Our official policy on RBL/blacklists
With more and more misconfigured mail servers generating junk rejections we felt it was time to discuss our official policy on realtime blacklists (RBL) and the extent to which we support them.
First of all, all Own Web Now Corp mail servers and every piece of mail leaving our network is scanned for SPAM, Viruses, malware and just about everything we scan inbound mail for we also scan outbound mail for. We do not allow open/blind relaying, we disinfect anything dangerous and take every precaution to keep dangerous content off the Internet. However, from time to time something may slip. Clients still get infected with viruses, clients still use weak passwords or their systems that open up their infrastructure to worms and mail blasts, stuff happens.
OWN Network Operations monitors network activity and RBL lookups 24/7/365 and if there is an item that slipped our post and made it into an RBL (it usually takes just one piece) we immediately quarantine the user and request removal. We monitor over 100 RBLs and immediately act to make sure none of your mail is returned or bounced.
However, as more and more mail server administrators lose control over their servers, they start implementing policies that affect the ability to deliver legitimate mail to them. Because some of the best RBLs are also commercial some users stoop to stealing DNS RBL zones, longer RBL lookup caching to avoid being rate-limited and kicked off the free service, or their mail servers simply have no resources to fight with the SPAM.
Because our servers act as a transparent stateful proxies, meaning that we deliver your mail on your behalf, if there is a time that we have to return the message you will see outbound.exchangedefender.com as the server providing information on why the message was returned. This does not mean that outbound.exchangedefender.com rejected your message, it is simply quoting the error it received from the remote server.
Own Web Now Corp does not have control of the remote servers, it usually does not have a relationship or contact information for neither the sending server (you) or the recipient (where you are sending mail) so we are unable to help with any rejections that happen outside of the generally accepted rules and protocols around mail delivery. If the mail server on the other side didn’t implement their RBL directives correctly, if they are overloaded, if they manually chose to program in a configuration to reject your mail or anything out of the normal course of server management – we can’t help.
If you are seeing sources that are not adhering to these generally accepted rules such as quoting why the IP was blocked or message returned, we recommend you remove outbound.exchangedefender.com from your smarthost configuration and route messages to them directly. If that fails as well, try to contact the mail server administrator if you can locate their contact information. If you are tech savvy, you can create an SMTP connector for a given address space and route mail for particular domains directly to their mail servers, bypassing ExchangeDefender outbound proxies completely.
Just to repeat, we constantly monitor network traffic and actively keep our servers off RBLs that you can find at www.dnsstuff.com. We do everything in our power to assure mail delivery but if the configuration change on the remote end specifically interferes with that delivery that is the place you need to contact and find a way to get mail from your network delivered to theirs.
When [SPAM] and [SureSPAM] slide through
Lately we have been fielding a lot of questions about why [SPAM] and [SURESPAM] messages keep on sliding through to the end users. We have also seen a lot of activity with users complaining about SPAM making it to them uninterrupted when it comes from an email address within their domain. Here is the problem:
In nearly all cases that we investigated, the user actually whitelisted their own domain or their own domains email address.
Why would this happen? Well, users tend to scan messages and look for familiar names and subjects. When they encounter something they recognize, like an email address from their colleague or from themselves, they trust the sender. When they trust the spoofed address, all future mail comes through, causing frustration for everyone involved.
Advise your users not to trust their own email address space when it shows up in ExchangeDefender SPAM reports. ExchangeDefender only intercepts messages going in and out of the organization, it does not filter internal messages. Any mail with the domains address space caught by ExchangeDefender is highly likely to be spoofed.
Of course, usage and configuration of ExchangeDefender is up to you, we make the product flexible enough to allow you to set your own policies. But blindly trusting entire domains and mirrored trust sets (from exchangedefender.com to exchangedefender.com for example) will only let dangerous items through. Consider tightening up the ship if you are seeing ExchangeDefender starting to slip, our metrics show that our detection rate keeps on going up as both volume and percentage.
As always, thanks for letting us clean your mail.
