Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Bill Cole via mailop]

On 28 Aug 2020, at 0:56, Chris via mailop wrote:

I'm sure that some privacy advocate could word that in a sufficiently 
bowel-loosening fashion that brings out the torches and pitchforks.


That's a very unusual storage choice for such things.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Atro Tossavainen via mailop]

> and this also no guarantee for no spam. Recently I got some spam for
> "dates18.com" sent via Casual Networks B.V (on the CSA whitelist) in
> which even the "Imprint"-URLs lead to "Congratulations, you
> confirmed your mailaddress".

Whitelisted senders send plenty of spam.

The requirements also state that the entire operation should apply for
whitelisting, which is also not happening reliably - "organisation is
member of CSA but IP is not on the CSA whitelist" happens every day.

For example, take 13.111.0.0/16. A network of /16 size has 65,536 entries,
more or less. About one third are whitelisted by the CSA in this case.
All are however owned by the same op that is required to apply for
whitelisting everything they send out of, that is to say, Salesforce
Marketing Cloud, the artist formerly known as ExactTarget.

-- 
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Renaud Allard via mailop]

On 8/28/20 9:29 AM, Florian Vierke via mailop wrote:

Hi everybody,

the requirement for having an imprint in advertising mails is not 
limited to T-Online. It’s a legal requirement and also criteria for the 
Certified Senders Alliance (CSA) which is at least relevant in Germany. 
For those not having heard of it – it’s a whitelisting project 
originally from Germany, but going more and more international. In 
Germany pretty much every ISP and ESP are participating and therefore 
sticking to the rules.




If I understand well, this is a whitelist, so mail admins can choose to 
use that whitelist to trust senders, but have no obligation whatsoever 
to _only_ accept senders on that whitelist. And, in the case of 
T-online, they seem to only accept senders on that list, which is a very 
poor idea at best. But, maybe they want to stop their mail business.




smime.p7s
Description: S/MIME Cryptographic Signature
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Hans-Martin Mosner via mailop]

Am 28.08.20 um 10:10 schrieb Bjoern Franke via mailop:
>
> and this also no guarantee for no spam. Recently I got some spam for 
> "dates18.com" sent via Casual Networks B.V (on
> the CSA whitelist) in which even the "Imprint"-URLs lead to "Congratulations, 
> you confirmed your mailaddress". 

The CSA isn't amicably nicknamed "certified spammer's alliance" without a 
reason :-)

Cheers,
Hans-Martin



___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Paul Smith via mailop]

On 27/08/2020 16:53, Tim Bray via mailop wrote:


The same kind of regulations exist in the UK, but everybody forgets 
about them.    You often see business names on websites that don't 
match their legal entity; confusions between sole trader (just a 
person) and a registered company (limited, unlimited or one of the 
other types).


Just to add to the confusion, in the UK a 'sole trader' is NOT 'just a 
person'. A 'sole trader' *legal entity* is 'just a person', but a 'sole 
trader' can perfectly legitimately employ hundreds of people, and still 
be a 'sole trader', and thus not require company registration, and all 
the stuff that goes along with that. (It might be unwise because of the 
unlimited liability, but it's possible - and many 'sole traders' do 
employ 10s of people).


A sole trader or partnership can trade in a different name from the 
owners name(s), but does not need to put anything specific in an email 
footer (a limited company or LLP does). The requirement to do so is part 
of the UK Companies Act 2006, which doesn't apply to sole traders or 
normal partnerships, just as it doesn't apply to non-business emails. 
They do need to put contact details on their website, but do not need to 
put a 'registered address' or anything like that in their emails as 
people from registered companies do.


--
Paul
Paul Smith Computer Services
supp...@pscs.co.uk - 01484 855800


--


Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Bjoern Franke via mailop]

Hi,



the requirement for having an imprint in advertising mails is not 
limited to T-Online. It’s a legal requirement and also criteria for the 
Certified Senders Alliance (CSA) which is at least relevant in Germany. 
For those not having heard of it – it’s a whitelisting project 
originally from Germany, but going more and more international. In 
Germany pretty much every ISP and ESP are participating and therefore 
sticking to the rules.


and this also no guarantee for no spam. Recently I got some spam for 
"dates18.com" sent via Casual Networks B.V (on the CSA whitelist) in 
which even the "Imprint"-URLs lead to "Congratulations, you confirmed 
your mailaddress".


