/senderbase_queries/detailip?search_string=212.60.225.135

What's very confusing is that the secondary server doesn't appear in the list which is shown. But still all *.zertificon.com domains have a poor web reputation, even systems that aren't even reachable from the outside...

It can't be that one of the greatest IT companies worldwide is providing a service which is used on every IronPort system for blocking mail and in a case like this no one feels responsible. It is ridiculous that nobody can answer my mail and make a statement why this rating is as it is...

I don't want to change the subject but let's talk about konuk.net

http://www.senderbase.org/senderbase_queries/detaildomain?search_string=konuk.net&max_rows=50&snext_set=0&tdaorder=lastmonth+desc&dnext_set=50&tddorder=ip+asc#page

We received and are still receiving tons of spam from @konuk.net, but we never saw their IP as poor in Senderbase. (They were listed as "good" some time ago.)

You say that you may flag an IP as poor according to "vol change vs last month" but you don't flag konuk.net's IPs as poor even though they are a definite source of spam. I can not understand this.

Hi Evren,

there is actually an error in the way you approach this issue, let me try to point that out for you. You state that you receive a lot of spam from senders @konuk.net; note that this is part of an email address. Your query on senderbase.org, however, queries the actual mail server hosts and IPs that belong to konuk.net. The difference here is that the spam you get is most likely not sent via one of those mail servers that belong to the konuk.net network; as you certainly know, sender addresses can be easily faked, and sent from any PC or network. That's especially true for spam, and the reason why people get emails from bill.gates@microsoft.com, which definitely have never been sent via any of the Microsoft servers. Of course it would be unfair if Senderbase took such fake emails into account to lower the score of a domain a spammer is abusing in their sender address. That's why Senderbase is only monitoring the traffic on the originating hosts.

That being said, to get this solved for you, check your mail logs or use message tracking for any of the spam you have received with an @konuk.net address. Look at the original sender host IP, and the hostname if available; it's most likely that they are not related to the konuk.net domain. You may also check that IP/host on Senderbase, to confirm if it actually has a good reputation. Also check if these messages are getting scanned by your antispam engine, or if there are any issues at this point.

Hope that helps,

Andreas
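The check Andreas describes in the reply above (compare the domain in the From address with the host that actually connected to your gateway) can be done from the message headers. This is an added example, not part of any post in this thread; the message, the gateway name `gw.recipient.example` and the Postfix-style Received format are constructed assumptions, and other MTAs write this header differently.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the From address claims example.com, but the Received
# header stamped by our own gateway shows a host in another network.
RAW = """\
Received: from mail.example.net (unknown [198.51.100.7])
\tby gw.recipient.example (Postfix) with ESMTP id 4F1A2
\tfor <user@recipient.example>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [10.0.0.5] (helo=pc) by mail.example.net; Mon, 1 Jan 2024 09:59:58 +0000
From: "Billing" <billing@example.com>
To: user@recipient.example
Subject: constructed sample

body
"""

def connecting_host(raw, our_gateway):
    """Return (helo_name, ip) from the Received header written by our_gateway.

    Only that header is trustworthy; headers below it were supplied by the sender.
    """
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())          # unfold continuation lines
        if (" by %s " % our_gateway) not in flat + " ":
            continue
        m = re.search(r"from (\S+) \(.*?\[([0-9a-fA-F.:]+)\]\)", flat)
        if m:
            return m.group(1).lower(), m.group(2)
    return None

def from_domain(raw):
    """Domain part of the (easily forged) From address."""
    addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def claimed_vs_actual(raw, our_gateway):
    """Pair the claimed sender domain with the host our gateway really saw."""
    host = connecting_host(raw, our_gateway)
    dom = from_domain(raw)
    helo = host[0] if host else ""
    related = helo == dom or helo.endswith("." + dom)
    return {"from_domain": dom, "connecting": host, "helo_in_from_domain": related}

if __name__ == "__main__":
    print(claimed_vs_actual(RAW, "gw.recipient.example"))
```

The IP in the result is the value to look up in a reputation service; the HELO name is supplied by the sender and is only a hint.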

Hi,

well, I know how spammers do spoofing. I have always checked the IP addresses on the Senderbase database when I received spam from konuk.net. The IPs are konuk.net's IP addresses for sure.

For the antispam agent, I have submitted so many messages to spam@access.ironport.com in the past 2 months and nowadays I sometimes see that mails are being flagged as "suspect" or "clean".

And our solution is to create a policy for konuk.net and not rely on Senderbase or the antispam engine when it comes to konuk.net.

Hi Evren,

thanks for the clarification, now I'd like to know if the spam you receive is the traditional kind (Via***ra stuff and such), or if it is more of newsletters and such. I am asking because there is a difference in categorization, and spam coming from the actual domain is quite uncommon.

Cheers,

Andreas

well, I have submitted many spams from konuk.net via Outlook Plugin.

They are generally spams like "You have a message from Hotgirl, please click the link to read your message" (In Turkish)

"I don't want to change the subject ..."

Ok, so just start a new thread instead of hijacking an existing one.

Hello Robert, there will be sudden spikes every month or week, when we are sending a newsletter or new release announcement.

I'm aware that Cisco doesn't block anything but Senderbase seems to be a magic service where no one is responsible. In the case your systems are rated as poor, you can try to reach the IT department from Dell or Citrix and ask them kindly if they whitelist your domain... or you can reach for the golden pot at the end of the rainbow, the chance of success is slightly higher.

Cisco is also using Senderbase, so while your system is rated as poor you can't even send a mail to cisco.com and ask for info or help. I always thought highly of Cisco but this behaviour is unacceptable.