
Postini Email Security Trial

  • The 10th
  • Posts: 803
  • BBYW - Option 2 (15GB)
« Reply #752 on 13/01/2008, 19:26 »
Might seem like a strange question but what happens if a previously 'spammed' PN alias is removed; what notification if any does the 'spammer' get. And on from this, would the alias be dropped by the spammer if turned off for a period of time so it can be reinstated again?

TIA
Netgear DG834 -|- BBYW 2 - webspace, domain hosting, voice over IP, static IP...
Contact Plusnet on:  0114 296 5198 (Cust Sup) or 0114 296 5188 (Faults)
Logged
« Reply #753 on 13/01/2008, 20:20 »
As per jnwright's post I too have received the admin@viagra.com e-mails (about 5 one after each other) but strangely in my spam box was one with the same address BUT was earlier than the ones in my inbox. I'm confused, but then it doesn't take a lot to confuse me.
Moggy,
force9
Logged
  • jelv
  • Bright Spark
  • *
  • Posts: 9327
« Reply #754 on 13/01/2008, 20:32 »
I've seen this as well. If you look in the headers you can tell that the date was duff when the spam email was sent:
Date: Wed, 8 Jan 2008 17:58:15 -0300

That email was actually sent on Wednesday which was the 9th. It looks like there is a coding error in the trojan or whatever that is spewing them out!
jelv

Plusnet chatroom: /server usertools.plus.net   /join #usertools
Plusnet Unlimited is not without limits
Logged
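The mismatch jelv points out (a Date: header naming a weekday that does not fall on the stated date) is easy to check mechanically. The following Python is an added example, not code from the thread: it compares the weekday name a sender wrote with the weekday the numeric date really falls on. The sample headers are constructed; the first reproduces the header quoted above.

```python
"""Check whether an RFC 2822 Date: header's weekday name matches its date.

Added example, not code from the forum thread. The sample headers are
constructed; the first reproduces the header quoted in the post (8 Jan 2008
was a Tuesday, so 'Wed' is wrong).
"""
import re
from email.utils import parsedate_to_datetime

# Weekday abbreviations in the order used by datetime.weekday() (Mon == 0).
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def check_date_header(value):
    """Return (stated_weekday, actual_weekday, consistent).

    parsedate_to_datetime() ignores the leading day name, so we compare the
    name the sender wrote with the weekday the numeric date really falls on.
    A header without a day name has nothing to check and counts as consistent.
    """
    m = re.match(r"\s*([A-Za-z]{3}),", value)
    stated = m.group(1).title() if m else None
    actual = WEEKDAYS[parsedate_to_datetime(value).weekday()]
    return stated, actual, (stated is None or stated == actual)


# Constructed sample headers.
SAMPLE_HEADERS = [
    "Wed, 8 Jan 2008 17:58:15 -0300",   # quoted in the post: really a Tuesday
    "Fri, 11 Jan 2008 16:48:15 +0000",  # consistent
    "11 Jan 2008 16:48:15 +0000",       # no day name: nothing to check
]


def audit(headers):
    """Run the check over a list of Date: header values."""
    return [check_date_header(h) for h in headers]


if __name__ == "__main__":
    for h, (stated, actual, ok) in zip(SAMPLE_HEADERS, audit(SAMPLE_HEADERS)):
        print(f"{h!r}: stated={stated} actual={actual} {'ok' if ok else 'MISMATCH'}")
```

A mismatch on its own is weak evidence (people do mis-set clocks), but it is cheap to compute and, as jelv observes, a wrong weekday across a whole batch of near-identical messages points at a single buggy sender.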
« Reply #755 on 13/01/2008, 21:10 »
Ah ha tricky devils....
Moggy,
force9
Logged
« Reply #756 on 14/01/2008, 02:08 »
Ok to (hopefully) clear this up once and for all .....

Re differences between internal/external systems: Finally, the answer that I (and no doubt a few others) just knew was going to get teased out eventually.  The PN internal system and the customer facing system are/were indeed different animals. Thank you.

Can I therefore suggest that ALL of us bear the following in mind whenever considering possible problems and particularly so when trying to reproduce said problems.


Messages that are routed:

source -> postini system 200 -> plusnet -> username1/mailbox

are likely to be handled/analysed differently to messages routed:

source -> postini system 5 -> plusnet -> username2/mailbox


Also, a message that has been sent with the following routing:

source -> postini -> plusnet -> username1/mailbox

... is likely to be handled/analysed similarly to messages routed:

source -> postini -> plusnet -> username2/mailbox

... is likely to be handled/analysed slightly differently to messages routed:

source -> plusnet -> postini -> plusnet -> username1/mailbox

... is likely to be handled/analysed quite differently to messages routed:

source -> mailserver -> plusnet -> postini -> plusnet -> username1/mailbox

I would suggest that the more servers that the message passes through prior to getting to postini then the more likely it is that the message will be handled/analysed differently and the greater that difference will be.

In addition, due to the dynamic nature of the postini system(s), even two identical messages sent via identical routes on one particular postini system are likely to be handled/analysed differently unless they were sent within a relatively short time frame.

I'm not in any way suggesting that these are 100% hard facts and that differences are always very significant but it is certainly what appears to be indicated from my various tests and other circumstantial evidence. There are so many variables here that getting much the same result twice isn't that common to say the least and different routing compounds this greatly.

Re x-pstn-2strike I'm still not sure that what you (and Bob) have said covers what is happening so let me state again what I think the situation is and you can confirm/deny it as appropriate. Again, without inside knowledge,  because of the time it takes to mess around and not to mention the danger of getting blacklisted if you try too hard, it is difficult to establish 100% hard facts but my various tests and other circumstantial evidence indicate the following:

"x-pstn-2strike: clear" is the indicator for a mechanism that allows a message that has been considered as pretty obvious spam by postini to be delivered to the customer because it has come from a source not previously known for sending spam.  The source is not currently blocked, has no long-term history or indeed anything else to indicate that it is a common source of spam messages but the routing, subject or content in general leads postini to conclude that it really is 100% spam. As the name would suggest, it means "two strikes and you're out" so you can only get away with it once in an undefined time frame. The "lock out" period appears to be several hours and possibly a day or more.

The existence of the header in a received message indicates that postini consider this message as pretty obvious spam but they have rather reluctantly delivered it to you on this particular occasion.

Any further messages from the same sender/IP within the "lock out" period that are also considered as pretty obvious spam by postini or have been given low scores will be refused and will never be delivered to the customer.

As I've said before, if a sender attempts to send you 6 messages over a period of a few hours and the messages are such that postini considers they are rather obvious spam then only the very first message will be delivered to you.  The remaining 5 will be refused by postini and the sender will either get a #571 when trying to send each message or will subsequently receive a non-delivery advice after sending each message.  It doesn't matter if the messages are identical or different, all that matters is that postini consider them to be spam for one reason or another.

Messages that are often false positives on a good day and generally achieve particularly low spam scores are prime candidates for getting this treatment at some time or other.   Therefore mailing lists or forums and suchlike that can send out several genuine messages a day are prone to having messages rejected not only because postini routinely and incorrectly scores them low enough to be considered as spam but because sometimes they also classify them as rather obvious spam for one reason or another as well.  However, messages can still be considered by postini to be rather obvious spam even though the spam score does not necessarily indicate this. The previously mentioned Odeon Cinemas message(s) fall into this category. The spam score was actually 1.94 but it was still considered as rather obvious spam by postini so got the 2strike header.  This means that any following messages with low(ish) spam scores received within the 'lock out' period would have been (and I believe actually were) refused.

One other interesting thought is whether this mechanism works on a per destination address basis or across the board. If it works across the board then any one customer getting a message with x-pstn-2strike: clear from one particular sender/IP is likely to result in other messages from the same sender/IP to other customers all getting refused. I would hope it doesn't work like that though. Maybe I'll add it to my things-to-try-later list and see exactly what does happen.

Also, because of the now confirmed differences between the PN internal and customer facing postini systems, x-pstn-2strike: [number] will not be seen in any messages received by customers. This also means that the PN header "x-pn-pstn: spam 1" has not and will not ever be seen by customers either.  However, this situation could possibly change in the future because this functionality may be added/restored to the customer facing postini system at some point in the future.  I still rather suspect that this functionality has been superseded by something else - xfilter?

false positives: It can be no surprise to anyone that spammers try to fool filters and make their junk look like forum notifications or whatever. That's the way the game works and that's why I believe it's a long-term losing battle that can ultimately only result in e-mail becoming so totally unreliable that it's completely unusable. All you're really telling me is what I already know - filtering isn't a long-term solution to the problem; it can only ever be a temporary fix with a limited life span. The only way to truly resolve the problem is to tackle it at source not try to hide it at destination but that necessitates cooperation between the various ISPs together with the will to act responsibly and fix the problem once and for all. Needless to say it's almost certainly never going to happen!

But the fact that forum notifications (or whatever) 'look' like spam is not a good excuse for marking them as such. What it actually means in reality is that Mr.Spammer is doing a far better job than Mr.Postini. I think it also perhaps indicates one of if not 'the' fundamental flaw in these systems.  postini and various others actively search for spam with a view to deleting/rejecting or marking as many messages as possible. They consider that the 'best' indicator of their performance is the number of messages deleted/rejected and marked. Well, no surprise there I hear you say! But the problem IMHO is that is doing only half the job. What is equally if not far more important is to actively search for and deliver genuine messages.

To say that a forum notification (or whatever) just so happens to match the signature for some flavour of spam so gets dealt with accordingly is utter nonsense and a total cop-out. Where is the test for whether it is a genuine message or not? If you compare the genuine and spam messages there absolutely WILL be indicators that the genuine message is indeed totally genuine.  It's not just a case of testing for spam; the system should also have an effective test for genuine messages.  Maybe it has, I don't know, but the one thing I do know is that if it does then it clearly doesn't work!

I guess that means that the recent batch of spams that look very much like non-delivery advices (they aren't, they just kinda look rather like one) are going to result in genuine NDAs getting dumped sometime soon then.

And what about what appears to be Mr.Spammer's latest tactics of sending spam containing a link to a google search list to bring up their sites rather than adding a direct link to them? Actually I find that really funny TBH. Using the same organisation to promote their dodgy sites as is also used by many to try and stop spam is simply brilliant!  So, are postini going to consider all messages containing a google search link as spam in future then?  hehehehee. Sorry, I know it's sad and I know it's going to lead to more stupid problems, false positives and lots of unnecessary hassle for everyone but I still find it really amusing.

Re unanswered questions etc. There are several all over the place although recent ones such as regarding differences between internal/external systems now appear to have been addressed at last. There are still relevant others though I suspect but I'm not going to go search now but there certainly is one of major importance that I'll mention in a bit.  However my comment was actually in relation to a response Bob made which implied that the 2strike action had been sneakily changed from what I was seeing earlier. I think now that this may have been a misunderstanding from what you've said since then but either way, I've detailed again how it appears to work above so someone can confirm or deny this as appropriate.

Apart from earlier queries concerning 2strike, This Post contains some interesting points particularly now that we have confirmation that internal and customer facing postini systems are different.  It relates to configuration management and the possibility of postini making changes in the future that somehow break the PN implementation.  Some typical recent examples illustrating the kind of problems that could arise in the future: the total confusion that has existed concerning how 2strike works, configuration errors resulting in dumping rather than rejecting messages and the fact that the PN SPAM 1 header cannot possibly exist because it relies on something that is not actually implemented in the current version of the postini system.

« Last Edit: 14/01/2008, 02:29 by mikeb »

WARNING: The e-mail address on my profile is not my usual address, all messages sent via this site have been redirected elsewhere for test purposes. This could result in messages not being received in a timely manner or potentially not being received at all.
Logged
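To make the "two strikes" behaviour mikeb describes concrete, here is a small model of it in Python. This is an added example, not Postini's code or anything from the thread: it implements only the behaviour the post describes (first rather-obvious-spam message from an unknown source delivered with "x-pstn-2strike: clear", later obvious or low-scoring messages from the same source refused with a 571 until the lock-out expires). The 24-hour window, the per-sender-IP scope (with a switch for the per-destination alternative mikeb wonders about), the rule that clean messages are always delivered, and the sender IP and times are all assumptions or constructed values.

```python
"""A model of the x-pstn-2strike behaviour as mikeb describes it in the post.

Added example: this is not Postini's code or the thread's, only a model of
the behaviour the post describes. Assumptions: the lock-out window is
24 hours (the post says 'several hours and possibly a day or more'), the
state is kept per sender IP (per_recipient=True models the 'per destination
address' alternative mikeb wonders about), and messages rated clean are
always delivered. Sender IPs and times below are constructed.
"""
from datetime import datetime, timedelta

SENDER = "203.0.113.7"                 # constructed list-server address
T0 = datetime(2008, 1, 13, 9, 0)       # constructed start time


class TwoStrikeGate:
    """Strike one is delivered with 'x-pstn-2strike: clear'; strike two is refused."""

    def __init__(self, lockout=timedelta(hours=24), per_recipient=False):
        self.lockout = lockout
        self.per_recipient = per_recipient
        self._strike_one = {}  # key -> time the first obvious-spam message was let through

    def _key(self, sender_ip, recipient):
        return (sender_ip, recipient) if self.per_recipient else sender_ip

    def handle(self, when, sender_ip, recipient, verdict):
        """verdict is 'obvious' (rather obvious spam), 'low' (low score) or 'clean'.

        Returns ('deliver', extra_headers) or ('refuse', smtp_reply).
        """
        key = self._key(sender_ip, recipient)
        first = self._strike_one.get(key)
        if first is not None and when - first >= self.lockout:
            del self._strike_one[key]  # window over: the source starts clean again
            first = None
        locked = first is not None
        if verdict == "clean":
            return ("deliver", {})
        if verdict == "low":
            # low-scoring mail inside the window is refused as well, per the post
            return ("refuse", "571 message refused") if locked else ("deliver", {})
        if locked:                     # verdict == "obvious", strike two or later
            return ("refuse", "571 message refused")
        self._strike_one[key] = when   # strike one: delivered, but marked
        return ("deliver", {"x-pstn-2strike": "clear"})


def run(gate, messages):
    """Feed (when, sender_ip, recipient, verdict) tuples through the gate; return outcomes."""
    return [gate.handle(*m)[0] for m in messages]


def mailing_list_burst(n=6, per_recipient=False):
    """mikeb's scenario: n 'obvious' messages from one list server over a few hours."""
    gate = TwoStrikeGate(per_recipient=per_recipient)
    msgs = [(T0 + timedelta(minutes=30 * i), SENDER, "user1", "obvious") for i in range(n)]
    return run(gate, msgs)


def two_recipients(per_recipient):
    """One 'obvious' message each to user1 and user2 from the same IP, an hour apart."""
    gate = TwoStrikeGate(per_recipient=per_recipient)
    return run(gate, [(T0, SENDER, "user1", "obvious"),
                      (T0 + timedelta(hours=1), SENDER, "user2", "obvious")])


def after_lockout(hours):
    """'obvious' at T0, then 'obvious' again `hours` later from the same source."""
    gate = TwoStrikeGate()
    return run(gate, [(T0, SENDER, "user1", "obvious"),
                      (T0 + timedelta(hours=hours), SENDER, "user1", "obvious")])


if __name__ == "__main__":
    outcomes = mailing_list_burst()
    print(outcomes.count("deliver"), "delivered,", outcomes.count("refuse"), "refused")
    print("same IP, two recipients, per-sender scope:", two_recipients(False))
    print("same IP, two recipients, per-recipient scope:", two_recipients(True))
```

Running the six-message burst gives one delivery and five refusals, which is the mailing-list failure mode the post describes; the two_recipients() comparison shows why the per-sender versus per-destination question matters, since under a per-sender scope one customer's delivered strike locks the source out for everyone else.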
« Reply #757 on 14/01/2008, 02:11 »
I have received a message from a genuine vendor from whom I receive a regular and wanted newsletter containing a list of guitar instruction DVD titles he has available.
His message says that his newsletter bounced back as undeliverable and he has therefore removed my e-mail address from his database.

Can you please try to get a copy of the bounce message from him and then post it in the please post evidence of postini false positive here thread.  Thanks.
WARNING: The e-mail address on my profile is not my usual address, all messages sent via this site have been redirected elsewhere for test purposes. This could result in messages not being received in a timely manner or potentially not being received at all.
Logged
« Reply #758 on 14/01/2008, 06:16 »
Quote
Ok to (hopefully) clear this up once and for all .....

Re differences between internal/external systems: Finally, the answer that I (and no doubt a few others) just knew was going to get teased out eventually.  The PN internal system and the customer facing system are/were indeed different animals. Thank you.

It appears that I failed to clear it up very well, it was perfectly clear when I wrote it, but reading it back now I can see where it's not clear.....

Quote
Ok to (hopefully) clear this up once and for all, when we did the first set of internal trials we were on Postini's System 200 which had a large number of large corporate customers on it. Shortly before starting to use it for customers we were offered the option to move to System 5 which had about 3 months before been moved to a brand new data centre with brand new hardware and also was home to their circa 5 million ISP end users.

Would have been clearer if I'd said......

Ok to (hopefully) clear this up once and for all, when we did the first set of internal trials we were on Postini's System 200 which had a large number of large corporate customers on it. Shortly before starting to use it for customers we were offered the option to move to System 5. We therefore moved the internal mail routing to use System 5 for a few weeks before commencing the live customer trial, which had about 3 months before been moved to a brand new data centre with brand new hardware and also was home to their circa 5 million ISP end users.


Therefore as it stands right now any internal mail routes via System 5, and here's a header to show that:

Return-path: <xxx@globalcrossing.com>
Received: from pih-gkfe01.plus.net ([84.92.0.120])
 by calendar.plus.net (Sun Java System Messaging Server 6.2-3.04 (built Jul 15
 2005)) with ESMTP id <0JUH000KQOJXDJ30@calendar.plus.net> for
 xxx@calendar.plus.net; Fri, 11 Jan 2008 16:59:58 +0000 (GMT)
Received: by pih-gkfe01.plus.net with spam-scanned (PlusNet Gatekeeper v2.0)
 id 1JDNM1-0003r0-LY   for xxx@calendar.plus.net; Fri,
 11 Jan 2008 17:07:37 +0000
Received: from gatekeeper.force9.net ([84.92.0.114] helo=mail.plus.net.uk)
   by pih-gkfe01.plus.net with smtp (PlusNet Gatekeeper v2.0)
 id 1JDNM0-0003pQ-Hu   for xxx@calendar.plus.net; Fri,
 11 Jan 2008 17:07:36 +0000
Received: (qmail 17629 invoked by uid 9000); Fri, 11 Jan 2008 16:48:20 +0000
Received: (qmail 17536 invoked from network); Fri, 11 Jan 2008 16:48:19 +0000
Received: from unknown (HELO mx.internal.plus.net) (10.100.20.27)
 by 0 with SMTP; Fri, 11 Jan 2008 16:48:19 +0000
Received: from exprod5mx214.postini.com ([64.18.0.73] helo=psmtp.com)
   by mx.internal.plus.net with smtp (PlusNet MXInternal v1.00)
 id 1JDN3K-00015E-B4 ; Fri, 11 Jan 2008 16:48:19 +0000
Received: from source ([64.208.159.230]) by exprod5mx214.postini.com
 ([64.18.4.10]) with SMTP; Fri, 11 Jan 2008 11:48:15 -0500 (EST)
Received: from uk2s32 (uk2s32.uk.fbn [10.44.17.32])   by mailsrv.ams.gblxint.com
 (Postfix) with ESMTP id ABA18984C; Fri, 11 Jan 2008 11:48:14 -0500 (EST)
Date: Fri, 11 Jan 2008 16:48:15 +0000 (GMT)
From: ISC Team <xxx@globalcrossing.com>
Subject: NCC Emergency  - ISC00403575  - PlusNet PLC
To: xxx@plus.net, xxx@plus.net, xxx@plus.net, xxx@plus.net
Reply-to: ISC Team <xxx@globalcrossing.com>
Message-id: <22640653.1200070095754.JavaMail.Remedy.Service@uk2s32>
MIME-version: 1.0
Content-type: multipart/alternative;
 boundary="----=_Part_546_10257140.1200070095066"
X-Priority: 0
Delivered-to: pop3-plusnet-xxx@plus.net
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S:88.88828/99.90000 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-PN-SpamFiltered: by PlusNet MXInternal (v2.00)
Original-recipient: rfc822;xxx@calendar.plus.net


Bob or I will get back later on with an answer to the 2strike question but I thought it was important to clear up the System5/System200 confusion.

Phil

« Last Edit: 14/01/2008, 06:20 by pwebb »

Phil Webb
Plusnet Network Services Director
Free broadband - so where's the catch?
Logged
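Reading a Received: chain like the one Phil posted by eye is error-prone, so here is an added Python example (not code from the thread or from Plusnet) that walks it mechanically: it unfolds the headers, lists the hops in chronological order in the "source -> postini -> plusnet" style used earlier in the thread, reads the Postini system number out of the Postini MX host name (exprod5mx214 is taken here to mean System 5, as Phil's post implies), and flags any hop stamped earlier than the hop before it, the kind of clock problem jelv noticed in the spam Date: headers. RAW_HEADERS is Phil's header block trimmed to the Received: lines and one Postini header; the trimming is mine.

```python
"""Walk a message's Received: chain to see which hops it passed through.

Added example, not code from the forum thread or from Plusnet. RAW_HEADERS
is the header block Phil posted (with his xxx placeholders), trimmed here to
the Received: lines and one Postini header.
"""
import re
from email.utils import parsedate_to_datetime

RAW_HEADERS = """\
Received: from pih-gkfe01.plus.net ([84.92.0.120])
 by calendar.plus.net (Sun Java System Messaging Server 6.2-3.04 (built Jul 15
 2005)) with ESMTP id <0JUH000KQOJXDJ30@calendar.plus.net> for
 xxx@calendar.plus.net; Fri, 11 Jan 2008 16:59:58 +0000 (GMT)
Received: by pih-gkfe01.plus.net with spam-scanned (PlusNet Gatekeeper v2.0)
 id 1JDNM1-0003r0-LY   for xxx@calendar.plus.net; Fri,
 11 Jan 2008 17:07:37 +0000
Received: from gatekeeper.force9.net ([84.92.0.114] helo=mail.plus.net.uk)
   by pih-gkfe01.plus.net with smtp (PlusNet Gatekeeper v2.0)
 id 1JDNM0-0003pQ-Hu   for xxx@calendar.plus.net; Fri,
 11 Jan 2008 17:07:36 +0000
Received: (qmail 17629 invoked by uid 9000); Fri, 11 Jan 2008 16:48:20 +0000
Received: (qmail 17536 invoked from network); Fri, 11 Jan 2008 16:48:19 +0000
Received: from unknown (HELO mx.internal.plus.net) (10.100.20.27)
 by 0 with SMTP; Fri, 11 Jan 2008 16:48:19 +0000
Received: from exprod5mx214.postini.com ([64.18.0.73] helo=psmtp.com)
   by mx.internal.plus.net with smtp (PlusNet MXInternal v1.00)
 id 1JDN3K-00015E-B4 ; Fri, 11 Jan 2008 16:48:19 +0000
Received: from source ([64.208.159.230]) by exprod5mx214.postini.com
 ([64.18.4.10]) with SMTP; Fri, 11 Jan 2008 11:48:15 -0500 (EST)
Received: from uk2s32 (uk2s32.uk.fbn [10.44.17.32])   by mailsrv.ams.gblxint.com
 (Postfix) with ESMTP id ABA18984C; Fri, 11 Jan 2008 11:48:14 -0500 (EST)
X-pstn-levels: (S:88.88828/99.90000 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
"""


def unfold(raw):
    """Join RFC 2822 continuation lines (leading whitespace) onto their field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.rstrip())
    return fields


def strip_comments(s):
    """Remove (possibly nested) parenthesised comments such as '(EST)' or '(HELO ...)'."""
    prev = None
    while prev != s:
        prev, s = s, re.sub(r"\([^()]*\)", " ", s)
    return s


def parse_received(value):
    """Extract the 'from' host, the 'by' host and the timestamp of one Received: field."""
    clause, _, stamp = strip_comments(value).rpartition(";")
    m_from = re.search(r"\bfrom\s+(\S+)", clause)
    m_by = re.search(r"\bby\s+(\S+)", clause)
    return {"from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "time": parsedate_to_datetime(stamp.strip())}


def hops(raw):
    """Received: fields are prepended by each relay, so reverse them for chronological order."""
    recs = [f.split(":", 1)[1] for f in unfold(raw) if f.lower().startswith("received:")]
    return [parse_received(r) for r in reversed(recs)]


def route(hop_list):
    """The receiving hosts in order, i.e. the 'source -> postini -> plusnet' view."""
    return [h["by"] for h in hop_list if h["by"]]


def postini_system(hop_list):
    """Postini MX host names embed the system number (exprod5mx214 -> system 5); None if absent."""
    for h in hop_list:
        m = re.match(r"exprod(\d+)mx\d+\.postini\.com$", h["by"] or "")
        if m:
            return int(m.group(1))
    return None


def clock_regressions(hop_list):
    """Indices of hops stamped earlier than the previous hop: a sign of a wrong clock somewhere."""
    return [i for i in range(1, len(hop_list)) if hop_list[i]["time"] < hop_list[i - 1]["time"]]


if __name__ == "__main__":
    H = hops(RAW_HEADERS)
    print(" -> ".join(route(H)))
    print("Postini system:", postini_system(H))
    for i in clock_regressions(H):
        print(f"hop {i} ({H[i]['by']}) is stamped before hop {i - 1} ({H[i - 1]['by']})")
```

On Phil's header the chain confirms System 5 and also shows that calendar.plus.net stamped the message about eight minutes before the gatekeeper that handed it over, so at least one of those two clocks is off; it is worth knowing which when comparing timestamps across the internal and customer-facing paths.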
« Reply #759 on 14/01/2008, 08:45 »
We have noticed a massive reduction in the spam received to the users' mailbox since postini was enabled on Friday.

The only concern I have right now (as I manage a number of companies' domains/email) is how I will be able to 'train' the system if a genuine email is flagged as [-Spam-].

Good work though.
Logged
« Reply #760 on 14/01/2008, 15:18 »
Right,

Quick heads up guys about our plans for this week. I'm going to start work on the formal comms but thought I'd give people a heads up here first.

Tomorrow morning

  • Enable subject line tagging based on Postini headers.
  • Bypass Dspam for those on the Postini platform (effectively turning it off).
  • Enable virus quarantining (The notifications have not been getting sent for those on Postini up until now).
  • Lower the spam threshold so that the subject line of emails are only tagged for messages scoring below 0.15 (The original perception was that we'd be doing this for messages scoring below 0.30 - This is of course subject to review and feedback).
  • Introduce a 'sliding scale' for the X-pn-pstn header. There will be 5 basic levels of spam detection:

    X-pn-pstn: Spam 1 (Subject line tagged with [-SPAM-])
    X-pn-pstn: Spam 2
    X-pn-pstn: Spam 3
    X-pn-pstn: Spam 4
    X-pn-pstn: Spam 5

    These levels will be based on the following spam scoring (hope this makes sense):

    (1) < 0.15 > (2) < 0.30 > (3) < 1.00 > (4) < 3.00 > (5) < 8.00

@jelv, you may want to update your header interpretation sticky on the back of this.

The main reason for us doing this is so that we can eventually introduce a sliding scale to the portal that allows customers the ability to set the aggressiveness of the filter as per their own preferences.

Wednesday

Migrate approximately 40,000 PlusNet customers to the Postini platform.

Thursday

Migrate a further 40,000 PlusNet customers to the Postini platform.

Next week we'll be looking to move the remaining customers across (there'll be about 100,000 left at that point).

I'm working at creating a ticket path for opt-out purposes, however if there's anybody here who objects to being moved then drop me a PM and I'll ensure you're on an exclusion list. So far there's Gary and Mike that I'm aware of (although I think I have them already, you may want to PM me your usernames just so I know I'm looking at the right accounts).

« Last Edit: 14/01/2008, 15:45 by Bob »

Bob Pullen
Plusnet Comms Team
Service Status :: RSS :: Email

twitter / plusnet
Logged
« Reply #761 on 14/01/2008, 15:33 »

Is there now any point in me opting in @ trials.plus.net ?

SW
Netgear DG834Gv2, Anytime+ Click HERE to change your BBYW Options Using BBYW1/10GB (Jan 2009) PAYG (From 2004)

Plusnet Customer Service 0114 296 5198 Plusnet Faults 0114 296 5188
Logged
« Reply #762 on 14/01/2008, 15:41 »
Is the mxcore/mxlast blocking that was rolled back at the end of last week due to the force9.net problem due to be re-instated middle/end of this week?

I assume that the blocking will also be put in place as part of the process for the new people as they are added (I think it was automatic after 7 days?).
Logged
« Reply #763 on 14/01/2008, 15:45 »
Quote
Is there now any point in me opting in @ trials.plus.net ?

Possibly. You might not get migrated until next week. I'll run another batch of trialists mid-week if possible.

Quote
Is the mxcore/mxlast blocking that was rolled back at the end of last week due to the force9.net problem due to be re-instated middle/end of this week?

We just reset the timer, so it should be back in place 7 days after I said we'd rolled it back without us having to intervene.

Quote
I assume that the blocking will also be put in place as part of the process for the new people as they are added (I think it was automatic after 7 days?).

Yes, that's right.
Bob Pullen
Plusnet Comms Team
Service Status :: RSS :: Email

twitter / plusnet
Logged
  • jelv
  • Bright Spark
  • *
  • Posts: 9327
« Reply #764 on 14/01/2008, 16:07 »
I'm not at all sure about the thresholds for the spam levels based on the monitoring I've been doing.

For people who are just using the Plusnet subject tagging (i.e. only Spam 1 is considered spam) I can very confidently predict that 15-20% of spam emails arriving in people's in-boxes will not be identified as spam. The fact that in the headers (which are a total mystery to most users) it says Spam 2, 3, 4 or 5 will not provide them with any comfort.

I and a number of other people have reported emails wrongly identified as spam by Postini - they all have a common factor - they do not have the X-pstn-neptune-rslt: qtine header present. On the other hand I have received a considerable number of blatant spams with S: levels in the range 0.15 to 0.3 which will not now be tagged as spam in the subject. They all had the X-pstn-neptune-rslt: qtine header present.

Beyond that, on one mailbox I am monitoring that receives nothing but spam, 66 out of 569 (11.6%) had an S level of 0.3 or higher and had the X-pstn-neptune-rslt: qtine header present.

I don't see any use whatsoever in the proposed Spam 4 and Spam 5 markers - many, many genuine emails fall into that range (I won't be taking any notice of them).

I would suggest something like:

Spam 1: 0.0 to 0.14999 (as proposed)
Spam 2: 1.5 to 0.29999 AND X-pstn-neptune-rslt: qtine
Spam 3: 1.5 to 0.29999 (X-pstn-neptune-rslt: qtine not present)
Spam 4: 0.3 to 0.99999 AND X-pstn-neptune-rslt: qtine
Spam 5: 0.3 to 0.99999 (X-pstn-neptune-rslt: qtine not present)

and that Spam 1 AND Spam 2 be tagged as spam and treated accordingly.
jelv

Plusnet chatroom: /server usertools.plus.net   /join #usertools
Plusnet Unlimited is not without limits
Logged
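Bob's proposed sliding scale (Reply #760) and jelv's counter-proposal just above differ in where a message with a given Postini S: score lands and whether its subject gets tagged, so it is useful to put both side by side in code. The following Python is an added example, not Plusnet's implementation or anything from the thread. It reads the S: score out of an X-pstn-levels header, checks for the X-pstn-neptune-rslt: qtine header jelv relies on, and returns the level under each scheme. Bob's notation is read here as 1: S < 0.15, 2: 0.15-0.30, 3: 0.30-1.00, 4: 1.00-3.00, 5: 3.00-8.00 and no level above 8.00; jelv's "1.5" is assumed to mean 0.15 so that Spam 2/3 start where Spam 1 ends. The sample headers are constructed, apart from the S: value copied from Phil's header and the 1.94 mikeb quotes for the Odeon message.

```python
"""Map a Postini X-pstn-levels S: score to the proposed X-pn-pstn Spam levels.

Added example, not code from the thread or from Plusnet. Two schemes side by
side: Bob's five bands (read here as 1: S < 0.15, 2: 0.15-0.30, 3: 0.30-1.00,
4: 1.00-3.00, 5: 3.00-8.00, nothing above 8.00) and jelv's counter-proposal,
which also looks at whether X-pstn-neptune-rslt: qtine is present (his '1.5'
is assumed to mean 0.15). The sample headers below are constructed.
"""
import re

# Bob's bands as (exclusive upper bound, level); a score of 8.00 or more gets no level.
BOB_BANDS = [(0.15, 1), (0.30, 2), (1.00, 3), (3.00, 4), (8.00, 5)]


def s_score(headers):
    """Pull the S: value out of 'X-pstn-levels: (S:0.23/99.90000 R:... )'; None if absent."""
    m = re.search(r"S:\s*([0-9.]+)/", headers.get("X-pstn-levels", ""))
    return float(m.group(1)) if m else None


def bob_level(score):
    """Bob's scheme: only the S: score matters; only Spam 1 gets the subject tag."""
    for upper, level in BOB_BANDS:
        if score < upper:
            return level
    return None


def jelv_level(score, quarantined):
    """jelv's scheme: the 0.15-1.0 range is split by whether Postini's own verdict was qtine."""
    if score < 0.15:
        return 1
    if score < 0.30:
        return 2 if quarantined else 3
    if score < 1.00:
        return 4 if quarantined else 5
    return None                       # jelv proposes nothing above 1.0


def classify(headers):
    """Return the level and tagging decision under both schemes, or None without Postini headers."""
    score = s_score(headers)
    if score is None:
        return None                   # no Postini headers: the message did not pass through Postini
    quarantined = headers.get("X-pstn-neptune-rslt", "").strip().lower() == "qtine"
    bob, jelv = bob_level(score), jelv_level(score, quarantined)
    return {"score": score,
            "bob": bob, "bob_tag": bob == 1,            # Bob: tag Spam 1 only
            "jelv": jelv, "jelv_tag": jelv in (1, 2)}   # jelv: tag Spam 1 and Spam 2


# Constructed samples; the first S: value is from Phil's header, 1.94 is the Odeon score mikeb quotes.
SAMPLES = {
    "genuine (Phil's header)": {"X-pstn-levels": "(S:88.88828/99.90000 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )"},
    "blatant spam, qtine":     {"X-pstn-levels": "(S:0.22/99.90000 )", "X-pstn-neptune-rslt": "qtine"},
    "false positive, no qtine": {"X-pstn-levels": "(S:0.22/99.90000 )"},
    "obvious spam":            {"X-pstn-levels": "(S:0.05/99.90000 )"},
    "Odeon message":           {"X-pstn-levels": "(S:1.94/99.90000 )"},
    "direct to mx.core":       {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:26} {classify(hdrs)}")
```

The "blatant spam, qtine" and "false positive, no qtine" rows have the same S: score; Bob's scheme treats them identically (Spam 2, untagged), while jelv's scheme tags the first and leaves the second alone, which is exactly the distinction his qtine observation is meant to capture.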
  • jelv
  • Bright Spark
  • *
  • Posts: 9327
« Reply #765 on 14/01/2008, 16:11 »
As I've asked elsewhere - it appears that for people who have recently been moved to Postini (within the last 7 days) and for whom the blocking has not been put in place, any mail received direct to mx.core/mx.last will not be checked for spam by either Postini or DSPAM.

If this is the case it is a whopping great hole as nearly all the email that comes that route is spam.
jelv

Plusnet chatroom: /server usertools.plus.net   /join #usertools
Plusnet Unlimited is not without limits
Logged
« Reply #766 on 14/01/2008, 17:30 »
Fear not.

The system will look for the presence of Postini headers. If they are present then Dspam will be bypassed. If they are not then the message will still be fed through Dspam.

So in a nutshell, stuff that's getting sent directly via the mx.lasts/mx.cores will still be at the mercy of Dspam.
Bob Pullen
Plusnet Comms Team
Service Status :: RSS :: Email

twitter / plusnet
Logged
  • Midnight Caller
  • Posts: 1506
  • Please remember that I am Dyslexic when replying
« Reply #767 on 14/01/2008, 18:28 »
Hi Bob

I have sent you my info.
Kind Regards, Gary Lambert.      Force9 ID: dyslexia,
PlusNet ID: tdadyslexia,     PlusNet Since 6 February 2001


DHEA Community Forum        Please Help Me To Save Lives
Logged