More spam since rolling back ironport migration

IronportCJH (Level 1)

Hello,

We are currently migrating 60 or so email domains to our ironport appliances.

We initially had migrated 55 or so of the lesser used domains when we became aware of a network configuration issue that caused us to move the domains back to our existing antispam solution.

Since moving the domains back, we have noticed a significant increase in the amount of spam being delivered to those domains that were migrated to the ironports for a week or so - to the point that we are receiving complaints from users about it.

Obviously we want to implement the ironports, but has anyone else experienced this? It's as if the ironports are spam magnets! ;-)


Cheers,

Chris

9 Replies

depending on how your Ironport was configured you might be experiencing a queued spam effect from Senderbase throttling disreputable IP addresses.

As soon as the domains are shifted back those IP addresses could offload their queued spam at full steam.

Just a theory...

Donald Nash (Level 3)

depending on how your Ironport was configured you might be experiencing a queued spam effect from Senderbase throttling disreputable IP addresses.

Are spammers actually queueing undeliverable mail now? They didn't used to, which is why greylisting would work. Last I heard (a couple of months or so ago), greylisting was still effective.

depending on how your Ironport was configured you might be experiencing a queued spam effect from Senderbase throttling disreputable IP addresses.

Are spammers actually queueing undeliverable mail now? They didn't used to, which is why greylisting would work. Last I heard (a couple of months or so ago), greylisting was still effective.


Ironport greylisting ? Don't know

On my Postfix installation with blacklisting and greylisting, I have good results. It seems that spammers are not really queueing, because it is a question of time. I think they fire and forget, to use the rented timeslot optimally.

Donald Nash (Level 3)

Ironport greylisting ? Don't know

No, I didn't mean that IronPort does greylisting. I meant that greylisting in general is still reasonably effective, which would indicate that spammers aren't queueing undeliverable mail. That in turn calls into question tminchin's theory.

That's not to say that he's wrong. Botnet spammers don't retry, but there may be a class of "less shady" spammers who have some pretensions of legitimacy, and who do value their mail enough to queue and retry. But this is just conjecture.

Doc_ironport (Level 1)

Are spammers actually queueing undeliverable mail now? They didn't used to, which is why greylisting would work. Last I heard (a couple of months or so ago), greylisting was still effective.


For the most part the spammers still are re-trying on 400 errors, but there's been a few rumors that a few of the botnet spamming programs are starting to add this functionality.

Greylisting was only ever going to be a stop-gap measure - as soon as it got enough critical mass the spammers were always going to program around it, especially as it's relatively easy to do. What's surprised me is that it's taken them so long...

Donald Nash (Level 3)

For the most part the spammers still are re-trying on 400 errors

I presume you meant to say "...the spammers still are not re-trying on 400 errors."

Greylisting was only ever going to be a stop-gap measure

Yep, that's why I've never been a big fan of it. Any anti-spam defense that depends on particular spammer behavior is eventually going to fail because the spammers will alter their behaviors in response to those defenses. I'm also surprised that greylisting has lasted this long.
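The greylisting mechanism debated above (first seen triplet gets a 4xx tempfail, a retry after the delay is accepted, which only filters senders that never retry) and the failure mode Donald Nash describes (a spammer that simply retries walks straight through) can both be shown in a few lines. The following is an added illustration, not code from this thread or from any IronPort or Postfix component; the delay, window and whitelist lifetime are illustrative values, and the client addresses and mailbox names are constructed sample data.

```python
# Minimal greylisting engine keyed on the classic triplet
# (client IP, envelope sender, envelope recipient), plus a replay of a few
# constructed clients against it. Timestamps are plain integers (seconds).

GREYLIST_DELAY = 300            # seconds a new triplet must wait before acceptance (assumed value)
GREYLIST_WINDOW = 4 * 3600      # retry must arrive within this many seconds of first sight (assumed)
WHITELIST_TTL = 36 * 24 * 3600  # how long a verified triplet stays trusted (assumed)

TEMPFAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    def __init__(self, delay=GREYLIST_DELAY, window=GREYLIST_WINDOW,
                 whitelist_ttl=WHITELIST_TTL):
        self.delay = delay
        self.window = window
        self.whitelist_ttl = whitelist_ttl
        self._pending = {}   # triplet -> timestamp of first attempt
        self._trusted = {}   # triplet -> timestamp of last accepted message

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP response to give this delivery attempt."""
        key = (client_ip, sender.lower(), recipient.lower())

        last = self._trusted.get(key)
        if last is not None and now - last <= self.whitelist_ttl:
            self._trusted[key] = now          # refresh the trust record
            return ACCEPT

        first = self._pending.get(key)
        if first is None or now - first > self.window:
            # Never seen, or the old record has expired: (re)start the clock.
            self._pending[key] = now
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL                   # retried too early, keep waiting
        # Retried after the delay and inside the window: behaves like a real MTA.
        del self._pending[key]
        self._trusted[key] = now
        return ACCEPT


def simulate(greylist, offsets, client_ip, sender, recipient, start=0):
    """Replay one client's attempts at the given second offsets; return the responses."""
    return [greylist.check(client_ip, sender, recipient, start + off) for off in offsets]


def run_scenarios():
    """Constructed clients replayed against one shared greylist instance."""
    gl = Greylist()
    rcpt = "user@example.com"
    results = {
        # sends once and never comes back: the case greylisting is built for
        "fire_and_forget_bot": simulate(gl, [0], "203.0.113.7", "cheap@example.net", rcpt),
        # well-behaved MTA: first attempt deferred, retry after 7 minutes accepted
        "legitimate_mta": simulate(gl, [0, 420], "198.51.100.25", "alice@example.org", rcpt),
        # retries too early once, then succeeds once the delay has elapsed
        "impatient_mta": simulate(gl, [0, 60, 420], "198.51.100.40", "bob@example.org", rcpt),
        # waits longer than the window, so the record expired and it starts over
        "slow_retry": simulate(gl, [0, 5 * 3600], "198.51.100.55", "carol@example.org", rcpt),
        # spammer that has learned to retry on 4xx: indistinguishable from an MTA
        "retrying_bot": simulate(gl, [0, 600], "203.0.113.9", "deal@example.net", rcpt),
    }
    # the legitimate MTA's triplet is now trusted, so a later message is not delayed at all
    results["legitimate_mta_next_day"] = simulate(
        gl, [0], "198.51.100.25", "alice@example.org", rcpt, start=86400)
    return results


if __name__ == "__main__":
    for name, responses in run_scenarios().items():
        print(f"{name:26s} {responses}")
```

The `retrying_bot` row is the whole argument in one line: the engine has no way to tell a botnet that retries after ten minutes from a real queue, so the defence lasts exactly as long as spammers choose not to retry. One practical caveat when deploying this: large senders retry from whole outbound pools, so keying on the exact client IP will re-greylist every retry from a different host; production implementations typically key on a /24 (or honour SPF-listed ranges) for that reason.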

Doc_ironport (Level 1)

For the most part the spammers still are re-trying on 400 errors

I presume you meant to say "...the spammers still are not re-trying on 400 errors."


That's what I get for replying to posts before I've had the first coffee of the morning! :)

Yes, I did mean they are NOT retrying! Yet.

Kevin_ironport (Level 1)

At our Org we had users receiving low levels of SPAM. We moved behind an Ironport C350. We stayed that way for 1 week.

Due to an error with our Infrastructure (not the Ironport device) we had to move off the Ironport back to the original mail flow device.

Those same users then received 100+ SPAM messages per day for the next week while we sorted out the issue and then moved them back onto the Ironport.

The question is "Why did we see such an increase in SPAM by moving to (and then off) the Ironport?". Is it related at all? Suspect ...

We also see moderate connection numbers to the existing email infrastructure. The Ironport however (according to its own stats) receives 170,000+ connection attempts per day!

The big stats on the Ironport look amazing, but when you start to think "I don't think we ever saw those sort of levels before" you wonder. Are the numbers real? Is it attracting more connections? Is it advertised somewhere?

Just wondering ...

Donald Nash (Level 3)

These sorts of observations make me wonder if spammers are monitoring the performance of their tools and adjusting when they start encountering resistance. They wouldn't know about message drops, but they would know about connection refusals and rate limiting.
