[Declude.Virus] Covad has a problem with our RBL

2005-03-31 Thread Kevin Rogers
I received the following email today from Covad - our access provider.  
It looks like they have a problem with Declude checking inbound emails 
against a realtime blackhole list.  (The problem could also be several 
emails we've received lately with hundreds of recipients, many of which 
were invalid - so it could be the NDR problem mentioned). 

Does anyone know if Declude, set up normally without much modification, 
is using more than 1 RBL, or, irregardless of how many it uses, would it 
be checking the RBL 12000 times an hour for a mail server that delivers 
about 6000 messages a day?  Or do you think this most likely has to do 
with the too-many-invalid-recipients problem?

Thanks.  Kevin
MESSAGE FOLLOWS
---
Dear Covad Customer,
Our records indicate that your computer has made 12497 requests during 
the hour we monitored it which accounted for 5.13% of the total traffic 
to the Covad nameservers in your region. The high volume of requests 
made by your computer to our nameservers causes a degradation of service 
for other Covad customers.

The IP address implicated is:
XX.XXX.XXX.XXX
Possible causes for this excessive activity include, but are not limited to, 
the following reasons:

- Virus-infected computer(s) sending infected emails, which causes Covad 
servers to receive MX queries for every infected message.
- Computer hosting an open proxy or relay that is being abused by a 
spammer.  Each outbound email will generate a DNS request.
- Mail server configured to check every inbound email on a realtime 
blackhole list (RBL).  This could pose a problem if there are more 
than two lists being queried.
- Mail server configured to send a non-delivery receipt (NDR) for every 
email received at an invalid email address.  NDR messages cause Covad 
servers to receive DNS requests as well as generate unnecessary traffic 
on a customer's network.  NDR messages are also a way for spammers to 
confirm valid email addresses, which could cause mail servers to receive 
even more spammed emails.

---
[This E-mail was scanned for viruses.]
---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.Virus] Covad has a problem with our RBL

2005-03-31 Thread Kevin Rogers
Correction:  We're not connecting to the RBL 12000 times an hour - we're 
connecting to Covad's nameservers 12000 times an hour.



Re: [Declude.Virus] Covad has a problem with our RBL

2005-03-31 Thread Darin Cox
There could be many RBL's in your config (we have about 100 in ours...which
we probably need to prune since many don't add any real value), each of
which would require a DNS hit for each message.

Best just to set up your own DNS server and be done with it.

Darin.




RE: [Declude.Virus] Covad has a problem with our RBL

2005-03-31 Thread Colbeck, Andrew
Kevin, you're probably using your ISP's DNS servers to do the RBL
lookups for you.  Either your operating system is configured with
Covad's DNS servers, or you have your own DNS server configured to do
DNS forwarding.

What you want to do is run your own DNS server, and NOT have it
configured for DNS forwarding.  In this way, you won't abuse Covad's
name servers.

Andrew 8)




Re: [Declude.Virus] Covad has a problem with our RBL

2005-03-31 Thread Matt
Kevin,
This is normal.  Many providers don't appreciate their DNS servers being 
used for RBL lookups.

What you need to do is set up a DNS server on your IMail server and 
point IMail to query that server instead of the one operated by Covad.  
The performance of your machine will also likely improve.  If you are 
hosted on a Windows Server box, the DNS service just simply needs to be 
added in Add/Remove Windows Components and then configured to listen on 
an IP address bound to that box (can be the same as other things like 
IMail if you wish).  It will work as a DNS caching server without 
additional configuration, and it will not use Covad's server for lookups 
unless you configure it to forward requests to their server (which you 
don't want to do).

Setting up a DNS server is really your only legitimate option here.
Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.Virus] Covad has a problem with our RBL

2005-03-31 Thread Colbeck, Andrew
... and, Kevin, you should get back to Covad and tell them that you will
remediate the problem.  This will let them know that you play nice, and
stop them from taking actions against your traffic!

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Thursday, March 31, 2005 2:19 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Covad has a problem with our RBL


Yes, it's very possible. 

10 RBLS x 1200 emails in an hour is easily 12K hits. 

The 10 RBLS is also conservative.  I am sure they will end up doing what
ATT does and just blackhole queries to certain RBL's.  I would look at 
setting up a local DNS server. 

Darrell 

Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration,
MRTG Integration, and Log Parsers. 




RE: [Declude.Virus] Covad has a problem with our RBL

2005-03-31 Thread Andy Schmidt
Hi:

 I am sure they will end up doing what ATT does and just blackhole
queries to certain RBL's. 

And rightfully so - ISPs are offering domain name resolution service to
their customers.  However, RBLs don't really qualify as domain name
resolution, even though they use the public DNS to store and propagate the
information.

As you say - it's absolutely necessary (and proper) to run your own DNS to
avoid trouble with upstream providers.


Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 
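
Added example, not part of any message in this thread: a Python script that sorts resolver query-log lines into RBL lookups, MX lookups and everything else, which is the split the original question (RBL checks versus NDR traffic) turns on, and that reproduces the "lists x messages" arithmetic quoted above. The log format ("QTYPE name"), the zone names and the addresses are constructed for illustration, and one lookup per list per message is an assumption taken from the replies.

```python
import re
from collections import Counter

# Placeholder zones (assumption): the thread never names the RBLs in use.
ZONES = ["rbl-one.example", "rbl-two.example", "rbl-three.example"]

def dnsbl_qname(ip, zone):
    """Name a mail filter queries for an IPv4 RBL check: octets reversed, zone appended."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone

# Four dotted decimal labels followed by a zone. IPv6 RBL names are not handled.
_REVERSED_V4 = re.compile(r"^((?:\d{1,3}\.){4})(.+)$")

def classify(qtype, qname):
    """Return (kind, zone); kind is 'dnsbl', 'mx', 'ptr' or 'other'.

    Heuristic: an A or TXT query whose name starts with four valid octets and
    is not under in-addr.arpa is counted as an RBL lookup against the rest of the name.
    """
    name = qname.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        return "ptr", None
    m = _REVERSED_V4.match(name)
    if m and qtype in ("A", "TXT"):
        if all(int(o) <= 255 for o in m.group(1).rstrip(".").split(".")):
            return "dnsbl", m.group(2)
    if qtype == "MX":
        return "mx", None
    return "other", None

def summarise(lines):
    """Count queries per kind and RBL queries per zone; malformed lines are skipped."""
    kinds, zones = Counter(), Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        kind, zone = classify(parts[0].upper(), parts[1])
        kinds[kind] += 1
        if zone:
            zones[zone] += 1
    return kinds, zones

def dnsbl_share(kinds):
    """Fraction of all counted queries that are RBL lookups."""
    total = sum(kinds.values())
    return kinds["dnsbl"] / total if total else 0.0

def lookups_per_hour(messages_per_hour, lists):
    """Assumes one DNS query per configured list per inbound message."""
    return messages_per_hour * lists

def build_sample_log():
    """Constructed log: 4 inbound messages checked against every zone,
    2 MX lookups (as outbound NDRs would cause), 1 PTR and 1 ordinary lookup."""
    senders = ["192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.9"]
    log = ["A " + dnsbl_qname(ip, z) for ip in senders for z in ZONES]
    log += ["MX bounce-target.example", "MX other-target.example"]
    log += ["PTR 10.2.0.192.in-addr.arpa", "A www.example.org"]
    return log

if __name__ == "__main__":
    kinds, zones = summarise(build_sample_log())
    print("queries by kind:", dict(kinds))
    print("RBL queries by zone:", dict(zones))
    print("RBL share of traffic: %.0f%%" % (100 * dnsbl_share(kinds)))
    print("10 lists x 1200 messages/hour =", lookups_per_hour(1200, 10))
```

Run against a real resolver or packet-capture export, the per-zone counts also show which lists account for the load before any are pruned.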





RE: [Declude.Virus] Covad has a problem with our RBL

2005-03-31 Thread Colbeck, Andrew
You probably want to take this in baby steps.  Let's start with - are
you sure that you're not already running a DNS server on your
mailserver?  Then you can go on with using Add/Remove to add the DNS
server.

To avoid any issue with your mailserver needing DNS records at all, just
change your Declude configuration to use the new DNS server.  In section
6.4 of the Declude.JunkMail manual you will see the DNS command to put
in your global.cfg to use the local DNS service, e.g.

DNS 127.0.0.1

by doing that, only Declude changes.  Your IMail will continue to
perform DNS as it was, which Covad will not complain about, and you
won't accidentally change something delicate.

Andrew 8)

p.s. There is no corresponding setting in your Declude.Virus config
file, but no worry, at worst it will make one DNS query per viral
message detected, if you're using the AUTOFORGE ON feature.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Rogers
Sent: Thursday, March 31, 2005 2:42 PM
To: Declude.Virus@declude.com
Subject: Re: [Declude.Virus] Covad has a problem with our RBL


Thanks for the response guys.  You're talking to a newb, so bear with 
me.  In order to setup my own DNS server on the same box as Imail, I 
need to:

1. Add that service in the Add/Remove Windows components (running W2K 
Server).
2. In Imail's SMTP service area of IAdmin.exe, change the Domain Name 
Server address field to the local IP address of the newly created DNS 
service.

Do I need to change any MX or A records?
Where is this newly created DNS server looking up the DNS records?  
(Dumb question, I know, but hey.)
What are some of the things I need to worry about when doing this? 