Regards
Bjoern

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Florian Vierke via mailop]

PS: I have to correct myself – T-Online is not (yet?) participating in the CSA, 
but the remaining information is still true 

The list of participants can be checked here: 
https://certified-senders.org/participants/

Sorry for the confusion.

[signature_1395543467]<http://www.mapp.com/>
Florian Vierke | Senior Manager, Deliverability Services
t: +49 89 12009765
e: florian.vie...@mapp.com<mailto:florian.vie...@mapp.com>

Von: mailop  Im Auftrag von Florian Vierke via mailop
Gesendet: Freitag, 28. August 2020 09:29
An: Mailop Mailinglist (mailop@mailop.org) 
Betreff: Re: [mailop] Deutsche Telekom rejects connections because of missing 
"provider identification"

This email has reached Mapp via an external source

Hi everybody,

the requirement for having an imprint in advertising mails is not limited to 
T-Online. It’s a legal requirement and also criteria for the Certified Senders 
Alliance (CSA) which is at least relevant in Germany. For those not having 
heard of it – it’s a whitelisting project originally from Germany, but going 
more and more international. In Germany pretty much every ISP and ESP are 
participating and therefore sticking to the rules.

The rules 
(https://certified-senders.org/wp-content/uploads/2017/07/CSA_Admission_Criteria.pdf)
 explicitly require imprints and (you know Germans  also define how exactly 
this have to look like):

[cid:image003.png@01D67D20.AAF9EE60]

CSA is actively checking if participants follow the rules, otherwise senders 
get excluded from the Whitelist.

And to close the circle – T-Online is members of the CSA as well, so they don’t 
necessarily have to check everything themselves – they can also rely on the CSA 
whitelist.

Cheers,


[signature_1395543467]<http://www.mapp.com/>
Florian Vierke | Senior Manager, Deliverability Services
t: +49 89 12009765
e: florian.vie...@mapp.com<mailto:florian.vie...@mapp.com>

Von: mailop mailto:mailop-boun...@mailop.org>> Im 
Auftrag von Hans-Martin Mosner via mailop
Gesendet: Freitag, 28. August 2020 08:51
An: mailop@mailop.org<mailto:mailop@mailop.org>
Betreff: Re: [mailop] Deutsche Telekom rejects connections because of missing 
"provider identification"

This email has reached Mapp via an external source

Am 26.08.20 um 19:36 schrieb flo via mailop:

Hi there



Have any of you had any bad experiences with Deutsche Telekom lately?

They put one of my servers on their blacklist after an IP change with

the reason that I have to provide an imprint on that machine.

Have I missed something? Is this how it is done now?

Without wanting to defend DT and the details of their policy, I do see 
understandable reasons for this policy, and I'm applying a somewhat similar 
strategy with pretty good success. Note that the presumed goal is to defend 
against spam, not to bother innocent senders, but in border cases that still 
happens (just as it happens with other mechanisms such as SPF etc.)

A significant percentage of spam that still gets through after blocking dynamic 
IP addresses and known spam sending networks comes from

  *   anonymous domains
  *   hacked mail accounts or servers
  *   misconfigured servers (web sites sending replies to mail-addresses 
entered via web forms)

The second and third variant can only be handled on a case-by-case basis, I 
typically inform the admins through spamcop (of course that only works if they 
have a working abuse contact) and block the source because the sad experience 
is that admins of an already badly managed service likely don't react to abuse 
reports either.

The first variant is more or less what you have. With the (IMHO stupid) 
decision to handle whois data as GDPR protected spammers have pumped up the 
volume of spam sent through domains whose registries hide whois data because 
that allows them to register their domains with fake information (the 
registries and registrars don't check, they happily take the fees and don't 
care otherwise). The net effect is that anonymous domain registration together 
with hosting with a "we don't care" hoster is a pretty good predictor for 
spamminess.

