Internet and e-mail policy and practice
including Notes on Internet E-mail


2007
Months
Feb

Click the comments link on any story to see comments or add your own.


Subscribe to this blog


RSS feed


Home :: Email


05 Feb 2007

Postini sends out Paypal phishes Email

Yes, that's what I said. And if you don't believe me, here it is, exactly as received except for snipping out a few locally added headers that identify the address they sent it to, an often scraped address that gets a mountain of spam.

If you look at the received headers, it came from exprod6ob55.obsmtp.com (64.18.1.190). The domain obsmtp.com is Postini, and 64.18.1.190 is in netblock 64.18.0.0/20 which is assigned to Postini. There is no question it came directly from them.

The source 66.123.63.227 is a Pacbell DSL line assigned to a patent law firm, presumably a Postini customer, that appears to have a zombie problem. But I am mostly wondering how a company which, the last I heard, claims to do spam filtering, sends out phishes so obvious that when I run them through spamassassin they score 17.0.

Return-Path: <admin@paypal.com>
Received: (qmail 16875 invoked from network); 5 Feb 2007 16:10:40 -0000
Received: from exprod6ob55.obsmtp.com (64.18.1.190)
  by mail2.iecc.com with SMTP; 5 Feb 2007 16:10:39 -0000
Received: from source ([66.123.63.227]) by exprod6ob55.postini.com
    ([64.18.5.12]) with SMTP;
    Mon, 05 Feb 2007 08:10:36 PST
Received: from User ([216.211.25.83]) by ntfs1.domain1.local with Microsoft
    SMTPSVC(6.0.3790.1830);
     Mon, 5 Feb 2007 08:09:30 -0800
From: "PayPal" <admin@paypal.com>
Subject: Please Verify Your Account !
Date: Mon, 5 Feb 2007 11:09:30 -0500
MIME-Version: 1.0
Content-Type: text/html;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <NTFS15euwdUTaGmvSVM000023f0@ntfs1.domain1.local>
X-OriginalArrivalTime: 05 Feb 2007 16:09:31.0112 (UTC)
    FILETIME=[04D48680:01C74940]
Original-sender: admin@paypal.com
 
<IMG src="https://www.paypal.com/en_US/i/logo/paypal_logo.gif"
border=0></A>  <TABLE cellSpacing=0 cellPadding=0 width=600 align=center
border=0>
<TBODY>
<TR>
<TD colSpan=3><IMG height=2 src="pp.files/pixel.gif"
width=2></TD></TR></TBODY></TABLE>
<P><FONT size=2><FONT face=Verdana>Dear valued <STRONG><STRONG><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY:
Verdana">PayPal<SUP>®</SUP></SPAN></STRONG> </STRONG>member</FONT>
: <BR></FONT><BR></P>
<P><FONT face=Verdana size=2>It has come to our attention that your <SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY:
Verdana"><STRONG>PayPal<SUP>®</SUP></STRONG></SPAN> account information
needs to be <BR>updated as part of our continuing commitment to protect your
account and to <BR>reduce the instance of fraud on our website. </FONT><FONT
face=Verdana size=2><FONT face=Verdana size=2> If you could please take 5-10
minutes <BR>out of your </FONT><FONT face=Verdana size=2>online </FONT><FONT
face=Verdana size=2>experience and update your personal records you will not
run into <BR>any future </FONT><FONT face=Verdana size=2>problems with the
online service.
</FONT></P>
<P><FONT face=Verdana size=2>However, failure to update your records will
result in account suspension. <BR>Please update your records on or
before <FONT color=red><STRONG>December 15,
2007</STRONG>.</FONT> <BR><BR>Once you have updated your account records,
your <SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY:
Verdana"><STRONG>PayPal<SUP>®</SUP></STRONG></SPAN> session will not
be <BR>interrupted and will continue as normal. </FONT></P>
<P><FONT face=Verdana size=2>To update your <SPAN style="FONT-SIZE: 10pt;
COLOR: black; FONT-FAMILY:
Verdana"><STRONG>PayPal<SUP>®</SUP></STRONG></SPAN> records click on the
following link: <BR></FONT><br><a target="_parent"
href="http://216.169.155.89/~bosco/start.html" target=_self><FONT
face=Verdana
size=2>http://www.paypal.com/cgi-bin/webscr?cmd=_login-run</FONT></A>
 
