Tag Archive for 'Technical'

AOL and DKIM

Published
by
laura
12Nov
in Delivery Improvement
.

Yesterday, on an ESPC call, Mike Adkins of AOL announced upcoming changes to the AOL reputation system. As part of these changes, AOL will be checking DKIM on the inbound. Best estimates are that this will be deployed in the first half of 2009, possibly in Q1. This is something AOL has been hinting at for most of 2008.

As part of this, AOL has deployed an address where any sender can check the validity of a DKIM signature against the AOL DKIM implementation. To check a signature, send an email to any address at dkimtest.aol.com.

I have done a couple of tests, from a domain not signing with either DK or DKIM, from a domain signing with DK and from a domain signing with both DK and DKIM. In all cases, the mail is rejected by AOL. The specific rejection messages are different, however.

Unsighng domain: host dkimtest-d01.mx.aol.com[205.188.103.106]
said: 554-ERROR: No DKIM header found 554 TRANSACTION FAILED (in reply to
end of DATA command)

DK signing domain: “205.188.103.106 failed after I sent the message.
Remote host said: 554-ERROR: No DKIM header found
554 TRANSACTION FAILED”

DK/DKIM signing domain: “We tried to delivery your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 554 554-PASS: DKIM authentication verified
554 TRANSACTION FAILED (state 18).”

As you can see, in all cases mail is rejected from that address. However, when there is a valid DKIM signature, the failure message is “554-PASS.”

As I have been recommending for months now, all senders should be planning to sign with DKIM early in 2009. AOL’s announcement that they will be using DKIM signatures as part of their reputation scoring system is just one more reason to do so.

0 Comments

Ironport response

Published
by
laura
20Feb
in Industry
.

Last week I posted about a ESP that had a misconfiguration in their Ironport A60s that let spammers use the A60s to relay email to AOL. Earlier this week, Pat Peterson from Ironport approached me to talk about the problem and clarify what happened.

Ironport has provided me with the following explanation.

As part of a normal implementation a customer has a number of options they can choose from to setup their system.  How they handle messages on both their public and private interfaces can be easily configured based on the needs of their business.  IronPort has made sure that customers have the capability they require to configure their systems appropriately.  As with most products and services, proper usage is require for desired results.

In this case a configuration that is appropriate for some environments was viewed as a vulnerability because it was not appropriate for this specific environment.  Customers are warned about not configuring their systems to allow unauthorized domains to relay mail.  There are legitimate reasons why someone would want to allow external hosts to send mail through their IronPort, and functionality exists that allows customers to configure their systems to do that.  It should be noted that allowing any external host to relay mail through the appliance is neither encouraged nor recommended by IronPort.

In fact, the user documentation and CLI both clearly warn customers about the risk of allowing external hosts to relay mail through their IronPort.

Our customers are specifically warned during setup not to configure their systems to allow “any host to relay mail through your server.”  If someone purposely ignores these warnings and instead chooses to setup their IronPort to allow unknown domains to relay mail they can make themselves appear as an open relay, but that’s certainly not how the system was designed or intended to be used.

There is a broader message here. Anyone using any MTA needs to understand the configuration options as presented and make sure that the configuration does not allow unauthorized relay. In this case it was an Ironport MTA, but it could happen to any other MTA out there. Everyone should test their MTA after any configuration change to verify that it will not function as an open relay.

0 Comments

ESP unwittingly used to send spam

Published
by
laura
11Feb
in Industry
.

Late last week I heard from someone at AOL they were seeing strange traffic from a major ESP, that looked like the ESP was an open relay. This morning I received an email from AOL detailing what happened as relayed by the ESP.

IronPort Open Relay Vulnerability

Systems Affected
IronPort A60 running software version 2.5.4-005. According to IronPort, later devices and software versions using the same filtering mechanisms are vulnerable.

Overview
In recent weeks, one or more rogue spammers have been using misconfigured IronPort A60s as open relays to send unsolicited emails for AOL users via open relay. It is important for IronPort device administrators to review their configuration to shore up any vulnerability to this web server exploit.

Diagnosis
A seemingly minor configuration mistake made years ago internally has been exploited over the last several weeks to send out massive amounts of unsolicited email to AOL users. The spam mail originated from an outside zombie server, apparently infected with remote mailing viruses (such as BackDoor.Servu.76) according to the IT contact at IP 66.139.77.16. <ESP> has a filter specifically designed to deliver email over IP ranges set for AOL only. However, it was listed before a filter designed to log and discard bounced emails coming in through the Internet-facing of the IronPort appliance.

