>"Peter" <occassionally-(E-Mail Removed)> wrote in message
>news (E-Mail Removed)...
>>I have for a long time had a problem with emails to certain people
>> going missing, or ending up in their Spam folders.
>>
>> I suspect that somehow the IP of my SMTP server (which is a PC running
>> on a fixed IP on a business account from Eclipse) is getting
>> blacklisted.
>>
>> However, none of the various IP blacklists (mentioned here and
>> elsewhere) have ever shown that IP as being blacklisted.
>[snip]
>> Some recipients get my emails but they are marked [SPAM] or "Spam
>> score x.x" in the subject header - obviously by their ISP. Yet these
>> can be really innocuous brief emails.
>>
>> I wonder what is the best way to get to the bottom of something like
>> this?
>
>Anti-spam tools usually add details of how they computed the spam score to
>the headers of the email - getting hold of some examples is probably the
>best way to get to the bottom of the matter. If you are not sure how to
>interpret them, post here - you can remove the subject and local parts (bit
>before the @) of any email addresses. That said...
>
>From what you say, it probably isn't the case, but worth double-checking
>that your server is not an open relay.

I am as sure as I can be. We use SMTP AUTH only, and the password is
nontrivial, and the logs have been checked fairly regularly. We see
loads of hacking attempts...

>I run a mail server on a home Eclipse connection with static address with no
>such problem (at least, as far as I know). However, I have two connections
>with static addresses: the one with the email server, which I have had for
>several years, clearly has an address from a static pool whereas this is not
>clearly the case for the other one (ie it may just be a fixed address from a
>pool used for both static and dynamic addresses). So it's possible that your
>address appears in "dynamic IP" lists - and you just haven't found which
>one(s).

I have never found any of these mysterious lists - this would be
highly interesting and relevant.

I have always suspected Eclipse allocate their 'fixed' IPs from a
dynamic pool, but one cannot get hold of anybody there who sounds like
they know what they are talking about. They don't provide access to
another level of tech support, no matter how hard I have tried.

>Eclipse don't appear to assign any reverse DNS by default which may cause a
>slight spam weighting but not as much as a mismatch. As Chip suggested, make
>sure you have reverse DNS set up (I can do this via the website, probably
>the same for you) to the name your mail server uses when it says HELO/EHLO.

I got them to add reverse DNS - no problem. They seem to be used to
such requests.

>If you have good control over DNS records and your server sends mail with
>addresses in domains you own, you could add SPF records for the domains (see
>http://www.openspf.org/).

We have done SPF.

I don't think SPF can be used by any ISP as a definitive spam
indicator because currently so few people use SPF. Also the larger
ISPs have a number of SMTP server IPs so their SPF records will be
quite comprehensive, or perhaps they set them up dynamically as they
switch from one server to another...

>Routing all mail through Eclipse's SMTP server(s) will likely avoid the
>problem. For a bit more effort, routing "problem domains" only will also
>likely avoid the problem whilst introducing minimal dependency on Eclipse's
>server(s).

We used to do that for a year or two. Sendmail was configured to
forward all emails to Eclipse's SMTP server, and it was done precisely
to avoid those mysterious 'dynamic IP pool' blacklists.

Unfortunately we had a bit of a problem with Eclipse. We get about 20k
incoming email spams a day. About 18k of those are rejected at the
connection level (not in sendmail user table), leaving 2k which are
received. Of these 99% are spam. We dump about 3/4 of them on keywords
("medication, viagra, v1agra" etc etc). The rest, a few hundred per
day, are to valid usernames. Those on a whitelist (all contacts going
back to 1995, including all those we email *to*) and ones with
whitelist keywords (product names etc) go through. The remainder (a
few hundred per day) are challenged with an email asking the sender to
REPLY to it.

Now, there is a possible problem here. Those challenges are sometimes
classified as spam at the receiving end, and (apart from the sender
not seeing them, which is a pain) this could place us on a blacklist.
I have also read that Spamcop deliberately target IPs that carry
challenge/response antispam measures, presumably for commercial
reasons as Spamcop offer an antispam service. But our IP has never
been seen on Spamcop's public blacklist....

Anyway, a few hundred challenges per day going out via Eclipse is
nothing. Unfortunately, very occasionally, one of the constant spam
attacks succeeds in stumbling across one of the valid usernames and
hits us with 10k emails. We then send out 10k challenges... and
Eclipse cuts off the connection if you do that.

We should have a more intelligent system here, like scanning sender
IPs and if we get a flood from the same IP, the whole lot can
obviously be dumped. Unfortunately I don't understand FreeBSD/sendmail
myself and I am relying on a friend who does this part time, a few
hours per week, and all previously suggested solutions to this would
take much longer to implement than he has time.

Also Eclipse have significant downtimes on their servers. Their ADSL
connection occasionally changes the IP, killing everything at this
end for a few hours, and they put a recorded message on their phone
lines telling people to reset their routers etc. But their SMTP/POP
servers are down much more often than ADSL itself.

I could use Zen who are much better but I already use Zen at home
where I have a backup server, rsynced from the office one at night.
One should not have the same ISP for main and backup...

Sorry for the long description.

If there is some simple FreeBSD firewall or sendmail add-on which
would identify a flood from the same IP and dump it all, that might
help. Whether we would want to go back to Eclipse's SMTP server I
don't know though, because we had the same missing email problem with
that - their server seems to get blacklisted quite often.
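
The per-IP flood check asked for at the end of this post can be sketched as a sliding-window counter over sendmail `from=` log lines; this is an added example, not code from the post or from sendmail. The log lines are constructed, and the function names, the `limit` of 5 and the 60-second `window` are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the syslog timestamp, envelope sender and relay IP of a "from=" line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*\bfrom=<(?P<sender>[^>]*)>.*"
    r"\brelay=.*\[(?P<ip>[0-9a-fA-F.:]+)\]"
)

def parse(line, year=2024):
    """Return (timestamp, relay_ip, sender), or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["sender"]

def triage(lines, limit=5, window=timedelta(seconds=60)):
    """Decide per message whether to send a challenge or drop it silently.

    An IP that delivers more than `limit` messages inside `window` is treated
    as a flood source; every later message from it is dropped, so a 10k burst
    costs at most `limit` outgoing challenges instead of 10k.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flooding = set()
    decisions = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, sender = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            flooding.add(ip)
        decisions.append((ip, sender, "drop" if ip in flooding else "challenge"))
    return decisions

def sample_log():
    """Constructed input: 8 messages in 8 seconds from one IP, 1 from another."""
    fmt = ("Mar  3 10:15:{:02d} mail sm-mta[411]: q{:04d}: from=<u{}@example.net>, "
           "size=900, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[203.0.113.7]")
    lines = [fmt.format(s, s, s) for s in range(8)]
    lines.insert(3, "Mar  3 10:15:02 mail sm-mta[412]: q9001: from=<a@example.org>, "
                    "size=700, nrcpts=1, proto=ESMTP, daemon=MTA, "
                    "relay=mx.example.org [198.51.100.20]")
    return lines
```

The same decision list could feed a firewall block table or simply gate the challenge sender; how it is wired into the mail flow depends on the local setup.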