<P><FONT face=Verdana size=2></FONT> </P>
<P><FONT face=Verdana size=2>Thank You.  <BR><SPAN style="FONT-SIZE: 10pt;
COLOR: black; FONT-FAMILY: Verdana"><STRONG>PayPal<SUP>® </SUP><SPAN
style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Verdana">UPDATE
</SPAN></STRONG><SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY:
Verdana"><STRONG>TEAM</STRONG></SPAN></SPAN>      </P>
<P><FONT face=Verdana size=2>Accounts Management As outlined in our User
Agreement, <SPAN style="FONT-SIZE: 10pt COLOR: black FONT-FAMILY:
Verdana"><STRONG>PayPal<SUP>®</SUP></STRONG></SPAN> will <BR>periodically
send you information about site changes and enhancements. </FONT></P>
<P><FONT face=Verdana size=2>Visit our Privacy Policy </FONT><FONT
face=Verdana size=2>and User Agreement if you have any
questions. <BR></FONT><a target="_parent"
href="http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-
outside"><FONT face=Verdana
size=2>http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy
-outside</FONT></A></P>
<P> </P></FORM></FONT></FONT>

posted at: 23:24 :: permanent link to this entry :: 19 comments
posted at: 23:24 ::
permanent link to this entry :: 19 comments

comments...        (Jump to the end to add your own comment)


All email service providers will at some point in time have an outbound spam problem or two. It's just a fact of life. Same as for ISPs.

Whether it scored 17 on SpamAssassin or not is utterly irrelevant - it only matters whether it hits on the rules that provider has for detecting outbound spam (which this obviously didn't). I don't know whether Postini has any such rules, but I know we do, and I've heard the "But it scored X on SpamAssassin!" complaint before, and it really irks me. Are mail providers measured in quality by whether they run SpamAssassin on outbound mail or not?

(by Matt Sergeant 05 Feb 2007 15:15)


Not just scoring 17
My point about scoring 17 wasn't that I expect them to run spamassassin, it's that this is an egregious phish that any competent filter should have caught. Remember, Postini doesn't claim to be an ESP, they say they do e-mail security and management.

(by John L 05 Feb 2007 16:12)


Former Postinian
I am a former Postini employee, and I am here to defend them.

You're correct that this spam traversed the Postini network, but it did *not* originate there. Take a look at the first Received header:

Received: from User ([216.211.25.83]) by ntfs1.domain1.local with Microsoft SMTPSVC(6.0.3790.1830); Mon, 5 Feb 2007 08:09:30 -0800

The message originated at [216.211.25.83], which appears to be a broadband IP:

[paul@taz ~]$ host 216.211.25.83 83.25.211.216.in-addr.arpa domain name pointer host-216-211-25-83.tbaytel.net.

The next Received header, which is the one added by the Postini system when the mail went through them, shows that they got it from a different machine:

Received: from source ([66.123.63.227]) by exprod6ob55.postini.com ([64.18.5.12]) with SMTP; Mon, 05 Feb 2007 08:10:36 PST

The IP that connected to Postini was [66.123.63.227], which also appears to be a broadband IP:

[paul@taz ~]$ host 66.123.63.227 227.63.123.66.in-addr.arpa domain name pointer adsl-66-123-63-227.dsl.lsan03.pacbell.net.

Ostensibly, this is one of Postini's customers, and the originating machine has a spambot on it. Postini handles inbound mail filtering for all customers, and for those that pay for it, outbound filtering as well. Outbound filtering does not mean blocking outbound spam; it means applying corporate policy, such as appending compliance footers and enforcing attachment and content rules.

Although outbound spam is not blocked, it is identified and recorded, and customers exhibiting repeated incidents like this are contacted and worked with to resolve the issue. Postini is a responsible netizen.

In the future, I would suggest that rather than jumping to conclusions, you contact the company directly with concerns such as this. They have an abuse reporting form on their site, and if you provide information such as this, they will be happy to provide the exact same explanation I have given. Attacking them without proper knowledge of what they do and how they do it is irresponsible.

