
Mailing List Archive: SpamAssassin: users

Getting off the "Cloudmark" formerly "spamnet" blacklist

 

 



tedm at ipinc

Nov 9, 2009, 4:51 PM

Post #1 of 11 (1633 views)
Permalink
Getting off the "Cloudmark" formerly "spamnet" blacklist

Hi All,

We have a customer who had a compromised mailserver, they fixed the
server but are apparently still blacklisted by this company called
"CloudMark" (www.cloudmark.com) that Comcast uses.

In Googling around I see that Comcast just recently signed up
this company a month ago. This company apparently sells a
Spamassassin plugin, a spam filter for PC desktops, etc.

Anyway, our customer isn't delisted from this CloudMark blacklist,
even though all of the RBL checkers on the Internet I can find claim
that their IP address isn't spamming. I cannot find any delist request
on their website either.

The marketing baloney on their website claims "the most
widely-deployed messaging security solution in the world today..."
which I feel is highly suspect. Beyond this, I have no experience
with them and was wondering if anyone has bought their SA plugin
and can relate any good or bad experiences they have with them.

Ted


dan.mcdonald at austinenergy

Nov 10, 2009, 4:29 AM

Post #2 of 11 (1548 views)
Permalink
Re: Getting off the "Cloudmark" formerly "spamnet" blacklist [In reply to]

On Mon, 2009-11-09 at 16:51 -0800, Ted Mittelstaedt wrote:
> Hi All,
>
> We have a customer who had a compromised mailserver, they fixed the
> server but are apparently still blacklisted by this company called
> "CloudMark" (www.cloudmark.com) that Comcast uses.
>
> In Googling around I see that Comcast just recently signed up
> this company a month ago. This company apparently sells a
> Spamassassin plugin, a spam filter for PC desktops, etc.

Yes, the free plugin is razor2. I seem to recall they have a
more-featured for-pay plugin, but razor2 uses cloudmark servers for all
of its functionality.


> Anyway, our customer isn't delisted from this CloudMark blacklist,
> even though all of the RBL checkers on the Internet I can find claim
> that their IP address isn't spamming. I cannot find any delist request
> on their website either.

Have you tried a razor-revoke?


--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


tedm at ipinc

Nov 10, 2009, 7:06 AM

Post #3 of 11 (1551 views)
Permalink
Re: Getting off the "Cloudmark" formerly "spamnet" blacklist [In reply to]

Daniel J McDonald wrote:
> On Mon, 2009-11-09 at 16:51 -0800, Ted Mittelstaedt wrote:
>> Hi All,
>>
>> We have a customer who had a compromised mailserver, they fixed the
>> server but are apparently still blacklisted by this company called
>> "CloudMark" (www.cloudmark.com) that Comcast uses.
>>
>> In Googling around I see that Comcast just recently signed up
>> this company a month ago. This company apparently sells a
>> Spamassassin plugin, a spam filter for PC desktops, etc.
>
> Yes, the free plugin is razor2. I seem to recall they have a
> more-featured for-pay plugin, but razor2 uses cloudmark servers for all
> of its functionality.
>
>
>> Anyway, our customer isn't delisted from this CloudMark blacklist,
>> even though all of the RBL checkers on the Internet I can find claim
>> that their IP address isn't spamming. I cannot find any delist request
>> on their website either.
>
> Have you tried a razor-revoke?
>

How can I? From what I know about razor-revoke, it's the recipients
who are using razor and who get messages that razor tags as spam who
are the ones that run this.

Their recipients who are saying that their messages are being marked
spam are comcast e-mail users. We aren't marking them as spam, we
don't use Razor, and after learning about what's happened to them,
it's doubtful that we ever will.

Ted


scheidell at secnap

Nov 10, 2009, 7:28 AM

Post #4 of 11 (1621 views)
Permalink
Re: Getting off the "Cloudmark" formerly "spamnet" blacklist [In reply to]

Ted Mittelstaedt wrote:
>
> How can I? From what I know about razor-revoke, it's the recipients
> who are using razor and who get messages that razor tags as spam who
> are the ones that run this.
>
> Their recipients who are saying that their messages are being marked
> spam are comcast e-mail users. We aren't marking them as spam, we
> don't use Razor, and after learning about what's happened to them,
> it's doubtful that we ever will.
>
actually, from the perspective of cloudmark, it did what it was supposed
to do.
it protected the clients who use it from a compromised system.

getting on a blacklist is easy. anyone's, sorbs, barracuda, DCC,
spamcop, anyone's.

getting off is hard.

What you need to understand is that it's really your client's fault for
not taking care of the security issue BEFORE he had a problem.

Sorry, but really, it's your client's fault, and the world really needs to
protect itself from botnets.

Eventually (based on how cloudmark updates their system), your client's
IP will be removed from their database.

MAYBE (like barracuda, sorbs) they might have a way for an
accelerated removal.
(barracuda, you either pay per domain, or fight your way through to
someone who will do it for you)
spamcop will automatically remove in (7 days?) if no more spam.
DCC is 30 days (if using the DCC reputation filter)
DCC is 30 days (if using the DCC reputation filter)

asking SpamAssassin group how to get off of cloudmark's list will be
useless.

Ask cloudmark.




> Ted



g.tomassoni at libero

Nov 10, 2009, 7:28 AM

Post #5 of 11 (1537 views)
Permalink
RE: Getting off the "Cloudmark" formerly "spamnet" blacklist [In reply to]

> Daniel J McDonald wrote:
>
> ...omissis...
>
> How can I? From what I know about razor-revoke, it's the recipients
> who are using razor and who get messages that razor tags as spam who
> are the ones that run this.
>
> Their recipients who are saying that their messages are being marked
> spam are comcast e-mail users. We aren't marking them as spam, we
> don't use Razor, and after learning about what's happened to them,
> it's doubtful that we ever will.
>
> Ted

From what I know, Razor works on message hashes (more or less like DCC and IXHash do). So the Cloudmark site doesn't supply any delisting tool, because it is not the source IP that gets listed but the hashes of the spammy messages.

I don't even know details about how razor hashes the message, so it *may* eventually be that some piece of message (like, in example, an automatic foot sign, or an automatic logo image) triggers the razor plugin. I would suggest to manage with the recipient to attempt razor-revoking the FP messages.

You could also attempt to get help at the Vipul's Razor list: Razor-users [at] lists .

Regards,

Giampaolo
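
Added example, not part of any post in this thread: a toy model of the content-hash listing described in the post above, showing why a shared automatic footer can flag mail from a clean IP and why an IP delisting form would not help. The chunking, SHA-1 digests, `Catalogue` class and sample messages are all assumptions constructed for illustration; this is not Razor's actual signature algorithm or protocol.

```python
import hashlib
from collections import Counter
from email import message_from_string

MIN_CHUNK = 20  # assumed threshold: ignore very short blocks such as "Hi,"

def chunk_signatures(raw_message):
    """Digest each blank-line-separated body block; headers are never hashed."""
    body = message_from_string(raw_message).get_payload()
    sigs = set()
    for block in body.split("\n\n"):
        norm = " ".join(block.lower().split())  # fold case and whitespace
        if len(norm) >= MIN_CHUNK:
            sigs.add(hashlib.sha1(norm.encode("utf-8")).hexdigest())
    return sigs

class Catalogue:
    """Hypothetical shared catalogue keyed on content digests, not on IPs."""
    def __init__(self):
        self.reports = Counter()

    def report(self, raw_message):
        for sig in chunk_signatures(raw_message):
            self.reports[sig] += 1

    def revoke(self, raw_message):
        # Simplified: a revoke cancels one earlier report per digest.
        for sig in chunk_signatures(raw_message):
            if self.reports[sig] > 0:
                self.reports[sig] -= 1

    def check(self, raw_message):
        return any(self.reports[sig] > 0 for sig in chunk_signatures(raw_message))

# Constructed sample data (documentation IP ranges, fictional company).
FOOTER = ("Example Widgets Ltd - Registered office: 1 Example Street\n"
          "This e-mail is confidential.")

def build(src_ip, subject, text, footer=FOOTER):
    tail = f"\n\n{footer}" if footer else ""
    return (f"Received: from mail.example.com ([{src_ip}])\n"
            f"Subject: {subject}\n\n{text}{tail}\n")

SPAM = build("192.0.2.10", "Cheap pills",
             "Buy cheap pills now at our online store, limited offer!")
LEGIT = build("198.51.100.7", "Invoice 1001",
              "Please find attached the invoice for last month's order.")
UNRELATED = build("192.0.2.10", "Lunch",
                  "Are we still meeting for lunch on Thursday at noon?",
                  footer=None)

def demo():
    cat = Catalogue()
    cat.report(SPAM)                      # spam sent with the company footer
    before = (cat.check(LEGIT),           # clean IP, shared footer: flagged
              cat.check(UNRELATED))       # "bad" IP, no shared content: clean
    cat.revoke(LEGIT)                     # recipient revokes the false positive
    after = (cat.check(LEGIT), cat.check(SPAM))
    return before, after

if __name__ == "__main__":
    print(demo())
```

In this model only a revoke of the affected message content clears the false positive; the spam body itself stays listed.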


tedm at ipinc

Nov 10, 2009, 7:48 AM

Post #6 of 11 (1530 views)
Permalink
Re: Getting off the "Cloudmark" formerly "spamnet" blacklist [In reply to]

Giampaolo Tomassoni wrote:
>> Daniel J McDonald wrote:
>>
>> ...omissis...
>>
>> How can I? From what I know about razor-revoke, it's the recipients
>> who are using razor and who get messages that razor tags as spam who
>> are the ones that run this.
>>
>> Their recipients who are saying that their messages are being marked
>> spam are comcast e-mail users. We aren't marking them as spam, we
>> don't use Razor, and after learning about what's happened to them,
>> it's doubtful that we ever will.
>>
>> Ted
>
> For what I know, Razor works on message hashes (more or less like DCC and IXHash do). So, the Cloudmark site doesn't supply any delisting tool because it is not the source IP to get listed, but the spammy messages hashes.

Wikipedia has a decent enough explanation of how it works.

>
> I don't even know details about how razor hashes the message, so it *may* eventually be that some piece of message (like, in example, an automatic foot sign, or an automatic logo image) triggers the razor plugin. I would suggest to manage with the recipient to attempt razor-revoking the FP messages.
>

Well, I don't think this is possible since Cloudmark wraps the Razor
system in a blanket, the ISP that buys Cloudmark is never told that
Razor is behind it, and Comcast further wraps whatever Cloudmark
gives them, so that their own users don't know what it is that
Comcast uses for spam filtering (Comcast probably rebrands Cloudmark
as "comcast spam filter" or some such.)

I would presume, knowing Comcast, and knowing the average ability
of the typical Comcast e-mail user, that the razor-report and
razor-revoke is being done silently, automatically, behind the
scenes. Perhaps when a user pulls a message out of their junk
mail folder, it razor-revokes it.

The customer already called Comcast and complained, they were told
essentially to do nothing and the system will fix itself eventually.

> You could also attempt to get help at the Vipul's Razor list: Razor-users [at] lists .
>

It's not really my problem, to be honest. In this scenario we are
only assisting our customer with running their -own- mailserver,
the customer -isn't- using -our- mailserver. If they were, this
never would have happened.

The situation is your typical small-company-mentality of well we
have 15 employees here and Exchange is so superior that we are gonna
spend 10 thousand dollars on it, on a server for it, and on paying
someone (our ISP in this case) to put it together for us since we
don't know how it goes together - instead of merely paying our ISP
a nominal fee per year per mailbox hosted on a UNIX system. You cannot
argue with this logic, which is why we decided a long time ago we
wouldn't, and got into the on-site support business as well as the
ISP.

In actuality, in this situation it technically wasn't the mailserver
that actually got compromised, it was a desktop PC - but since the
desktops and exchange server are both behind a NAT, from the outside
world they are considered the same device.

Our role is that of a consultant - and we have to play ball by
their rules, not ours. Meaning that once the helpful people on this
list pointed me in the right direction so that I could figure out
what we were dealing with, the ball is now in our customer's court.
They don't want to pay our labor to sit for hours on the phone with
Comcast tech support, and I can't blame them, I wouldn't either.

Ted

> Regards,
>
> Giampaolo
>
>


jhall at tbi

Nov 10, 2009, 8:51 AM

Post #7 of 11 (1520 views)
Permalink
Re: Getting off the "Cloudmark" formerly "spamnet" blacklist [In reply to]

Oh, come now; like calling Comcast is going to get you anywhere. Per:
http://www.spamresource.com/2009/10/top-five-tips-for-dealing-with.html

I've had success with Comcast. Been good to me.
Generic Abuse: http://postmaster.comcast.net/

Personally, I'd fill out Comcast's form at:
http://www.comcastsupport.com/rbl

Then bill your customer.

Regards,

Jared Hall
General Telecom, LLC.


Ted Mittelstaedt wrote:
> Giampaolo Tomassoni wrote:
>>> Daniel J McDonald wrote:
>>>
>>> ...omissis...
>>>
>>> How can I? From what I know about razor-revoke, it's the recipients
>>> who are using razor and who get messages that razor tags as spam who
>>> are the ones that run this.
>>>
>>> Their recipients who are saying that their messages are being marked
>>> spam are comcast e-mail users. We aren't marking them as spam, we
>>> don't use Razor, and after learning about what's happened to them,
>>> it's doubtful that we ever will.
>>>
>>> Ted
>>
>> For what I know, Razor works on message hashes (more or less like DCC
>> and IXHash do). So, the Cloudmark site doesn't supply any delisting
>> tool because it is not the source IP to get listed, but the spammy
>> messages hashes.
>
> Wikipedia has a decent enough explanation of how it works.
>
>>
>> I don't even know details about how razor hashes the message, so it
>> *may* eventually be that some piece of message (like, in example, an
>> automatic foot sign, or an automatic logo image) triggers the razor
>> plugin. I would suggest to manage with the recipient to attempt
>> razor-revoking the FP messages.
>>
>
> Well, I don't think this is possible since Cloudmark wraps the Razor
> system in a blanket, the ISP that buys Cloudmark is never told that
> Razor is behind it, and Comcast further wraps whatever Cloudmark
> gives them, so that their own users don't know what it is that
> Comcast uses for spam filtering (Comcast probably rebrands Cloudmark
> as "comcast spam filter" or some such.)
>
> I would presume, knowing Comcast, and knowing the average ability
> of the typical Comcast e-mail user, that the razor-report and
> razor-revoke is being done silently, automatically, behind the
> scenes. Perhaps when a user pulls a message out of their junk
> mail folder, it razor-revokes it.
>
> The customer already called Comcast and complained, they were told
> essentially to do nothing and the system will fix itself eventually.
>
>> You could also attempt to get help at the Vipul's Razor list:
>> Razor-users [at] lists .
>>
>
> It's not really my problem, to be honest. In this scenario we are
> only assisting our customer with running their -own- mailserver,
> the customer -isn't- using -our- mailserver. If they were, this
> never would have happened.
>
> The situation is your typical small-company-mentality of well we
> have 15 employees here and Exchange is so superior that we are gonna
> spend 10 thousand dollars on it, on a server for it, and on paying
> someone (our ISP in this case) to put it together for us since we
> don't know how it goes together - instead of merely paying our ISP
> a nominal fee per year per mailbox hosted on a UNIX system. You
> cannot argue with this logic, which is why we decided a long time ago we
> wouldn't, and got into the on-site support business as well as the
> ISP.
>
> In actuality, in this situation it technically wasn't the mailserver
> that actually got compromised, it was a desktop PC - but since the
> desktops and exchange server are both behind a NAT, from the outside
> world they are considered the same device.
>
> Our role is that of a consultant - and we have to play ball by
> their rules, not ours. Meaning that once the helpful people on this
> list pointed me in the right direction so that I could figure out
> what we were dealing with, the ball is now in our customer's court.
> They don't want to pay our labor to sit for hours on the phone with
> Comcast tech support, and I can't blame them, I wouldn't either.
>
> Ted
>
>> Regards,
>>
>> Giampaolo
>>
>>
>
>


kremels at kreme

Nov 10, 2009, 8:58 AM

Post #8 of 11 (1514 views)
Permalink
Re: Getting off the "Cloudmark" formerly "spamnet" blacklist [In reply to]

On 10-Nov-2009, at 08:48, Ted Mittelstaedt wrote:
> I would presume, knowing Comcast, and knowing the average ability
> of the typical Comcast e-mail user, that the razor-report and
> razor-revoke is being done silently, automatically, behind the
> scenes. Perhaps when a user pulls a message out of their junk
> mail folder, it razor-revokes it.


Really? My impression of Comcast would lead me to believe that they completely disabled any sort of razor-revoke at all.

--
From deep inside the tears that I'm forced to cry
From deep inside the pain I--I chose to hide


richard at buzzhost

Nov 13, 2009, 2:24 AM

Post #9 of 11 (1480 views)
Permalink
Re: Getting off the "Cloudmark" formerly "spamnet" blacklist [In reply to]

On Fri, 2009-11-13 at 10:58 +0100, Matus UHLAR - fantomas wrote:
> > On Fri, 2009-11-13 at 09:12 +0100, Matus UHLAR - fantomas wrote:
> > > On 12.11.09 13:55, Chris Hoogendyk wrote:
> > > > I don't know about Linux viruses; BUT, I do remember less than ten years
> > > > ago when it was virtually impossible to build a Linux box with a hot
> > > > online connection, because you would get hacked before you could even
> > > > download the patches. I had a friend who built his system and got hacked
> > > > several times before he decided he needed to download patches ahead of
> > > > time and build it all in an off line environment. That gave him enough
> > > > time to go through all the patches and lock down procedures before he
> > > > put it online. He still got hacked again at least once after that.
> > > >
> > > > I also heard stories of my son doing battle with hackers who had gotten
> > > > into his Linux system.
>
> On 13.11.09 08:38, richard [at] buzzhost wrote:
> > I think you may have your Windows -v- Linux mixed up and this kind of urban myth
> > belongs in the battles that go on in the COLA Flame Wars (that often surface around
> > the release of a new Windo$e)
>
> Since I didn't clearly write the part you are reacting on, it would be nice
> from you to remove my name from the begin, as you removed the rest of
> e-mail.
Matus has emailed me *off list* and asked me to point out that there is an error in my post.
That is, his name appears at the top of it, but it is not his quote. Whilst it is clear
to most people by the indentation that I was responding to Chris Hoogendyk, I must for my error
and the clear confusion that it must have caused some people.

to my error in the interests of the childishness and game playing that goes on in this list.
Therefore, the correct follow it that I should have posted is below.

I'm sure your email to me, Matus, is genuine and in no way some kind of game playing
or point scoring exercise - but could I ask you KINDLY please *don't* email me off list.
If you have a point to make about something I have written on a list, it would be better to
make it *on* that list. Thank you.

Correction:
> > On 12.11.09 13:55, Chris Hoogendyk wrote:
> > > > I don't know about Linux viruses; BUT, I do remember less than ten years
> > > > ago when it was virtually impossible to build a Linux box with a hot
> > > > online connection, because you would get hacked before you could even
> > > > download the patches. I had a friend who built his system and got hacked
> > > > several times before he decided he needed to download patches ahead of
> > > > time and build it all in an off line environment. That gave him enough
> > > > time to go through all the patches and lock down procedures before he
> > > > put it online. He still got hacked again at least once after that.
> > > >
> > > > I also heard stories of my son doing battle with hackers who had gotten
> > > > into his Linux system.
>
I think you may have your Windows -v- Linux mixed up and this kind of urban myth
belongs in the battles that go on in the COLA Flame Wars (that often surface around
the release of a new Windo$e)


uhlar at fantomas

Nov 13, 2009, 2:40 AM

Post #10 of 11 (1462 views)
Permalink
Re: Getting off the "Cloudmark" formerly "spamnet" blacklist [In reply to]

> > Since I didn't clearly write the part you are reacting on, it would be nice
> > from you to remove my name from the begin, as you removed the rest of
> > e-mail.

On 13.11.09 10:24, richard [at] buzzhost wrote:
> Matus has emailed me *off list* and asked me to point out that there is an error in my post.
> That is, his name appears at the top of it, but it is not his quote. Whilst it is clear
> to most people by the indentation that I was responding to Chris Hoogendyk, I must for my error
> and the clear confusion that it must have caused some people.

Hello,

please configure your mailer to wrap lines below 80 characters per line.
72 to 75 is usually OK.

Thank you.

> to my error in the interests of the childishness and game playing that goes on in this list.
> Therefore, the correct follow it that I should have posted is below.
>
> I'm sure your email to me, Matus, is genuine and in no way some kind of game playing
> or point scoring exercise - but could I ask you KINDLY please *don't* email me off list.
> If you have a point to make about something I have written on a list, it would be better to
> make it *on* that list. Thank you.

Am I the only one who thinks that issues clearly off-topic should be sent
off-list?

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.


richard at buzzhost

Nov 13, 2009, 5:15 AM

Post #11 of 11 (1470 views)
Permalink
Re: Getting off the "Cloudmark" formerly "spamnet" blacklist [In reply to]

On Fri, 2009-11-13 at 11:40 +0100, Matus UHLAR - fantomas wrote:

> Am I the only one who thinks that issues clearly off-topic should be sent
> off-list?
>

Your response was to correct an onlist reply to an onlist remark. Is
there some reason why you would feel it appropriate to off-list that?
AFAIR it's good manners to *not* send off list replies in general?
But notwithstanding that, you could have easily cleared up any confusion
by posting onlist.

As said elsewhere, some folk are a little too big for their boots
perhaps? It's quite OK for them to be rude, off list, off topic and show
bad netiquette whilst pointing out their loathing of others doing it. Me
thinks that == 'hypocritical' yes?

You may, btw, wish to configure your mailer so the 'reply to' does not
populate with your own email address - but instead
'users [at] spamassassin' , a good read of the documentation
should help.