Shockey Monkey 2 Beta Launched
Shockey Monkey 2.0 Beta (build 1.9.21) was upgraded on all portals last night and is fully supported by Own Web Now Corp as mentioned last week. We anticipate this beta interval to last roughly one month with most attention being paid to the sensible integration of all the Shockey Monkey features.
There are two threads activated specifically for build related bugfixes and feature requests. Simply login to https://support.ownwebnow.com and paste either shortcut to join the active development of the PSA system designed specifically for the needs of the small business specialists.
Roadmap: Once the beta is completed in late May, Shockey Monkey signup forms will be available on the homepage. In the meantime, Shockey Monkey is in a closed beta and only available to our valued partners that make it possible for us to build these solutions.
So join in on the fun and help us design something uniquely suited to your business. OWN is a dedicated partner company.
Sincerely,
Vlad Mazek, MCSE
CEO, Own Web Now Corp
Shockey Monkey 2 Official Support
Starting May 1, 2008, Own Web Now Corp will officially support Shockey Monkey 2.0 beta and further releases over the phone during business hours and over the web 24/7/365 as with all our other products. The support will be free and unlimited, a PSA first, and will not require extended support contracts that are a norm for this type of an application. We are also offering a 24 hour SLA, meaning your case will be assigned, processed and worked on within 24 hours of opening the case.
Scope of Support
Technical support will be limited to the use of the product as documented, installation and configuration, third party software integration and basic configuration troubleshooting. Any bugs or feature requests are not covered under the scope of support as they require development, testing, analysis, documentation and deployment management and will be handled by teams other than support. Should you encounter a bug or can think of a great feature, click on the Development tab in our system and provide a bug or a feature. If you create a support request that is a bug or a feature request we will move the support request to the feature request or bug sections of our portal on your behalf.
For support, https://support.ownwebnow.com
New ExchangeDefender outbound servers
With ExchangeDefender 4.x infrastructure already in place on the inbound servers, we are moving our focus to the implementation of ExchangeDefender 4.x on the outbound servers. The new systems will go into production this weekend, April 5-6, and will feature new IP address relay servers:
outbound1.exchangedefender.com 65.99.255.236
outbound2.exchangedefender.com 65.99.255.232
This is the same IP range that is currently in use so you should not have to make any modifications or changes to your systems. Everything will just work transparently.
If you are currently using SPF, which we do not recommend, you will have to adjust it to include the new IP addresses. For illustration purposes, here is a look at the possible SPF record:
domain.com = “v=spf1 ip4:65.99.255.236 ip4:65.99.255.232 ip4:65.99.192.8 ip4:65.99.192.91 a:outbound.exchangedefender.com -all”
This record will restrict relaying for domain.com to ExchangeDefender outbound servers only (naturally you should include your own IP as well for non-smarthosted deliveries) but the above should get you started.
We don’t expect any issues as the new system has been in beta testing for a few months with no significant problems. Performance, logging, reporting and enforcement functionality that it delivers are far beyond comparison with the current service so we are really looking forward to it!
Want to hear what we are up to?
Join Vlad Mazek, Own Web Now Corp CEO for a chat with Karl Palachuk of KP Enterprises at about noon today (Eastern -5:00 GMT) for a discussion about SMB technology and where OWN solutions fit in it as well as the road ahead:
Wednesday, March 26th
9:00 AM Pacific Time Zone, Noon EST
– Dial (319) 279-1000 (U.S. phone number)
– Your participant passcode is 1024518.
– This call is limited to the first 300 attendees.
ORDB no longer exists
Generally we reserve network events and alerts for our Network Operations site but the volume of support regarding this single issue has prompted us to post it here. I hope you are not offended by the technical information regarding a third party service that may not affect you.
In the old, dark ages of Internet when ExchangeDefender grew out of the primordial stew, people used connection-based filtering to blindly reject content using nothing but faith in the independent listing service. One of the popular realtime blacklists (RBL) was ORDB and it was a database of mail servers that were open relays. These servers could be used by anyone, without authentication of any sort, to send SPAM content all over the Internet.
In December of 2006, ORDB went offline.