(by Paul Brown 06 Feb 2007 13:49)


Postini really does send phishes?
Let me get this straight. You say "outbound spam is not blocked", Postini the spam filtering company lets their customers send spam and phishes unimpeded, give or take some gobbledygook about compliance which is irrelevant to me and to my users. Why exactly would anyone want to accept mail from a sender with that policy?

As far as contacting Postini, I sent off my usual spam report to the address they registered with abuse.net, and I got the usual response, which is nothing.

(by John L 06 Feb 2007 14:53)



No, Postini does not really send phishes. You are completely ignoring the facts because they don't support your preconceived ideas and judgments.

Irrelevant? No, as a matter of fact, it *is* relevant, if you're actually interested in reaching a resolution to this issue. Of course, I can see that you're not interested in reaching a resolution at all -- all you're interested in is bashing Postini.

And like I said, they do take steps to work with their customers when things like this happen. Once again, a fact that you have chosen to completely ignore.

You expect everyone to play by your rules, which is unreasonable. Postini is a business, and they are in business to make money. They don't have the time or the resources to respond to every pinhead on the face of the planet with a chip on their shoulder. As a good netizen, they respond to all abuse and sender complaints, but you will need to follow the established process to contact them. Do you have any idea how many emails they receive to the abuse address? Thousands. Every single day. And you expect them to respond to every single email? That's completely unrealistic.

Firing off an email and ignoring the autoresponse which tells you what to do to proceed with registering your complaint and then complaining in public about how they don't respond only exposes your bias. Do you really expect people to take you seriously when you act this way? If the roles were reversed, would *you*?

Thomas Paine once said that arguing with a person who has abandoned reason is like giving medicine to the dead. I know exactly how he felt.

(by Paul Brown 06 Feb 2007 17:51)


Sir, please step away from the kool-aid
My goodness, I certainly seem to have found a sore point. Who'd have thought that I was so out of line thinking that a spam filtering company would actually, you know, filter spam?

With respect to autoresponses, there wasn't any. (Yes, I checked the logs.) On the other hand, I know providers much, much larger than Postini that not only accept abuse reports by e-mail, they actually triage and deal with them. If Postini is unable to deal with merely thousands of messages a day to their postmaster, that's really breathtaking. I have no objection to Postini making money, but if they can't figure out how to run a competent mail system and pay for it, that's their problem, not mine.

(by John L 06 Feb 2007 18:21)


Talk to Postini?
Have they gotten any easier to talk to?

I had a hard enough time in the 2000-2002 time frame when I tried to talk to them as a CUSTOMER.

All of the non-customers I know that have tried to address deliverability issues with Postini have had no luck contacting the company because they don't want to be bothered with deliverability.

I work for a competitor now, and inflexibility in managing email deliverability is one of my big selling points of our service over Postini's service. Our philosophy is that people need email, and we had damned sure better ensure it gets delivered. And yes, we whitelist and do other things as necessary because deliverability is of the utmost importance to us. This stands in stark contrast to companies like Postini -- and probably others, but I have prior experience with Postini as a customer -- where they're too big to care.

(by Steve Sobol 06 Feb 2007 19:12)


Competence is what competence does
My rules are "Don't send me spam." I expect everybody to play by them.

Those who fail to play by them can find themselves blocked.

I don't care about what they claim to do with their customers (anything I can't observe is merely a claim), I care about how effective it is. If I get spam, then it isn't effective enough. Nor do I care what hoops they want me to jump through to get their attention. Sending a single complaint message for a spam is the most warning that the spam-emitter deserves.

(by Seth Breidbart 06 Feb 2007 19:18)


It's different when you're an end-user
Seth, I'm not sure whether or not your reply was to my comments. I will point out that a company filtering their own spam has a completely different set of performance goals than one that charges for spam filtering like Postini or like us. At that point, you have a certain set of responsibilities.

Incidentally, "inflexibility in managing email deliverability" should have read "Postini's inflexibility in managing email deliverability".

(by Steve Sobol 06 Feb 2007 20:15)



Sounds like the same old new Internet era to me. Postini clearly has a right to make a profit by sending spam to you on behalf of their customers. Postini doesn't owe you the time of day, even though you've done the hard work of identifying where the spam came from, and sent them an alert, which reasonable service providers consider to be a free favor that abuse reporters are doing for them. This is the new era of Screw You, We're In It For The Money, and To Hell With Being a Good Neighbor.

