Hotmail NOC Contact

Hi Suresh,

We are the outsourced provider. :)

-J

In the last 10 days or so, ever since ORDB re-activated itself and blacklisted everything, we have had deliverability problems to:

MSN
Hotmail
Bellsouth
AT&T (the same as Bellsouth I think)
Yahoo
Detroit Edison

In the case of MSN and Hotmail, they told us they were using Symantec’s Brightmail filtering system.

So, does that mean Brightmail is not updating their system properly, or MSN/Hotmail is not updating their Brightmail?

Seems like a huge waste of everyone’s time because some LARGE network operators can’t keep their stuff updated.

*grumble*

Hey,

Are you having trouble emailing them, or them to you? I think this thread is about emails coming from Hotmail never reaching the destinations. What type of problems are you having with these companies?

/r

No. That's not because of ORDB. Because you see, if Hotmail or these
other providers were using ORDB (they sure as hell aren't) none of the
subscribers to those services would be getting ANY email at all.

There's some other issue with your IP. And it is an issue that
multiple providers are seeing.

NAT gateway and mailserver IP on the same interface, for instance? Or
an overactive marketing department with a newsletter? Or an ISP with
outbound spam problems from compromised user PCs?

srs

No data has ever suggested that ORDB is/was used by any of those
entities you list. It was a peripheral blacklist at best. Just as an
additional data point, the clients I work with have all been able to
deliver mail to the sites you mention successfully in that same time
period.

Regards,
Al Iverson

We are having trouble sending to them.

MSN Said:
We have identified that messages from your IP (209.255.20.17) are being
blocked based on the recommendations of the Symantec Brightmail as
traffic/e-mail originating from your IP matched characteristics of recent
spam attacks from compromised, or 'zombie' infected, machines.
After reviewing the information you provided, we have taken steps to remove
the block. This change should take effect within the next 24-48 hours.

But, no other black lists have our IP on them, nor are we seeing any unusual
traffic on our mail server.

Tom

I'm suggesting that MSN/Hotmail and the others are using a system or systems
that aren't properly updated, not that they are necessarily querying ORDB
directly.

There are no issues with my outbound mailserver IP that shows up in any
monitoring system or blacklist of which I'm aware.

We had no issues with delivering mail to these sites until ORDB came back
online.

Thanks Suresh!

We have identified that messages from your IP (209.255.20.17) are being
blocked based on the recommendations of the Symantec Brightmail as
traffic/e-mail originating from your IP matched characteristics of recent
spam attacks from compromised, or 'zombie' infected, machines.
  
Do you rewrite/forward mail? .. we're a .edu, and allow our students to forward to hotmail/yahoo/whatever .. so when a phishing/malware sweep hits campus, about 60% is reflected back onto the Internet (sometimes our Anticrap gateway catches it, sometimes not). Because of the way addresses are re-written, it looks like it came from us.

After reviewing the information you provided, we have taken steps to remove
the block. This change should take effect within the next 24-48 hours.

They're true to their word here .. we got ourselves de-listed in ~12hrs.

Cheers,

Michael Holstein
Cleveland State University

Do you rewrite/forward mail? .. we're a .edu, and allow our students to
forward to hotmail/yahoo/whatever .. so when a phishing/malware sweep
hits campus, about 60% is reflected back onto the Internet (sometimes
our Anticrap gateway catches it, sometimes not). Because of the way
addresses are re-written, it looks like it came from us.

Hi Michael,

We do host mail for about 100 companies, but no remailing.

Tom

Yeah,

We do hosting for about 300,000 users in our shared environment. They have forwarders set up or aliases that send to their external addresses. This forwards their spam as well. We purchased quite a few Barracuda servers and became their case study for outbound units. They actually do a really good job at blocking the spam. But as spam changes every minute, we can only get updates every hour. The mail forwarders are the only spam that comes from our network. Try subscribing to Hotmail's reporting services so you get reports on spam from your IP address, and they have the online reports that show if you add your AS so you can see a report for all IPs in your network.

-Ray

What we did was to isolate our forwarding traffic out through a
separate set of IPs.

And then told Hotmail, Yahoo, AOL etc about the IPs. They were very
glad to tag these as such in their filters.

This was over three years ago, and admittedly, our email traffic is
rather higher (by orders of magnitude) than most but it is still a
good idea to isolate forwarding traffic and separate it from regular
outbound email.

Another advantage - monitor the mail queue of your forwarding IP and
it gives you a very nice little snapshot of what kind of spam is
slipping through your filters.

srs
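
The split described in the last post, sketched as an added example that is not part of the thread: each queued message is classed as forwarded, originated or local, given a source address by class, and the forwarding queue is summarised by sender domain. The hosted domains, the two addresses (documentation ranges), the queue entries and the function names are all constructed for illustration.

```python
from collections import Counter

# Constructed assumptions: domains we host and one source IP per traffic class
# (addresses are from the documentation ranges, not from the thread).
HOSTED_DOMAINS = {"example.edu", "customer-a.example"}
SOURCE_IP = {"originated": "192.0.2.10", "forwarded": "198.51.100.10"}

# Constructed queue entries: (envelope sender, address we accepted the
# message for, address it will finally be delivered to).
SAMPLE_QUEUE = [
    ("alice@example.edu", "bob@hotmail.example", "bob@hotmail.example"),
    ("promo@bulk.example", "student1@example.edu", "student1@hotmail.example"),
    ("promo@bulk.example", "student2@example.edu", "student2@yahoo.example"),
    ("friend@other.example", "student1@example.edu", "student1@hotmail.example"),
    ("carol@customer-a.example", "dave@example.edu", "dave@example.edu"),
]

def domain(addr):
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()

def classify(sender, accepted_for, deliver_to):
    """Return 'forwarded', 'originated' or 'local' for one queued message."""
    if domain(deliver_to) in HOSTED_DOMAINS:
        return "local"  # stays on our servers, never leaves the network
    if domain(accepted_for) in HOSTED_DOMAINS:
        return "forwarded"  # came in for a hosted user, re-sent outside
    return "originated"  # submitted by our own users to an outside address

def source_ip(message):
    """Outbound address for a message, or None for local delivery."""
    return SOURCE_IP.get(classify(*message))

def forwarding_snapshot(queue):
    """Sender domains seen in the forwarding queue, most frequent first."""
    counts = Counter(domain(m[0]) for m in queue if classify(*m) == "forwarded")
    return counts.most_common()

if __name__ == "__main__":
    for msg in SAMPLE_QUEUE:
        print(classify(*msg), source_ip(msg), msg[0], "->", msg[2])
    print(forwarding_snapshot(SAMPLE_QUEUE))
```

With the two classes on separate addresses, a block triggered by forwarded spam lands on the forwarding address only, and the snapshot shows which sender domains are getting past the inbound filters.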