Impact
We have received 6,500 customer complaints so far through the AOL feedback loop. As the IronPort devices are black boxes, we are unable to determine how many unsolicited emails were delivered across them. It is difficult to ascertain whether or not the rogue spammer(s) knew only AOL addresses were delivered using this exploit. It is important to note that only AOL addresses were delivered in our specific case due to the order of the filters.

Solution
The solution was simple: move the filter designed to log and drop bounce messages coming in from the Internet to the top of the filter list so it will run first, as other filters may direct the IronPort device to deliver the emails through this vulnerability.

Authors: Jake Lanza, Baigh Auvigne, Daniel Fox

Congrats to the ESP for noticing this so quickly and being on the ball to stop this leak so quickly.

The compromise was first noticed when email coming back through the AOL FBL did not match any mail sent by the ESP. Initially, the ESP contacted AOL to report a problem with the FBL, but in working with AOL employees determined the email was coming from the ESP’s IP addresses.

This highlights the need to not just process FBL emails, but also monitor them and react when there are emails in a FBL that you do not recognize.

Ironport has responded here.

1 Comment

Comcast rate limiting

Published
by
laura
25Jan
in Best Practices
.

Russell from Port25 posted a comment on my earlier post about changes at Comcast.

Our (Port25) understanding is that Comcast is rate limiting such that they’re only accepting 6 recipients per second per sending IP.

This matches what I’ve been hearing from other bits of the industry over the last few days. I am recommending clients close the connection between each set of 6 email addresses.

0 Comments

AOL checking DKIM

Published
by
laura
23Jan
in Best Practices
.

Sources tell me that AOL announced on yesterday’s ESPC call that they are now, and have been for about a week, checking DKIM inbound. This fits with a conversation I had with one of the AOL delivery team a month or so back where they were asking me about what senders would be most concerned about when / if AOL started using DKIM.

The other announcement is that AOL, like Yahoo, would like to know how you categorize your outgoing mail stream as part of the whitelisting process.

Both of these changes indicate to me that AOL will be improving the granularity of their filtering scheme. DKIM signing will let them separate out different domains and different reputations across a single sending IP address. The categorization will allow AOL to evaluate sender statistics within the context of the specific type of email. Transactional mail can have different statistics from newsletters from marketing mail. Better granularity means that poor senders will be less able to hide behind good senders. I expect to hear some wailing and gnashing of teeth about this change, but as time goes on senders will clean up their stats and their policies and, as a consequence will see their delivery improve everywhere, not just AOL.

2 Comments

Update on Yahoo and the PBL

Published
by
laura
23Jan
in Industry
.

Last week I requested details about Yahoo rejections for IPs pointing to the PBL when the IP was not on the PBL. A blog reader did provide me with extremely useful logs documenting the problem. Thank you!

Based on my examination of the logs, this appears to be a problem only on some of the Yahoo! MXs. In fact, in the logs I was sent, the email was rejected from 2 machines and then eventually accepted by a third.

I have forwarded those logs onto Yahoo who are looking into the issue. I have also talked with one of the Spamhaus volunteers and Spamhaus is aware of the issue as well.

The right people are looking at the issue and Spamhaus and Yahoo are both working on fixing this.

Thanks for the reports and for the logs.

0 Comments

AOL and AIM mail

Published
by
laura
18Jan
in Industry
.

Earlier this week a question came up on a mailing list. The questioner recently started seeing an increase in rejections to @aol.com addresses. These rejections said

<redacted@aol.com>: host mailin-03.mx.aol.com[205.188.109.56] said: 550 We would love to have gotten this email to redacted@aim.com. But, your recipient never logged onto their free AIM Mail account. Please contact them and let them know that they’re missing out on all the super features offered by AIM Mail. And by the way, they’re also missing out on your email. Thanks. (in reply to RCPT TO command)<redacted@aol.com>

The poster was confused because the addresses were aol.com addresses that had successfully delivered in the past. He was unsure why AOL would be rejecting good aol.com addresses with the aim.com.

After some investigation and some discussion with a friendly AOL representative, the underlying reason for this sudden increase in rejections became clear. The mailer was seeing an increase for two interacting reasons.