Checking for an imprint is a strategy that works in Germany for many cases due 
to the legal requirement to have an imprint on web sites intended for the 
general public. I don't know how DT checks that, they probably use automated 
tools plus some human augmentation. In any case, this would enable them to 
whitelist a good percentage of domains that would otherwise be considered 
anonymous.

I have to deal with much lower volumes of mail, so I have decided to 
"permanently greylist" domains of this kind and to add exemptions after a short 
manual check whether the domain can be assumed to be legit. In addition, all of 
our rejection messages contain a link to a web page where we can be contacted 
in case of an erroneous block (false positives happen with every spam blocking 
policy). I do not put any demands 

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Florian Vierke via mailop]

Hi everybody,

the requirement for having an imprint in advertising mails is not limited to 
T-Online. It’s a legal requirement and also criteria for the Certified Senders 
Alliance (CSA) which is at least relevant in Germany. For those not having 
heard of it – it’s a whitelisting project originally from Germany, but going 
more and more international. In Germany pretty much every ISP and ESP are 
participating and therefore sticking to the rules.

The rules 
(https://certified-senders.org/wp-content/uploads/2017/07/CSA_Admission_Criteria.pdf)
 explicitly require imprints and (you know Germans  also define how exactly 
this have to look like):

[cid:image003.png@01D67D1D.B5F6C3E0]

CSA is actively checking if participants follow the rules, otherwise senders 
get excluded from the Whitelist.

And to close the circle – T-Online is members of the CSA as well, so they don’t 
necessarily have to check everything themselves – they can also rely on the CSA 
whitelist.

Cheers,


[signature_1395543467]<http://www.mapp.com/>
Florian Vierke | Senior Manager, Deliverability Services
t: +49 89 12009765
e: florian.vie...@mapp.com<mailto:florian.vie...@mapp.com>

Von: mailop  Im Auftrag von Hans-Martin Mosner via 
mailop
Gesendet: Freitag, 28. August 2020 08:51
An: mailop@mailop.org
Betreff: Re: [mailop] Deutsche Telekom rejects connections because of missing 
"provider identification"

This email has reached Mapp via an external source

Am 26.08.20 um 19:36 schrieb flo via mailop:

Hi there



Have any of you had any bad experiences with Deutsche Telekom lately?

They put one of my servers on their blacklist after an IP change with

the reason that I have to provide an imprint on that machine.

Have I missed something? Is this how it is done now?

Without wanting to defend DT and the details of their policy, I do see 
understandable reasons for this policy, and I'm applying a somewhat similar 
strategy with pretty good success. Note that the presumed goal is to defend 
against spam, not to bother innocent senders, but in border cases that still 
happens (just as it happens with other mechanisms such as SPF etc.)

A significant percentage of spam that still gets through after blocking dynamic 
IP addresses and known spam sending networks comes from

  *   anonymous domains
  *   hacked mail accounts or servers
  *   misconfigured servers (web sites sending replies to mail-addresses 
entered via web forms)

The second and third variant can only be handled on a case-by-case basis, I 
typically inform the admins through spamcop (of course that only works if they 
have a working abuse contact) and block the source because the sad experience 
is that admins of an already badly managed service likely don't react to abuse 
reports either.

The first variant is more or less what you have. With the (IMHO stupid) 
decision to handle whois data as GDPR protected spammers have pumped up the 
volume of spam sent through domains whose registries hide whois data because 
that allows them to register their domains with fake information (the 
registries and registrars don't check, they happily take the fees and don't 
care otherwise). The net effect is that anonymous domain registration together 
with hosting with a "we don't care" hoster is a pretty good predictor for 
spamminess.

Checking for an imprint is a strategy that works in Germany for many cases due 
to the legal requirement to have an imprint on web sites intended for the 
general public. I don't know how DT checks that, they probably use automated 
tools plus some human augmentation. In any case, this would enable them to 
whitelist a good percentage of domains that would otherwise be considered 
anonymous.

