Ironport response

Last week I posted about a ESP that had a misconfiguration in their Ironport A60s that let spammers use the A60s to relay email to AOL. Earlier this week, Pat Peterson from Ironport approached me to talk about the problem and clarify what happened.
Ironport has provided me with the following explanation.

As part of a normal implementation a customer has a number of options they can choose from to setup their system.  How they handle messages on both their public and private interfaces can be easily configured based on the needs of their business.  IronPort has made sure that customers have the capability they require to configure their systems appropriately.  As with most products and services, proper usage is require for desired results.
In this case a configuration that is appropriate for some environments was viewed as a vulnerability because it was not appropriate for this specific environment.  Customers are warned about not configuring their systems to allow unauthorized domains to relay mail.  There are legitimate reasons why someone would want to allow external hosts to send mail through their IronPort, and functionality exists that allows customers to configure their systems to do that.  It should be noted that allowing any external host to relay mail through the appliance is neither encouraged nor recommended by IronPort.
In fact, the user documentation and CLI both clearly warn customers about the risk of allowing external hosts to relay mail through their IronPort.
Our customers are specifically warned during setup not to configure their systems to allow “any host to relay mail through your server.”  If someone purposely ignores these warnings and instead chooses to setup their IronPort to allow unknown domains to relay mail they can make themselves appear as an open relay, but that’s certainly not how the system was designed or intended to be used.

There is a broader message here. Anyone using any MTA needs to understand the configuration options as presented and make sure that the configuration does not allow unauthorized relay. In this case it was an Ironport MTA, but it could happen to any other MTA out there. Everyone should test their MTA after any configuration change to verify that it will not function as an open relay.

Related Posts

Comcast rate limiting

Russell from Port25 posted a comment on my earlier post about changes at Comcast.

Read More

SenderScore Certified expands

ReturnPath announced yesterday that SenderScore Certified now covers 1.2 billion inboxes, including mail handled by Hotmail, Time Warner Cable, GoDaddy and eventually Yahoo. A number of filters are also using SSC, including Spam Assassin, IronPort Systems, Barracuda Networks and Cloudmark.

Read More

Predictions for 2008

I did not have a lot of predictions for what will happen with email at the beginning of the year so I did not do a traditional beginning of the year post. Over the last 3 – 4 weeks, though, I have noticed some things that I think show where the industry is going.
Authentication. In January two announcements happened that lead me to believe most legitimate mail will be DK/DKIM signed by the end of the year. AOTA announced that approximately 50% of all email was currently authenticated. They did not separate out SPF/SenderID authentication from DK/DKIM authentication, but this still suggests email authentication is being widely adopted. AOL announced they will be checking DKIM on their inbound mail. I expect more and more email will be DKIM signed in response to this announcement.
Filtering. The end of 2007 marked a steady uptick in mail being filtered or blocked by recipient domains. I expect this trend to continue throughout 2008. Recipient domains are rolling out new technology to measure complaints, evaluate reputation and monitor unwanted email in ways that tease out the bad actors from the good. This means more bad and borderline email will be blocked. Over the short term, I expect to see more good email blocked, too, but expect this will resolve itself by Q2/Q3.
Sender Improvements. As the ISPs get better at filtering, I expect that many borderline senders will discover they cannot continue to have sloppy subscription practices and still get their mail delivered. Improved authentication and better filtering let ISPs pin-point blocks. Instead of having to block by IP or by domain, they can block only some mail from a domain, or only some mail from an IP. There are a number of senders who are sending mail that users do not want mixed with mail that recipients do want. Right now, if there is more mail that recipients want in that mix, then ISPs let the mail through. This will not continue to happen through 2008. Senders will need to send mail users actively want in order to see good delivery.
Less is more. A lot of other email bloggers have talked about this, and I will echo their predictions. Less email is more. Send relevant mail that your customers want. Target, target, target. Good mailers will not send offers to their entire database, instead they will send mail to a select portion of their database.
Feedback loops. Use of feedback loops by recipient domains will continue to grow.
Mobile email. More recipients will be receiving email on mobile devices.
Suggestions for 2008

Read More