On the morning of March 25, 2008 relays.ordb.org came back online, blacklisting everything. How, why, when and so on are not important, the only relevant task here is to stop using this RBL. If you receive the following context error, the remote server is still using ORDB to detect SPAM and it is dropping all your inbound mail:
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< outbound.exchangedefender.com #5.0.0 SMTP; 530 Recipient refused. Open relay found, refer to http://www.ordb.org/lookup/?host=65.99.192.91>”
If you use Exchange 2003 Service Pack 2 you can quickly remove ORDB from your RBL query list by opening up Exchange System Manager, navigating to Global Settings, right clicking on Message Delivery and selecting properties. On the Connection Filtering tab you will find the RBLs you currently query. If you are protected by ExchangeDefender, this list should be blank. If you use a mail server other than Exchange consult your vendor.
I hope you have a wonderful day and thank you for letting us manage your SPAM so you don’t have to deal with the above every day 🙂 Thank you for your business.
Vlad Mazek
The New Soul of ExchangeDefender
At times in software development it becomes easier to make little optimizations to the process so long as the processing power becomes more affordable and available. Then one day you look up from what you’ve built on your monitor and see a wall of lights, indicators, pie charts and trends that use pretty pictures and colors to paint the portrait of the complexity that manage all the “little” issues you didn’t fix along the way. We are happy to report that after working around the clock for weeks we have regained a lot of control and a wall!
The story of ExchangeDefender is pretty simple. In the 90’s, we could not keep our Exchange servers up, fighting with relaying, viruses, hackers and platform instability became a daily frustration. So we figured, “Let’s put a box in front of it to just scan the junk and pass on valid stuff to Exchange” and it worked. The little AMD K5-100 workstation with an IDE hard drive and McAfee virus scanner did enough to keep our Exchange infrastructure running. Fast forward 12 years, the rise of SPAM, the rise of Malware, the pdf spam, the composite jpg spam, the rise of botnets and we have the ExchangeDefender of today, a 2,800 server network spread over 26 data centers and a full shift dedicated to just racking the new hardware and provisioning new nodes as our company and our load grow.
With data center space starting to shrink, power demands growing, power cost growing and the trend of SPAM increases turning vertical, we had a choice: change the way we manage SPAM flow or start breeding hamsters to generate power. Since nobody volunteered to clean the cage, we changed the way content is passed through and into our network.
The Old Way
Messages were accepted and scanned in the order they arrived with no bias shown for RBLs, origin or content. We took the message, checked it, and if it was clean we delivered it. With the SPAM loads constantly over the 95% range, legitimate messages had a 95% chance of being scanned with less urgency than their SPAM counterparts. To further complicate the issue, we scanned all messages equally: SPAM checks, heuristics, viruses, RBL presence, message integrity, the works. This created an immense demand for processing power, storage and network capacity.
Simply put, imagine a window of one second during which 10 messages were received and scanned sequentially from first to last. If the clean message was message #1, no worries. But if it was #10 in the scanning order it would have to wait for us to check for every minor chance that the nine messages before it had content anywhere from a pharmaceutical ad to banking fraud.
The New Way
We first changed the way we rely on our extensive knowledge of SPAM sources and senders and we created a system in which a bias is placed on messages coming from reputable senders. RBLs and statistical models are not perfect, that is why we will never bounce or delete an incoming messages without 100% certainty. Legitimate organizations can end up on RBLs from time to time, etc. But if we received over a million SPAM messages from a host in China with no reverse DNS, why should we treat the message #1,000,0001 from the same IP address with the same priority as the messages from hosts that constantly deliver legitimate mail that our users want to read? The good news is, we no longer do because messages are prioritized well before they hit the beef of ExchangeDefender.
Over the past month we have implemented a new SPAM filtering traffic shaping process that takes messages from known SPAM sources and puts them into a low priority queue to be scanned with far less of our arsenal than the messages from sources that are not as proven of SPAM heavens. So if you’ve mismanaged your infrastructure enough to end up in SpamCop, SpamHaus, SORBS, have an open relay, no reverse DNS the only thing we need to know is if the recipient trusts you. If they don’t, store/drop/delete, if they do, we scan for viruses, complex checks, custom filters and more.