  1. When an AOL user abandons their account, AOL converts the account to a free aim.com address. That is why the aol.com addresses were getting the aim.com rejection.
  2. The marketing group at the company who saw the rejections “dug deep into their database” and sent mail to a number of addresses that had not received email in a while.

The increase in bounces is the result of pulling older addresses and the @aol.com addresses getting @aim.com bounces is the result of AOL’s policy of converting abandoned aol addresses to aim addresses.

3 Comments

Why do ISPs limit emails per connection?

Published
by
steve
16Jan
in Best Practices
.

A few years ago it was “common knowledge” that if you were sending large amounts of email to an ISP the most polite way to do that, the way that would put the least load on the receiving mailserver, was to open a single SMTP session to the mailserver and then to send all the mail for that ISP down that single connection.

That’s because the receiving mailserver is concerned about two main resources when handling inbound email - the pool of “slots” assigned one per inbound SMTP session, and the bandwidth (network and disk, and related resouces such as memory and CPU) consumed by the inbound mail - and this approach means the sender only uses one slot, and it allows the receiving mailserver to control the bandwidth used simply by accepting data on that one connection at a given rate. It also amortizes all the connection setup costs over multiple emails. It’s a beautiful thing - it just doesn’t get any more efficient than that.

That seems perfect for the receiving ISP - but ISPs don’t encourage bulk senders to do this. Instead many of them have been moving from “one connection, lots of mail through it” to “multiple connections, a few messages through each”. They’re even limiting the number of deliveries permitted over a single connection. Why would that be?

The reason for this is driven by three things. One is that the number of simultaneous inbound SMTP sessions that a mailserver can handle is quite tightly limited by the architecture of most mailservers. Another is that the amount of mail that’s being sent to large ISP mailservers keeps going up and up - so there are sometimes more inbound SMTP sessions asking for access than the mailserver can handle. The third is that ISPs know that there are different categories of email being sent to their users - 1:1 mail from their friends that they want to see as soon as possible, wanted bulk mail that their users want to see when it arrives and spam; lots and lots of spam.

So ISPs want to be able to do things like accept 1:1 mail all the time, while deferring bulk mail and spam to allow them to shed traffic at times of peak load. But they can only make decisions about whether to accept or defer delivery in an efficient way at SMTP connection time - they pick and choose amongst the horde of inbound connection attempts to prioritize some and defer others, letting them keep within the number of inbound sessions that they can handle simultaneously.

But once the ISP lets a bulk mailer connect to deliver their mail, they lose most of the ability to further control that delivery as the sender might send thousands of emails down that connection. (Even if the ISP has the ability to throttle bandwidth - as some do to control obvious spam - that just means that the sender would tie up an expensive inbound delivery slot for longer).

So, in order to allow them to prioritize inbound connections effectively the ISP needs to terminate the session after a few deliveries, and then make that sender start competing with other senders for a connection again.

So ISPs aren’t limiting the number of deliveries per SMTP connection to make things difficult for senders, or because they don’t understand how mail works. They’re doing it because that lets them prioritize wanted email to their users. The same is true when they defer your mail with a 4xx response.

It might be annoying to have to deal with these limits on delivery, but for legitimate bulk mail senders all this throttling and prioritization is a good thing. Your mail may be given less priority than 1:1 mail - but, if you maintain a good reputation, you’re given higher priority than all the spam, higher priority than all the email borne viruses, higher priority than all the junk email, higher priority than the 419 spams. And higher priority than mail from those of your competitors who have a worse reputation than yours.

1 Comment

DKIM “i=” vs “d=” and Reputation

Published
by
steve
29Oct
in Best Practices
.

This really should be part seven of a twelve part series or some such as it deals with an aspect of DKIM that’s really important, but is way down in the details of implementation. (dkim.org is a reasonable place to start for a general overview of DKIM).

There’s an apparently endless thread on the DKIM-SSP spec development mailing list at the moment about the differences between two fields in a DKIM signature that could be used to tie a senders reputation to. Several ESP delivery folks asked me to explain what everyone was talking about, and this post is a first cut at that.

“i=” vs “d=”

There are two possible fields in a DKIM signature that could be used to identify the sender of a message, and so to tie a sender history and reputation record to. They are the so-called “i=” and “d=” field, from the syntax used to include them in the signature.

Continue reading ‘DKIM “i=” vs “d=” and Reputation’

0 Comments