
Foiled anti-spam tools block mails

By Carel Alberts, ITWeb contributor
Johannesburg, 31 Mar 2003

At least one major South African portal/Internet service provider (ISP) has mistakenly identified e-mails from a popular Linux-based mail server as spam, causing what industry insiders estimate to be widespread disruption and non-delivery.

M-Web dropped unconfirmed numbers of e-mails last week, sent via ISPs using the open source Exim mail platform, as its own content filtering tools mistakenly identified the mails as spam.

M-Web will not part with any numbers, nor has it been established whether the iafrica.com domain, also under its control, has been affected. Tiscali World Online denies having dropped any mails.

However, Barry Gill, an Internet service provider, says he knows of "at least eight first- and second-tier ISPs that use Exim", many of them with exiscan, the content-filtering add-on whose header was the reason the mails were mistaken for spam.

"Apparently there is a large wave of spam being sent out internationally with forged exiscan X-Scanner: headers, and this could be part of the cause of the problem."

Gill says he saw significant disruptions. He estimates that thousands of his users were unable to send e-mails to M-Web and other portals that had implemented a virus- and content-filtering system from Trend Micro.

This ISP contacted the M-Web support team and the issue was resolved fairly quickly, although Ferdie van Deventer, M-Web high-level support manager, was not able to state how long it took to correct matters.

Mervyn Coopen, operations director at SecureData, the South African representative of Trend Micro, says the problem was immediately seen to and sorted out. He says ISPs are free to set their own filtering rules, and that the error was corrected simply by turning off the filtering parameters at the sites in question.

Gill says he appreciates that it was neither the fault of M-Web nor the Trend Micro product nor its product deployments at the sites. Instead, he says settings at the heart of such automated filtering systems clearly still needed manual intervention and overseeing.

The technology

The mail server in focus is Exim, a mail transfer agent for Unix-like systems such as Linux and FreeBSD, which can be extended with an anti-virus and spam filter called exiscan.

This scanner adds an X-Scanner: line to the message header to let downstream content-filtering systems know the message has already been scanned, and it also applies a weighting to the message so that those systems can see how probable exiscan judged it to be that the message is spam.

M-Web's mail servers (and those of iafrica.com and World Online) are protected by Trend Micro content and virus scanning systems. The Trend system uses a Trend-specific "heuristic weighting" system to decide what mail is spam and what isn't. It also contacts an automatic update server belonging to Trend, which pushes out daily updates of the rules from which those weightings are derived.

"During the affected time," says Gill, "any mail tagged with the exiscan identifier in the message header was filtered out of M-Web and other portal servers, and dropped as spam.

"Since Exim is an open source product, as is exiscan, there are a fair number of Exim installations in SA, most likely to be running something like exiscan.

"The problem here is that senders think their mail has been sent successfully and recipients never receive the mail, so there are bound to be a few eruptions over who sent what and 'why haven't you responded' scenarios over the next week or so."

Tom Kistner (tom@duncanthrax.net), an exiscan developer, said: "Someone is currently sending a very big wave of spam that includes bogus X-Scanner: headers with exiscan's signature."

The bogus headers look like this: "X-Scanner: : exiscan for exim4 (http://duncanthrax.net/exiscan/) *N5k6ECBnWGKt12NarMPIfkmU*

"Note the double colon and the fake crypted message ID (there should be three asterisk characters in there).

"They can fine-tune their checks to look for the double colon, then everything should be OK."
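The two tells Kistner describes (the double colon after X-Scanner, and a crypted ID delimited by two asterisks instead of three) are easy to check mechanically. The Python below is an added example written for this article, not code from exiscan, Trend Micro or M-Web. The forged header is the one quoted above; the shape of a genuine header (a single colon, exactly three asterisks) is an assumption taken from the article's description, and both sample messages are constructed. It also contrasts the over-broad rule that caused the outage (any exiscan tag means spam) with the fine-tuned rule Kistner suggests.

```python
"""Classify X-Scanner: headers as forged or genuine-looking.

Added example, not exiscan's or Trend Micro's code. Implements the checks
described in the article: a forged header reads "X-Scanner: : exiscan ..."
(double colon) and carries a bogus crypted message ID between only two
asterisks, whereas a real exiscan header has a single colon and three
asterisks. The genuine shape is an ASSUMPTION from that description.
"""
import re
from email import message_from_string

# Assumed genuine layout: "exiscan ... *<id>*<id>*" -> exactly three asterisks.
GENUINE_RE = re.compile(r"^exiscan\b[^*]*\*[^*]+\*[^*]+\*\s*$")


def classify_x_scanner(value):
    """Return 'forged', 'genuine-looking' or 'unknown' for one header value.

    `value` is the text after "X-Scanner:" with leading blanks removed,
    which is what email.message.Message returns for msg["X-Scanner"].
    """
    if value.startswith(":"):
        # "X-Scanner: : exiscan ..." is the spammers' double colon.
        return "forged"
    if "exiscan" not in value:
        # Some other scanner's header; this example says nothing about it.
        return "unknown"
    if value.count("*") != 3:
        # Claims to be exiscan but lacks the *id*id* triple-asterisk form.
        return "forged"
    return "genuine-looking" if GENUINE_RE.match(value) else "unknown"


def classify_message(raw):
    """Classify every X-Scanner header found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    return [classify_x_scanner(v) for v in (msg.get_all("X-Scanner") or [])]


def naive_rule_is_spam(value):
    """The over-broad rule the article describes: any exiscan tag is spam."""
    return "exiscan" in value


def tuned_rule_is_spam(value):
    """The fine-tuned rule: only the forged header shape counts as spam."""
    return classify_x_scanner(value) == "forged"


# Constructed sample: the forged header exactly as quoted in the article.
FORGED_MSG = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: constructed spam sample\n"
    "X-Scanner: : exiscan for exim4 (http://duncanthrax.net/exiscan/)"
    " *N5k6ECBnWGKt12NarMPIfkmU*\n"
    "\n"
    "constructed body\n"
)

# Constructed sample with the assumed genuine shape (single colon, three
# asterisks); the IDs are made up and are not real exiscan output.
GENUINE_MSG = (
    "From: sender@example.invalid\n"
    "To: user@example.invalid\n"
    "Subject: constructed legitimate sample\n"
    "X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/)"
    " *18zXyQ-0001aB-00*Kb3dPqR9sT7uVwXy*\n"
    "\n"
    "constructed body\n"
)


if __name__ == "__main__":
    for name, raw in (("forged", FORGED_MSG), ("genuine", GENUINE_MSG)):
        value = message_from_string(raw)["X-Scanner"]
        print(name, classify_message(raw),
              "naive:", naive_rule_is_spam(value),
              "tuned:", tuned_rule_is_spam(value))
```

The naive rule flags both messages, which is exactly the over-blocking M-Web saw; the tuned rule flags only the forged one. Even the tuned rule is a stopgap: nothing stops the next spam run from copying the correct syntax, so the presence of a scanner header should never on its own be treated as evidence that a message was or was not scanned.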
