Len Conrad wrote:
> It's obvious from above that verizon does not block outbound port 25
> from their "pool" networks, which are badly infected with spam bots.
> And their "static" nets are not totally clean.
> So while hassling all of us with their weird mail policies, they also
> allow their infected pool subscribers to hassle our MXs
> (subscriber-direct-to-MX abuse).
No doubt about that. We get thousands of Verizon zombies connecting to
us every day. SenderBase.org shows 25,300 zombies active in the last 30
days that start with "pool" and end with verizon.net.
Regarding Sender Address Validation in general. I believe this is
effectively the equivalent of Challenge/Response-lite. I already
receive about 100,000 bounces to bad addresses per day that are
backscatter from systems that accept messages without validating the
recipient or who have broken forwarding. If everyone was to start to
use SAV, could you imagine how many connections my system would be
receiving each day from all the forging and dictionary attacks that go
on? My guess is that this would increase my connection traffic by at
least 10 times. If such a thing isn't appropriate for everyone to use,
why should it be appropriate for anyone at all?
My mail servers are not there for Verizon to block their spam with, nor
anyone else that wants to use SAV.
Yesterday we were connected to 898 times by Verizon to validate
addresses, and 697 of those connections were for addresses that don't
exist. To make matters worse, when they get a 550 for a bad address
using a null sender, they RSET and try again using a named Mail From, so
they actually tried bad addresses 1,394 times in just one day. Who has
a right to pound a server with 1,394 bad addresses a day?
In looking at some newsgroups, I found that in at least November and
December, they were sometimes connecting from IPs that had no reverse
DNS entry. While that doesn't cause us issues, that results in some
rejections of their probes by many gateways. I also found this list of
instructions from their support:
1.) Please ensure that your server is accepting mail from
206.46.252.0/24.
2.) Please ensure that your server accepts a Null Mail From: command
e.g. Mail From:<>.
*3.) Please ensure your mail server responds to the SMTP commands
within 30 seconds.*
4.) Please ensure the from address used is a valid email address
that is accepted by the MX server for that domain.
5.) Please ensure you have a proper MX record.
The RFC suggests that 3 minutes is reasonable, and to go all the way
down to 30 seconds is really pushing it in a world where there is both
tarpitting and many servers with performance issues due to spam.
They are doing RSETs and then using a unique address because of looping
issues. For instance, if you send from a server protected by SAV to
another server protected by SAV, it is possible that your servers will
both demand the other verify their own address. It appears that to get
around this issue, they are using special addresses in addition to the
initial null sender. I'm not sure that everyone has a capability to do
such a thing though.
After all is said and done, and if you fail their SAV, you reach some
sort of limit with them and they blacklist your domain automatically.
Since these posts get archived and are google-able, please allow me to
suggest that people not use Verizon for their E-mail needs whenever
possible because it is likely that their sender verification mechanism
will cause delivery issues, and because they are inappropriately using
the resources of others.
Matt
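As an added illustration (not part of Matt's post or any MTA's code), a small Python tally of the probe pattern he describes, run over constructed log events: null-sender callouts from 206.46.252.0/24, the 550 replies, and the RSET-then-named-sender retries for the same recipient. Event fields and sample values are hypothetical; a real run would parse them out of your MTA's log.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events, one per RCPT TO in the order the server saw them.
# Fields: connection id, client IP, MAIL FROM, RCPT TO, our reply code.
SAMPLE_EVENTS = [
    ("c1", "206.46.252.10", "<>", "alice@example.org", 250),
    ("c2", "206.46.252.11", "<>", "zzq9@example.org", 550),
    # same connection, after RSET: retry with a named sender (hypothetical address)
    ("c2", "206.46.252.11", "<probe-4@verizon.net>", "zzq9@example.org", 550),
    ("c3", "206.46.252.12", "<>", "nobody@example.org", 550),
    ("c3", "206.46.252.12", "<probe-9@verizon.net>", "nobody@example.org", 550),
    ("c4", "198.51.100.7", "<>", "ghost@example.org", 550),  # not from the probe net
]

# The range Verizon's support instructions ask you to accept mail from.
PROBE_NET = ipaddress.ip_network("206.46.252.0/24")


def summarize_callouts(events, probe_net=PROBE_NET):
    """Count verification probes per connection from probe_net.

    Returns the number of connections, connections that hit a bad address,
    total bad-address attempts, and how many of those were retries with a
    named sender after a 550 to the null sender for the same recipient.
    """
    per_conn = defaultdict(list)
    for conn, ip, sender, rcpt, code in events:
        if ipaddress.ip_address(ip) in probe_net:
            per_conn[conn].append((sender, rcpt, code))

    stats = {"connections": len(per_conn), "bad_connections": 0,
             "bad_attempts": 0, "named_retries": 0}
    for attempts in per_conn.values():
        rejected = [(s, r) for s, r, c in attempts if c == 550]
        if not rejected:
            continue
        stats["bad_connections"] += 1
        stats["bad_attempts"] += len(rejected)
        # A retry is a non-null sender probing a recipient already refused to <>.
        null_rejected = {r for s, r in rejected if s == "<>"}
        stats["named_retries"] += sum(
            1 for s, r in rejected if s != "<>" and r in null_rejected)
    return stats


if __name__ == "__main__":
    print(summarize_callouts(SAMPLE_EVENTS))
```

The "bad_attempts" figure is the one that doubles when the probing side retries after RSET, which is the effect the post's 697 vs. 1,394 numbers describe.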