I have to deal with much lower volumes of mail, so I have decided to 
"permanently greylist" domains of this kind and to add exemptions after a short 
manual check whether the domain can be assumed to be legit. In addition, all of 
our rejection messages contain a link to a web page where we can be contacted 
in case of an erroneous block (false positives happen with every spam blocking 
policy). I do not put any demands on blocked senders except to contact us, so 
the simple act of using the web form is enough to be unblocked. Of course, a 
sufficiently motivated spammer might try that as well, might get a free pass 
for a day, and be added to the "never unblock these crooks" list quickly.
Cheers,
Hans-Martin
Mapp Digital Germany GmbH with registered offices at Dachauer, Str. 63, 80335 
München.
Registered with the District Court München HRB 226181
Managing Directors: Frasier, Christopher & Warren, Steve
This e-mail is from Mapp Digital and its international legal entities and may 
contain information that is confidential or proprietary.
If you are not the intended recipient, do not read, copy or distribute the 
e-mail or any attachments. Instead, please notify the sender and delete the 
e-mail and any atta

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Hans-Martin Mosner via mailop]

Am 26.08.20 um 19:36 schrieb flo via mailop:
> Hi there
>
> Have any of you had any bad experiences with Deutsche Telekom lately?
> They put one of my servers on their blacklist after an IP change with
> the reason that I have to provide an imprint on that machine.
> Have I missed something? Is this how it is done now?

Without wanting to defend DT and the details of their policy, I do see 
understandable reasons for this policy, and I'm
applying a somewhat similar strategy with pretty good success. Note that the 
presumed goal is to defend against spam,
not to bother innocent senders, but in border cases that still happens (just as 
it happens with other mechanisms such as
SPF etc.)

A significant percentage of spam that still gets through after blocking dynamic 
IP addresses and known spam sending
networks comes from

  * anonymous domains
  * hacked mail accounts or servers
  * misconfigured servers (web sites sending replies to mail-addresses entered 
via web forms)

The second and third variant can only be handled on a case-by-case basis, I 
typically inform the admins through spamcop
(of course that only works if they have a working abuse contact) and block the 
source because the sad experience is that
admins of an already badly managed service likely don't react to abuse reports 
either.

The first variant is more or less what you have. With the (IMHO stupid) 
decision to handle whois data as GDPR protected
spammers have pumped up the volume of spam sent through domains whose 
registries hide whois data because that allows
them to register their domains with fake information (the registries and 
registrars don't check, they happily take the
fees and don't care otherwise). The net effect is that anonymous domain 
registration together with hosting with a "we
don't care" hoster is a pretty good predictor for spamminess.

Checking for an imprint is a strategy that works in Germany for many cases due 
to the legal requirement to have an
imprint on web sites intended for the general public. I don't know how DT 
checks that, they probably use automated tools
plus some human augmentation. In any case, this would enable them to whitelist 
a good percentage of domains that would
otherwise be considered anonymous.

I have to deal with much lower volumes of mail, so I have decided to 
"permanently greylist" domains of this kind and to
add exemptions after a short manual check whether the domain can be assumed to 
be legit. In addition, all of our
rejection messages contain a link to a web page where we can be contacted in 
case of an erroneous block (false positives
happen with every spam blocking policy). I do not put any demands on blocked 
senders except to contact us, so the simple
act of using the web form is enough to be unblocked. Of course, a sufficiently 
motivated spammer might try that as well,
might get a free pass for a day, and be added to the "never unblock these 
crooks" list quickly.

Cheers,
Hans-Martin
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Chris via mailop]

On 2020-08-26 13:36, flo via mailop wrote:

Hi there

Have any of you had any bad experiences with Deutsche Telekom lately?
They put one of my servers on their blacklist after an IP change with
the reason that I have to provide an imprint on that machine.
Have I missed something? Is this how it is done now?
I have been running mail servers for years, both professionally and in
my private life, never had problems of this kind before.
I prefer not to put my private address unprotected on the internet.


You could make nasty remarks about them forcing you to 
self-violate GDPR just to email to their customers.


