[nSLUG] smtp relay through eastlink and ESET Nod32 tagline = disappearing email

D G Teed donald.teed at gmail.com
Fri Nov 6 09:45:03 AST 2009


On Fri, Nov 6, 2009 at 8:56 AM, Greg Estabrooks <greg at phaze.org> wrote:

>
>  I ran into this same thing a few weeks ago.
>
>  We had several customers call and complain that email they sent to many
> Aliant users hadn't made it, yet I could see in the logs they had
> received every one of them. And it turned out that our Nagios system had
> noticed that they had changed the IPs on which they receive email the
> same day. Of course several of the customers didn't believe me, but there
> wasn't much I could do to convince them, since email is really an
> on-your-honour system and all I could do was show my logs of them accepting it.
>
>  I think a huge queue just hit the bit bucket over those days :)
>
It might have something to do with dodging reputation-server block lists.
Switching your mail server's IP is one way to dodge a block list.

Here is my theory...

IronPort has been deleting malware and spam sent by users at the source
as a way to defend the ISP's smtp server from being reported and
blacklisted. This has been going on for a long time, and as long as the
spam-tagging threshold had few false positives, no one noticed.

A few weeks ago there was a reported outage between many cable ISPs
where they could not deliver email to hotmail.  Perhaps whatever block
list reputation service hotmail uses (home grown at Microsoft?)
was still reporting Eastlink, Aliant, and others as having poor reputation.
To improve the reputation, the ISPs implement more aggressive spam
checks, or lower the score threshold in IronPort at which emails
are quarantined.   Now more emails are being caught and quarantined.
As we have no mechanism to be aware of the quarantine, and no interface
for releasing false positives, the term quarantine is synonymous with delete.

If you google "ironport", "email", and "delete", you'll find hits from many
university sites which use IronPort.  They are help desk pages explaining how
users can access a web site interface and release email quarantined as spam.
Some say their system will email users with a report on quarantined spam.  So
it is possible to notify users of this using IronPort, but for some reason
the ISPs have elected not to, or they require time to develop a solution.

Does anyone have knowledge of how the ISPs respond to customer PCs
with malware sending out spam?  Are they quickly denied access to
smtp?  If not, perhaps they are using IronPort as a hammer
(as in: "when all you've got is a hammer, everything looks like a nail").

This affects more than people with @eastlink and @sympatico addresses.
If your home Linux box relays out through the ISP's smtp, it
will potentially be seeing lost email.

I know that something about my Linux box talking to smtp.eastlink.ca
is partially related to the delivery deletions.  If I include the NOD32
email tagging and send out directly to smtp.eastlink.ca from Windows,
the email is delivered.  If I send out via Linux, but have NOD32 not
add a tagged message, the email is delivered.

--Donald
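Both posts come down to the same evidence problem: once your MTA hands a message to the ISP's smarthost and gets a 250, that response is the only proof you hold, and anything the relay quarantines or drops afterwards is invisible to you. The script below is an added example, written for this page and not code from either poster; it correlates Postfix log lines by queue ID and pulls out, per recipient, the relay's verbatim DATA-stage response, which is exactly the "logs of them accepting it" Greg describes. The log lines are constructed for the example; the host name homebox, the queue IDs, the addresses and the 192.0.2.10 relay address are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample Postfix log lines, not taken from the original post.
# The host name "homebox", queue IDs, addresses and the 192.0.2.10 relay
# address are assumptions (192.0.2.0/24 is the documentation range).
SAMPLE_LOG = """\
Nov  6 09:12:01 homebox postfix/smtpd[1234]: 3A2B1C4D5E: client=localhost[127.0.0.1]
Nov  6 09:12:01 homebox postfix/cleanup[1235]: 3A2B1C4D5E: message-id=<20091106131201.GA1234@homebox.example>
Nov  6 09:12:01 homebox postfix/qmgr[1100]: 3A2B1C4D5E: from=<donald@example.net>, size=1842, nrcpt=1 (queue active)
Nov  6 09:12:02 homebox postfix/smtp[1236]: 3A2B1C4D5E: to=<friend@eastlink.ca>, relay=smtp.eastlink.ca[192.0.2.10]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F8E9A0B1C)
Nov  6 09:12:02 homebox postfix/qmgr[1100]: 3A2B1C4D5E: removed
Nov  6 09:20:15 homebox postfix/smtpd[1240]: 6B7C8D9E0F: client=localhost[127.0.0.1]
Nov  6 09:20:15 homebox postfix/cleanup[1241]: 6B7C8D9E0F: message-id=<20091106132015.GB1240@homebox.example>
Nov  6 09:20:15 homebox postfix/qmgr[1100]: 6B7C8D9E0F: from=<donald@example.net>, size=2210, nrcpt=1 (queue active)
Nov  6 09:20:16 homebox postfix/smtp[1242]: 6B7C8D9E0F: to=<colleague@aliant.net>, relay=smtp.eastlink.ca[192.0.2.10]:25, delay=1.1, delays=0.1/0.01/0.4/0.6, dsn=4.7.1, status=deferred (host smtp.eastlink.ca[192.0.2.10] said: 450 4.7.1 Try again later (in reply to end of DATA command))
"""

# Generic Postfix syslog line: timestamp, host, program[pid]: QUEUEID: rest
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>\w+)\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): (?P<rest>.*)$')
MSGID_RE = re.compile(r'^message-id=(?P<mid><[^>]+>)')
FROM_RE = re.compile(r'^from=<(?P<from>[^>]*)>')
DELIVERY_RE = re.compile(
    r'^to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+), .*?status=(?P<status>\w+) \((?P<resp>.*)\)$')
REMOTE_QID_RE = re.compile(r'queued as (?P<rqid>[0-9A-Za-z]+)')


def parse_postfix_log(text):
    """Group log lines by local queue ID and keep the fields that matter in a
    delivery dispute: message-id, envelope sender, and every per-recipient
    delivery attempt together with the relay's verbatim response."""
    msgs = defaultdict(lambda: {"message_id": None, "from": None, "deliveries": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = msgs[m.group("qid")]
        rest = m.group("rest")
        mm = MSGID_RE.match(rest)
        if mm:
            rec["message_id"] = mm.group("mid")
            continue
        fm = FROM_RE.match(rest)
        if fm:
            rec["from"] = fm.group("from")
            continue
        dm = DELIVERY_RE.match(rest)
        if dm:
            rec["deliveries"].append({
                "to": dm.group("to"), "relay": dm.group("relay"),
                "status": dm.group("status"), "response": dm.group("resp"),
            })
    return dict(msgs)


def acceptance_evidence(msgs, relay_host):
    """For every delivery attempt through relay_host, report whether the relay
    accepted the message and, if so, the queue ID the relay assigned. A 250
    with a remote queue ID is the last thing the sending side ever sees; what
    the relay's filtering does after that is not visible in these logs."""
    out = []
    for qid, rec in msgs.items():
        for d in rec["deliveries"]:
            if not d["relay"].startswith(relay_host):
                continue
            rq = REMOTE_QID_RE.search(d["response"])
            out.append({
                "queue_id": qid,
                "message_id": rec["message_id"],
                "sender": rec["from"],
                "to": d["to"],
                "status": d["status"],
                "accepted": d["status"] == "sent",
                "relay_queue_id": rq.group("rqid") if rq else None,
                "response": d["response"],
            })
    return out


def summarize(evidence):
    """One line per attempt, in the form you would hand to a customer."""
    lines = []
    for e in evidence:
        if e["accepted"]:
            lines.append("%s %s -> %s: relay accepted it as %s (%s)" % (
                e["queue_id"], e["message_id"], e["to"], e["relay_queue_id"], e["response"]))
        else:
            lines.append("%s %s -> %s: NOT accepted, status=%s (%s)" % (
                e["queue_id"], e["message_id"], e["to"], e["status"], e["response"]))
    return lines


if __name__ == "__main__":
    for line in summarize(acceptance_evidence(parse_postfix_log(SAMPLE_LOG), "smtp.eastlink.ca")):
        print(line)
```

Run it against /var/log/mail.log instead of SAMPLE_LOG to get the same report for real traffic. The remote queue ID in the 250 response is the one handle the ISP's operators can look up on their side; the sender's logs cannot distinguish a message that was delivered from one that was quarantined after acceptance, which is why a silent quarantine looks like a delete.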