Dry up, Levine, you great prune. Your spam problem is your own, and how dare you expect Postini to do your spam filtering for free. But I'm sure they'd be happy to sell you their spam filtering service for a reasonable fee ...

(by Joe G 06 Feb 2007 20:18)



This is incredible. None of this is based on any truth whatsoever. Judgments from out-of-the-ordinary personal experiences, preconceived notions of how things *ought* to be done, "my way or the highway" mentality, sure. But reasonableness? Not a chance.

I was the senior technical support engineer in charge of outbound, so I think I have a pretty good idea of what I'm talking about. But around here, it seems that I can tell you all that the sky is blue and be called a Kool-Aid drinker. Whatever. Enjoy your membership in the mutual admiration society you all seem to be members of.

Clowns to the left of me, Jokers to the right, here I am, Stuck in the middle with you...

(by Paul Brown 06 Feb 2007 22:26)


Kool-Aid indeed.
There's no excuse for any mail server to be passing this crap. The only explanation is that it is being managed incompetently. Postini knows they don't provide service to Paypal. They should know that Paypal is a major phish target worthy or specific special treatment: they shouldn't be accepting mail from their customers claiming to be from a paypal.com address or a few dozen other such heavy phish targets. That they do so indicates that they don't know what they are doing in running a mail system.

The idea that any mail server can be an innocent transparent conduit is about a decade obsolete. Postini is responsible for the mail they transport as much as anyone operating a mail server is. If they have anything of value to sell as an outbound path it is deliverability, and that has to be based in part on earning a reputation for not sending spam. Postini fails to earn that reputation, in part by not doing the *easy* things to educe the spam their servers send.

(by Bill Cole 07 Feb 2007 01:28)



Let's get a few things straight.

1. I never said that it is okay for this to pass through the Postini system. I merely explained why it does. If anyone is interested in understanding that, great. If not, I pity you.

2. Yes, I defend the company. I am grateful to it for feeding my children for the past few years. That makes me a Kool-Aid drinker. Mmmmmmm-kay.

3. Like I said -- twice now, both times ignored -- they are doing something about this. As a matter of fact, while I was there, I was nearly singlehandedly responsible for raising this as an issue and getting every technical department involved in working on a solution. This also includes, by the way, improving deliverability.

4. Why is it assumed that because this issue exists, it means that Postini as a whole is full of a bunch of idiots who don't know how to run a mail system? The truth -- if anyone is interested in it -- is that Postini has some of the most talented operations and network people around. The problem is not them; it is business decisions made by senior management that have nothing to do with them or their technical capability. Neither I nor they have any control over those decisions or any real insight into why they make them (and since I disagree with them, I won't try to defend them). We all just have to live with them and do the best we can within the parameters they set.

I don't disagree with any of you as a point of fact and philosophy. I simply take exception to the methods I'm seeing used here.

(by Paul Brown 07 Feb 2007 02:14)



Steve, I wasn't directly addressing your comments.

I have an intellectual interest in how others do inbound filtering. Maybe there are ideas I can use. Maybe it's interesting discussing techniques.

If I were considering hiring an outsourced filterer, I'd definitely be interested in how they worked.

I have an actual interest in what others emit in my direction, because that directly affects me. That's what is being discussed here.

I have only an intellectual interest in how somebody's outbound filtering works; I have an actual interest in whether it works.

(by Seth Breidbart 07 Feb 2007 11:32)


Let's get a few things straight, yes, indeed.
I'm going to take a wild stab and generalize by saying "we" here, as I suspect that the other posters will agree with the general nature of this reply. I apologize in advance for anyone who doesn't. :-)

1) We don't care /why/ crap passes through the Postini system. Postini postures itself as an e-mail security and management company. Blocking by sender domain is a feature that was added to MTA's years ago, and any vaguely competent mail administrator can figure out how to use the feature to stop PayPal phishing with an "@paypal.com" domain in the From: line. You may construe this as an explanation of why this sort of thing shouldn't be passing through Postini's systems. If you cannot comprehend that trivially blockable obvious phish food should be caught by a firm that portrays itself as competent at e-mail security, and that the failure to do so is highly ironic, I'll gladly send you a buck to go buy yourself a clue at K-Mart.