I'm sure that some privacy advocate could word that in a sufficiently 
bowel-loosening fashion that brings out the torches and pitchforks.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Graeme Fowler via mailop]

On 27 Aug 2020, at 16:53, Tim Bray via mailop  wrote:
> Why t-mobile want to white list, I don't know.  But you can be sure they 
> don't get random spam from random compromised home broadband or cloud servers.

...until someone registers an IP with them, then $time passes and they 
terminate service or relocate to another provider and that IP address gets 
recycled onto a different, less technically able customer who's just been given 
a free pass into Deutche Telekom's mail system.

Or, nothiswouldneverhappenwouldit, a spammer/scammer sets up a perfectly 
legitimate company with a registered office and everything, gets allowed in, 
and then changes modus operandi. Rinse, repeat.

As many parties have said, the approach taken here simply doesn't scale in so 
many ways.

Graeme
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Tim Bray via mailop]

On 27/08/2020 10:30, G. Miliotis via mailop wrote:
Not everyone is a business with already-public information. I run my 
own server and host some domains on that. What assurances do I have 
that my personal information is protected by T-Mobile / DT after I 
send it to them? Why should I be forced to make this information 
public on a website? What's the point if I can just take it down the 
next day? 


They know your email address. :)

It's a cultural and legal German thing.  It is quite common when doing 
business to want to know exactly who or what kind of company you are 
dealing with.  And everybody has an imprint or impressum section on 
their website


They also have multiple company registries and different types of 
company.   And they like compliance.


The same kind of regulations exist in the UK, but everybody forgets 
about them.    You often see business names on websites that don't match 
their legal entity; confusions between sole trader (just a person) and a 
registered company (limited, unlimited or one of the other types).


uk regs:  https://www.bromley.gov.uk/leaflet/204102/4/675/d

"Companies must disclose the following particulars on their business 
letters, order forms and websites"



Why t-mobile want to white list, I don't know.  But you can be sure they 
don't get random spam from random compromised home broadband or cloud 
servers.



--
Tim Bray
Huddersfield, GB
t...@kooky.org


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Ángel via mailop]

On 2020-08-27 at 12:22 +0200, Jaroslaw Rafa via mailop wrote:
> This is so absurd that it's even hard to find words to describe it.
> 
> And it should be - in my opinion - a reason for everyone to block all
> e-mails FROM t-online.de in return.
> Maybe such an Internet-wide block will force them to change their
> absurd policy.

Just block them with the message: "Wrong address or misconfigured
system. Your sender address is unable to receive mail."


 From your point of view, it's exactly what's happening. And for the
poor t-online client, it doesn't make sense that he's not able to send
an email to someone just because t-online doesn't know the company
address of their recipient (not that it should be their business,
either).

Regards

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Paul Smith via mailop]

On 27/08/2020 12:39, Jaroslaw Rafa via mailop wrote:

It's rather strange that you are comparing this to SPF.
1) SPF has no "default deny" policy; if a domain has no SPF record at all,
then mail is (or at least should be) accepted by default.


No, but it's possible for a receiver to have a policy to not accept mail 
from an unknown server that doesn't match the sending domain's SPF 
record (and that such a record has to exist). If you're going to have 
the sending server have to have some form of 'authorisation', then 
requiring SPF would be better than requiring an one-off ad-hoc 
authorisation method.



2) as the original poster mentioned, once you have authorized your server
with them, you can send mail *with any sender domain*. It does not compare
to SPF in any way.


I missed that. I thought they had to say 'this mail server can send from 
this domain'. If the server can send from *any* domain, then it's a 
useless policy, as well as being unscalable.



--
Paul
Paul Smith Computer Services
supp...@pscs.co.uk - 01484 855800


--


Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Jaroslaw Rafa via mailop]

Dnia 27.08.2020 o godz. 12:06:29 Paul Smith via mailop pisze:
> >>So if you got some cloud vm with a new IP address, which never before
> >>sent mail to a @t-online.de address, mails will be rejected.
> >>You need to write their postmasters so it gets added to their
> >>whitelist. And for this process you need to have a small web page with
> >>your personal address listed if your server is run privately.
> >This is so absurd that it's even hard to find words to describe it.
> 
> It's the sort of thing that you'd think maybe someone should make a
> standardised way to authorise servers to send email from a domain.
> Maybe they could call it something fancy like 'Sender Policy
> Framework' or something?..

