Plusnet

Postini Feedback / Manage My Mail Improvements

« Reply #672 on 01/10/2008, 15:16 »
What on earth is going on with postini at the mo ?  Messages are frequently (if not always) taking SEVERAL MINUTES to be received by the postini servers. Is this "by design" or "by c*ck-up" or "by act of god" or what ?

Hi Mike, I wasn't aware of any discrepancies until I read this thread and your post over on the Usergroup forums. I must admit, you highlight some interesting observations.

Quote
The length of time postini is apparently holding the connection open but stalled before completing the transfer is several minutes. 2 mins is very typical but I've seen around 8 mins on some attempts and a maximum of around 15 mins so far. This simply cannot be right and will no doubt be causing no end of problems for anyone attempting to send any significant number of messages to various PN customers.  I don't know exactly how long this has been going on for but something tells me perhaps around 2 weeks because that's when I first started seeing other very strange things happening on all my monitored postini A/Cs  Roll Eyes

I think I understand what you're saying here about the lengthy SMTP transactions but I'm struggling to understand how this is reflected by your netmeter graph? How were you sending these messages? Directly to mx-postini.core.plus.net using SMTP or via relay.plus.net or another third party mailserver?

Quote
It very much sounds to me like postini have intentionally changed something in an attempt to deter, confuse or generally screw up spamming activity or at the very least slow them down considerably.

As we know from past experiences, that's certainly a possibility given the proprietary nature of Postini's heuristics engine.

Quote
Despite my lack of anything much in the way of real evidence, I think my money is very much on a postini change implemented around a couple of weeks ago because that stacks up with other very strange things happening around that time and perhaps it also stacks up with the well known about problems with mail being lost from certain other sources  Wink  I also note that despite requests from at least one customer for a full and detailed explanation of that problem explaining the reasons for and resolution of said problem, nothing has yet been forthcoming from PN.

The problem with uk2.net wasn't as much a problem with the length of the SMTP transaction but more the fact that Postini's connection manager was outright refusing the connection.

Code:
2008-08-27 18:17:00 1KYOda-0004Qc-Ib Remote host mx-postini.core.plus.net [64.18.4.11] closed connection in response to initial connection

I'm not sure what else people want to know about the uk2.net issues. For what it's worth though, here's an overview in case there's anything I've neglected to mention before. For the benefit of those who aren't familiar with this problem, the Service Status thread can be seen here.

It emerged back in August that email destined for uk2.net domains that were configured to forward to Plusnet addresses was being bounced. This bouncing was being done by Postini's email security proxies (the ones used to filter customers' email).

At this time we immediately raised tickets with both Postini and uk2.net asking for their support and cooperation in order to identify and resolve the root cause of the problem. Unfortunately, neither of the responses we received were of much assistance to us, least so uk2.net's (the last ticket we raised with them still remains unanswered if I'm honest).

Working with Postini we eventually established that connections were being refused due to the actions of their 'Connection Manager'.

As far as we were concerned, neither ourselves nor Postini had changed or altered any of these settings. This led to the belief that there must have been an habitual change at uk2.net's end to have caused the mail to get rejected. Despite asking uk2.net for their cooperation in this area, no details were ever forthcoming.

We eventually took the decision to decrease the severity of Postini's Connection Manager. This is not a decision we took lightly as it could have resulted in us deluging our 500,000 strong customer base with spam, and could have severely impacted the integrity of our mail platform (this is because the Connection Manager settings are applied globally to all accounts).

Originally we made a very subtle change as we didn't want this to have any adverse effect on customers. That was documented in the Service Status announcement here.

Unfortunately this didn't work and we had to revisit the settings again as per the Service Status announcement here.

This led to an increase in spam being delivered to our entire customer base which we had tried to avoid. We then made a third attempt, which seemed to do the trick as per the Service Status announcement here.

Quote
I also note that postini (or more likely PN) aren't exactly being honest with the timing quoted in message headers either. However, I suspect this could well be the usual problem with the various PN server clocks not being synchronised to a time server so times can (and often do) differ considerably depending on which server you happen to get connected to.

Usual problem?

From what I can see in the example you provided the email was received by the Postini proxies at around 11:26pm, it was then passed to our mx.core delivery servers at around 11:41pm and delivered to your mailbox. Is it the time it spent on the Postini servers that you're querying? I'm not sure I follow.

I've just tried sending an email to an account on Postini via a third party SMTP server and the dates looked in check:

Code:
Delivery-date: Wed, 01 Oct 2008 14:58:35 +0100
Received: from exprod5mx248.postini.com ([64.18.0.168] helo=psmtp.com)
  by pih-sunmxcore09.plus.net with smtp (PlusNet MXCore v2.00) id 1Kl2Dq-0000mq-CW
  for me@privacy.net; Wed, 01 Oct 2008 14:58:34 +0100
Received: from source ([216.86.168.178]) (using TLSv1) by exprod5mx248.postini.com ([64.18.4.14]) with SMTP;
  Wed, 01 Oct 2008 06:58:32 PDT
Received: from [192.168.1.2] (unknown [80.229.150.170])
  (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
  (No client certificate requested)
  by smtp.mxes.net (Postfix) with ESMTP id CBF6E23E4B8
  for <me@privacy.net>; Wed,  1 Oct 2008 09:58:31 -0400 (EDT)
Message-ID: <48E38203.8010203@privacy.net>
Date: Wed, 01 Oct 2008 14:58:27 +0100

Same when using relay.plus.net:

Code:
Delivery-date: Wed, 01 Oct 2008 15:01:52 +0100
Received: from exprod5mx266.postini.com ([64.18.0.89] helo=psmtp.com)
  by pih-sunmxcore11.plus.net with smtp (PlusNet MXCore v2.00) id 1Kl2H1-0004zG-2C
  for me@privacy.net; Wed, 01 Oct 2008 15:01:51 +0100
Received: from source ([212.159.14.20]) (using TLSv1) by exprod5mx266.postini.com ([64.18.4.10]) with SMTP;
  Wed, 01 Oct 2008 07:01:48 PDT
Received: from [80.229.150.170] (helo=[192.168.1.2])
  by pih-relay08.plus.net with esmtpa (Exim) id 1Kl2Gx-00048n-S9
  for me@privacy.net; Wed, 01 Oct 2008 15:01:48 +0100
Message-ID: <48E382C8.4070504@plus.net>
Date: Wed, 01 Oct 2008 15:01:44 +0100

Quote
Where is this 'feature' documented ?

It isn't I don't think (assuming of course it is a 'feature' and not a genuine problem).

Quote
Why was this particular message 'caught' ?

Are you asking why it spent so long on the Postini proxy? If so then I'd warrant an educated guess that we were having a problem with the mx.lasts/mx.cores around that time and Postini couldn't hand the email off.

Quote
How long has this been going on ?

I was about to ask you the same question. Are you still seeing this happening? Your Usergroup post suggests that things have returned to how you would expect.

Quote
It seems that Bob and co now prefer to run for cover instead of answering any queries raised in this thread.

I've only just had my attention brought to this thread.
Bob Pullen
Plusnet Support Team
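
The timing question in the reply above comes down to reading Received stamps written in different zones (+0100, -0400, PDT). The following is an added example, not part of the original post: it normalises every stamp to UTC and reports the delay at each hop. The first sample is the third-party-relay header block quoted above; the second is constructed (example.* hosts) to mirror the 15-minute hold described in the post, and the function names are this example's own.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header block copied from the third-party-relay test in the post above.
SAMPLE_FROM_POST = """\
Delivery-date: Wed, 01 Oct 2008 14:58:35 +0100
Received: from exprod5mx248.postini.com ([64.18.0.168] helo=psmtp.com)
  by pih-sunmxcore09.plus.net with smtp (PlusNet MXCore v2.00) id 1Kl2Dq-0000mq-CW
  for me@privacy.net; Wed, 01 Oct 2008 14:58:34 +0100
Received: from source ([216.86.168.178]) (using TLSv1) by exprod5mx248.postini.com ([64.18.4.14]) with SMTP;
  Wed, 01 Oct 2008 06:58:32 PDT
Received: from [192.168.1.2] (unknown [80.229.150.170])
  (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
  (No client certificate requested)
  by smtp.mxes.net (Postfix) with ESMTP id CBF6E23E4B8
  for <me@privacy.net>; Wed,  1 Oct 2008 09:58:31 -0400 (EDT)
Message-ID: <48E38203.8010203@privacy.net>
Date: Wed, 01 Oct 2008 14:58:27 +0100
"""

# Constructed sample: a filtering proxy holds the message for about 15 minutes.
SAMPLE_STALLED = """\
Received: from filter.example.net by mx.example.org with smtp; Tue, 30 Sep 2008 23:41:05 +0100
Received: from sender.example.com by filter.example.net with SMTP; Tue, 30 Sep 2008 15:26:02 PDT
Date: Tue, 30 Sep 2008 23:25:58 +0100
"""

BY_HOST = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)


def _utc(stamp):
    """Parse an RFC 2822 date (numeric or named zone such as PDT) into UTC."""
    when = parsedate_to_datetime(stamp.strip())
    if when.tzinfo is None:  # "-0000" parses as naive; treat it as UTC
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def hop_delays(raw_headers):
    """Return [(receiving_host, seconds_since_previous_stamp)], oldest hop first.

    The first delay is measured from the Date header when one is present.
    A large delay at hop N means the message sat on hop N-1 (or the transfer
    itself was slow) before hop N accepted it.
    """
    msg = message_from_string(raw_headers)
    stamps = []
    # Received headers are prepended, so the newest is first; walk them reversed.
    for value in reversed(msg.get_all("Received", [])):
        _, sep, stamp = value.rpartition(";")
        match = BY_HOST.search(value)
        if not sep or not match:
            continue
        try:
            stamps.append((match.group(1), _utc(stamp)))
        except (TypeError, ValueError):
            continue  # unparseable date: skip this hop rather than guess
    previous = None
    if msg["Date"]:
        try:
            previous = _utc(msg["Date"])
        except (TypeError, ValueError):
            previous = None
    delays = []
    for host, when in stamps:
        delta = (when - previous).total_seconds() if previous else None
        delays.append((host, delta))
        previous = when
    return delays


def flag_hops(raw_headers, slow_after=60):
    """Flag hops slower than slow_after seconds, and negative delays.

    Each server stamps with its own clock, so a negative delay points to
    unsynchronised clocks rather than to time travel.
    """
    flagged = []
    for host, delay in hop_delays(raw_headers):
        if delay is None:
            continue
        if delay < 0:
            flagged.append((host, delay, "clock-skew"))
        elif delay > slow_after:
            flagged.append((host, delay, "slow"))
    return flagged


if __name__ == "__main__":
    for host, delay in hop_delays(SAMPLE_FROM_POST):
        print(f"{host:32} +{delay:.0f}s")
    print(flag_hops(SAMPLE_STALLED))
```
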
« Reply #673 on 16/11/2008, 17:33 »
Well Postini Quarantine spam filtering in conjunction with whitelisting and blacklisting of certain domains/addresses seems to have been working well for quite a while with no further serious major errors by Plusnet in the last month or two such as whitelisting all emails faked as being sent from your own Plusnet domain.

However in the last week or two quite a few obvious spams have begun to get through to my Inbox.  In addition my first compensation email from Icesave was blocked as spam but I do realise this is largely the fault of the mickey mouse mass emailing service employed by the FSCS (hearfrom/highfield) who sent their bulk emails in such a manner as to be likely to trip almost every known spam filter going.

But returning to the increase in blatant spams now getting through I have just received the below message as one of the very worst examples of stuff that Postini's Quarantine service should have trapped.  The subject of the email contains "2400 USD waiting for you".  Does Postini really believe there are any legitimate emails being sent with this kind of subject line?  Even the FSCS Icesave compensation emails didn't contain this kind of blatant spam tripping Subject line.

Does anyone at Plusnet have any comment as to why or how this one might have got through Postini's filters?

Quote
-------- Original Message --------
From:    - Sun Nov 16 17:09:51 2008
X-Account-Key:    account4
X-UIDL:    UID18617-1149066516
X-Mozilla-Status:    0001
X-Mozilla-Status2:    00000000
X-Mozilla-Keys:    
Return-path:    <alwaller59@aol.com>
Envelope-to:    xxxx@xxxxxx.plus.com
Delivery-date:    Sun, 16 Nov 2008 15:42:17 +0000
Received:    from [64.18.0.103] (helo=psmtp.com) by pih-sunmxcore13.plus.net with smtp (PlusNet MXCore v2.00) id 1L1jlQ-0001I1-Es for xxxx@xxxxxx.plus.com; Sun, 16 Nov 2008 15:42:16 +0000
Received:    from source ([205.188.157.37]) by exprod5mx279.postini.com ([64.18.4.14]) with SMTP; Sun, 16 Nov 2008 10:42:16 EST
Received:    from alwaller59@aol.com by imo-d05.mx.aol.com (mail_out_v39.1.) id u.d04.45ee488b (48600); Sun, 16 Nov 2008 10:41:26 -0500 (EST)
From:    alwaller59@aol.com
Message-ID:    <d04.45ee488b.36519972@aol.com>
Date:    Sun, 16 Nov 2008 10:42:42 EST
To:    js@ges-m.com, xxxx@xxxxxx.plus.com
MIME-Version:    1.0
Content-Type:    text/html; charset="US-ASCII"
Content-Transfer-Encoding:    7bit
X-Mailer:    AOL 5.0 for Windows sub 20
X-Spam-Flag:    NO
X-pstn-neptune:    6/5/0.83/78
X-pstn-levels:    (S:48.98142/99.90000 CV:99.9999 )
X-pstn-settings:    1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses:    from <alwaller59@aol.com> [411/21]
X-PN-Virus-Filtered:    by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered:    by PlusNet MXCore (v4.00)
Subject:    WakeUp 2400 USD waiting for you
X-Antivirus:    avast! (VPS 081115-1, 15/11/2008), Inbound message
X-Antivirus-Status:    Clean

**************You Rock! One month of free movies delivered by mail from
blockbuster.com
(http://pr.atwola.com/prom...eg/p.26978/r.email_footer)

« Reply #674 on 16/11/2008, 17:46 »
Does anyone at Plusnet have any comment as to why or how this one might have got through Postini's filters?

It looks to me like the email was sent from an AOL address via AOL's relay servers. AFAIK AOL implement SPF and this message will have passed SPF checks too.

Basically, its origin seems pretty legitimate even if the content is quite clearly spam. BTW, have you seen the latest proposal for our spam filters?
Bob Pullen
Plusnet Support Team
« Reply #675 on 16/11/2008, 19:01 »
It looks to me like the email was sent from an AOL address via AOL's relay servers. AFAIK AOL implement SPF and this message will have passed SPF checks too.

Basically, its origin seems pretty legitimate even if the content is quite clearly spam. BTW, have you seen the latest proposal for our spam filters?

Bob,

Well obviously the way you have written it up the move across to Ironport sounds like a huge improvement but as one of the unfortunate depositors in Icesave still awaiting my compensation for my lost savings from the Financial Services Compensation Scheme I eagerly studied the threads discussing this matter over in the savings section of the www.moneysavingexpert.com discussion forum.

Unfortunately the FSCS chose to use a mailing house called www.hearfrom.com (Highfield Solutions) to send their first and second emails to Icesave investors advising them that they were going to receive compensation and were then (in the second email) entitled to claim compensation.  Because of the volume of emails sent by Hearfrom/Highfield and the way they sent them (reply address not the same as sending domain and various other no nos for bulk mailing as I understand it) around 50% of these critical emails were classified as spam by most major ISPs, including Plusnet.  As a Plusnet Postini Quarantine user all I had to do was visit my Quarantine folder and release the required email and then whitelist the sending FSCS email address but it was reported by customers of ISPs with an Ironport filtering spam solution such as Eclipse and Utility Warehouse that there was no way at all for them to access a spam folder or change spam settings and release this vital email.  See http://forums.moneysaving.../showthread.html?p=156779

Now I suspect this is because the implementation of Ironport at these ISPs is sufficiently dumbed down that they just haven't given customers a way to access their spam folder and/or whitelist emails that they must get regardless of Ironport's spam filtering classification and it also sounds like the Ironport Postini Quarantine replacement solution is going to be significantly more sophisticated (although I don't like the sound of having to log in separately to check spam for each different email address variant I use and would much rather look at all the spam in one block) but it seems that no system is perfect and based on the FSCS spam treatment issue perhaps there are some aspects of the Ironport service that are not quite as good as they at first appear.

Also almost any change of spam provider is likely to cause initial disruption where things go wrong on a large scale and as one of the free account email customers it seems that the switch to Ironport will take place any day now?

I should add that I would be very happy indeed to come back to Plusnet for my main broadband service if Plusnet would allow me as much bandwidth for the same prices as an Entanet broadband reseller (in this case ADSL24) does and/or more importantly if Plusnet could provide a service where my contended bandwidth could be guaranteed not to fall below about 2 Mbps even at peak times and/or if my internet connection could be guaranteed to be up basically 24/7 as it has been ever since I moved to Entanet based broadband providers.  I don't need as much bandwidth as 30Gb peak and 300Gb Off Peak but my bandwidth use is around 8Gb to 9Gb per month and with having two internet radios and thinking of moving my backup solution online I am always concerned I could accidentally hit up to 25Gb in a month at some point in the future.

I find it interesting that Entanet stands alone as a high quality and customer responsive ISP (the support is good if you telephone either ADSL24 for account issues or Entanet who provide technical support for the broadband connection 24/7) in the amount of bandwidth they will allow customers at the price level and that other smaller ISPs who also focus on high quality broadband connections like Newnet and IDNet remain unbelievably restrictive with their bandwidth allowances.
« Reply #676 on 17/11/2008, 08:55 »
Unfortunately the FSCS chose to use a mailing house called www.hearfrom.com (Highfield Solutions) to send their first and second emails to Icesave investors advising them that they were going to receive compensation and were then (in the second email) entitled to claim compensation.  Because of the volume of emails sent by Hearfrom/Highfield and the way they sent them (reply address not the same as sending domain and various other no nos for bulk mailing as I understand it) around 50% of these critical emails were classified as spam by most major ISPs, including Plusnet.

We blogged about this here.
Bob Pullen
Plusnet Support Team
« Reply #677 on 19/11/2008, 08:04 »
Hi All

Has anybody been noticing an increase in email arriving directly into their inbox which has not been tagged as SPAM, when it clearly is SPAM?

I have noticed that the amount of SPAM actually arriving into my SPAM folder is decreasing a lot too, but I expect this is due to the recent hosts which have been shut down which have been linked to SPAM sources.

I would usually get between 5-10 messages arriving directly into my inbox not marked as SPAM but since the beginning of the month it has risen to between 40-50 a day.

Thanks

Andy
  • spraxyt
  • Usergroup Member
« Reply #678 on 19/11/2008, 12:34 »
Has anybody been noticing an increase in email arriving directly into their inbox which has not been tagged as SPAM, when it clearly is SPAM?

I would usually get between 5-10 messages arriving directly into my inbox not marked as SPAM but since the beginning of the month it has risen to between 40-50 a day.

I don't recall an increase in missed spam being mentioned elsewhere in the forums, and it's not something I've experienced. Please could you post sanitised headers for a couple of these messages?

Thanks

David
« Reply #679 on 19/11/2008, 15:23 »
Hi David

Here are a few headers from this month of obvious spam that ended up in my inbox.
I know some have been identified as Spam 4/5, I usually have my level set at Level 2 and do not really want to change it.


****HEADER 1****

Return-path: <bill.hy@thewinternight.com>
Envelope-to: my.name@mydomain.f9.co.uk
Delivery-date: Wed, 19 Nov 2008 14:13:21 +0000
Received: from [64.18.0.90] (helo=psmtp.com)
     by pih-sunmxcore10.plus.net with smtp (PlusNet MXCore v2.00) id 1L2no0-0006lC-H8
     for my.name@mydomain.f9.co.uk; Wed, 19 Nov 2008 14:13:21 +0000
Received: from source ([70.38.75.206]) by exprod5mx267.postini.com ([64.18.4.13]) with SMTP;
     Wed, 19 Nov 2008 06:13:20 PST
Reply-To: <bill.hy@thewinternight.com>
In-Reply-To: 20081119091302.rcyyzfsemjj@mx6.thewinternight.com.9001
MIME-Version: 1.0
Content-Type: multipart/alternative;
     boundary="----_=_NextPart_000_0097_b55e2c2c.b55e2c2c"
Content-class: urn:content-classes:message
Date: Wed, 19 Nov 2008 09:13:02 -0500
Message-Id: <20081119091302.rcyyzfsemjj@mx6.thewinternight.com>
Thread-Topic: Genuine United States Inaugural Presidential Dollar
From: "Obama Coin As Seen on TV " <obama@thewinternight.com>
To: <my.name@mydomain.f9.co.uk>
Importance: Normal
X-pstn-neptune: 252/82/0.33/72
X-pstn-levels: (S:13.37078/99.90000 CV:99.9999 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses: from <obama@thewinternight.com> [606/32]
X-PN-Virus-Filtered: by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v4.00)
Subject: Genuine United States Inaugural Presidential Dollar


****HEADER 2****

Return-path: <jeans@positionandride.com>
Envelope-to: my.name@mydomain.f9.co.uk
Delivery-date: Wed, 19 Nov 2008 09:47:15 +0000
Received: from [64.18.0.88] (helo=psmtp.com)
     by pih-sunmxcore13.plus.net with smtp (PlusNet MXCore v2.00) id 1L2jeU-0007FV-Lt
     for my.name@mydomain.f9.co.uk; Wed, 19 Nov 2008 09:47:15 +0000
Received: from source ([74.209.202.47]) by exprod5mx265.postini.com ([64.18.4.11]) with SMTP;
     Wed, 19 Nov 2008 09:47:14 GMT
Reply-To: <jeans@positionandride.com>
In-Reply-To: 200811190447.968
MIME-Version: 1.0
Content-Type: multipart/alternative;
     boundary="----_=_NextPart_000_0097_positionandride.com.positionandride.com"
Content-class: urn:content-classes:message
Date: 19 Nov 2008 04:47:13 -0400
Message-Id: <1112.200811190447.11741749@positionandride.com>
Thread-Topic: Rates lowest in history
From: "Life Insurance Alert " <jeans@positionandride.com>
To: <my.name@mydomain.f9.co.uk>
Importance: Normal
X-pstn-neptune: 500/96/0.19/46
X-pstn-levels: (S:36.19386/99.90000 CV:99.9999 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses: from <jeans@positionandride.com> [606/32]
X-PN-Virus-Filtered: by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v4.00)
Subject: Rates lowest in history

****HEADER 3****

Return-path: <jeans@thecaptainslocker.com>
Envelope-to: my.name@mydomain.f9.co.uk
Delivery-date: Tue, 18 Nov 2008 14:34:08 +0000
Received: from [64.18.0.85] (helo=psmtp.com)
     by pih-sunmxcore18.plus.net with smtp (PlusNet MXCore v2.00) id 1L2ReZ-0005eV-TG
     for my.name@mydomain.f9.co.uk; Tue, 18 Nov 2008 14:34:08 +0000
Received: from source ([74.209.241.226]) by exprod5mx226.postini.com ([64.18.4.14]) with SMTP;
     Tue, 18 Nov 2008 07:34:07 MST
Reply-To: <jeans@thecaptainslocker.com>
In-Reply-To: 200811180934.182
MIME-Version: 1.0
Content-Type: multipart/alternative;
     boundary="----_=_NextPart_000_0097_thecaptainslocker.com.thecaptainslocker.com"
Content-class: urn:content-classes:message
Date: 18 Nov 2008 09:34:15 -0400
Message-Id: <1095.200811180934.4417421@thecaptainslocker.com>
Thread-Topic: What's your success story?
From: "Your Skinny Jeans " <jeans@thecaptainslocker.com>
To: <my.name@mydomain.f9.co.uk>
Importance: Normal
X-pstn-neptune: 294/52/0.18/64
X-pstn-levels: (S:36.67595/99.90000 CV:99.9999 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses: from <jeans@thecaptainslocker.com> [606/32]
X-PN-Virus-Filtered: by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v4.00)
Subject: What's your success story?

****HEADER 4****

Return-path: <support@kidskickbox.com>
Envelope-to: my.name@mydomain.f9.co.uk
Delivery-date: Sun, 02 Nov 2008 16:54:31 +0000
Received: from [64.18.0.38] (helo=psmtp.com)
     by pih-sunmxcore12.plus.net with smtp (PlusNet MXCore v2.00) id 1KwgDe-0007F3-C9
     for my.name@mydomain.f9.co.uk; Sun, 02 Nov 2008 16:54:30 +0000
Received: from source ([74.209.255.232]) by exprod5mx192.postini.com ([64.18.4.13]) with SMTP;
     Sun, 02 Nov 2008 11:54:30 EST
Reply-To: <support@kidskickbox.com>
In-Reply-To: 200811021154.680
MIME-Version: 1.0
Content-Type: multipart/alternative;
     boundary="----_=_NextPart_000_0097_kidskickbox.com.kidskickbox.com"
Content-class: urn:content-classes:message
Date: 2 Nov 2008 11:54:28 -0400
Message-Id: <860.200811021154.4417421@kidskickbox.com>
Thread-Topic: Did Someone Search for You? We Know Who..
From: "Find People" <support@kidskickbox.com>
To: <my.name@mydomain.f9.co.uk>
Importance: Normal
X-pstn-neptune: 500/42/0.08/25
X-pstn-levels: (S:38.51594/99.90000 CV:99.9999 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses: from <support@kidskickbox.com> [606/32]
X-PN-Virus-Filtered: by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v4.00)
Subject: Did Someone Search for You? We Know Who..

****HEADER 5****

Return-path: <support@moultonlong.com>
Envelope-to: my.name@mydomain.f9.co.uk
Delivery-date: Sun, 02 Nov 2008 03:10:11 +0000
Received: from [64.18.0.43] (helo=psmtp.com)
     by pih-sunmxcore10.plus.net with smtp (PlusNet MXCore v2.00) id 1KwTLu-0005AY-67
     for my.name@mydomain.f9.co.uk; Sun, 02 Nov 2008 03:10:10 +0000
Received: from source ([74.209.255.98]) by exprod5mx197.postini.com ([64.18.4.14]) with SMTP;
     Sat, 01 Nov 2008 20:10:10 PDT
Reply-To: <support@moultonlong.com>
In-Reply-To: 200811012310.062
MIME-Version: 1.0
Content-Type: multipart/alternative;
     boundary="----_=_NextPart_000_0097_moultonlong.com.moultonlong.com"
Content-class: urn:content-classes:message
Date: 1 Nov 2008 23:10:08 -0400
Message-Id: <862.200811012310.4417421@moultonlong.com>
Thread-Topic: Learn and work from home?
From: "Med Billing Admissions" <support@moultonlong.com>
To: <my.name@mydomain.f9.co.uk>
Importance: Normal
X-pstn-neptune: 500/156/0.31/46
X-pstn-levels: (S: 7.33964/99.90000 CV:99.9999 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses: from <support@moultonlong.com> [606/32]
X-pn-pstn: Spam 5
X-PN-Virus-Filtered: by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v4.00)
Subject: Learn and work from home?

I can post more headers if needed.

Andrew
« Reply #680 on 23/11/2008, 18:05 »
And here is a particularly bad NatWest bank customer spoofing blatant spam that has just got through to me.  A couple more like this were trapped in my Postini Quarantine folder previously but this one got straight through to my Inbox. Shocked Angry

Of particular note is that I only ever get these spoof emails quite regularly for NatWest and I am a NatWest bank customer.  Could just be a coincidence as they are a large bank or has a spammer been sold a list of everyone who is a NatWest customer but does not have the full password details (not even visible to staff) and is now trying to get them?

Quote
-------- Original Message --------
From:    - Sun Nov 23 17:44:44 2008
X-Account-Key:    account5
X-UIDL:    UID8192-1130190325
X-Mozilla-Status:    0001
X-Mozilla-Status2:    00000000
X-Mozilla-Keys:    
Return-path:    <5ZFXON8@yahoo.com>
Envelope-to:    xxxx@xxxx.plus.com
Delivery-date:    Sun, 23 Nov 2008 17:41:39 +0000
Received:    from [64.18.0.98] (helo=psmtp.com) by pih-sunmxcore09.plus.net with smtp (PlusNet MXCore v2.00) id 1L4Ixn-0001Cs-7W for xxxx@xxxx.plus.com; Sun, 23 Nov 2008 17:41:39 +0000
Received:    from source ([61.98.38.56]) by exprod5mx275..com ([64.18.4.14]) with SMTP; Sun, 23 Nov 2008 09:41:39 PST
Received:    from [61.98.38.56] by f.mx.mail.yahoo.com; Mon, 24 Nov 2008 02:41:37 +0900
From:    NatWest Bank Plc <mailings.id2755500929ncf@natwest.com>
To:    <xxxx@xxxx.plus.com>
Date:    Mon, 24 Nov 2008 02:41:37 +0900
Message-ID:    <01c94dde$2bd18680$3826623d@5ZFXON8>
MIME-Version:    1.0
Content-Type:    multipart/alternative; boundary="----=_NextPart_000_000E_01C94DDE.2BD18680"
X-Priority:    3 (Normal)
X-MSMail-Priority:    Normal
X-Mailer:    Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE:    Produced By Microsoft MimeOLE V5.00.2919.6700
Importance:    Normal
X-pstn-neptune:    1/1/1.00/92
X-pstn-levels:    (S: 0.17899/99.44415 CV:99.9999 )
X-pstn-settings:    1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses:    from <mailings.id2755500929ncf@natwest.com> [411/21]
X-pn-pstn:    Spam 2
X-PN-Virus-Filtered:    by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered:    by PlusNet MXCore (v4.00)
Subject:    NatWest Bank: urgent security notice <message ref: 4971607766>
X-Antivirus:    avast! (VPS 081122-0, 22/11/2008), Inbound message
X-Antivirus-Status:    Clean


Dear NatWest bank customer,

We are running a scheduled maintenance on our servers. We want to make sure your money and your personal details are safe and secure.
Due to new security policies all NatWest customers must complete Natwest Customer Form.

To complete the form, please use the link below:

http://www.natwest.co.uk/...4389832087659541545070537

This should take you directly to Natwest Customer Form.

Sincerely,
Natwest Customer Service
« Reply #681 on 23/11/2008, 18:15 »
I just checked my whitelist and natwest.com is not whitelisted as a sender address.

It therefore seems inexcusable that Postini are letting this really dangerous kind of spam through when the content of the scam messages is always the same and there is a mismatch between the quoted sending Natwest.com address and the Reply To address.

Or at least I'm assuming this is still Postini as nothing leads me to get the impression my Quarantine is now provided by Ironport.
« Reply #682 on 23/11/2008, 18:18 »
er um it was natwest.co.uk not natwest.com in the form
Free-online member since 15 Dec 1998
You don't have to be mad to understand what PN are up to, but it helps
« Reply #683 on 23/11/2008, 18:30 »
er um it was natwest.co.uk not natwest.com in the form

That is the spoof website link but the From address is @natwest.com and the Return Path is <5ZFXON8@yahoo.com>.  So all the more reason why Postini should have trapped it.

The forged natwest.co.uk link is fortunately also being blocked by phishing filters in Firefox 3 but if they know it is spam then why doesn't Postini? Shocked Angry Cry
  • jelv
  • Bright Spark
« Reply #684 on 23/11/2008, 18:38 »
Of particular note is that I only ever get these spoof emails quite regularly for NatWest and I am a NatWest bank customer.  Could just be a coincidence as they are a large bank or has a spammer been sold a list of everyone who is a NatWest customer but does not have the full password details (not even visible to staff) and is now trying to get them?
I get these as well (usually quarantined by Postini) and I don't have any Nat West accounts.
jelv
12/18 month broadband contracts have been abolished - all Plusnet residential contracts (including for existing users) are now 10 days (however deferred charges such as activation or hardware may have to be paid if you leave within a year)
Plusnet chatroom: /server usertools.plus.net   /join #usertools
Plusnet Unlimited is not without limits
« Reply #685 on 23/11/2008, 18:42 »
I get these as well (usually quarantined by Postini) and I don't have any Nat West accounts.
I did used to get Phishing emails for HSBC a very long time ago but not for ages (not even in my Postini Quarantine).  I have never had them for Lloyds, Barclays, Nationwide, Alliance & Leicester etc.

You would think they would target all the major banks and building societies and not just NatWest.
« Reply #686 on 24/11/2008, 03:56 »
The below email is one of a number of spams that have got through to my Inbox in recent days from AOL addresses.

Two obvious things should have caused Postini to detect it as spam.

Firstly the "Envelope To" and the "To" field addresses were not the same.   The To addresses that appeared in the To field of the email in Thunderbird (without expanding the headers) were not my email addresses and only the Envelope To field was my actual email address.  Presumably this is a normal sign of a deliberate and more sophisticated spam attack.

Secondly part of the URL link to the spam site in question is promoclk and I believe promoclk are well known to be associated with spam.

So in my view not good enough Postini.  One can only hope that the Ironport spam filtering service in which Plusnet are now putting so much faith will actually prove to be more reliable.

Quote
-------- Original Message --------
From:    - Mon Nov 24 03:43:49 2008
X-Account-Key:    account4
X-UIDL:    UID18875-1149066516
X-Mozilla-Status:    0001
X-Mozilla-Status2:    00000000
X-Mozilla-Keys:    
Return-path:    <santosstuart15@aol.com>
Envelope-to:    xxxx@xxxx.plus.com
Delivery-date:    Mon, 24 Nov 2008 03:17:51 +0000
Received:    from [64.18.0.165] (helo=psmtp.com) by pih-sunmxcore15.plus.net with smtp (PlusNet MXCore v2.00) id 1L4RxO-0002ZS-9R for xxxx@xxxx.plus.com; Mon, 24 Nov 2008 03:17:50 +0000
Received:    from source ([64.12.143.152]) by exprod5mx245.postini.com ([64.18.4.10]) with SMTP; Sun, 23 Nov 2008 19:17:50 PST
Received:    from imo-m19.mx.aol.com (imo-m19.mail.aol.com [172.20.107.65]) by omr-m32.mx.aol.com (8.14.1/8.14.1) with ESMTP id mAO3FQ53005890; Sun, 23 Nov 2008 22:15:26 -0500
Received:    from santosstuart15@aol.com by imo-m19.mx.aol.com (mail_out_v39.1.) id g.c04.4ea120e5 (65100); Sun, 23 Nov 2008 22:15:22 -0500 (EST)
From:    santosstuart15@aol.com
Message-ID:    <c04.4ea120e5.365b764a@aol.com>
Date:    Sun, 23 Nov 2008 22:15:22 EST
To:    js@gallery4.de, js@gapremier.com
MIME-Version:    1.0
Content-Type:    text/plain; charset="US-ASCII"
Content-Transfer-Encoding:    7bit
X-Mailer:    AOL 5.0 for Windows sub 20
X-Spam-Flag:    YES
X-pstn-neptune:    3/2/0.67/72
X-pstn-levels:    (S: 7.62205/99.90000 CV:99.9999 )
X-pstn-settings:    1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses:    from <santosstuart15@aol.com> [411/21]
X-pn-pstn:    Spam 5
X-PN-Virus-Filtered:    by PlusNet MXCore (v4.00)
X-PN-Spam-Filtered:    by PlusNet MXCore (v4.00)
Subject:    Good Luck To You and Enjoy the GAMES!!
X-Antivirus:    avast! (VPS 081123-0, 23/11/2008), Inbound message
X-Antivirus-Status:    Clean


I just bought a house at Boca Raton, Fl
http://www.valibofo.com/

lindsay
**************One site has it all. Your email accounts, your social networks,
and the things you love. Try the new AOL.com
today!(http://pr.atwola.com/prom...www.aol.com/?optin=new-dp
%26icid=aolcom40vanity%26ncid=emlcntaolcom00000001)

« Last Edit: 24/11/2008, 03:57 by Capvermell »
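
Two header mismatches are raised in the replies above: From versus Return-path (the NatWest message) and Envelope-to versus To (the AOL message). The following is an added example, not part of the original posts, that checks for both, plus a Reply-To comparison. The first two samples are trimmed from the headers quoted in the thread; the third is constructed (example.* names) to show a legitimate bulk mailing tripping the same check, and the function names and finding codes are this example's own.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Trimmed from the NatWest-themed message quoted in reply #680.
NATWEST_SAMPLE = """\
Return-path: <5ZFXON8@yahoo.com>
Envelope-to: xxxx@xxxx.plus.com
From: NatWest Bank Plc <mailings.id2755500929ncf@natwest.com>
To: <xxxx@xxxx.plus.com>
Subject: NatWest Bank: urgent security notice <message ref: 4971607766>
"""

# Trimmed from the AOL-relayed message quoted in reply #686.
AOL_SAMPLE = """\
Return-path: <santosstuart15@aol.com>
Envelope-to: xxxx@xxxx.plus.com
From: santosstuart15@aol.com
To: js@gallery4.de, js@gapremier.com
Subject: Good Luck To You and Enjoy the GAMES!!
"""

# Constructed: a legitimate notice sent through a third-party mailing house.
BULK_SAMPLE = """\
Return-path: <bounce-1234@mailer.example.net>
Envelope-to: customer@example.org
From: Claims Team <claims@scheme.example>
To: customer@example.org
Subject: Your claim
"""


def _domain(address):
    return address.rpartition("@")[2].lower()


def _related(a, b):
    """Same domain, or one is a subdomain of the other (a simplification:
    no public-suffix handling)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def header_findings(raw_headers):
    """Return a list of mismatch codes found in one message's headers.

    These are weak signals, useful as scoring inputs only: bulk senders
    and BCC recipients produce the same patterns on legitimate mail.
    """
    msg = message_from_string(raw_headers)
    findings = []

    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-path", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]

    if from_addr and return_path and not _related(_domain(from_addr), _domain(return_path)):
        findings.append("from_returnpath_mismatch")
    if from_addr and reply_to and not _related(_domain(from_addr), _domain(reply_to)):
        findings.append("from_replyto_mismatch")

    # Envelope-to records the SMTP recipient; To/Cc are whatever the sender typed.
    envelope_to = parseaddr(msg.get("Envelope-to", ""))[1].lower()
    visible = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    }
    if envelope_to and envelope_to not in visible:
        findings.append("envelope_to_not_in_to")
    return findings


if __name__ == "__main__":
    for name, sample in [("natwest", NATWEST_SAMPLE), ("aol", AOL_SAMPLE), ("bulk", BULK_SAMPLE)]:
        print(name, header_findings(sample))
```

The constructed bulk sample returns the same finding as the NatWest sample, which is why a filter cannot reject on this mismatch alone.
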

« Reply #687 on 09/12/2008, 19:45 »
My spam filtering was migrated from Postini to Ironport today (I received an email telling me this from Plusnet) and almost immediately received a blatant spam message two hours later from the supposedly infallible Ironport (the headers had changed to prove it was their spam filtering system and not Postini's).

Plusnet has also not clarified the position for the 500 or so of us using Postini Quarantine as when I looked at the Spam email settings in my Plusnet account I could now toggle select the severity of spam filtering between 1 and 5 (which I could not previously do after enabling Postini Quarantine)  but no toggle level is set by default and I am also not clear of how the promised new Ironport Quarantine arrangements will interact with these settings.

The thread discussing the implementation timetable for the switch over to Ironport can be found at:-

http://community.plus.net...ex.php/topic,70240.0.html

The thread showing the content of the spam message that Ironport let through to me only two hours after being switched across from Postini can be found at:-

http://community.plus.net...ex.php/topic,71606.0.html

« Last Edit: 09/12/2008, 19:54 by Capvermell »
