It’s a new year, do you know what your filters are doing?

Yesterday the NJABL domain expired. The list was disabled back in 2013 but the domain continued to be maintained as a live domain. With the expiration, it was picked up by domain squatters and is now listing everything. Last year Steve wrote about how and why expired blocklist domains list the world.

The short version is that when domain squatters grab a domain, they put in a DNS entry that responds to every single query. Blocklists work by responding to DNS queries for listed domains. Put those two things together and a domain squatter grabbing a blocklist domain means, effectively, everything is listed.
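A health check for configured blocklist zones, added here as an example and not taken from the original post. It relies on the RFC 5782 test entries (127.0.0.1 must never be listed, 127.0.0.2 must always be listed) to spot a zone that answers every query; the zone names and the fake resolvers are constructed so it runs offline.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip, zone):
    """Query name for an IPv4 DNSBL lookup: reversed octets, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_resolver(name):
    """A records for name via the system resolver; [] when nothing resolves."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_zone(zone, resolve=system_resolver):
    """Classify a DNSBL zone using the RFC 5782 test entries."""
    never_listed = resolve(dnsbl_name("127.0.0.1", zone))
    always_listed = resolve(dnsbl_name("127.0.0.2", zone))
    if never_listed:
        return "lists-everything"   # wildcard answer: the zone lists the world
    if not always_listed:
        return "dead"               # test entry missing: zone is empty or gone
    if not all(ipaddress.ip_address(a) in LOOPBACK for a in always_listed):
        return "bad-answer"         # real lists answer inside 127.0.0.0/8
    return "healthy"

def fake_resolver(kind):
    """Constructed stand-in resolvers so the example runs offline."""
    def resolve(name):
        if kind == "squatted":
            return ["192.0.2.10"]   # same parking address for every name
        if kind == "healthy" and name.startswith("2.0.0.127."):
            return ["127.0.0.2"]
        return []
    return resolve

def audit(zones):
    """Map each configured zone to its health status."""
    return {zone: check_zone(zone, fake_resolver(kind)) for zone, kind in zones.items()}

# Constructed zone names; call check_zone(zone) with no resolver to query a real list.
SAMPLE = {"healthy.dnsbl.example": "healthy",
          "expired.dnsbl.example": "squatted",
          "retired.dnsbl.example": "empty"}

if __name__ == "__main__":
    for zone, status in audit(SAMPLE).items():
        print(f"{zone}: {status}")
```

Any zone reported as anything other than healthy is a candidate for removal from the mail server's blocklist configuration.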

The squatting happened sometime yesterday. A few people mentioned they were seeing some failures mentioning the list yesterday. One of them commented here.

Replying to an almost 6 year old post might not have many eyes see this, but I’ve just had a weird thing happen and it might help someone. Somewhere over the last 2 days, some people have been getting rejection messages from my Exchange 2010/SBS 2011 server and they finally called me to let me know. I had a few block lists, including dnsbl.njabl.org configured in the Hub Transport/Anti-Spam section from years ago when I set the server up. I disabled NJABL first up, and it all started working again. It had been blocking from people’s work domains to me, as well as hotmail and yahoo emails. All good now.

This is as good a time as any to review your current filter setup. Are all the external filters meeting your needs? Are they still actively maintained? Those of you managing SpamAssassin, have you upgraded to the recent ruleset yet? Should you? When was the last time your AV was updated?

While you’re thinking about it, drop a task in your task manager to remind you to check the filters again in 12 months.

These tasks are tedious and easy to drop to the bottom of any todo list. But regular review of filtering is important to maintain the effectiveness of the filters. For instance, anyone running NJABL has been querying a dead list for more than 5 years now. Wasted electrons, electricity and CPU cycles. Maybe it doesn’t seem like much in the grand scheme of things, but it is inefficient and wasteful.

Start the new year off right. Go review your filters. I’m even going to go check my personal filters to see if there are things I can add or remove to make my own mail better.