It's rather strange that you are comparing this to SPF.
1) SPF has no "default deny" policy; if a domain has no SPF record at all,
then mail is (or at least should be) accepted by default.
2) as the original poster mentioned, once you have authorized your server
with them, you can send mail *with any sender domain*. It does not compare
to SPF in any way.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Paul Smith via mailop]

On 27/08/2020 11:22, Jaroslaw Rafa via mailop wrote:



So if you got some cloud vm with a new IP address, which never before
sent mail to a @t-online.de address, mails will be rejected.
You need to write their postmasters so it gets added to their
whitelist. And for this process you need to have a small web page with
your personal address listed if your server is run privately.

This is so absurd that it's even hard to find words to describe it.


It's the sort of thing that you'd think maybe someone should make a 
standardised way to authorise servers to send email from a domain. Maybe 
they could call it something fancy like 'Sender Policy Framework' or 
something?..



--
Paul
Paul Smith Computer Services
supp...@pscs.co.uk - 01484 855800


--


Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53

Sign up for news & updates at http://www.pscs.co.uk/go/subscribe

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Jaroslaw Rafa via mailop]

Dnia 27.08.2020 o godz. 09:21:20 Felix Zielcke via mailop pisze:
> Deutsche Telekom uses a whitelist which IPs can send mails to @t-
> online.de accounts. They block every IP by default.
> 
> So if you got some cloud vm with a new IP address, which never before
> sent mail to a @t-online.de address, mails will be rejected.
> You need to write their postmasters so it gets added to their
> whitelist. And for this process you need to have a small web page with
> your personal address listed if your server is run privately.

This is so absurd that it's even hard to find words to describe it.

And it should be - in my opinion - a reason for everyone to block all
e-mails FROM t-online.de in return.
Maybe such an Internet-wide block will force them to change their absurd
policy.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[G. Miliotis via mailop]

On 26/8/2020 20:36, flo via mailop wrote:

I prefer not to put my private address unprotected on the internet.


Well duh.

Not everyone is a business with already-public information. I run my own 
server and host some domains on that. What assurances do I have that my 
personal information is protected by T-Mobile / DT after I send it to 
them? Why should I be forced to make this information public on a 
website? What's the point if I can just take it down the next day?


When I had a whois record for my IP range with information and it was 
public, I was not happy but at least it made some sense. Now that WHOIS 
is considered a privacy leak, DT's scheme makes even less sense.


My guess is they're just throwing cheap labor at a problem instead of 
actually thinking it through. I guess an army of interns is better on 
the finances than actual spam fighting experts and scalable infrastructure.


Also, this is another walled garden and I can't believe their business 
customers (if the same method is used on them) would stay with them long.


--GM


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Johann Klasek via mailop]

On Thu, Aug 27, 2020 at 09:21:20AM +0200, Felix Zielcke via mailop wrote:
[..]
> Deutsche Telekom uses a whitelist which IPs can send mails to @t-
> online.de accounts. They block every IP by default.
> 
> So if you got some cloud vm with a new IP address, which never before
> sent mail to a @t-online.de address, mails will be rejected.
> You need to write their postmasters so it gets added to their
> whitelist. And for this process you need to have a small web page with
> your personal address listed if your server is run privately.

Awesome, how many personell do they engage with this process? Will such a
scheme ever scale? This looks like a method out of dispair...

Thinking of if every other recipient around the internet is going to
force sender to register this way... every postmaster group would drown
by such a task.

Johann


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Jörg Backschues via mailop]

Am 27.08.2020 um 08:37 schrieb Tom Ivar Helbekkmo via mailop:


T-Online (or Deutsche Telekom) require that somewhere on your domain is
your address visible. Even if you don't have a web page at all. And
just use the domain for sending mails.