2) We don't care that they fed your children for the past few years. Many spammers have families too. It does not make me more sympathetic towards their spam. Feeding your family is not an excuse. I feed my family without generating thousands of abuse complaints a day.

3) "Doing something" about this would be "accepting abuse complaints graciously and gratefully." Your own messages say that those who submit abuse complaints have to "register" their complaint, and that you feel it is unreasonable to expect Postini to have to reply to the thousands of abuse complaints they receive daily. Perhaps if Postini directly accepted and acted on more of these complaints, and followed through by implementing trivial and obvious filtering such as forbidding paypal.com in the sender address, there would be a reduction in volume of complaints. Those who complain to you are doing you a favor. Making them jump through hoops is unreasonable. Failing to respond to them is unfriendly.

3a) It is disappointing that you were nearly singlehandedly responsible for raising this as an issue. It suggests to the outsider looking in that nobody else there cares that much about it.

4) As with any business, your reputation is yours to shine - or to smear. If you configure your mail systems to relay obvious phishes, that suggests "idiots, incompetents, or they just don't care." I'm under no obligation to go and call Postini and interview your operations and networking people to determine that they are in fact talented but restrained by senior management. To expect us to even care why Postini is exhibiting stupidity is naive.

Several of the people you are talking to here, myself included, are well into (at least) our third decade of administering public messaging systems. We're not likely to accept the "but it's a good company, it is just the senior management" line of defense.

We have preconceived notions of how things should be done, because we, as a community, have defined them. We recognize that users who submit abuse complaints are doing us a favor, and do not expect them to jump through lots of hoops. We recognize that when a trivially correctable issue is pointed out, that we have a responsibility to the community to do so.

You may need to take a bit of a step back and realize that if your company's management sucks, then the view from abroad is likely to be that your company sucks. It is not necessarily a reflection on you or whatever contributions you have made to your company. This is occasionally difficult for engineers (or other employees) to understand and accept. We do not see your contributions. We cannot determine that you have some talented staff. A chain is as strong as its weakest link. If you were a strong link, we thank you. We do not hold you personally responsible for Postini's actions in any case.

(by Joe G 07 Feb 2007 12:11)



Uncle.

(by Paul Brown 07 Feb 2007 18:24)



I'm certain that Postini has the technology to stop that mail.

Obviously it's a question of policy. Why doesn't Postini force outbound mail scanning upon its customers? Is it because they're afraid customers will say "What, you're going to force me to pay you to scan my outbound mail when I may not want that? I'm not going to buy, then!" Is that a valid fear?

RE: abuse complaints, perhaps the idea is sound but the implementation could be better. I suppose the idea is to build a mechanism that prevents flooding the abuse reports box. Perhaps the mechanism could be redesigned so that it's still trivial for humans to report spam (don't make it hard for somebody to do you a favour) yet difficult for spammers, DoS'ers and enemies to attack.

(by NormMonkey 16 Feb 2007 10:48)



Paul said>3. Like I said -- twice now, both times ignored -- they are doing something about this.

I don't get it. You said you've left the company. So whatever it is they're doing about 'this' clearly isn't working, and needs to change. I was offered the deliverability job at major ESP recently. I didn't take it because I wasn't to be granted the policy or the authority needed to do the job. If I'd taken it, I'd be 'doing something' about the company's outbound spam problem, but it wouldn't be 'doing something effective'. Whatever the 'something' that postini is doing about outbound spam, it's pretty clear that it's ineffective. What can you tell us about what postini is doing in that regard? Is it doing sophisticated outbound filtering? Is a human looking at the filtered-out email flow and addressing the problem it is a symptom of?

(by Matthew Elvey 16 Feb 2007 16:55)


You Know It's Broken When..
The standard and most often heard customer complaint is that they can't get through the company's defences to register a complaint or suggestion. It's the mark of a bad company.

On a side note, I'm amazed at the amount of hostility in these comments. Hostility is just noise, and it means the signal to noise ratio is non-optimal.

(by artson 17 Feb 2007 08:58)


Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

 
Name:
Email: you@wherever (required, for confirmation)
Title: (optional)
Comments:
Show my Email address
Save my Name and Email for next time

Topics


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

CAUCE
Remembering JD Falk - 10 years later
220 days ago

A keen grasp of the obvious
New Hope for the Dead
462 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse



© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.