This system allows us to enhance our scrubbing of unknown mail and keep you safe from more innovative threats while keeping SPAM stored just in case. Messages will still be accessible, still scanned. This new process shifts the burden of mail server management on the sender to keep their infrastructure in check while improving the security of our recipient customer. The era of trust on the Internet is long gone, mail servers that are mismanaged to the extent that they spew millions of SPAM messages, viruses and malware cannot be trusted not to have their logs scanned and malware routes replicated through the social means of replaying legitimate mail traffic to bypass filtering systems.
The Story So Far
So far, we have been able to improve nearly all tracked metrics of ExchangeDefender.
The level of SPAM detected is way up. The level of false positives (messages ExchangeDefender thought were SPAM but were released from quarantines by end users) is way, way down. The latency in delivery, scanning and processing are way down. Nearly everything we do has significantly improved over the past few weeks and while it took an enormous amount of hard work we feel it leaves the Internet a safer place for our clients and a far less profitable or even viable business for spammers.
Results
We have done our way to make sure the messages you receive get to you faster, safer while reducing the time needed to manage whitelists, review junk folders or worry about non-receipts. Our support has reflected this as well, despite February being the strongest sales month on record for ExchangeDefender, ever, we have had less support requests, ever!
Now, after a little deserved break, we turn to ExchangeDefender 4.x and think of ways we can use the new savings to make our service work for you even better.
As always, thank you for your business and thank you for trusting us to keep your inbox clean.
Update on ExchangeDefender Maintenance
Generally we keep ExchangeDefender maintenance on the NOC site but due to the extent of the maintenance done we felt it was important to place it here as well. Over the past 12 hours we have conducted urgent maintenance on the following systems:
- ExchangeDefender reporting servers (ongoing, 8-10 hours remaining)
- ExchangeDefender antispam engine (ongoing, up to 99.2% efficiency)
- ExchangeDefender outbound network (complete)
- ExchangeDefender global load balancing (complete)
- ExchangeDefender cluster upgrades (complete)
It will take another 2-3 hours for the latency across the network to go down. The email reports will resume later today. The new outbound network hardware is online and active. The new reporting servers will go online this weekend along with the global network upgrade to Microsoft Exchange 2007 Service Pack 1.
We apologize for the inconvenience the additional mail latency has caused you and your clients, this will be the last major network upgrade for quite some time and the last major maintenance before the start of the ExchangeDefender 4.0. Most of the engine underneath of ExchangeDefender is running 4.x code already.
For updates on the ExchangeDefender maintenance please keep an eye on our NOC site at www.ownwebnow.com/noc
Enhanced SPAM filtering engine now online
Over the weekend we deployed a few enhancements to the antispam engine and hopefully starting tomorrow you should see far less junk in your Inbox. We have been testing this engine in parallel and have not seen a significant increase in false positives so we are positive this will be an improvement in overall performance and filtering rates.
As usual, if anything slips please forward it to spam@ownwebnow.com
Note on the forwards:
In the event that an obvious SPAM message gets through ExchangeDefender and into your mailbox, you can forward it to us at spam@ownwebnow.com for further inspection. There are times that the SPAM you received was from a source that is not known for spamming or that the message just did not contain enough obvious junk content to be filtered through. We also ask that you forward inline SMTP headers (in Outlook right click on the message in the listing, select Message Options and copy Internet headers) to us so we can verify that the message indeed passed through our network and that it was not released by one of your coworkers that it was cc’ed to (this happens all the time, someone releases the message from a familiar looking sender/subject and its a SPAM that was either cc’ed or bcc’ed to everyone in the organization). For 4.0, we are working on an Outlook addin.
If you are one of our partners and would like to hide the ownwebnow.com domain name, you can have messages sent to spam@exchangedefender.com. If you would rather give your customers your own address just create a mail enabled contact in your organization and forward it to either alias. Be advised that we may sometimes reply from that address in which case they will see our company name and our contact information – however, this is very infrequent! (mostly when people forward a few dozen identical items to which they have obviously subscribed to, such as popular newsletters, shopping sites, etc)