senderbase rating - how to appeal? - SpamAssassin



Thread: senderbase rating - how to appeal?

  1. senderbase rating - how to appeal?

    Does anyone know how you can appeal or query a senderbase rating?


    Mr Michele Neylon
    Blacknight Solutions
    Hosting & Colocation, Brand Protection
    http://www.blacknight.com/
    http://blog.blacknight.com/
    Intl. +353 (0) 59 9183072
    US: 213-233-1612
    UK: 0844 484 9361
    Locall: 1850 929 929
    Direct Dial: +353 (0)59 9183090
    Fax. +353 (0) 1 4811 763
    -------------------------------
    Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
    Park,Sleaty
    Road,Graiguecullen,Carlow,Ireland Company No.: 370845


  2. Re: senderbase rating - how to appeal?

    > Does anyone know how you can appeal or query a senderbase rating?

    I think senderbase is automatic.. You start spamming, you get on the list.
    You stop spamming, (eventually) you get off the list.

    You must be new to the 'net', so you get one free clue:

    As for querying, did you even try to google for senderbase?
    www.google.com

    Type in 'senderbase'. Big as life, 'Lookup'.


    --
    Michael Scheidell, CTO
    >|SECNAP Network Security

    Winner 2008 Network Products Guide Hot Companies
    FreeBSD SpamAssassin Ports maintainer




  3. Re: senderbase rating - how to appeal?


    "Michele Neylon :: Blacknight" wrote:

    > Does anyone know how you can appeal or query a senderbase rating?
    >



    No. I tried and failed over a period of many months.

    Last year a spammer was inserting a faked Received header into millions
    of messages a day, claiming that the spam originated at cs.columbia.edu
    128.59.16.20. Senderbase ranked cs.columbia.edu as by far the largest
    sender of mail in our domain. The catch? The host never sent mail at
    all. We know that from our network traffic analysis and from asking
    the system admins of the host. So actually the Senderbase rating and
    any other blocklist rating for that host did not affect anything, since
    no mail came from the host anyway. But for the sake of reputation we
    asked Senderbase to correct the listing. Repeatedly.

    NOTE, Senderbase is badly compromised because their software believes
    Received headers. Some ratings are based on faked headers. We know
    for a fact that the cs.columbia.edu rating was based 100% on faked
    headers. One of the several Senderbase people I reached finally
    agreed that they rated from Received headers instead of verified
    connections. But it didn't matter. They just kept stalling and
    referring it and so forth, and every month or two I'd try again,
    and finally the spammer moved on.

    If the spammer had faked a host that really sends mail, then we would
    have had a practical problem to solve. The cheapest solution would
    probably be to rename the host and change its IP, and let the spammer
    keep faking the old name and IP.

    Maybe a letter from your lawyer to Ironport would get attention. We
    did not go to that stage.

    Does that help?

    Joseph Brennan
    Lead Email Systems Engineer
    Columbia University Information Technology
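
An added example, not part of the original post: rating a sender from every Received header versus rating only the verified connection, the distinction the post above draws. The host names, the 10.0.0.0/8 internal network and the sample message are constructed assumptions, and the walk assumes the newest header was written by your own server.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed message. The two upper headers were written by our own hosts
# (assumed names); the lowest one arrived with the message and names the
# Columbia host from the post.
RAW = """\
Received: from mx-edge.example.net (mx-edge.example.net [10.0.0.5])
    by store.example.net with ESMTP; Thu, 4 Sep 2008 15:49:02 +0000
Received: from mail.sender.example (unknown [203.0.113.77])
    by mx-edge.example.net with ESMTP; Thu, 4 Sep 2008 15:49:00 +0000
Received: from cs.columbia.edu (cs.columbia.edu [128.59.16.20])
    by relay.invalid with SMTP; Thu, 4 Sep 2008 15:48:00 +0000
From: someone@example.org
Subject: constructed test message

body
"""

TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumption: our internal relays
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def client_ips(raw):
    """Client IP recorded in each Received header, newest header first."""
    ips = []
    for value in message_from_string(raw).get_all("Received", []):
        m = IP_RE.search(" ".join(value.split()))  # unfold the header first
        ips.append(m.group(1) if m else None)
    return ips

def naive_origin(raw):
    """Header-trusting rating: believe the oldest Received line."""
    ips = [ip for ip in client_ips(raw) if ip]
    return ips[-1] if ips else None

def verified_origin(raw, trusted=TRUSTED_NETS):
    """First client outside our own relays; lower headers are sender text."""
    for ip in client_ips(raw):
        if ip is None:
            return None  # unparseable hop: refuse to guess
        if not any(ip_address(ip) in net for net in trusted):
            return ip
    return None

if __name__ == "__main__":
    print("naive:", naive_origin(RAW), "verified:", verified_origin(RAW))
```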


  4. RE: senderbase rating - how to appeal?


    >
    > If the spammer had faked a host that really sends mail, then we would
    > have had a practical problem to solve. The cheapest solution would
    > probably be to rename the host and change its IP, and let the spammer
    > keep faking the old name and IP.
    >
    > Maybe a letter from your lawyer to Ironport would get attention. We
    > did not go to that stage.
    >
    > Does that help?
    >
    > Joseph Brennan
    > Lead Email Systems Engineer


    If you have alumni or full time lawyers on staff at Columbia, get out the
    lawyerStick much earlier

    Or (har har) you could always start a EDU class project in CS to find the
    ironport traps and send out emails to the traps in all their actual various
    ironport and affiliated business domains and see if they fix the issues

    ;->

    - rh


  5. Re: senderbase rating - how to appeal?


    On 4 Sep 2008, at 15:49, Michael Scheidell wrote:

    >> Does anyone know how you can appeal or query a senderbase rating?

    >
    > I think senderbase is automatic.. You start spamming, you get on the
    > list.
    > You stop spamming, (eventually) you get off the list.
    >
    > You must be new to the 'net', so you get one free clue:


    You must be new to the net as well or maybe you think you're "clever"?



    Mr Michele Neylon
    Blacknight Solutions


  6. Re: senderbase rating - how to appeal?

    >

    Joseph

    Thanks

    Our main issue wasn't with the listing but with the total lack of
    appeals procedure or delisting, as several large corporates seem to
    trust Senderbase and block based on its score

    Thanks again

    Michele




  7. Re: senderbase rating - how to appeal?


  8. Re: senderbase rating - how to appeal?

    On Fri, Sep 5, 2008 at 5:45 PM, Greg Troxel wrote:
    >
    > "Michele Neylon :: Blacknight" writes:
    >
    >> Does anyone know how you can appeal or query a senderbase rating?

    >
    > I resisted answering at first, because I'm perhaps a bit too cynical:
    >
    > The way to appeal is to file a bug with spamassassin saying that
    > senderbase is bogus and ask that any senderbase rules in SA be
    > dropped.
    >
    > I don't know that spamassassin pays attention to senderbase; if not this
    > probably won't work. I say this, mostly joking, from my experience
    > with habeas. I have gotten spam on multiple occasions from senders that
    > are HABEAS_ACCREDITED_SOI, and complained to habeas - with absolutely
    > zero useful response. I filed a bug:
    >
    > https://issues.apache.org/SpamAssass...ug.cgi?id=5902
    >
    > and soon heard from habeas, who claimed that they revoked the listing of
    > that sender.
    >
    > I then got more spam from a different habeas-accredited spammer, and
    > complained privately to complaints@habeas.com, and heard nothing back.
    >
    > So the only rational conclusion seems to be that habeas accreditation is
    > bogus, and they only respond to public pressure. Perhaps that's not
    > true and I've been unlucky, but that's how it feels from my end.
    >


    After seeing similar spam from "accredited" senders, we disabled any
    score from the habeas rules long ago and have yet to notice any
    increase in FP (we have ~5000 fairly sensitive users who definitely
    let us know when things don't work as they want them to). I know
    of other sites that have disabled the habeas rules/score as well with
    similar results. IMHO, they are not worth scoring on since they
    obviously do accredit sites that send UCE. Does anyone see any
    benefit from using habeas? Does it outweigh the spam that gets
    through because of them?


  9. Re: senderbase rating - how to appeal?

    > On Fri, Sep 5, 2008 at 5:45 PM, Greg Troxel wrote:
    >


    > After seeing similar spam from "accredited" senders, we disabled any
    > score from the habeas rules long ago and have yet to notice any
    > increase in FP (we have ~5000 fairly sensitive users who definitely
    > let us know when things don't work as they want them to). I know
    > of other sites that have disabled the habeas rules/score as well with
    > similar results. IMHO, they are not worth scoring on since they
    > obviously do accredit sites that send UCE. Does anyone see any
    > benefit from using habeas? Does it outweigh the spam that gets
    > through because of them?
    >


    Considering that only spammers (er... 'email marketing companies') pay for
    habeas, we have set a POSITIVE score for habeas accredited spam. We track
    any FP right up front, track any rule in a fp (releases from amavisd-new
    managed quarantine), we use sa-learn.pl on shared imap folders, and let
    users drag 'not spam' and 'whitelist user' to a shared folder (and keep
    track of all fp rules), so far, three years, no user has dragged a habeas
    certified email into the false positive folders.

    (on the other hand, lots of fps last month on failed dkim messages. New
    messages from gmail not even being signed.. I wonder if gmail knows
    something broke lately in dkim).

    --
    Michael Scheidell, CTO
    >|SECNAP Network Security

    Winner 2008 Network Products Guide Hot Companies
    FreeBSD SpamAssassin Ports maintainer




  10. RE: senderbase rating - how to appeal?


    >
    > Considering that only spammers (er... 'email marketing companies') pay for
    > habeas, we have set a POSITIVE score for habeas accredited spam. We track
    > any FP right up front, track any rule in a fp (releases from amavisd-new
    > managed quarantine), we use sa-learn.pl on shared imap folders, and let
    > users drag 'not spam' and 'whitelist user' to a shared folder (and keep
    > track of all fp rules), so far, three years, no user has dragged a habeas
    > certified email into the false positive folders.
    >
    > (on the other hand, lots of fps last month on failed dkim messages. New
    > messages from gmail not even being signed.. I wonder if gmail knows
    > something broke lately in dkim).
    >
    > --
    > Michael Scheidell, CTO


    Michael,

    May we ask and know what you are setting those scores to please?

    -rh


  11. Re: senderbase rating - how to appeal?



    RobertH wrote:
    >
    > Michael,
    >
    > May we ask and know what you are setting those scores to please?
    >
    > -rh
    >
    >


    http://www.mail-archive.com/dev@spam.../msg25017.html
    (note, even after complaints above, habeas still claims 'secure
    referrals': proof I think that SA should lower these scores A LOT.)

    host 41.233.149.63.sa-accredit.habeas.com.
    41.233.149.63.sa-accredit.habeas.com has address 127.0.0.50


    * 10 to 39 : Personal, transactional, and Confirmed Opt In
    * 40 to 59 : Secure referrals and Single Opt In
    * 60 to 99 : Checked but not accredited by Habeas.

    HABEAS_ACCREDITED_SOI is 'opt in or better' (orig -4.3) their score 49-59.
    HABEAS_ACCREDITED_COI is 'accredited or confirmed opt in or better'
    (orig -8) their score 10-39

    https://issues.apache.org/SpamAssass...ug.cgi?id=5921

    since habeas does nothing about spammers, I set (including flags to take
    'nice' off)

    score HABEAS_ACCREDITED_SOI 2.5
    tflags HABEAS_ACCREDITED_SOI net

    score HABEAS_ACCREDITED_COI 0
    tflags HABEAS_ACCREDITED_COI net

    I added:
    score HABEAS_UNCONFIRMED 8.0
    tflags HABEAS_UNCONFIRMED net
    header HABEAS_UNCONFIRMED eval:check_rbl('habeas-firsttrusted', 'sa-accredit.habeas.com.', '127\.\d+\.\d+\.[6789]\d')


    even though spamassassin team says this is a habeas issue, there is
    enough documented proof that the only people who use habeas are email
    marketing companies, the very existence of an ip in the habeas network
    proves it is bulk email, commercial bulk email. the decision as to if
    your clients want (or should have) commercial bulk email is up to your
    TOS. If you are an ISP, you should NOT use these above rules if you
    have consumer clients. If you are the email administrator for a
    business, and your business forbids users to use their email address for
    personal use, then use them. If your marketing department has signed up
    for 'permission based email', have them whitelist the senders.

    Some might even use different tests to blacklist them at the MTA level,
    graylisting won't help, these come from 'real' mail servers.
    for postfix:
    smtpd_recipient_restrictions =
        {standard tests}
        reject_rbl_client sa-accredit.habeas.com

    --
    Michael Scheidell, President
    Main: 561-999-5000, Office: 561-939-7259
    > *| *SECNAP Network Security Corporation


    * Certified SNORT Integrator
    * Everything Channel Hot Product of 2008
    * Shaping Information Security Award 2008
    * CRN Magazine Top 40 Emerging Security Vendors
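
An added example, not part of the original post: how the `host` lookup above is formed and how the returned 127.0.0.x value maps onto the tiers the post lists, plus a check of which return values the HABEAS_UNCONFIRMED pattern accepts. The function names are hypothetical, no DNS query is made, and the pattern is tested as a whole-string match, which is an assumption about how the rule applies it.

```python
import re
from ipaddress import IPv4Address

ZONE = "sa-accredit.habeas.com."
# Tiers as listed in the post, keyed on the last octet of the 127.0.0.x answer.
TIERS = [
    (10, 39, "Personal, transactional, and Confirmed Opt In"),
    (40, 59, "Secure referrals and Single Opt In"),
    (60, 99, "Checked but not accredited by Habeas"),
]
# Sub-test pattern from the HABEAS_UNCONFIRMED rule in the post.
UNCONFIRMED = r"127\.\d+\.\d+\.[6789]\d"

def query_name(ip, zone=ZONE):
    """DNSBL query name: IPv4 octets reversed, then the list zone."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def tier(answer):
    """Map a returned A record to the post's tier text, or None."""
    packed = IPv4Address(answer).packed
    if packed[0] != 127:
        return None  # not a DNSBL-style loopback answer
    for low, high, label in TIERS:
        if low <= packed[3] <= high:
            return label
    return None

def matched_octets(pattern):
    """Last octets of 127.0.0.x that the rule pattern accepts."""
    rx = re.compile(pattern)
    return {n for n in range(256) if rx.fullmatch(f"127.0.0.{n}")}

if __name__ == "__main__":
    # 63.149.233.41 is the address implied by the host query in the post.
    print(query_name("63.149.233.41"))
    print(tier("127.0.0.50"))
    hit = matched_octets(UNCONFIRMED)
    print("pattern covers last octets", min(hit), "to", max(hit))
```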


