How does Google Mail classify spam emails?

 
 
nobody@nowhere.com
Guest
Posts: n/a

 
      11-15-2009, 08:43 AM
A lot of my emails end up in peoples' gmail spam boxes.

Spam classification has been a persistent problem although I have
never found my IP in any of the many blacklists.

I know my domain (peter2000.co.uk) is used by spammers a lot in forged
headers but so are countless others and no spam filter should work on
the domain name but on the IP.

Also my emails should not have obvious spam properties. I rarely
attach a GIF or a JPEG (the last one had a PDF attached) and all are
plain text. No HTML at all, ever.

I wonder if anybody has any ideas?

One possibility is that my antispam system is causing this. It is a
complex whitelist based system, using the open source TMDA
challenge/confirm software. Obviously all invalid usernames @ my
domain are rejected by sendmail (I run my own mail server, on a PC on
an ADSL line on a fixed IP which the ISP is adamant is not out of a
dynamic IP range), emails sent to specific usernames go straight in,
and email sent to the one default username gets challenged with an
email asking the sender to REPLY to it - unless on a whitelist or
containing any of a long list of keywords.

I know Spamcop used to run a deliberate policy of blacklisting all
mail servers that used the challenge/confirm system - presumably
because this competed with Spamcop's own commercial service, but does
Google do the same??

The last occurrence of this problem (with gmail) was with a
long-ago-whitelisted person so if google is doing this, it must be
doing it across many accounts.
 
Bob Eager
Guest
Posts: n/a

 
      11-15-2009, 09:19 AM
On Sun, 15 Nov 2009 09:43:38 +0000, nobody wrote:

> One possibility is that my antispam system is causing this. It is a
> complex whitelist based system, using the open source TMDA
> challenge/confirm software. Obviously all invalid usernames @ my domain
> are rejected by sendmail (I run my own mail server, on a PC on an ADSL
> line on a fixed IP which the ISP is adamant is not out of a dynamic IP
> range), emails sent to specific usernames go straight in, and email sent
> to the one default username gets challenged with an email asking the
> sender to REPLY to it - unless on a whitelist or containing any of a
> long list of keywords.


Is there:

a) a proper MX record for the mail server, not just an A record?
b) a PTR record corresponding to the A record which is pointed to by the
MX record?

In addition, does your server generate a real domain name on the outgoing
HELO/EHLO command?

--
Use the BIG mirror service in the UK:
http://www.mirrorservice.org

 
Spamtastic Spastic
Guest
Posts: n/a

 
      11-15-2009, 10:35 AM
On Sun, 15 Nov 2009 10:35:06 +0000, Mike Civil ate alphabet spaghetti and
shat out:

> If you're not already doing this it might be worth implementing DKIM to
> improve the trust-worthiness of your outbound mail. This can also be
> used to improve spam classification for inbound emails. If you check
> headers of emails coming from Gmail you can see they're using DKIM.
> Search Google for more info or have a look at :-
>
> http://www.dkim.org/
>
> and specifically :-
>
> http://www.dkim.org/deploy/index.html
>
> Mike


DKIM is a waste of time as implementation is sketchy.

The OP's MX dns records seem to contain partial bollocks, but are
complete:

ptr resolves to: kksystems.com. {mismatch, but has ptr}
spf is present: "v=spf1 mx a mx:zen.co.uk ?all"
and says that the mx is permitted to send for the domain
mail.peter2000.co.uk [82.153.174.150]
it also says the a record for peter2000.co.uk can send
[82.153.174.150]
along with ZEN's mx's
mailcluster.zen.co.uk. 10274 IN A 212.23.3.232
mailcluster.zen.co.uk. 10274 IN A 212.23.6.43
mailcluster.zen.co.uk. 10274 IN A 212.23.6.48
mailcluster.zen.co.uk. 10274 IN A 212.23.6.51
mailcluster.zen.co.uk. 10274 IN A 212.23.6.52
mailcluster.zen.co.uk. 10274 IN A 212.23.3.24

The only block list the IP appears on is l2.apews.org. Nobody in their
right mind uses that, but it *may* make up a part of the aggregate score
used by some blocking systems. I'm a Zen customer and I can assure you
that *my* ip blocks are also l2 listed with apews but it gives me *no*
issues at all.

If your mail is ending up in a spam bin it's either the mismatch in PTR
(unusual - but not impossible. Missing PTR being a much bigger issue),
you are not sending from the IPs shown in the SPF or the content you are
sending is scoring high.


--
political correctness: The safety net protecting deaf blind disabled
ethnic minority gays & lesbians with odd religious beliefs from reality
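
The MX/PTR/HELO questions and the SPF reading in the two replies above can be checked mechanically. The following is an added example, not code from any poster: it evaluates the quoted SPF record against the records quoted in the thread, held in a dict so it runs offline. The MX host names are taken as the post implies them, and the HELO name passed to `ptr_status` is an assumption.

```python
import ipaddress

# Records as quoted in the post above (real lookups would use DNS; the PTR is
# keyed by IP here for brevity). Held in a dict so the example runs offline.
ZONE = {
    ("peter2000.co.uk", "TXT"): ["v=spf1 mx a mx:zen.co.uk ?all"],
    ("peter2000.co.uk", "MX"): ["mail.peter2000.co.uk"],
    ("peter2000.co.uk", "A"): ["82.153.174.150"],
    ("mail.peter2000.co.uk", "A"): ["82.153.174.150"],
    ("zen.co.uk", "MX"): ["mailcluster.zen.co.uk"],
    ("mailcluster.zen.co.uk", "A"): ["212.23.3.232", "212.23.6.43", "212.23.6.48",
                                     "212.23.6.51", "212.23.6.52", "212.23.3.24"],
    ("82.153.174.150", "PTR"): ["kksystems.com"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return ZONE.get((name.rstrip(".").lower(), rtype), [])

def a_addrs(name):
    return {ipaddress.ip_address(a) for a in lookup(name, "A")}

def mx_addrs(domain):
    return set().union(*(a_addrs(h) for h in lookup(domain, "MX")))

def check_spf(ip, domain):
    """Evaluate the mechanisms this record uses (mx, a, all); others -> permerror."""
    ip = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "permerror" if records else "none"
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in a_addrs(target)
        elif mech == "mx":
            matched = ip in mx_addrs(target)
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term

def ptr_status(ip, helo_name):
    """'missing' if no PTR, 'match' if a PTR name equals the HELO name, else 'mismatch'."""
    names = [n.rstrip(".").lower() for n in lookup(ip, "PTR")]
    if not names:
        return "missing"
    return "match" if helo_name.rstrip(".").lower() in names else "mismatch"
```

Because the record ends in `?all`, an address outside the listed hosts evaluates to neutral rather than fail, so this SPF policy authorises the listed servers but does not tell receivers to reject forged mail from elsewhere.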
 
Spamtastic Spastic
Guest
Posts: n/a

 
      11-15-2009, 11:08 AM
On Sun, 15 Nov 2009 11:49:49 +0000, Nick ate alphabet spaghetti and shat
out:

> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>
>> I know Spamcop used to run a deliberate policy of blacklisting all mail
>> servers that used the challenge/confirm system - presumably because
>> this competed with Spamcop's own commercial service, but does Google do
>> the same??

>
> Good for Spamcop.
>
> Challenge/confirm is crap. It wastes time & bandwidth & is blocked by
> many admins.


It can also be used as a nasty backscattering piece of shit if hit right.
Spammers can actually *stage* attacks using it. (E-Mail Removed) is
one such example {ironic, given the general spamming nature of hostgator -
aka 'the planet'}


--
political correctness: The safety net protecting deaf blind disabled
ethnic minority gays & lesbians with odd religious beliefs from reality
 
nobody@nowhere.com
Guest
Posts: n/a

 
      11-15-2009, 12:13 PM

"Nick" <127.0.0.1> wrote

>
>
><(E-Mail Removed)> wrote in message
>news:(E-Mail Removed).. .
>>
>> I know Spamcop used to run a deliberate policy of blacklisting all
>> mail servers that used the challenge/confirm system - presumably
>> because this competed with Spamcop's own commercial service, but does
>> Google do the same??

>
>Good for Spamcop.
>
>Challenge/confirm is crap. It wastes time & bandwidth & is blocked by many
>admins.
>
>Go to news.admin.net-abuse.email & say "what do you think of
>challenge/confirm" then wait to get your ear bent.
>
>The spammers are trying all day long to hit my mail server, but I use a few
>good blocklists + spamassassin + a well trained Bayesian filter, result, I
>haven't had any spam get through on any of my accounts for 6 months - a year.
>
>There is no need for challenge/confirm.


The above is OK so long as you are not running a business where you
want to be 100% sure that a previously unknown potential customer's
email will reach you.

All filters that are effective in blocking today's fairly clever spam
will also lose a % of emails.

I used to run Mailwasher with about 50 filters which one could load
into it, and it dumped quite a few legit emails.

Spam filters are OK for personal users who don't care if the
invitation for a beer is dumped, and they are OK for anonymous large
corporations who don't reply to most emails anyway.

But for a small business it is a poor solution.

Thank you all for the tips - I am passing them to the chap who looks
after the email server.

One thing we haven't got is something that recognises an email attack
i.e. more than say 10 emails from the same IP within the past hour,
and blocks that IP for say 1 week. Apparently, there is no easy way to
implement that. But it may be worth doing. The thing is it can't be
done in the server firewall because the server also does www. It would
need to be a sendmail plugin.
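
The policy described in the last paragraph of this post (more than 10 messages from one IP within an hour, then a one-week block) comes down to a sliding-window counter per IP. The following is an added example, not code from the thread or from sendmail: it models only the bookkeeping, leaves the hook into the mail server out, and the class name, the allowlist parameter and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

HOUR, WEEK = 3600, 7 * 24 * 3600

class SenderThrottle:
    """Block an IP for `block_for` seconds once it exceeds `limit` messages per `window`."""

    def __init__(self, limit=10, window=HOUR, block_for=WEEK, allowlist=()):
        self.limit, self.window, self.block_for = limit, window, block_for
        self.allowlist = set(allowlist)      # peers that are never throttled
        self.recent = defaultdict(deque)     # ip -> timestamps inside the window
        self.blocked_until = {}              # ip -> time the block expires

    def allow(self, ip, now):
        if ip in self.allowlist:
            return True
        if now < self.blocked_until.get(ip, 0):
            return False
        self.blocked_until.pop(ip, None)     # block expired, if there was one
        stamps = self.recent[ip]
        while stamps and stamps[0] <= now - self.window:
            stamps.popleft()                 # forget messages older than the window
        stamps.append(now)
        if len(stamps) > self.limit:         # "more than 10 ... within the past hour"
            self.blocked_until[ip] = now + self.block_for
            del self.recent[ip]
            return False
        return True

def replay(events, **kwargs):
    """Run (timestamp, ip) pairs through a fresh throttle; return the decisions."""
    throttle = SenderThrottle(**kwargs)
    return [throttle.allow(ip, ts) for ts, ip in events]

# Constructed sample: one peer sends a message a minute, another one every 400 s.
BURST = [(60 * i, "203.0.113.7") for i in range(12)]
STEADY = [(400 * i, "198.51.100.4") for i in range(12)]
```

The allowlist is there because a flat per-IP limit also catches large shared relays that legitimately deliver many messages an hour from one address.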
 
David
Guest
Posts: n/a

 
      11-15-2009, 12:37 PM


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> A lot of my emails end up in peoples' gmail spam boxes.
>


You appear to have received many technical replies which I'm not capable of
giving. I too found good mail was not reaching me when I downloaded from
Google Mail into Windows Live Mail. So I stopped Googlemail filtering and
I let WLM sort things. One of my addresses is in a bad way so I Mail Wash
that one first.

--
Regards,
David

FREESAT HD as it is now it is a joke.

 
Oddi
Guest
Posts: n/a

 
      11-15-2009, 01:02 PM
On Sun, 15 Nov 2009 11:35:43 +0000 (UTC), Spamtastic Spastic
<(E-Mail Removed)> wrote this:

>political correctness: The safety net protecting deaf blind disabled
>ethnic minority gays & lesbians with odd religious beliefs from reality


What about hump backs who aren't deaf blind disabled nor belong to
ethnic minority gay groups with odd religious beliefs!?

..
--------------------------
The Internet will become the
Sacred Sanctuary for Nutters and Idiots.
(Michel Nostradamus, December 14, 1503, July 2, 1566).
--------------------------
 
Spamtastic Spastic
Guest
Posts: n/a

 
      11-15-2009, 01:40 PM
On Sun, 15 Nov 2009 14:10:13 +0000, kraftee ate alphabet spaghetti and
shat out:

> "Oddi" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> On Sun, 15 Nov 2009 11:35:43 +0000 (UTC), Spamtastic Spastic
>> <(E-Mail Removed)> wrote this:
>>
>>>political correctness: The safety net protecting deaf blind disabled
>>>ethnic minority gays & lesbians with odd religious beliefs from reality

>>
>> What about hump backs who aren't deaf blind disabled nor belong to
>> ethnic minority gay groups with odd religious beliefs!?
>>
>> .
>> --------------------------
>> The Internet will become the
>> Sacred Sanctuary for Nutters and Idiots. (Michel Nostradamus, December
>> 14, 1503, July 2, 1566). --------------------------

>
> I'm sure Mr. SS could be all inclusive if you so wished


LOL, they inherit from the parent class {disabled}....

--
political correctness: The safety net protecting deaf blind disabled
ethnic minority gays & lesbians with odd religious beliefs from reality
 
nobody@nowhere.com
Guest
Posts: n/a

 
      11-15-2009, 04:27 PM

"Nick" <127.0.0.1> wrote

>
>
><(E-Mail Removed)> wrote in message
>news:(E-Mail Removed).. .
>>
>>
>> The above is OK so long as you are not running a business where you
>> want to be 100% sure that a previously unknown potential customer's
>> email will reach you.

>
>If they are sending mail from known spammer addresses, dynamic IPs, etc, I
>wouldn't want their mail. Spamhaus.org Sorbs.net etc make short work of
>killing that crap.


With respect I am glad you are not in charge of my business
communications, for I would not want you to tell a perfectly decent
potential customer of mine (whose email system happens to be not
favoured by Spamhaus etc) that I don't want his £10,000 order.

The reality of email is that, for any international business which has
a properly managed customer interface and thus *wants* to hear from
*all* genuine people, traditional spam filtering is not a solution.

On a tangent, one can achieve a relative freedom from spam very
easily, by having fairly non-obvious sendmail usernames e.g.
(E-Mail Removed). The spam issue arises if you want to
publish something general like (E-Mail Removed). I don't actually do
that but I do have sales2@ on the company website, as a graphic (thus
vulnerable only to harvesters who use OCR, or to contacts with
trojan-infected PCs which is something that happens to all normal
people eventually).

The domain I mentioned in my original post has just one username which
causes the spam problem, at a rate of about 1000 per day. The username
is a fairly standard first name, and I can't really get rid of it, or
add "2" to it. If I didn't antispam it somehow, I would get the 1k
spams sent to it and then would be relying on Mailwasher etc which I
know is crap because I did that for quite a while.

I do actually publish an email address on a website on that domain,
for the initial contact, presented as a graphic, and that one is not
antispammed. The username is a name ending in a 3 digit number and I
find it lasts for about a year at a time, which is fine.

Blacklists like spamcop are not good either. We have found that while
hooking sendmail into spamcop reduced the TMDA challenges by about
75%, which *is* good, it also causes a lot of genuine senders to be
blocked. In particular much of say South America is habitually
blacklisted by spamcop, which is really crap but it perhaps reflects
the arrogance of so many Western and esp. American firms. And one
cannot implement a whitelist because the spamcop filtering works at
the sendmail connection level and there is no way to whitelist the
sender before that point.

>> All filters that are effective in blocking today's fairly clever spam
>> will also lose a % of emails.

>
>Anything that looks like spam, that makes it through the blocklists, is
>checked by Spamassassin & the Bayesian filter, & if they fail, they are
>dumped in a spam folder, so can be recovered if need be.


I'd like to know how an email offering v*agra, with 4 lines of
genuinely sounding text content, and with the product offering totally
within an attached GIF, is going to be identified as spam. You would
have to OCR it, but even then the spammers use corrupted words.

We found, at one point, that dumping all emails that have a GIF
attachment (a trivial exercise, by scanning the email for the MIME
encoding keyword) would be extremely successful. The slight problem
was that a lot of people email on the "company letterhead" which is,
you've guessed, a GIF!

>> I used to run Mailwasher with about 50 filters which one could load
>> into it, and it dumped quite a few legit emails.

>
>The ONLY dumped legit emails recently, were from a misconfigured server, i.e.
>one firm had a mail host called wxyz.corp instead of wxyz.com


There are loads of such firms, probably. Very few IT managers know
what they are doing, down to this level. But I still want their
business.

>> Spam filters are OK for personal users who don't care if the
>> invitation for a beer is dumped, and they are OK for anonymous large
>> corporations who don't reply to most emails anyway.

>
>See above. Emails get through.
>
>> But for a small business it is a poor solution.
>>
>> Thank you all for the tips - I am passing them to the chap who looks
>> after the email server.
>>
>> One thing we haven't got is something that recognises an email attack
>> i.e. more than say 10 emails from the same IP within the past hour,
>> and blocks that IP for say 1 week. Apparently, there is no easy way to
>> implement that. But it may be worth doing. The thing is it can't be
>> done in the server firewall because the server also does www. It would
>> need to be a sendmail plugin.

>
>God, what crap are you using. My server software does, mail, ftp, www,
>webmail. It blocks IPs on mail if they try directory attacks (more than a
>certain amount of tries on an IP), blocks ftp if 10 incorrect passwords are
>tried.


Can you tell me what tool you use and I will pass it on. I'd like to
see this done myself.

>On challenge/confirm, who/where do you send the challenge to ??


To the From: address. Yes, not very satisfactory. But about 99% of
those are fake anyway, and don't get delivered anywhere. So the number
that get delivered to *real* (but forged) addresses is perhaps dozens
per day, which should not be a problem.
 
Spamtastic Spastic
Guest
Posts: n/a

 
      11-15-2009, 04:59 PM
On Sun, 15 Nov 2009 17:27:35 +0000, nobody ate alphabet spaghetti and shat
out:

>>If they are sending mail from known spammer addresses, dynamic IPs, etc,
>>I wouldn't want their mail. Spamhaus.org Sorbs.net etc make short work
>>of killing that crap.

>
> With respect I am glad you are not in charge of my business
> communications, for I would not want you to tell a perfectly decent
> potential customer of mine (whose email system happens to be not
> favoured by Spamhaus etc) that I don't want his £10,000 order.


If your customer had £10k to spend, he would have a properly set up
server and *not* be a spammer. Spamhaus have a near zero false positive
rate. That said, spammers have lots of money, so perhaps *your* 10K order
may be coming in from a spammer...

> Blacklists like spamcop are not good either. We have found that while
> hooking sendmail into spamcop reduced the TMDA challenges by about 75%,
> which *is* good, it also causes a lot of genuine senders to be blocked.


Bollocks - you are talking out of your arse. You been sniffing glue or
just been listening to 'bloke down the pub says'...

> In particular much of say South America is habitually blacklisted by
> spamcop, which is really crap but it perhaps reflects the arrogance of
> so many Western and esp.


More bollocks.
So much spam comes out of South America it's almost a joke. Notably
Brazil, Argentina and Colombia. However, the majority of reputable block
lists block on an individual IP basis. It's not the fault of the rest of
the world that South American ISPs cannot deal with their spamming
customers. Even the maddest block list, UCEProtect, does *not* block on
country at level1. It may list blocks at level 2 and level 3 - but most
mail admins would use L1 only.

There are well known spam filters out there that give the user the option
to block, at IP level, countries and regions they don't do business with
or ship to. It's perfectly legitimate. My own mail server only allows
connections from the UK and that is legitimate for my needs. It's not a
one size fits all answer.

The rest of the post is mostly drivel and not worthy of comment.




--
political correctness: The safety net protecting deaf blind disabled
ethnic minority gays & lesbians with odd religious beliefs from reality