If only there were some standardized mechanism for this information...
Someone should make one, I think.  We could call it "whois".  :)


My experience with Deutsche Telekom: I've created a web page like 
 with detailed information about the 
mail service. That has always been accepted in the past by T-Online.


--
Regards
Jörg

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Felix Zielcke via mailop]

Am Donnerstag, den 27.08.2020, 09:21 +0200 schrieb Felix Zielcke via
mailop:
> Am Donnerstag, den 27.08.2020, 09:02 +0200 schrieb Renaud Allard via
> mailop:
> > Does this mean that if you send a mail for "u...@domain.com" from
> > the 
> > server "mail.example.com" with a correct FCrDNS, it will be denied 
> > because domains don't match?
> > If yes, this is the most stupid idea ever, as this cannot work for 
> > shared mail hosting. Or maybe they have done exceptions for things
> > like 
> > o365 or gmail servers.
> 
> No.
> Deutsche Telekom uses a whitelist which IPs can send mails to @t-
> online.de accounts. They block every IP by default.
> 
> So if you got some cloud vm with a new IP address, which never before
> sent mail to a @t-online.de address, mails will be rejected.
> You need to write their postmasters so it gets added to their
> whitelist. And for this process you need to have a small web page
> with
> your personal address listed if your server is run privately.
> 
> 

To make it a bit more clear:

The domain of the PTR of your MTA sending IP counts.
Not the one in the From Header of your emails.
If you got once your sending IP whitelisted, it doestn't matter how
many domains you run on it. And if they have a web page or not.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Felix Zielcke via mailop]

Am Donnerstag, den 27.08.2020, 09:02 +0200 schrieb Renaud Allard via
mailop:
> 
> On 8/27/20 8:24 AM, Felix Zielcke via mailop wrote:
> > Am Mittwoch, den 26.08.2020, 21:06 +0200 schrieb ml+mailop--- via
> > mailop:
> > > > But it was enough to have the imprint visible for them just for
> > > > the
> > > 
> > > Sorry for a stupid question: What is "the imprint"?
> > > Does that mean you have to operate a web server with an
> > > "Impressum"
> > > (I guess that's the German word?) if you want to send mail?
> > > 
> > 
> > Yes I mean the german word "Impressum"
> > 
> > T-Online (or Deutsche Telekom) require that somewhere on your
> > domain is
> > your address visible. Even if you don't have a web page at all. And
> > just use the domain for sending mails.
> > 
> > 
> 
> Does this mean that if you send a mail for "u...@domain.com" from
> the 
> server "mail.example.com" with a correct FCrDNS, it will be denied 
> because domains don't match?
> If yes, this is the most stupid idea ever, as this cannot work for 
> shared mail hosting. Or maybe they have done exceptions for things
> like 
> o365 or gmail servers.

No.
Deutsche Telekom uses a whitelist which IPs can send mails to @t-
online.de accounts. They block every IP by default.

So if you got some cloud vm with a new IP address, which never before
sent mail to a @t-online.de address, mails will be rejected.
You need to write their postmasters so it gets added to their
whitelist. And for this process you need to have a small web page with
your personal address listed if your server is run privately.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Renaud Allard via mailop]

On 8/27/20 8:24 AM, Felix Zielcke via mailop wrote:

Am Mittwoch, den 26.08.2020, 21:06 +0200 schrieb ml+mailop--- via
mailop:

But it was enough to have the imprint visible for them just for the


Sorry for a stupid question: What is "the imprint"?
Does that mean you have to operate a web server with an "Impressum"
(I guess that's the German word?) if you want to send mail?



Yes I mean the german word "Impressum"

T-Online (or Deutsche Telekom) require that somewhere on your domain is
your address visible. Even if you don't have a web page at all. And
just use the domain for sending mails.




Does this mean that if you send a mail for "u...@domain.com" from the 
server "mail.example.com" with a correct FCrDNS, it will be denied 
because domains don't match?
If yes, this is the most stupid idea ever, as this cannot work for 
shared mail hosting. Or maybe they have done exceptions for things like 
o365 or gmail servers.




smime.p7s
Description: S/MIME Cryptographic Signature
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Tom Ivar Helbekkmo via mailop]

Felix Zielcke via mailop  writes:

> T-Online (or Deutsche Telekom) require that somewhere on your domain is
> your address visible. Even if you don't have a web page at all. And
> just use the domain for sending mails.

