Richweb Mail Content Filter: MailScanner FAQ

What is MailScanner and how does it work?

MailScanner examines each incoming message and will prevent viruses and spam from making it into your Inbox. MailScanner has several more powerful content analysis features and dangerous content blocklists that make it more effective at catching both spam and dangerous phishing emails than any other mail filtering solution on the market. Phishing emails are very troublesome as they can trick even technically adept computer users into giving away financial, corporate, and personal information to attackers who will use and abuse this information.

 

How does MailScanner compare with the MailFoundry Appliance?

MailFoundry excels at catching computer generated spam from templates, where the basic message is the same, with only a name or weblink within the email being different. Spammers and phishers have caught up to this technique and are generating ever shorter messages, sometimes with just a single link. It's very hard for the MailFoundry to block these emails without also blocking legitimate email. MailScanner is smarter as it has blacklists/blocklists of Spam and Phishing domains in its databases that are updated regularly. If an email contains a link to a known phishing domain, it is blocked, regardless of whether the message or message template has been seen before. MailScanner can also disarm or make safe an email and send it along to your Inbox. See below for more details.

 

What is this {Cleaned} tag in the subject line of some messages?

MailScanner disarms or cleans dangerous HTML tags and commands that can cause your computer to become infected with spyware or trojanware that can steal your personal information. MailScanner can find html that is unsafe (where the CLAIMED web link destination does not match the ACTUAL weblink destination). MailScanner removes the links, but if the rest of the message is deemed safe, and not spam, it will send it on to your Inbox with the {Cleaned} header in the subject to let you know that the message has been made much safer. This is a good thing. Disarming or Cleaning a message is important because every day new vulnerabilities and bugs are discovered in web browsers and email clients, typically Microsoft Outlook and IE. As attackers attempt to create more and more clever ways of tricking you AND your computer, MailScanner puts a stop to the basic tactic of bait and switch web links RIGHT AT THE SOURCE - the html. If you have an email that comes from a mailing list or company that is {Cleaned} you can forward the email back to the owner of the list or company that sent the email and ask that they fix the emails so that they are safer. In particular, email messages that have hidden IFRAMEs are not a good idea, as attackers use these techniques to trick you and your browser.
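The "claimed destination does not match actual destination" check described above can be sketched as follows. This is an added example, not MailScanner's own code; the sample HTML and the .test hostnames are constructed, and treating "www.site" and "site" as the same host is an assumption of this sketch.

```python
# Added example, not MailScanner's code: flag links whose visible text names
# one host while the href sends the browser to another.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that is itself a URL or a bare hostname.
URLISH = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?(?:[/?#]\S*)?$", re.I)


def norm(host):
    """Lower-case and drop a leading 'www.' so www.site and site compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def actual_host(href):
    """Host the browser would really contact for an http(s) href, else None."""
    try:
        parts = urlsplit(href.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return norm(parts.hostname)  # anything before '@' is userinfo, not the host


class LinkAuditor(HTMLParser):
    """Collect (claimed text, href) for anchors whose two hosts disagree."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._href = None   # None while outside an <a> element
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        href, self._href = self._href, None
        claimed_text = "".join(self._text).strip()
        claimed = URLISH.match(claimed_text)
        actual = actual_host(href)
        if claimed and actual and norm(claimed.group(1)) != actual:
            self.findings.append((claimed_text, href))


def find_mismatched_links(html):
    """Return the bait-and-switch links found in an HTML message body."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample body: two deceptive links, two honest ones.
SAMPLE_HTML = """
<p>Your account is locked. Sign in at
<a href="http://login.example-attacker.test/session">https://www.examplebank.test/login</a></p>
<p>Archive: <a href="https://news.example.test/archive">news.example.test/archive</a></p>
<p><a href="https://www.examplebank.test@203.0.113.9/x">www.examplebank.test</a></p>
<p><a href="https://shop.example.test/">Visit our shop</a></p>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print(f"claims {text!r} but goes to {href!r}")
```

Links whose visible text is ordinary wording ("Visit our shop") make no claim about a destination, so they are not flagged by this check.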

 

Does the MailScanner have a delay in getting an email like with MailFoundry?

No, it does not. Since the MailFoundry needed time to detect spam signatures from new spams that are constantly generated, the MailFoundry box likes to hold all incoming email from a new source (sender) for up to 15 minutes while it waits to see if that sender or that message template is identified as spam by the MailFoundry team. This is of course irritating AND it does not always work! If you happen to have a directed attack of nasty spam messages at a certain user or few users, or if your domain happens to be at the TOP of a spammer list of thousands of domains that are about to get hit, then you may be out of luck with the MailFoundry! If the spammer is able to configure DNS settings and buy IP transit from a legitimate host that is not currently blacklisted, then the spam will make it through to your Inbox. MailScanner is smarter about being able to actually look at the content of the message (words AND links, pictures, etc) and not just the structure or template. Thus MailScanner is a stronger defense in some of these hard to handle situations like a targeted attack or a large domain that gets a lot of spam from many different sources.

 

Why are some domains hit so much harder than others with spam?

Domains that get a lot more spam have usually been around longer, and in almost all cases one (or more) users on that domain has clicked one or more link(s) in spam mails, or bought stuff advertised in spam. Spammers track EVERY single message that they send, and they know who you are when you click a spam-vertised link. Your domain is then marked as having willing recipients that WANT spam, and spammers spend a lot more effort spamming your domain; they figure they have more to gain looking for repeat business than going after brand new domains!

 

Is there a quarantine report for MailScanner?

MailScanner does not provide a report. MailScanner makes every attempt to disarm or fix messages and send them on to you in a safe state. If MailScanner blocks a message, it is very certain that the message is spam and it takes a system admin (at Richweb) to release the email. Most messages that are spam are detected as high scoring spam (what people tend to describe as "obvious" spam). These high scoring spams are discarded. What we discovered is that most users don't even look at the MailFoundry reports, and for busy mailboxes the reports are so long anyway that it's a waste of time having to wade through the reports. MailScanner supports whitelisting of email senders and email domains. If you have a sender that you think is being rejected, send the email address to noc At richweb dot-com and we will take a look and whitelist the sender if it appears that the message is not making it through.

 

MailScanner info (intended for system admins)

I can't seem to get an email from a certain sender and it's not in the quarantine report!

What is likely happening is that the person that is sending you the message is sending from a computer system or network or company that has gotten blacklisted. This happens when an internet address (IP address) is either not set up to be able to originate (send) email properly, or an infected PC has sent so much spam from that internet network address that the system is considered to no longer be a legitimate source of valid business or personal email.

What you need to do is get the email administrator of the sending email domain involved. Richweb can in some cases whitelist (permanently allow) the domain to send email. In other cases the administrator of the sending domain simply needs to correct the technical problems with their configuration and policy. In all cases to dig into the problem Richweb needs the exact information below:

A. Sending email domain

B. Sending IP address (if possible) of the mail server that transmits the emails (i.e. the mail server public IP or NAT - NOT the IP address of the laptop sending the email).

If the IP address you are given starts with 192.168, 10.x, or 172.16 thru 172.31, then you have been given the internal IP address, which of course is NOT useful in researching the problem. We need the public (routable) IP address.

You should also check the IP address yourself first in a DNS black or blocklist tool such as: http://www.dnsbl.info/

If your (or the organization of the person trying to send you email) mail server domain name OR IP address is on this list as blocked, then you can expect moderate to severe mail delivery problems with most if not all email domains. Step one in solving this problem is addressing the underlying cause of getting blocked - someone is stealing your network resources to send spam. Richweb is happy to assist; of course we have to charge a consultation fee with sending domains that are not properly set up.

Typical problems we see are: missing reverse DNS, bad SMTP HELO name, using a dynamic IP, shared host on a site with a poor reputation (i.e. a hoster that hosts spammers). Refer to this page for additional Richweb helpful information about DNS and email troubleshooting: http://www.richweb.com/mail_blocked
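The two checks above (is this really the public IP, and is it on a blocklist) can be scripted. This is an added example, not Richweb's tooling: the zone name dnsbl.example is a placeholder for whichever blocklist you query, the IP addresses are constructed from documentation ranges, and the fake resolver exists only so the example runs offline.

```python
# Added example, not Richweb's tooling: sanity-check a reported sending IP
# and look it up in a DNS blocklist.
import ipaddress
import socket

# The internal ranges named above (192.168.x, 10.x, 172.16 through 172.31).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ZONE = "dnsbl.example"   # placeholder zone, not a real blocklist


def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the blocklist zone."""
    addr = ipaddress.IPv4Address(ip)           # raises ValueError on bad input
    if any(addr in net for net in INTERNAL):
        raise ValueError(f"{ip} is an internal address; the public/NAT IP is needed")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_dnsbl(ip, zone=ZONE, resolve=socket.gethostbyname):
    """Return (query_name, listed, answer); `resolve` can be swapped for tests."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:                    # NXDOMAIN: the address is not listed
        return name, False, None
    # Blocklists answer with an address in 127.0.0.0/8 when the IP is listed.
    return name, answer.startswith("127."), answer


def fake_resolver(listed_names):
    """Constructed stand-in for DNS so the example runs without a network."""
    def resolve(name):
        if name in listed_names:
            return "127.0.0.2"
        raise socket.gaierror("NXDOMAIN")
    return resolve


if __name__ == "__main__":
    resolver = fake_resolver({"25.113.0.203." + ZONE})
    for candidate in ("203.0.113.25", "203.0.113.26", "192.168.1.10"):
        try:
            print(candidate, check_dnsbl(candidate, resolve=resolver))
        except ValueError as err:
            print(candidate, "rejected:", err)
```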

MailScanner Bulk File Download Manager

The problem with email and large file attachments:

Most Email systems will not accept email attachments larger than 25 to 40 Megabytes (MB). Many email systems place strict limits/restrictions on maximum number of attachments, attachment types, and attachment content (zip files for example).

Richweb's MailScanner product provides a companion FTP manager solution that allows domain admins to create FTP dropboxes as well as web based download accounts that can be used to transit files for short and long term projects. You can create accounts for customers, vendors, projects, etc, and each account can only access files within its assigned folder.


Features and Benefits

1. The FTP Manager is built into the same console that you use to manage your MailScanner settings.

2. There is also a web account (download only) capability built into the system now. Each and every FTP user account can be accessed over HTTP so users that need to download files and can't operate an FTP client can be given web links for download.

3. You can set an ftp user up with a root account (dir of /) and that account will have full web download and ftp upload/download access to your whole domain.

4. You can have multiple root accounts if you like. In fact you can point
multiple accounts at the exact same home dir folder if you like. Example - 5
different vendors all need their own access to download the same files in a
projectxyx/bids/ folder.

5. FTP Users can be inactivated but not deleted to temporarily remove access.

6. Passwords can be easily managed (changed/reset) by domain admins.

7. Each domain you control gets its own private FTP space.

8. FTP storage capacity and bandwidth can be purchased on an incremental basis.

Please contact Richweb for more information
http://www.richweb.com/contact


Firewall Settings for Richweb MailScanner

The following IP addresses need to be open for inbound SMTP for the MailScanner to work properly:

208.73.136.12
208.73.136.26
208.73.136.50
208.73.136.51
208.73.136.52
63.90.9.6

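You can use 208.73.136.0/26 (208.73.136.0 255.255.255.192) in your firewall ACL if you prefer. That range covers the five 208.73.136.x addresses above; 63.90.9.6 is outside it and still needs its own entry.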

The MailScanner machines are clustered and have the ability to fail over between them so you need to ensure that all of the above IP addresses are allowed.

From inside the MailScanner you can perform an SMTP connection test to ensure that your firewall is allowing smtp inbound properly:

[Run mydomain.com SMTP Connection Test]

If you get a message like this:
WARNING: Cannot connect to SMTP service at a.b.c.d; timeout: 15 sec.

that means that the MailScanner could not connect and you need to verify your firewall ACLs.

If you have changed the inbound SMTP ip address that your firewall conduits through to your mail server contact Richweb and we will update the SMTP transport database.

I am getting funny bounce messages from an email I never sent

Step 1 - Look at the email headers carefully in the BOUNCED message that came back to you.

Look for a line like this in the body of the bounce message:

------ This is a copy of the message, including all the headers. ------

If your email server is mail.mydomain.com, or webmail.richweb.com, and you see a header like this as the top received line from Singapore (.sg is the Singapore TLD) then you know the original message was forged.

> Received: from bb219-74-229-111.singnet.com.sg ([a.74.229.111]:2232)
> by belogoxxx.net with esmtp (Exim 4.63 #1 (Mail server))

The reason the email came back to you was that the Return-path: or From: header listed your email address, so the bouncing mail system (remember most spam goes to defunct accounts anyway so many spam messages end up bouncing) sends it back to your inbox in some cases.
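Step 1 can be automated for bounces that carry the marker line shown above. This is an added example, not Richweb's tooling; the bounce text, hostnames and IP addresses are constructed, and MY_SERVER_IPS stands for the public addresses your own mail server sends from. It compares the bracketed peer IP rather than the name after "from", because that name is whatever the sending machine announced.

```python
# Added example, not Richweb's tooling: read the copy of the original message
# that a bounce carries and decide whether it ever left our own mail server.
import re
from email import message_from_string

MARKER = re.compile(
    r"^-+ This is a copy of the message, including all the headers\. -+[ \t]*$",
    re.M)
# Exim-style hop: "from <HELO name> ([<peer IP>]:port) by <receiving host>"
HOP = re.compile(
    r"from\s+(\S+)\s+\(.*?\[([0-9A-Fa-f:.]+)\].*?\)\s+by\s+(\S+)", re.S)

MY_SERVER_IPS = {"198.51.100.10"}   # constructed: our outbound mail server


def triage_bounce(bounce_text, my_server_ips=MY_SERVER_IPS):
    """Classify a bounce by the top Received line of the message it returns."""
    marker = MARKER.search(bounce_text)
    if not marker:
        return {"verdict": "no-embedded-copy"}
    original = message_from_string(bounce_text[marker.end():].lstrip("\r\n"))
    received = original.get_all("Received", [])
    hop = HOP.search(received[0]) if received else None
    if not hop:
        return {"verdict": "no-usable-received-line"}
    helo, peer_ip, accepted_by = hop.groups()
    # The HELO name is sender-supplied; the bracketed IP is what the receiving
    # server observed on the connection, so only the IP is compared.
    ours = peer_ip in set(my_server_ips)
    return {
        "verdict": "check-own-systems" if ours else "forged-elsewhere",
        "helo": helo,
        "peer_ip": peer_ip,
        "accepted_by": accepted_by,
        "return_path": original.get("Return-path"),
    }


# Constructed bounce: the returned message was handed to the remote server
# by a host that is not ours, with our address in Return-path and From.
SAMPLE_BOUNCE = """\
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients.

  nobody@recipient.example
    Unknown user

------ This is a copy of the message, including all the headers. ------

Return-path: <me@mydomain.example>
Received: from host-203-0-113-77.isp.example ([203.0.113.77]:2232)
    by mx.recipient.example with esmtp (Exim 4.63)
    id 1AbCdE-000123-45; Mon, 01 Jan 2007 00:00:00 +0000
From: me@mydomain.example
To: nobody@recipient.example
Subject: constructed sample

body text
"""

if __name__ == "__main__":
    print(triage_bounce(SAMPLE_BOUNCE))
```

A "check-own-systems" verdict corresponds to Step 2 below: the message really was sent by your server, so look for a stolen account or an abused web form.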

In 90% of the cases you will find that the mail is forged (fake), and there is not much that you can do about this other than ensure that your SPF record for your domain is correct and strict.

You can inspect your SPF record by doing a TXT record search on your domain at a web-based DNS utility site or by using the dig command:

dig txt domain.com.

Here is a utility that can be used to generate SPF records, or you can simply have Richweb create one for you:

http://old.openspf.org/wizard.html

It is important that you do not have ?all at the end of your SPF record as that basically defeats the purpose. When a remote mail system gets an email from an IP address, it needs to be confident that the IP address either is or is not an authorized sender for your domain. Grey areas are not good here. Richweb uses the -all at the end of the record for exactly this reason.

There are many older, poorly maintained, or simply broken email servers on the internet that will persist in sending bounces even on mail that is plainly forged/faked. There is not much you can do about this other than send an email to the postmaster / admin for that domain and request they implement SPF and STOP sending bounces for forged spam. This is called Backscatter.

 

http://en.wikipedia.org/wiki/Backscatter_(e-mail)

 

 

Step 2. If the headers of the bounce appear to be legit (i.e. from your mail server, OR from a WEB SERVER affiliated with you) then you need to investigate a possible compromise either at the local level (pc or mail server stolen user login/smtp auth account) or at the ISP level (hacked web form being used to relay email).

To prevent stolen email accounts use TLS (SSL security) for all IMAP, POP3 and SMTP sessions from your mail client, or use an HTTPS based webmail system - Richweb's Smartermail supports SSL for client-based and web-based email to protect your account credentials - use SSL!

If a web form has been compromised the tell-tale sign will usually be lots of messages backed up in a mail queue. Contact Richweb for help in resolving this issue and locking down your web-based forms.

I need to report a spam, or have Richweb look at a troublesome email. What should I do?

Mail System Administrators have access to the Web based management tool:

Login to the MailScanner Manager at this URL:
https://vsmx1.richweb.com/

Use your assigned username and password.

Click: Tools

Under the Section/Menu:
Spam/Not Spam Databases

Under the heading: "Domain Admin Reported Susp / SPAM / Phish Msgs"
Click "Report a Message"

MAKE SURE that you upload the message with FULL HEADERS and FULL MESSAGE CONTENT. See below for details on how to do this properly.

NOTE: When you FORWARD a message the original headers are lost, so this is a waste of everyone's time - don't do this!



End users should have their mail system administrator look at the message and follow the process above, OR if that is not possible, use this information below to send the message to us for further investigation. The mail admin will have access to the report message tool. The steps below can be used to forward a message to the report spam inbox which should be used only if you do not have access to report the message directly to the MailScanner system.


Outlook 2010, 2007, or Outlook Web App (OWA) Premium

Displaying full headers

1. Open the mail message. In Outlook 2010, 2007, or Outlook Web App (OWA) Premium, double-click the message so that it opens in its own window.

Note: OWA now has the same functionality across major browsers in most cases. For more information on using OWA, with your Inbox displayed, click ? (the question mark) at the top right.

2. In Outlook 2010, in the Tags group, click the dialog box launcher (small square with an arrow).

In Outlook 2007, in the Options group, click the dialog box launcher (small square with an arrow).

In OWA, click the "Message Details" button (the icon is an envelope with a small document over it).

Inserting headers into a new email message:

1. Select all the headers by clicking and dragging the cursor from the top left corner to the bottom right corner of the header text.

2. Press Ctrl-c to copy the headers to the Clipboard.

3. Create a new email message, click in its main text window, and press Ctrl-v to paste the headers.

Outlook 2007/2003/XP

1. Outlook does not have a bounce feature. Instead, you will need to copy the full headers and paste them into the email you are bouncing.

2. Double-click on a message so that it is in its own window. Click on View Menu then click Options. In the Internet headers: box, you should see the raw message headers. The message headers are at the bottom of the window, in a box labeled "Headers:" or "Internet headers:".

3. Highlight the message headers using the mouse (click and hold the left mouse button at the start of the headers and drag the cursor over the message or click anywhere in the box and enter Ctrl-A to select all the text).

4. Once the headers are highlighted, right click on the highlighted text, and choose Copy from the menu. This will copy the text to the clipboard.

5. Ensure you still have the spam message selected. Click the Forward button and then paste the headers you copied above the text of the email you are bouncing (forwarding in this case).

6. Enter reportspam@richweb.com and click Send button to send your message with the headers.





Thunderbird and Mozilla Mail

1. Current versions of Thunderbird and Mozilla Mail do not have a true bounce feature. You will need to forward the message with the full headers.

2. Select the message you wish to bounce/report as spam. On the Thunderbird menu bar, click View > Headers > All. You may notice that the original message will display more information than it did previously.

3. Click the Forward button and enter reportspam@richweb.com as the recipient.

4. Once you have bounced your message, you may want to return your settings to their previous state. To do so, click View > Headers > Normal.





Richweb SmarterMail

1. The normal mail display is HTML format.

2. Click on the “headers” from the view section.

3. Cut and paste all of the headers and the body of the message into a new email that you will send to reportspam@richweb.com.





Is it safe to click the unsubscribe link at the bottom of an email?

The answer is that it depends. There are 3 types of SPAM:

1. Legitimate marketing company or bulk sender that has your address on a list and will remove it if you ask them to do so. These spams typically are more professional looking and may have Constant Contact or Vertical Response in the mail headers. The goal of these spam messages is to get you to buy a legitimate product. The companies are engaged in an irritating way of selling the products and services but basically everything is legitimate. This kind of spam is never sent via a zombie computer (i.e. a broadband dsl or cable modem pc that has been cracked), or an open relay. Typically the headers of this message make sense - you can follow who the message is from and the mail servers that relayed the message will often match the from: domain or again it will be a known bulk mailing sender.

2. Black hat spam that is also trying to sell a product or service, but this spam will often be selling sex enhancements, pills, or other sketchy offerings. The headers on these messages won't make sense, as these messages are almost always relayed through accounts on stolen computers (PCs and/or servers). When you look closely at the headers, the From, the To and the envelope sender won't match, or will be illogical - like the message will claim to be from someone you know to live down the street but using an email from Korea, or China, or in the Rcvd headers the message will go thru several hops in other countries that don't make sense. Remember, these spams are messages sent by spam gangs that are using stolen services, so the messages are often rushed out, which means they have typos and other grammatical errors that professional marketers and ad copy writers would not make. The quality of images is often cruder, and links that are in the message will use free web service providers that don't match where the email came from. The reason for this is that the websites that are set up to capture clicks (let's say for example Viagra orders) are set up just as quickly and torn down quickly to evade ISP security officers.

3. Phish / scam emails. These are the most dangerous kind of emails. In order for spam gangs to be able to send messages in group (2) above they have to have cracked/stolen accounts on personal computers and servers. This is how they get them - they trick users into clicking links that install software via holes in the web browser (typically but not always MS Internet Explorer). These messages will not usually have un-subscribe links anyway, as they are trying to be personalized (you just won the email lottery, 15M USD was found in a barrel in the bushes of Africa and we need you to help launder it, etc).

4. Mailing List Messages for lists you no longer want to get - This is not SPAM technically, but it can be a problem for users that don't understand how email and email marketing companies work. Subscribing to a mailing list and forgetting how to un-subscribe or being too lazy to do so is a major problem for legitimate list operators. Do not report these messages as SPAM - in most cases these messages will have clear instructions on how to get off the list and they will list your name and email in the body as a subscribed user. The reply-to and from addresses on these messages will make sense - if you are subscribed to a sports website of a US college for example, you won't be getting legit emails from that list that come from Russia or Korea.

You, of course, never want to click any link on a type 3 message, and would be best to avoid type 2 messages as well since any links related to unsubscribing will not work. In fact whether you order the pills or try to un-subscribe to a type 2 message your email will be added to their database as either a paying sucker OR as a working email, in which case they will sell your email address to other spammers.

Type 1 messages are safe to click, and generally they will work. Within 2 to 4 days they should have removed you from their list. Of course your email may still get bought and sold to other companies.

Type 2 and Type 3 messages will often have BAYES poison in them. This is text that is nonsense - random words and phrases, current events snippets, or often classical British literature excerpts. Mr Darcy and other Jane Eyre characters seem especially popular. In HTML emails this text will be in a super small font, or colored to try to be invisible or very hard to notice. But when you view the source (HTML code) of an email you can see it.

For text emails the poison will be at the bottom of the message. You may have to scroll way down to view it.

The line between a type 1 and a well-done type 2 message can be somewhat blurred. Typically type 2 messages use a graphic for the footer message. The footer message is in small font and it usually tries to excuse the message or provide some fake way of getting off this "list" that you never asked to be on in the first place. If you drag your mouse across the text and you can copy individual characters, then the message is not a graphic. If the block of text moves as if it were a picture then it's a graphic. If you can right click on it and save it as a gif, jpg, or png then it's a graphic. If it has a URL that has a lot of characters like /images/128318383AB12.gif then it's a graphic common to a lot of type 2 spam.

The reason type 2 spams use graphics is that Mail Scanners can't scan the graphics as easily for spam phrases and spam links. So if you see images where text would have worked fine, it's 99% likely that this is a type 2 message.

Type 2 messages will also often ask you to send an email, or write (snail mail!) to get off the "list". Legitimate senders (type 1) will never do this - they typically provide a single click link that you can use to un-subscribe directly. And pay attention to the unsubscribe URL - if the sender is a type 1 and the sending domain was Vertical Response, the unsubscribe link should match exactly. Remember domains are rooted from right to left, not left to right.

So if the spam was from massmailsender.com, and the un-sub url is:

www.massmailsender.com/unsub.cgi?email=yourmail@yourdomain.com

that's a good sign.

If the unsub url is:

www.massmailsender.freewebs.moscow.ru/u?e=abc

or similar then that's not a good sign. A legitimate sender spends a lot of money crafting the ads and the message and would not host the unsubscribe tool on a free Russian website provider or anywhere else but where their main servers live.
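"Rooted from right to left" can be made precise by comparing whole DNS labels from the end of the hostname. This is an added example, not part of any Richweb tool; it uses the two URLs above plus two constructed ones, and shows a left-to-right substring check next to the right-to-left label check.

```python
# Added example: does an unsubscribe link really live under the sender's domain?
from urllib.parse import urlsplit


def host_from_link(link):
    """Hostname of a link as it appears in a message; the scheme is optional."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").rstrip(".").lower()


def naive_match(link, sender_domain):
    """Left-to-right habit: 'the sender's name appears in the host'. Easily fooled."""
    name = sender_domain.lower().split(".")[0]
    return name in host_from_link(link)


def belongs_to_sender(link, sender_domain):
    """Right-to-left: the host's trailing labels must equal the sender's labels."""
    host = host_from_link(link).split(".")
    want = sender_domain.lower().rstrip(".").split(".")
    return len(host) >= len(want) and host[-len(want):] == want


SENDER = "massmailsender.com"
LINKS = [
    "www.massmailsender.com/unsub.cgi?email=yourmail@yourdomain.com",  # from the text
    "www.massmailsender.freewebs.moscow.ru/u?e=abc",                   # from the text
    "http://evilmassmailsender.com/u",        # constructed: label only ends the same
    "https://unsub.massmailsender.com/u",     # constructed: genuine subdomain
]


def audit(links=LINKS, sender=SENDER):
    """Return (host, naive verdict, right-to-left verdict) for each link."""
    return [(host_from_link(l), naive_match(l, sender), belongs_to_sender(l, sender))
            for l in links]


if __name__ == "__main__":
    for host, naive, correct in audit():
        print(f"{host:45} naive={naive!s:5} right-to-left={correct}")
```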

So in summary:

Never ever click on any link in an email that has BAYES poison. A legit sender would never use Bayes poison to evade or confuse a spam filter.

Clicking an unsubscribe link for type 1 or type 4 messages should work.

If you are not sure what type of message you have on your hands, then report it as suspicious to us and we will take a look for you.

Just follow these steps to report the message:
http://www.richweb.com/spam_steps

If you are getting persistent spam of any type (more than 2 or 3 a week) let us know and we will create rules that can squash that spam for good.



It appears that all of our emails are now coming in plain text instead of html?

MailScanner is disarming or cleaning what it thinks are unsafe emails. Most html newsletters and such are programmed by marketing companies that do not practice secure methods for html in email.

Richweb can disable this feature, though it does somewhat increase your chances of getting a trojan horse on your computer by clicking a web link off of a dangerous email. Even if this feature is turned off, MailScanner still will be able to detect Phishing attacks thanks to its ClamAV + anti-phishing engine as well as its advanced spam and dangerous URL detection.

So the increased risk with disabling this feature is light to moderate. Still if you have users that tend to get themselves into a lot of trouble, or if your desktop Anti-virus is not working well and you are having Windows pcs get damaged and need to be rebuilt, you might want to leave this feature on as your users are probably clicking links in emails and surfing to places where the malware is downloaded direct from the web.

You may also want to look at a squid proxy + open dns setup or a commercial offering like WebSense/SurfControl or Barracuda Web Filter or NetGear.

Here is a link to additional information:
http://www.richweb.com/opendns_proxy_cache

Richweb Bulk Email Sending Policy

Richweb's outbound mail server limits each outgoing message to a MAXIMUM of 25 recipients. The reason for this is that users that send bulk email via their personal email account will cause our mail server(s) and mail relay(s) to get blacklisted when recipients of the message click the "REPORT SPAM" button in their mail clients.

Getting a server off a blacklist can be very time consuming so it is imperative to avoid being blacklisted in the first place, hence the restrictive policy.

Many users will have a list of business contacts, or friends that they wish to email all in one message, which is understandable. However, the outgoing Mail filter will not always be able to distinguish the intent behind a human-generated email. Is it an email to 30 college friends about an upcoming re-union, or an email to 100 emails gathered from a website or list of hopeful customers?

When sending emails to groups of business contacts, especially ones that are not already customers you do recurring business with, you must understand that under the US CAN-SPAM law recipients must have an automated way of removing themselves from the list for future emails. Your email is non-compliant since it was not sent from a server that offers automatic removal.

 

There are 2 solutions to the bulk-email sending issue:

 

1. Use a bulk mailing service like Vertical Response, or Constant Contact. The advantage of these tools is the reporting (did the user open the message) capabilities. Bulk mailing services are appropriate for one to many communications where one sender is sending the message to many recipients.

 

2. Use a mailing list service or List-serv for short. List-servs are ideal for groups that use email to communicate with each other (email-based discussion groups). Lists can be moderated (emails have to be approved before being sent) or un-moderated (anyone can send).

 

Why Forwarding your Email is a BAD idea

Many people want to take advantage of "email forwarding" in which a
mail server auto forwards email arriving for an address on that
local server to a different domain on a remote server. Often
times a user will have an ISP email address (comcast, or verizon for
example), a freemail address (like gmail, yahoo or hotmail) and a work
email address. Instead of checking 2 or 3 different accounts the user
will set up forwards for 1 or more accounts into an account that he/she
will check, often times via a mobile device.

This is an extremely bad practice, and it is technically a broken
model for multiple reasons which will be covered below. The proper way
to do this (get email from multiple different accounts with different
providers) is to set up a pop3 or imap pull of email from one mailbox.

For example, suppose our user has 2 email accounts:

bestrealtor88@yahoo.com
bella.swan@bestrealty.net

Bella has had her yahoo account for 8 years and gets most of her email
from that account and she has her smart phone programmed to check her
yahoo account.  Instead of setting up her Bella.Swan@bestrealty.net
account to FORWARD email to her yahoo.com account she should:

a. set up her smart phone to check both accounts OR
b. set up her yahoo account to login to her bestrealty.net account and PULL her email via pop3.

To understand why this is the case first we need to understand how
email forwarding works.

If Bella were to ignore our advice and forward
Bella.Swan@bestrealty.net to her yahoo account what might happen?

If Edward.Cullen@friendlyvampires.net decides to send Bella an email
to her Bella.Swan@bestrealty.net about an important contract, Bella
would expect to get the email in her yahoo.com inbox, but she ALSO
expects that the email will come FROM
Edward.Cullen@friendlyvampires.net and NOT Bella.Swan@bestrealty.net
when she looks at the email in her yahoo account.

So the email system that operates bestrealty.net email services
essentially has to impersonate friendlyvampires.net when it FORWARDS
the email to yahoo.com so that the FROM header is set correctly.

Meanwhile, Edward has had a problem with Spammers impersonating his
domain when they send spam. His service provider set up an SPF (Sender
Permitted From) record in DNS so that only the friendlyvampires.net
email servers are listed as authorized senders of email from
friendlyvampires.net.

The yahoo email servers will pay attention to this SPF record when
accepting email for Bella at her yahoo account. The yahoo servers may
decide to block or score as spam the forwarded email because
the email servers for bestrealty.net ARE NOT listed in the SPF record
as authorized senders for email coming from @friendlyvampires.net.

Clearly Edward can't contact each of the thousands of people that he
emails, find every server that might forward the emails he sends,
and add SPF records for each possible forward.

This is why the combination of an email forward and a source (SENDING)
domain with an SPF record ALWAYS breaks. For source domains that DON'T
use SPF records, the forwards may work (but generally be scored as
more likely to be spam) so end users get confused. Bella seems to
think the problem is with Edward, since "everyone else can send me
email" but the problem actually lies with Bella.
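Both SPF points made on this page, the earlier advice to end a record with -all rather than ?all and the forwarding failure just described, can be seen by evaluating a record against different connecting servers. This is an added example, not a full RFC 7208 implementation: it handles only ip4:, ip6: and all terms, and the records and IP addresses are constructed for the friendlyvampires.net scenario.

```python
# Added example, not a full SPF implementation: evaluate only the
# ip4:/ip6:/all terms of an SPF record against the connecting server's IP.
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Return the SPF result for a server at client_ip sending as the record's domain."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        # A term is an optional qualifier (+ - ~ ?) followed by a mechanism.
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        mech = mech.lower()
        if mech == "all":
            return RESULT[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
        else:
            raise NotImplementedError(f"{term!r} needs DNS lookups; not handled here")
    return "neutral"   # nothing matched and the record has no 'all' term


# Constructed records for friendlyvampires.net: same servers, different endings.
STRICT = "v=spf1 ip4:198.51.100.0/28 -all"
LOOSE = "v=spf1 ip4:198.51.100.0/28 ?all"

# Constructed connecting servers.
EDWARD_MTA = "198.51.100.5"     # friendlyvampires.net's own mail server
SPAMMER = "203.0.113.77"        # forging @friendlyvampires.net
FORWARDER = "192.0.2.25"        # bestrealty.net relaying Edward's mail to yahoo


def walkthrough():
    """What the receiving server concludes in each situation."""
    return {
        "edward direct, -all": check_spf(STRICT, EDWARD_MTA),
        "spammer, -all": check_spf(STRICT, SPAMMER),
        "spammer, ?all": check_spf(LOOSE, SPAMMER),
        "forwarded by bestrealty.net, -all": check_spf(STRICT, FORWARDER),
    }


if __name__ == "__main__":
    for case, result in walkthrough().items():
        print(f"{case:36} -> {result}")
```

With ?all the forged message gets "neutral", which tells the receiver nothing; with -all it gets "fail", and so does Edward's genuine message once bestrealty.net forwards it with his sender address unchanged.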

Let's look at another problem that forwarding causes:

Let's say Rosalie has the domain test.com. Rosalie sets up an email
forwarder for Rosalie@test.com to forward to her Rosalie2@hotmail.com.

The email service provider that runs test.com, though, has a big
problem. Rosalie expects that ANYTHING sent to Rosalie@test.com is
forwarded on - does the provider attempt to forward ALL email,
including all the spam that she has been getting lately, or does it
try to filter the SPAM? Since Rosalie is only using the intermediate
email as a forward, she most likely does not log in to that account to
set her spam settings or check her spam folder on a regular basis. The
only reason she wanted to forward her email was to have only 1 mailbox
to check. Having to manage spam settings on multiple mailboxes and
track down where spam is trapped (if a legit message was snagged in a
filter) defeats the whole purpose of the forwarding for Rosalie.

Let's say Rosalie gets 10 valid emails a day on average. For most
email addresses and/or domains that have been in use for more than a
year, 10 SPAMs come in for every legitimate email. This means that the
test.com email server is going to actually have to forward 100
additional SPAMs a day to hotmail, or some lesser number depending on
how much they can filter out.

Of course the hotmail Mail Firewall sees this behavior (100 SPAMs a
day from the same sending machine) and quickly blacklists (refuses ALL
messages from) the test.com email server. Not only is the email server
that runs test.com seen as a SPAMMER, test.com is now seen as a SPAM
SOURCE. This means that the reputation of both Rosalie's domain and her
service provider is damaged - not good for Rosalie OR the operators of
the mail server she hosts her test.com domain at. Rosalie can always
get a new domain or try to get her domain off the blacklist, but for
the company that operates the mail servers that host her domain, the
blacklisted IPv4 addresses of the mail server could cause thousands of
mails to be dropped or delayed, and take many hours to sort out, with
many customers and domains affected.

Additionally, if Rosalie has set up a catch-all email address -
i.e. @test.com so that sales@, info@, jules@, etc. all work and go to
her hotmail account via a forward - then we all have an even bigger
problem. If a SPAMMER tries a dictionary attack against test.com -
sending hundreds or thousands of emails to made-up addresses @test.com -
then the test.com email service provider will be forwarding ALL of
those messages on to hotmail, which will have the server blacklisted
within minutes.

Suddenly Rosalie stops getting ANY email into her Hotmail account that
she expects from her forwarded account. Who does she call? Well, she
will be lucky if she can actually get anyone from a large ISP
(Verizon/Comcast/Embarq, etc.) or large mail provider (hotmail, gmail,
yahoo) to talk to. And even if she could, she would get the "no problem
here, must be on the other end" response, because as far as that
provider is concerned, all they are doing is saving her the headache
of getting an additional 110 SPAMs a day (her 100 SPAMs plus the 10
legit emails).

Remember, when one individual user tries to deal with large companies
that process millions of emails an hour, it's impossible for them to
really care or worry much about a few legit emails that get blocked.
Blocking the massive SPAM inflow is much more important, because if
their customers got thousands of SPAMs each day, they would simply not
use and/or pay for their service.

So next Rosalie calls the provider of test.com to investigate the
problem on their side. The answer she will get is: "no problem here,
we see that hotmail.com is blocking our attempts to send email". The
provider may or may not be able to get hotmail.com to take action and
fix this. More often than not, it is very time consuming for the
providers to track down a human on the opposite side who is able to
fix the problem. So email remains broken, or in a state of flux
(sometimes works, sometimes does not, depending on whether hotmail
removes the blacklist after a period or not, and depending on how much
SPAM comes through the auto forward).

Finally, to avoid the forwarding-of-SPAM mess discussed above, most
providers (if they have any clue at all) will fully SPAM filter all
email BEFORE it's forwarded, so they avoid getting blacklisted for
forwarding SPAM. This means that an email will take the following
path:

SENDER :: FORWARDER_FIREWALL :: FORWARDER :: RECIP_FIREWALL :: RECIPIENT

Either of the 2 firewalls - FORWARDER or RECIPIENT - can possibly
reject a message due to it matching:

1. SPAM or SPAM-like content (often the case if you forward off-color
jokes, or other chain-letter type email)

2. VIRUS or SPYWARE

3. DANGEROUS file names or file contents (like a "cool" screensaver
you found)  

4. LARGE FILE ATTACHMENTS (multiple photos for example)

Each of the firewalls will have different policies (suppose the
FORWARDING firewall allows 20 MB attachments, but the RECIPIENT
firewall only allows 5 MB attachments because it's a FREE ACCOUNT!)

Troubleshooting where the email was blocked wastes the time and
resources of each provider (FORWARDING and RECIPIENT), neither of which
will be sure where the problem really is unless they investigate
manually, which generates zero profits, only costs for the providers.
 

Many web hosts are now banning email forwarding to third party email
accounts, removing the capability altogether. And the result for
these hosts is a serious decrease in spam complaints against their
servers. Richweb does not ban email forwarding just yet, but it is
inevitable that most providers will find forwarding email externally
to be just too much trouble, and the benefits to everyone of turning
it off far outweigh any benefits of having this so-called "feature".