Hi
Some day ago, a account of our mail server has been misused to sent out some thousand of spam mails.
This could happen, because the spammer which misused the account logged in from different IPs (botnet?) over the whole world. Every time, he successfully (smtp) authenticated, he sent out a couple of mails (about 20-30). Then he disconnected and reconnected after 1-2 minutes from an other IP and sent again some 20-30 mails. This has been done for some hours, which generated some thousand of SPAM mails.
Since this started Friday night and was just discovered yesterday, we was listed on one blacklist. We changed the password of the misused account and removed our server from this blacklist.
We already was happy, that it's just was that simple, but we was to fast.
We got then complains, that some mail system still block our mail server. After some investigation, we found out, that this mail system or mail gateways are base on Cisco IronPort. First at all, this system didn't response with a clear response (Something like 5.7.1 Your access to submit messages to this e-mail system has been rejected, isn't really helpful for an mail admin to find out why his email get blocked.)
After we found out, that all this boxes are Ironport Boxes, we was pointed to the www.senderbase.org. But this site isn't very helpful. You can find out that your mail server has a bad email reputation, but that's it. A link to SpamCop on the webpage isn't helpful either, since we aren’t listed in their blacklist.
The only e-mail address on the webpage seem not to be the contact for when you have a bad e-mail reputation.
We thought, perhaps the Score will fall down over 24 hours, but that's not the case.
So, we tried to get some help from the cisco ironport support. There answer wasn't very helpful either. They told us, that senderbase.org is a complete other company and they don't have any contact and we should try their website www.senderbase.org. Otherwise, if we don't have a IronPort box, they will not help us.
Now, the question is, what can we do, do get our mails delivered to this ironport boxes?
We really take care, to do all against be used for spamming or to be known as a good source for mails (spf, dkim, smtp-auth, tarpiting, etc.etc.).
We think, that this reputation system isn't that great. We have one issue and get blocked for several days (or weeks) without an option to take care about the situation.
Any help or suggestion would be appreciated!
Kind Regards
Patrick Studer
****************************************************************************** X-NetConsulting GmbH Internet http://www.x-netconsulting.ch Grosspeterstrasse 21 E-Mail p.studer@x-netconsulting.ch CH-4052 Basel Telefon +41 61 315 85 55 Schweiz Fax +41 61 315 85 59 ******************************************************************************