Has postini been taken over?

Lately, I am getting more and more spam coming via postini.com. See below:

Received: from source ([206.190.38.111]) by exprod5mx128.postini.com
([12.158.34.245]) with SMTP; Fri, 30 Jul 2004 04:40:47 CDT

Received: from psmtp.com (exprod5mx30.postini.com [12.158.34.185])
        by psmtp.preferred.com (8.12.9-20030924/8.12.9) with SMTP id i6VB468i000751
Received: from source ([192.116.80.38]) by exprod5mx32.postini.com ([12.158.34.245]) with SMTP;Tue, 17 Aug 2004 19:45:45 PDT

Received: from psmtp.com (exprod6mx122.postini.com [12.158.36.114])
by mta-3.gci.net
(iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with SMTP id
<0I2F00HE8XHSVF@mta-3.gci.net> for x; Sat,
14 Aug 2004 06:27:31 -0800 (AKDT)

Received: from source ([80.253.126.147]) by exprod5mx115.postini.com ([12.158.34.245]) with SMTP;
        Tue, 17 Aug 2004 14:08:37 CDT

Does anyone know whether Postini has been bought out by Alan Ralsky perhaps? :)

Thanks,
Hank
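A small triage script, added here and not part of the thread, that parses a chain of Received: headers in the format quoted above, reports which IP injected the message (the oldest hop), whether a filtering relay such as postini.com sat in the path, and whether that origin falls in the ISP's own address space. The sample header chains are constructed after the ones in the post, and the ISP netblock is a placeholder.

```python
import ipaddress
import re

# Parts of a Received: header that matter for triage: the sending host ("from ..."),
# its optional parenthetical (usually carrying the connecting IP) and the receiving host.
_HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header):
    """Return (from_name, from_ip, by_host) for one Received: header, or None."""
    m = _HOP_RE.search(header)
    if not m:
        return None
    paren = m.group(2) or ""
    ip_match = _IP_RE.search(paren)
    from_ip = ipaddress.ip_address(ip_match.group(1)) if ip_match else None
    return m.group(1), from_ip, m.group(3)


def triage(received, isp_nets, filter_suffix=".postini.com"):
    """received: Received: headers newest-first, as they appear in a message.
    Reports the injecting IP (oldest hop), whether a filtering relay was in the path,
    and whether the origin lies in our own address space."""
    hops = [h for h in (parse_received(r) for r in received) if h]
    nets = [ipaddress.ip_network(n) for n in isp_nets]
    via_filter = any(by.endswith(filter_suffix) for _, _, by in hops)
    origin = hops[-1][1] if hops else None
    ours = origin is not None and any(origin in n for n in nets)
    return {"origin_ip": str(origin) if origin else None,
            "via_filter": via_filter, "origin_is_ours": ours}


# Constructed sample 1, modelled on the headers quoted in the post: a hop into
# gci.net from Postini, preceded by the hop that handed the mail to Postini.
SPAM_VIA_POSTINI = [
    "Received: from psmtp.com (exprod6mx122.postini.com [12.158.36.114]) "
    "by mta-3.gci.net (iPlanet Messaging Server 5.2 HotFix 1.16) with SMTP",
    "Received: from source ([80.253.126.147]) by exprod5mx115.postini.com "
    "([12.158.34.245]) with SMTP",
]
# Constructed sample 2: same path, but the injecting host is inside the ISP's own
# (placeholder RFC 5737) range, i.e. a host to examine for a proxy or spoofing.
SPAM_FROM_OUR_RANGE = [
    "Received: from psmtp.com (exprod6mx122.postini.com [12.158.36.114]) "
    "by mta-3.gci.net with SMTP",
    "Received: from source ([192.0.2.77]) by exprod5mx115.postini.com "
    "([12.158.34.245]) with SMTP",
]
ISP_NETS = ["192.0.2.0/24"]  # placeholder for the ISP's own address space
```

Running `triage(SPAM_VIA_POSTINI, ISP_NETS)` shows Postini as a relay in the path, not the origin; only the oldest hop's IP tells you whose network the spam actually came from.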

Is it just spam that has Postini in its headers, or all mail to that
address?

Have you or a mail administrator for your domain signed up with Postini
for spam filtering? If so, all mail for the domain will flow through
Postini's servers. If your mailbox isn't enabled for filtering or is
set to not filter, all the spam you previously got from anywhere will
show Postini in the headers. For that matter, all of your mail to that
address will have Postini in the headers.

More than likely, the mail is being sent to postini for filtering, and it's
not being caught, or your mailbox is not being filtered by them.

> Have you or a mail administrator for your domain signed up with Postini
> for spam filtering? If so, all mail for the domain will flow through
> Postini's servers. If your mailbox isn't enabled for filtering or is
> set to not filter, all the spam you previously got from anywhere will
> show Postini in the headers. For that matter, all of your mail to that
> address will have Postini in the headers.

How exactly does "all mail for the domain will flow through
Postini's servers"? I ask since the IP sending to some postini IP like exprod5mx30.postini.com is blocked for outgoing port 25+80. That means that the data is flowing to postini in 1 of the following ways:

a) auto-GRE tunnels
b) email packaged in some way
c) email is being sent via some dialup/DSL connection to postini

I am just trying to understand how postini is bypassing my anti-spam ACLs.

-Hank

>Have you or a mail administrator for your domain signed up with Postini
>for spam filtering? If so, all mail for the domain will flow through

> How exactly does "all mail for the domain will flow through
> Postini's servers"? I ask since the IP sending to some postini IP like
> exprod5mx30.postini.com is blocked for outgoing port 25+80. That means
> that the data is flowing to postini in 1 of the following ways:
>
> a) auto-GRE tunnels
> b) email packaged in some way
> c) email is being sent via some dialup/DSL connection to postini

You're making this entirely too complicated. Just because mail can't
enter postini's network via the address it comes from, doesn't mean it
can't enter it on a different IP. Postini's a mail filtering company,
I'd be willing to bet they have a lot of IPs that allow inbound mail. :)

> I am just trying to understand how postini is bypassing my anti-spam ACLs.

Again, you haven't answered his question.... Did your ISP or some other
email provider possibly sign up for Postini? How many different domain
addresses forward into your account? If you accept mail from any other
server for any other domain, that domain could be a postini customer.
Postini does not originate or forward spam, they filter mail destined for
their customer domains. Some spam gets through their filters, because
spammers are smart and adaptively evil. It's really quite simple.

> I am just trying to understand how postini is bypassing my anti-spam ACLs.

> Again, you haven't answered his question.... Did your ISP or some other
> email provider possibly sign up for Postini? How many different domain
> addresses forward into your account? If you accept mail from any other
> server for any other domain, that domain could be a postini customer.

You are missing my point. I am the ISP. I have a *downstream* customer who may or may not have signed up to Postini. This *downstream* customer is bypassing my anti-spam ACLs by somehow using Postini. I am trying to figure out how Postini works.

-Hank

Hank Nussbacher wrote:
>
>> Postini does not originate or forward spam, they filter mail destined for
>> their customer domains. Some spam gets through their filters, because
>> spammers are smart and adaptively evil. It's really quite simple.

Hank's issue is that he's got ports 25 and 80 blocked for some part of his network. Those IPs are generating spam reports though they shouldn't be. In the example he forwarded, the spam reached a user of gci.net, for which postini provides MX services - who then reported the email to Hank as spam from Hank's network.

What I can see happening is that Hank's port 25 filtering ACLs are being bypassed somehow ...

maybe zombied machines on his network running ip masquerading and spam sending proxies on unfiltered ports, or tunneling smtp requests out in some other way

Or maybe he doesn't source filter addresses and a spammer controlled machine on his network has two interfaces - one on hank's network [say a throwaway dialup / broadband account], and another a much fatter pipe. Packets (or rather in this case, junk mail) goes out through the fat pipe with Hank's IPs spoofed into the source address.

I would recommend that Hank set up port blocks both inbound and outbound, and also examine mrtg or other data that he may have about that host. If possible, sniffing the traffic inbound and outbound to it would also reveal a whole lot.

  srs

Did you just get the reply from CKM, Hank?

Dee

Hank Nussbacher wrote:
>
>> Postini does not originate or forward spam, they filter mail destined for
>> their customer domains. Some spam gets through their filters, because
>> spammers are smart and adaptively evil. It's really quite simple.
>>

> What I can see happening is that Hank's port 25 filtering ACLs are being
> bypassed somehow ...

or delivering email via tcp/465 or tcp/587 to postini? (I can't make
connections to postini hosts for GCI.NET on these 2 ports though)

> Or maybe he doesn't source filter addresses and a spammer controlled
> machine on his network has two interfaces - one on hank's network [say a
> throwaway dialup / broadband account], and another a much fatter pipe.
> Packets (or rather in this case, junk mail) goes out through the fat
> pipe with Hank's IPs spoofed into the source address.

'fantasy mail' is what we call this :( It's a pain and you have to port25
filter in AND out :(

> I would recommend that Hank set up port blocks both inbound and
> outbound, and also examine mrtg or other data that he may have about

We've 'fixed' this for dial accounts (mostly) with in/out filters on their
connections as you've suggested.

Christopher L. Morrow wrote:

> 'fantasy mail' is what we call this :( It's a pain and you have to port25
> filter in AND out :(

that must have been a nightmare especially with a large provider of dialup pops for a whole lot of ISPs .. not as much as the filtering as keeping track of the holes you punched in the filters so that customers of an isp leasing pops from you can relay out through their own isp's servers.

is there a doc for this somewhere online? i know at least some isps who would appreciate being spoonfed a howto for this, right down to copy and paste cisco acls ...

thanks!
srs

Christopher L. Morrow wrote:
> 'fantasy mail' is what we call this :( It's a pain and you have to port25
> filter in AND out :(

> that must have been a nightmare especially with a large provider of
> dialup pops for a whole lot of ISPs .. not as much as the filtering as
> keeping track of the holes you punched in the filters so that customers
> of an isp leasing pops from you can relay out through their own isp's
> servers.

radius profile based filters, sorry I should have been more clear about
that.

> is there a doc for this somewhere online? i know at least some isps who
> would appreciate being spoonfed a howto for this, right down to copy and
> paste cisco acls ...

it's mostly radius stuff, though I'm sure someone could put simple
examples together.

now why wasn't i bright enough to think of radius

never mind, i think i got the hang of where to look for cookie cutter samples ...

thanks!

Christopher L. Morrow wrote:

> now why wasn't i bright enough to think of radius
>
> never mind, i think i got the hang of where to look for cookie cutter
> samples ...

twasn't me who thought of it either :)

This won't work for resold ports, but we used to do all of our [dialup] filtering on the NAS. We could still do so with our TC1000's, but it's much simpler to do it with radius if you have multiple ISP's using the same box.

Bob Martin

Christopher L. Morrow wrote: