Olaf's questions

If any email contains the URL lafargeholcim-foundation.org or if an email is sent using an email address from that domain, certain providers rate those mails as Spam, others not at all. It is enough if the URL appears in the body as plain text or html, even if other totally independent mail addresses are used. For some reason, it has become a spam word on one or more important lists.

What we tried:

• We checked if that domain got blacklisted somewhere - nope (tested on multiple sites - there where some false positives on the lists, but the blacklist websites themselves said the domain is clean)
• We checked for correct DNS settings (SPF, MX, PTR and so on) - looks good
• We checked domain health using mxtoolbox.com - the only error it show is dmarc - Missing or Invalid Record; however, that error is shown for many other domains to which have no problem (also, that would not explain the ranking if it just gets mentioned)
• We have used http://www.isnotspam.com/ which results in SpamAssassin 3.4.1 (2015-04-28) - Result: ham (non-spam) (02.8points, 10.0 required) but in the details shows X-Spam-Status: Yes, hits=2.8 required=-20.0 tests=BAYES_99,BAYES_999, HTML_MESSAGE,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, SPF_HELO_PASS,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.1; contradictory, but the important message is that somehow the BAYES checks fail

This is the spam check part of the header of a mail sent from [email protected] to an email address at domainfactory that does not filter mails:

X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
spamfilter20.ispgateway.de
X-Spam-Level: **********
X-Spam-Status: No, hits=10.0 required=9999.0 tests=BAYES_50,CMAE_1 autolearn=disabled version=3.3.1
X-Spam-CMAETAG: v=2.1 cv=EeZGQZWC c=1 sm=0 tr=0 p=cbSXLfNRAAAA:8
a=pGLkceISAAAA:8 a=2MiuTIsZAAAA:8 a=1XWaLZrsAAAA:8 a=7aQ_Q-yQQ-AA:10
a=83US_ujnACjsZj5jA7sA:9 a=QEXdDO2ut3YA:10 a=UED6auwn5vwA:10
a=7xph8sLR3VcA:10 a=Ky3Y0quMuIMiIHF6c5kA:9 a=jJvKbzjZ-ey99uua:21
xcat=Undefined/Undefined
X-Spam-CMAECATEGORY: 0
X-Spam-CMAESUBCATEGORY: 0
X-Spam-CMAESCORE: 100

Although in this example it says "X-Spam-Status: No", the level is too high to let it go through.

Again: we can understand that some senders are blacklisted. But just mentioning the URL in plain or html text increases the spam rank so much that those mails, no matter where they come from, get filtered out (depending, of course, on what kind of check the mail provider does, if they use SpamAssassin or not).

The header above is from domainfactory, a usually quite reliable German provider. Similar delivery failures have been reported from greenmail.ch, hispeed.ch and others. As opposed to Gmail which shows no spam ranking.

The company is a perfectly legitimate non-profit foundation. They have sent out a newsletter to around 25.000 (voluntary, no spamming involved) recipients in December using Amazon SES. DNS setting are on Amazon Route 53, and Google Business accounts handle the mailboxes.

Over the last 8 years or so, many newsletters have been sent without any issues. The bulk SMTP provider has changed from critsend to Amazon SES recently, though.

Also, they have changed their domain recently and added envelopes to outgoing mails that changed the old domain to the new one - might that have aroused suspicion?

We have googled all day, and we still have no clue how to find out why and where that happened and how to handle that issue. Who adds a spam word to (maybe) SpamAssassin, why, and how can we get rid of it?

When testing the SOA setting for example-domain.org on http://mxtoolbox.com/, it says that

SOA Serial Number Format is Invalid

The entry is

ns-885.awsdns-46.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

That, however, is exactly what Amazon suggest in their Route 53 documentation on http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/SOA-NSrecords.html

mxtoolbox issues a warning - why? They also consider the missing DMARC settings as an error.

Please bear with me - I am not a sysadmin. Any hint that uses a language that a developer can understand is greatly appreciated.

We have a Windows 2008 R2 server with IIS 7.5 and a lot of customer websites. Being no sys-admin but a developer, I hate to touch that wonderfully running system.

However, I'd like to update the IIS plugin URL Rewrite to version 2.0 via Web Platform Installer.

I do not want to do anything that might compromise the server, hence the question: can I expect it to work with at least a 99% chance? I did not find any bug reports or reviews on the web, so I'd like to hear an expert on that.

An educated guess will do.

Out of convenience, I have set the firewall rules of one of our customers' Windows 2008 R2 server so that it is open for all incoming traffic, all port and all programs, but the scope settings limit it to one specific remote IP address - ours. The reason is that we access the database and other programs remotely.

Question: is such a setting risky? Should I put effort into establishing separate rules for specific ports and programs in addition to our fixed IP address?

As a developer, I find it hard to estimate the danger of IP spoofing and whatever other hacking techniques there may be that can take advantage of that setup.

We are using an external commercial smtp server for our newsletters (sending them through .NET components), and they offer two smtp URLs - smtp.critsend.com and fast.critsend.com -, and the second one is reserved for sending singular emails, the first one for bulk.

Using nslookup shows that both resolve to the same 4 IP addresses (fast.critsend.com being an Alias).

Question: (how) is it possible for the smtp relay to distinguish between different names? Is there something in the headers that can be compared to host headers in http protocol (I didn't find any intelligible information for a non-sysadmins)?

The reason I'm asking is because we would like to use one of the IPs in our newsletter script (which works) rather than a name (in order to save DNS requests), and we are wondering about potential problems.

We are renting a Windows 2008 Hyper-V Webserver from a hosting company, from there we are sending mails using critsend, and all of a sudden, after working fine for a long time, smtp.critsend.com, the SMTP server we are using, cannot be resolved to an IP any more.

Other domains work well, and I couldn't find other examples for unresolvable domains.

The DNS servers used are 195.234.228.93 and .92.

I resolved smtp.critsend.com locally and added it to hosts, and the it worked - but it still worries me. Any ideas? Anything I can check to clarify the matter?

When connecting to a Windows Server (2003 or 2008) desktop through RDP from a local Windows (7 or XP) PC with networks shares enabled (usually, the local C: disk will be shared with the remote server), is there a real chance that a virus infects the remote server?

Of course, we protect our local PCs as good as we can, so I'd just like to know if it makes sense to have a policy to restrict file transmissions to FTP or WebDAV and prohibit shares.

I believe a question like this should have been asked before, but I couldn't really find anything.

Is there an event that is triggered when a Windows 7 computer has been restarted after being put into hibernate which I can use to run a program - very much the same way the task scheduler would to, just not time based in this case, but event based?

It'd be easy to accomplish after system start, but I haven't found anything similar for a "return from rest mode" scenario.

I need to start an exe in order to send an email notification every time this happens.

Is there a way to find out the date and time when certain known files have been deleted (by RDP access) on a Windows 2008 R2 Webserver? They have not been moved to the bin.

As far as I know there are no logs (or are there?). The only thing I can think of is an undelete tool that checkes the system. There isn't really a need to recover the files, we just need to know when it happened (and subsequently who did it). If this is a recommended way - can you recommend a possibly free, safe undelete tool?

Or is there another way?

One way to verify sites when using Googles webmaster tools is to add a TXT entry to the nameserver, using the hostname and adding the provided text.

Accidentally (because I simply didn't know) I added two TXT entries, one with 'www' and one without, just to make sure Google would accept the code (because in the webmaster tools the site was entered with 'www').

What happened was: after the DNS entries had spread, the sites were not available anymore when using the hostname with 'www'. EDIT: No particular error message, just "Server not found".

Why? It was probably naive to think that the TXT entry format is somewhat arbitrary, but can someone explain to a shocked developer (=non-administrator) why a TXT record can influence something that should be handled by A records so destructively?

EDIT: Here is the example (but of course it is no longer online). The site is hosted at domainfactory, a shared hoster where one can edit the DNS settings (or have domainfactory manage them - in that case, the 'Ziel' column shows their name; usually it is no problem to mix entries):

It is exactly the last entry that made the site unavailable.

However, telling me that this should not happen is also a good answer - I can ask the hosting provider then.

Forgive me if I'm not familiar with nslookup, but I did one lookup with and one without www on one of the domains that still don't work, and this is the result:

C:\>nslookup www.foo.de
Server:  dns2.colt1.inetserver.de
Address:  195.234.228.93

Name:    www.foo.de

And the second one:

C:>nslookup foo.de
Server:  dns2.colt1.inetserver.de
Address:  195.234.228.93

Nicht autorisierende Antwort:
Name:    foo.de
Address:  81.20.84.178

The difference is that the request without 'www' showed a 'Nicht autorisierende Antwort:' (probably 'non-authorizing answer') but the correct IP.

As a small software development company, we run a few Windows production webservers and manually install Microsoft updates and security patches. Most of the time, a restart is required.

After the updates are installed and the server asks for a restart, is the server during the time between this message and the restart somehow more vulnerable, or is it perfectly in order to delay the restart (and the security level remains the same as before)?

There is a Win 2008 server with a few website, and sometimes an image conversion website consumes huge amounts of RAM. Is it generally safe (though not a good idea) to just kill that w3wp process (IIS Worker Process) in the Windows Task Manager or will it affect other w3wp processes (there is a separate Application Pool for each web)?

If the options in the mailman admin interface are set to "try to avoid duplicates" and every members is also set to "no duplicates", what are possible reasons if one of the subscribers receives each and every message twice?

Is it safe to say that it can't have anything to do with the list?

An existing MS Access 2003 project frontend with a MS Sql Server 2005 backend needs to be accessed from different locations (not just one LAN anymore). Instead of implementing a VPN, we are thinking about moving the SQL Server as well as the MS Access project to a Windows 2008 terminal-server (hosting outsourced).

Will it be possible for 20 users to access this server by RDP an run their individual instancea of MS Access without interference with the other users' instances? Would that be a good solution?

We are renting a Windows root server at Serverloft. Recently, when the server restarted after installing regular Microsoft updates, it restarted properly, but couldn't be accessed anymore, and a Linux server was answering instead!

After convincing the hotline that this was not our mistake (which took some time), they found out that some other server in the same subnet somehow (they didn't explain how) "stole" the public IP of our server (or rather "took precedence").

They disconnected the "thief", and for a short period of time we could see our server again. Then, without restart, it happened again! After another hour or so our server was back.

Question: does this make sense (we are simple developers who don't really know)? And is it possible to prevent such a scenario? Or can anyone in a typical hosting environment simply "steal" another IP, provided s/he knows how to do this?

We are developers (meaning: not sysadmins who know what they do), and we use a Windows Virtual Server as a staging server.

Setting up FTP accounts on IIS 7.5, while possible, is not as simple and straightforward as using Filezilla Server (and it has ugly user names), so we'd like to know:

Is there any reason we should not use Filezilla Server instead of the build-in FTP server on a not-so-critical staging server?

Would it be safe enough for a production server as well?

We are using Omnifind on Windows 2008 Server for site search, and after one website has migrated to another server - same domain, another IP (DNS update has been more than 24 hours ago, Omnifind server knows new IP) -, Omnifind keeps searching the old IP, meaning it has cached the name resolution somewhere.

But where?

Omnifind uses Apache Lucene technology, so maybe someone has an idea about that one which might serve as a hint?

Restarting the service or the server doesn't change that behaviour.

Sorry if the question has been answered or is asked in a wrong way - I am developer, no sys- or database admin.

Problem: An SQL Server 2005 Express mdf file (size 370 MB) didn't change it's file date for two month (even after server reboot) while the ldf file has grown to 56 GB.

The database is running on a Windows 2003 Webedition Server.

It is an important customer, I don't want to risk anything (so I haven't tried the option "Shrink" in Management Studio for fear of losing data or a long downtime.

We are trying to set up a new Server and are trying to restore the latest .bak file, but it sticks at "Executing 90%" for some time now.

What can be done? 1. Wait much longer 2. Try to shrink original database will website is running 3. Anything else

Any help is greatly appreciated.

Thanks, Olaf