If only there were some standardized mechanism for this information...
Someone should make one, I think.  We could call it "whois".  :)

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Felix Zielcke via mailop]

Am Mittwoch, den 26.08.2020, 21:06 +0200 schrieb ml+mailop--- via
mailop:
> > But it was enough to have the imprint visible for them just for the
> 
> Sorry for a stupid question: What is "the imprint"?
> Does that mean you have to operate a web server with an "Impressum"
> (I guess that's the German word?) if you want to send mail?
> 

Yes I mean the german word "Impressum"

T-Online (or Deutsche Telekom) require that somewhere on your domain is
your address visible. Even if you don't have a web page at all. And
just use the domain for sending mails.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Chris via mailop]

On 2020-08-26 15:50, ml+mailop--- via mailop wrote:

On Wed, Aug 26, 2020, Michael Peddemors via mailop wrote:


There SHOULD be a URL associated with the domain ('mydomain.com') in the PTR..


Ah, the stuff you suggested on ietf-smtp and which got "rejected" by
pretty one every one who replied?


Having a standards group reject it isn't the same thing as best 
practices, and having a web site associated with your domain is 
considered "best" in many (at least informal) BCPs.


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[ml+mailop--- via mailop]

On Wed, Aug 26, 2020, Michael Peddemors via mailop wrote:

> There SHOULD be a URL associated with the domain ('mydomain.com') in the PTR..

Ah, the stuff you suggested on ietf-smtp and which got "rejected" by
pretty one every one who replied?

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Jaroslaw Rafa via mailop]

Dnia 26.08.2020 o godz. 12:29:38 Michael Peddemors via mailop pisze:
> There SHOULD be a URL associated with the domain ('mydomain.com') in
> the PTR.. And that URL should reflect the organization that is
> responsible for activity related to that domain..

No, it is a nonsense requirement.
Mail is mail, web is web. Two COMPLETELY DIFFERENT SERVICES.
Period.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Michael Peddemors via mailop]

More and more companies are requiring transparency.

mail.mydomain.com

There SHOULD be a URL associated with the domain ('mydomain.com') in the 
PTR.. And that URL should reflect the organization that is responsible 
for activity related to that domain.. I will have to dig up that M3AAWG 
Nest Practices document, but it is also enshrined in many Anti-Spam 
legislation recommendations as well..


I remember years back when involved in the Canadian task force, that was 
also a recommendation..


On 2020-08-26 12:06 p.m., ml+mailop--- via mailop wrote:

But it was enough to have the imprint visible for them just for the


Sorry for a stupid question: What is "the imprint"?
Does that mean you have to operate a web server with an "Impressum"
(I guess that's the German word?) if you want to send mail?

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[ml+mailop--- via mailop]

> But it was enough to have the imprint visible for them just for the

Sorry for a stupid question: What is "the imprint"?
Does that mean you have to operate a web server with an "Impressum"
(I guess that's the German word?) if you want to send mail?

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] Deutsche Telekom rejects connections because of missing "provider identification"

[Felix Zielcke via mailop]

Am Mittwoch, den 26.08.2020, 19:36 +0200 schrieb flo via mailop:
> Hi there
> 
> Have any of you had any bad experiences with Deutsche Telekom lately?
> They put one of my servers on their blacklist after an IP change with
> the reason that I have to provide an imprint on that machine.
> Have I missed something? Is this how it is done now?
> I have been running mail servers for years, both professionally and
> in
> my private life, never had problems of this kind before.
> I prefer not to put my private address unprotected on the internet.
> 
> Flo
> 

Hi Flo,

that's how it works now, if you want to send mails to them. I had that
problem too, when my server IP changed.
But it was enough to have the imprint visible for them just for the
short time until they approved it. And then I directly removed it
again.

Felix


___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop