Re: [Declude.JunkMail] Fw: Deciphering Comcast reply on weird DNS stuff
Just for your amusement, here is my latest exchange with Comcast (read the Comcast email first, then my response).

**

Dear Mr. Jones,

It does not surprise me that you refuse to provide any further help. Your previous emails displayed a dismissive and confrontational attitude with a lack of any real interest in finding an answer. Your responses included technical errors, contradictory statements, and failed to address some of my key questions. As near as I can tell, you are claiming that Comcast cannot be responsible by simple proclamation. Unfortunately, the evidence continues to indicate that Comcast is in some way responsible. The volume of erroneous emails has decreased, so perhaps this was a temporary result of your recent change in DNS systems that is slowly improving – one can only hope.

In the meanwhile, I would like a referral to someone else at Comcast who has both technical knowledge and some skill at customer relations. Perhaps you or one of the others CC’d on this email can provide that referral.

Sincerely,
Ben

From: Jones, Spencer
Sent: Wednesday, November 28, 2012 8:10 AM

As I stated before, good luck. I can help you no more.

Spencer Jones
Engineer II
Enterprise Technical Support
7150 S. Fulton St, Centennial, CO 80112

-Original Message-
From: Sanford Whiteman
Sent: Tuesday, November 27, 2012 6:09 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Fw: Deciphering Comcast reply on weird DNS stuff

> Actually, you did catch something. The section that starts with
> "Authority". In his email he says "Answer ns0.xname.org" which I
> take to mean that he is getting that authoritative response from
> nso0.xname.org and not ns1.xname.org as you assume below.

It means "ns0.xname.org" is part of the answer(s) to the question he asked, i.e. the A record for ns0.xname.org. Doesn't mean that is/is not the server queried.

-- S.

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Fw: Deciphering Comcast reply on weird DNS stuff
I should add that the number of erroneous emails sent to the old mail server has decreased. From Thursday through Saturday it went down to zero and I was hoping the problem had gone away. Then it started up again on Sunday, but at lower volume than before. Interestingly, most of the emails now received at the old server are spam. In the last three days, I've only received one email personally that was real mail and that went to the old server. By comparison, a week ago I had to check my account on the old server every hour.

Ben
[Declude.JunkMail] Joe Jobs
Hi All,

This isn't specifically a Declude question but I thought I'd ask anyway as it's still of interest to the group, I think.

I have one domain that is being referenced in a Joe Job. Essentially, a spammer sends out thousands of emails using various compromised computers. In the "FROM" field, they put randomaddr...@mydomain.com. My server gets all the backscatter email from the victims' servers. This has been going on for better than 6 months.

My server can handle the volume. The real problem is my customer gets nasty emails from people who think they spammed them and they don't realize it had nothing to do with our server or my customer.

I've not been able to figure out a way to stop the spammers from using my domain in their FROM addresses. Essentially, I was trying to figure out if through SPF records or other means I could do something that would make referencing my domain ineffective for them. That didn't seem to help. Also, since they don't send through my server, there is little I can do.

Have any of you had to deal with this situation? Any clever ideas?

Thanks,
Dave
Re: [Declude.JunkMail] Joe Jobs
Hi Dave,

A firm SPF policy generally does help, but it depends on the receiving servers implementing SPF in order to block messages that violate your SPF policy. Aside from that and filtering that blocks any original included message content, there's nothing I know of that can stop bounces and responses that come from clean systems, unless you want to start writing filters specific to this customer that detect typical bounce messages.

Darin.
Re: [Declude.JunkMail] Fw: Deciphering Comcast reply on weird DNS stuff
> I should add that the number of erroneous emails sent to the old mail server
> has decreased. From Thursday through Saturday it went down to zero and I
> was hoping the problem had gone away. Then it started up again on Sunday,
> but at lower volume than before. Interestingly, most of the emails now
> received at the old server are spam. In the last three days, I've only
> received one email personally that was real mail and that went to the old
> server. By comparison, a week ago I had to check my account on the old
> server every hour.

B/c we don't know if you accidentally had very long TTL on that bad nameserver (since the RR no longer exists at any of your authorities and we can't "wayback" it), it could be that that was the underlying problem.

Nevertheless, the bizarre thinking of the Comcast person did not help matters.

-- S.

Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of Cypress Integrated Systems, Inc.
e-mail: sa...@cypressintegrated.com

SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
Re: [Declude.JunkMail] Fw: Deciphering Comcast reply on weird DNS stuff
Ben,

Thanks for running your questions by me. Feel free to forward this message to your Comcast rep. Even if he is unwilling to help you further, there is information below that will help him be more accurate in future cases, since he currently lacks sufficient understanding of DNS.

Mr. Jones is seemingly unaware of the difference between a delegated subdomain and a hostname. This gap in understanding does call the other conclusions into question, and I would not consider his to be an expert-level response.

NOTE: I don't know if Comcast is or is not ultimately at fault for your mail delivery problems, but I would advise you to look for more expert testimony.

It's perfectly normal for a hostname to be both the label and the value of an MX record (i.e. to "be its own MX"). In fact, the RFC-specified behavior of SMTP is to connect to the hostname to deliver mail to user@hostname in the absence of an MX record. All you are doing by adding IN MX is specifying that which would already be assumed (and also taking advantage of the MX algorithm).

So normal is this configuration that I was able to quickly dig these examples from large, reputable domains:

mail.beta.army.mil IN MX 10 mail.beta.army.mil
ajax1.rutgers.edu IN MX 10 ajax1.rutgers.edu
web.mail.vt.edu IN MX 0 web.mail.vt.edu
webmail.uic.edu IN MX 0 webmail.uic.edu
mail.messaging.microsoft.com IN MX 10 mail.messaging.microsoft.com
webmail.villanova.edu IN MX 0 webmail.villanova.edu
smtp01in.umuc.edu IN MX 0 smtp01in.umuc.edu
mta4.wiscmail.wisc.edu IN MX 0 mta4.wiscmail.wisc.edu
mail.dotster.com IN MX 0 mail.dotster.com

Good luck with your continued troubleshooting!

-- Sandy
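An added illustration of the MX behaviour described in the message above (not part of the original thread): the target-selection step of RFC 5321 section 5.1, showing that a host that is "its own MX" resolves to the same delivery target as a host with no MX at all. Two records are taken from the list above; `nomx.example.org` and the function names are constructed for this example.

```python
import random

# Two of the records quoted in the message above.
ZONE_LINES = """
mail.dotster.com IN MX 0 mail.dotster.com
ajax1.rutgers.edu IN MX 10 ajax1.rutgers.edu
"""


def parse_mx(lines):
    """Parse 'owner IN MX preference target' lines into {owner: [(pref, target)]}."""
    table = {}
    for line in lines.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        if fields[1].upper() != "IN" or fields[2].upper() != "MX":
            continue
        owner = fields[0].lower().rstrip(".")
        target = fields[4].lower().rstrip(".")
        table.setdefault(owner, []).append((int(fields[3]), target))
    return table


def delivery_targets(domain, mx_table, rng=random):
    """Ordered hosts an SMTP client tries for user@domain (RFC 5321, 5.1)."""
    domain = domain.lower().rstrip(".")
    records = mx_table.get(domain)
    if not records:
        # No MX: treated as one implicit MX, preference 0, pointing at
        # the domain itself.
        return [domain]
    by_pref = {}
    for pref, target in records:
        by_pref.setdefault(pref, []).append(target)
    ordered = []
    for pref in sorted(by_pref):  # lowest preference value is tried first
        group = by_pref[pref]
        rng.shuffle(group)        # equal preference: order is randomized
        ordered.extend(group)
    return ordered
```

Calling `delivery_targets("mail.dotster.com", parse_mx(ZONE_LINES))` and `delivery_targets("nomx.example.org", parse_mx(ZONE_LINES))` each return a single-element list containing the queried name, which is the equivalence the message describes.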