Re: ISPs blocking SMTP connections from dynamic IP address space

2004-06-08 Thread Bill Campbell
On Mon, Jun 07, 2004, Bill Campbell wrote:
>On Mon, Jun 07, 2004, Jay Moore wrote:
>>On Monday 07 June 2004 10:29 am, Bill Moran wrote:
>>
>>> > Just make sure they are truly dynamic ips.  Many people block ips
>>> > identified as "DSL" connections.  Those are not necessarily dynamic ip
>>> > based.
>>
>>The easiest way I've found to learn if your IP address is "listed", and who is 
>>listing it is:
>>
>>http://www.dnsstuff.com/
>
>Telnet to port 25 of any of AOL's MX servers.  You will get an
>immediate rejection notice if they think you're in residential
>DSL space:
>   mailin-01.mx.aol.com
>   mailin-02.mx.aol.com
>   mailin-03.mx.aol.com
>   mailin-04.mx.aol.com

There is an excellent article in The Register on this very topic:
http://www.theregister.co.uk/2004/06/04/trojan_spam_study/

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``It is better to die on your feet than to live on your knees!''
-- Emiliano Zapata.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: ISPs blocking SMTP connections from dynamic IP address space

2004-06-07 Thread Bill Campbell
On Mon, Jun 07, 2004, Jay Moore wrote:
>On Monday 07 June 2004 10:29 am, Bill Moran wrote:
>
>> > Just make sure they are truly dynamic ips.  Many people block ips
>> > identified as "DSL" connections.  Those are not necessarily dynamic ip
>> > based.
>
>The easiest way I've found to learn if your IP address is "listed", and who is 
>listing it is:
>
>http://www.dnsstuff.com/

Telnet to port 25 of any of AOL's MX servers.  You will get an
immediate rejection notice if they think you're in residential
DSL space:
mailin-01.mx.aol.com
mailin-02.mx.aol.com
mailin-03.mx.aol.com
mailin-04.mx.aol.com

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``Rightful liberty is unobstructed action according to our will within
limits drawn around us by the equal rights of others. I do not add 'within
the limits of the law' because law is often but the tyrant's will, and
always so when it violates the rights of the individual.''
-Thomas Jefferson


Re: ISPs blocking SMTP connections from dynamic IP address space

2004-06-07 Thread Jay Moore
On Monday 07 June 2004 10:29 am, Bill Moran wrote:

> > Just make sure they are truly dynamic ips.  Many people block ips
> > identified as "DSL" connections.  Those are not necessarily dynamic ip
> > based.

The easiest way I've found to learn if your IP address is "listed", and who is 
listing it is:

http://www.dnsstuff.com/

Jay


Re: ISPs blocking SMTP connections from dynamic IP address space

2004-06-07 Thread Louis LeBlanc
Wow.  Looks like all my other emails are starting to come through.  I
don't know why, but it seems email slowed down to snail-mail pace this
weekend.  Bill, if you see anything in the headers to my messages that
might seem wrong, and have some idea, I'd be infinitely grateful for
any pointers.

To everyone else, I apologize for the barrage of emails I've sent in
the last few days that is just starting to get to the FreeBSD MX
systems.

Lou

On 06/07/04 01:18 PM, Louis LeBlanc sat at the `puter and typed:
> On 06/07/04 12:36 PM, Bill Moran sat at the `puter and typed:
> > Louis LeBlanc <[EMAIL PROTECTED]> wrote:
> > 
> > > Bill Moran wrote:
> > > 
> > > I think something has changed in this respect lately.  I've sent close 
> > > to a dozen messages to the FreeBSD list since Saturday, and not one has 
> > > gotten through.
> > > 
> > > I'm running sendmail on FreeBSD 4.10, and relaying through Verizon's 
> > > authenticated SMTP system.  The thing is that I am also using Zoneedit 
> > > to convince the world that keyslapper.org is at my current IP, and this 
> > > is reset every time I get a new IP.  This means that when a relay does a 
> > > lookup on the message, it sees it is a DHCP (DSL) address, and the 
> > > message is stopped - by the FreeBSD list server in many cases.
> > 
> > I'm not 100% sure I understand what you're doing, but regardless, I think
> > you're barking up the wrong tree.
> 
> I sincerely hope so.  If that's the case, I can probably fix it from
> home.  My sendmail config (on keyslapper) authenticates to
> outgoing.verizon.net, and sends all mail for keyslapper.org.  Since I
> use mutt and keep an IMAP server on keyslapper, I often send mail from
> work for my keyslapper.org accounts.  That's why you saw the leblanc
> system in the headers.
> 
> > First off, the only DNS info that mx1.freebsd.org checks is the
> > server it's actually talking to.  In the case of this last message,
> > that's mail-relay1.mirrorimage.net:
> > 
> > Received: from mail-relay1.mirrorimage.net (mail-relay1.mirrorimage.net
> > [209.58.140.11])
> > by mx1.FreeBSD.org (Postfix) with ESMTP id 3D90343D1D
> > for <[EMAIL PROTECTED]>;
> > Mon,  7 Jun 2004 16:01:45 + (GMT)
> > (envelope-from [EMAIL PROTECTED])
> > 
> > Now, if you're sending this route, and having trouble getting
> > messages through, then it's a config problem with the
> > mirrorimage.net folks.
> > 
> > However, if you're trying to send directly from this machine:
> > 
> > Received: from keyslapper.org (LEBLANC [10.10.4.59]) by
> > triton.int.mirrorimage.net with SMTP (Microsoft Exchange Internet Mail Service
> > Version 5.5.2653.13)id MJT1GA4V; Mon, 7 Jun 2004 12:01:38 -0400
> 
> Yes, I mailed this from work, but I'm not sure why the headers did
> this.  I'm running postfix on my FreeBSD box there, and I'm still
> using the default.  I should set this up to relay directly through our
> SMTP server.  I honestly don't know why it went to keyslapper.org at
> all (I mostly work with HTTP server stuff, and am woefully short on
> mail protocol understanding).  I sent from leblanc, my FreeBSD machine
> at work, running postfix.
> 
> > Then the problem is not that it thinks that you are a dhcp addy, but
> > that your HELO/EHLO announcement is calling the server "LEBLANC",
> > which isn't even a valid DNS name, and therefore fails the lookup
> > check.
> 
> I don't understand why it's doing this.  Time to read some more docs.
> 
> > > I've even sent mail from Netscape, using the Verizon SMTP relay
> > > directly, and the same thing happens.  Ditto from work.  Just
> > > because leblanc.eng.mirrorimage.net is on a private ip and doesn't
> > > resolve outside doesn't mean it isn't a real legitimate system.
> > > It's pretty annoying.  Since Friday afternoon, all email I've sent
> > > to addresses other than hotmail, my employer, and internally, have
> > > been blocked somewhere.
> > 
> > Sounds like you need to work something out.
> 
> Hopefully your feedback here will be enough to get me in the right
> direction.
> 
> > And the fact that you're on a private IP _does_ mean that you're not
> > a real mail server.  Per RFC-1918, those addresses are NOT part of
> > the Internet, therefore, there's no reason for any mail server to
> > accept that there's a real server there.  The only machine that has
> > to recognize that IP is the NAT gateway that translates that IP into
> > a real one.
> 
> I think I understand this, but it implies that I might have been doing
> things 'right' all along - or at least as close to that as I can
> expect without getting a commercial account.
> 
> > But, then again, from the last email you sent, this isn't your
> > problem.
> 
> Not from that point.  That message was sent from Netscape using our
> SMTP relay rather than the localhost postfix.  This message is being
> sent from my home system (keyslapper.org) which is a DSL system on a
> dynamic IP.  I hope you don't mind I'm copying you (nor

Re: ISPs blocking SMTP connections from dynamic IP address space

2004-06-07 Thread Louis LeBlanc
On 06/07/04 12:36 PM, Bill Moran sat at the `puter and typed:
> Louis LeBlanc <[EMAIL PROTECTED]> wrote:
> 
> > Bill Moran wrote:
> > 
> > I think something has changed in this respect lately.  I've sent close 
> > to a dozen messages to the FreeBSD list since Saturday, and not one has 
> > gotten through.
> > 
> > I'm running sendmail on FreeBSD 4.10, and relaying through Verizon's 
> > authenticated SMTP system.  The thing is that I am also using Zoneedit 
> > to convince the world that keyslapper.org is at my current IP, and this 
> > is reset every time I get a new IP.  This means that when a relay does a 
> > lookup on the message, it sees it is a DHCP (DSL) address, and the 
> > message is stopped - by the FreeBSD list server in many cases.
> 
> I'm not 100% sure I understand what you're doing, but regardless, I think
> you're barking up the wrong tree.

I sincerely hope so.  If that's the case, I can probably fix it from
home.  My sendmail config (on keyslapper) authenticates to
outgoing.verizon.net, and sends all mail for keyslapper.org.  Since I
use mutt and keep an IMAP server on keyslapper, I often send mail from
work for my keyslapper.org accounts.  That's why you saw the leblanc
system in the headers.

> First off, the only DNS info that mx1.freebsd.org checks is the
> server it's actually talking to.  In the case of this last message,
> that's mail-relay1.mirrorimage.net:
> 
> Received: from mail-relay1.mirrorimage.net (mail-relay1.mirrorimage.net
>   [209.58.140.11])
>   by mx1.FreeBSD.org (Postfix) with ESMTP id 3D90343D1D
>   for <[EMAIL PROTECTED]>;
>   Mon,  7 Jun 2004 16:01:45 + (GMT)
>   (envelope-from [EMAIL PROTECTED])
> 
> Now, if you're sending this route, and having trouble getting
> messages through, then it's a config problem with the
> mirrorimage.net folks.
> 
> However, if you're trying to send directly from this machine:
> 
> Received: from keyslapper.org (LEBLANC [10.10.4.59]) by
>   triton.int.mirrorimage.net with SMTP (Microsoft Exchange Internet Mail Service
>   Version 5.5.2653.13)id MJT1GA4V; Mon, 7 Jun 2004 12:01:38 -0400

Yes, I mailed this from work, but I'm not sure why the headers did
this.  I'm running postfix on my FreeBSD box there, and I'm still
using the default.  I should set this up to relay directly through our
SMTP server.  I honestly don't know why it went to keyslapper.org at
all (I mostly work with HTTP server stuff, and am woefully short on
mail protocol understanding).  I sent from leblanc, my FreeBSD machine
at work, running postfix.

> Then the problem is not that it thinks that you are a dhcp addy, but
> that your HELO/EHLO announcement is calling the server "LEBLANC",
> which isn't even a valid DNS name, and therefore fails the lookup
> check.

I don't understand why it's doing this.  Time to read some more docs.

> > I've even sent mail from Netscape, using the Verizon SMTP relay
> > directly, and the same thing happens.  Ditto from work.  Just
> > because leblanc.eng.mirrorimage.net is on a private ip and doesn't
> > resolve outside doesn't mean it isn't a real legitimate system.
> > It's pretty annoying.  Since Friday afternoon, all email I've sent
> > to addresses other than hotmail, my employer, and internally, have
> > been blocked somewhere.
> 
> Sounds like you need to work something out.

Hopefully your feedback here will be enough to get me in the right
direction.

> And the fact that you're on a private IP _does_ mean that you're not
> a real mail server.  Per RFC-1918, those addresses are NOT part of
> the Internet, therefore, there's no reason for any mail server to
> accept that there's a real server there.  The only machine that has
> to recognize that IP is the NAT gateway that translates that IP into
> a real one.

I think I understand this, but it implies that I might have been doing
things 'right' all along - or at least as close to that as I can
expect without getting a commercial account.

> But, then again, from the last email you sent, this isn't your
> problem.

Not from that point.  That message was sent from Netscape using our
SMTP relay rather than the localhost postfix.  This message is being
sent from my home system (keyslapper.org) which is a DSL system on a
dynamic IP.  I hope you don't mind I'm copying you (normally I would
never do this), in case the group doesn't get it.  I'm copying myself
at work as well so I can look at the headers more closely.

It looks like I have 2 mail problems here.  One is at work: my default
postfix config is not appropriate for the way I use it.  The other is
at home.  Not entirely sure *what* the cause is there, but through the
magic of ssh, the flexibility of mutt, and a little luck, this message
might just provide enough info to figure it out.

Thanks for the feedback.

Lou
-- 
Louis LeBlanc   [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org Ô¿Ô¬

QOTD:
  Some people have

Re: ISPs blocking SMTP connections from dynamic IP address space

2004-06-07 Thread Bill Campbell
On Mon, Jun 07, 2004, Lucas Holt wrote:
>
>
>Just make sure they are truly dynamic ips.  Many people block ips identified
>as "DSL" connections.  Those are not necessarily dynamic ip based

Some of the largest ISPs in the country, including AOL, are blocking what
they consider ``residential dsl'' in an attempt to stem the flood of spam
and worms that are propagated through owned Microsoft Windows machines on
broadband connections.  The majority of spam today is sent through
zombified Windows boxes that either are open proxies or have spammer
software installed on them that ``calls home'' to the spammer's servers to
get spam and lists of addresses to deliver.

Several months ago I installed a Linux server at one of our customer sites
running postfix on a QWest dynamic DSL line, and found that AOL was
blocking their SMTP connection with an immediate message saying that they
refused connections from ``residential'' DSL connections, and disconnecting
immediately without presenting an SMTP header.

I redirected all the traffic to AOL through one of our mail servers here
using the postfix ``transport'' mechanism, and had the customer order the
smallest fixed IP block that QWest offered.  As soon as that block was
working, their server could connect to AOL's servers without a problem,
leading me to believe that AOL and QWest are co-operating to distinguish
between the dynamic and fixed IP blocks.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Systems, Inc.
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

Memoirs -- Bill Clinton is getting $12 million for his memoirs, and his
wife Hillary got $8 million for hers.  That's $20 million for memories from
two people who for eight years repeatedly testified  they couldn't remember
anything.


Re: ISPs blocking SMTP connections from dynamic IP address space

2004-06-07 Thread Bill Moran
Louis LeBlanc <[EMAIL PROTECTED]> wrote:

> Bill Moran wrote:
> > "Lucas Holt" <[EMAIL PROTECTED]> wrote:
> > 
> >>Just make sure they are truly dynamic ips.  Many people block ips identified
> >>as "DSL" connections.  Those are not necessarily dynamic ip based.
> > 
> > 
> > It's wonderful that most ISPs haven't figured out how to play nicely with the
> > rest of the world.  I only block when I can verify that it IS a dhcp addy.
> > There are also blocklists that specifically list verified dynamic IPs.
> > 
> > It would be nice if all ISPs could agree on a convention that could be used to
> > identify these machines.  Such as using .dhcp. so it
> > could be easily filtered.
> 
> I think something has changed in this respect lately.  I've sent close 
> to a dozen messages to the FreeBSD list since Saturday, and not one has 
> gotten through.
> 
> I'm running sendmail on FreeBSD 4.10, and relaying through Verizon's 
> authenticated SMTP system.  The thing is that I am also using Zoneedit 
> to convince the world that keyslapper.org is at my current IP, and this 
> is reset every time I get a new IP.  This means that when a relay does a 
> lookup on the message, it sees it is a DHCP (DSL) address, and the 
> message is stopped - by the FreeBSD list server in many cases.

I'm not 100% sure I understand what you're doing, but regardless, I think
you're barking up the wrong tree.

First off, the only DNS info that mx1.freebsd.org checks is the server it's
actually talking to.  In the case of this last message, that's
mail-relay1.mirrorimage.net:

Received: from mail-relay1.mirrorimage.net (mail-relay1.mirrorimage.net
[209.58.140.11])
by mx1.FreeBSD.org (Postfix) with ESMTP id 3D90343D1D
for <[EMAIL PROTECTED]>;
Mon,  7 Jun 2004 16:01:45 + (GMT)
(envelope-from [EMAIL PROTECTED])

Now, if you're sending this route, and having trouble getting messages through,
then it's a config problem with the mirrorimage.net folks.

However, if you're trying to send directly from this machine:

Received: from keyslapper.org (LEBLANC [10.10.4.59]) by
triton.int.mirrorimage.net with SMTP (Microsoft Exchange Internet Mail Service
Version 5.5.2653.13)id MJT1GA4V; Mon, 7 Jun 2004 12:01:38 -0400

Then the problem is not that it thinks that you are a dhcp addy, but that your
HELO/EHLO announcement is calling the server "LEBLANC", which isn't even a 
valid DNS name, and therefore fails the lookup check.

> I've even sent mail from Netscape, using the Verizon SMTP relay 
> directly, and the same thing happens.  Ditto from work.  Just because 
> leblanc.eng.mirrorimage.net is on a private ip and doesn't resolve 
> outside doesn't mean it isn't a real legitimate system.  It's pretty 
> annoying.  Since Friday afternoon, all email I've sent to addresses 
> other than hotmail, my employer, and internally, have been blocked 
> somewhere.

Sounds like you need to work something out.

And the fact that you're on a private IP _does_ mean that you're not a real
mail server.  Per RFC-1918, those addresses are NOT part of the Internet,
therefore, there's no reason for any mail server to accept that there's a real
server there.  The only machine that has to recognize that IP is the NAT gateway
that translates that IP into a real one.

But, then again, from the last email you sent, this isn't your problem.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
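
The two Received: headers discussed in the message above can be checked mechanically. This is an added example, not code from the thread: it parses each hop, reports a peer address inside the RFC 1918 ranges, and reports any name recorded for the sending host that is not a fully qualified DNS name. The function names `parse_hop`, `audit_hop` and `is_fqdn` are assumptions made for this sketch.

```python
import ipaddress
import re

# The two Received: headers quoted in the message above, unfolded to one line
# each and cut after the queue id (date and envelope fields are not needed).
RECEIVED_HEADERS = [
    "from mail-relay1.mirrorimage.net (mail-relay1.mirrorimage.net "
    "[209.58.140.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3D90343D1D",
    "from keyslapper.org (LEBLANC [10.10.4.59]) by "
    "triton.int.mirrorimage.net with SMTP (Microsoft Exchange Internet Mail "
    "Service Version 5.5.2653.13)id MJT1GA4V",
]

# Shape handled here: from <name> (<name> [<peer address>]) by <receiver>
HOP_RE = re.compile(
    r"from\s+(?P<first>\S+)\s+\(\s*(?P<second>[^\s\[\]()]+)?\s*"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\s*\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# The three private blocks set aside by RFC 1918.
RFC1918_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_fqdn(name):
    """True if name is syntactically a multi-label DNS host name."""
    name = name.rstrip(".")
    labels = name.split(".")
    return (
        len(name) <= 253
        and len(labels) >= 2
        and all(LABEL_RE.fullmatch(label) for label in labels)
    )


def parse_hop(header):
    """Return the names, peer address and receiver of one hop, or None."""
    m = HOP_RE.search(header)
    if m is None:
        return None
    names = [m.group("first")]
    if m.group("second"):
        names.append(m.group("second"))
    # Drop a repeated name but keep the order in which they appeared.
    names = list(dict.fromkeys(names))
    return {"names": names, "ip": m.group("ip"), "by": m.group("by")}


def audit_hop(header):
    """List the reasons a receiving MTA could distrust this hop."""
    hop = parse_hop(header)
    if hop is None:
        return ["header does not match the expected from/by shape"]
    findings = []
    try:
        ip = ipaddress.ip_address(hop["ip"])
    except ValueError:
        findings.append("peer address %r is not a valid IP" % hop["ip"])
    else:
        if any(ip in net for net in RFC1918_NETS):
            findings.append("peer address %s is RFC 1918 private space" % ip)
    for name in hop["names"]:
        if not is_fqdn(name):
            findings.append("name %r is not a fully qualified DNS name" % name)
    return findings


if __name__ == "__main__":
    for header in RECEIVED_HEADERS:
        hop = parse_hop(header)
        print(hop["by"], "<-", hop["names"], hop["ip"])
        for finding in audit_hop(header) or ["nothing flagged"]:
            print("   ", finding)
```

The check is purely syntactic and works offline; it does not confirm that a name actually resolves.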


Re: ISPs blocking SMTP connections from dynamic IP address space

2004-06-07 Thread Louis LeBlanc
Bill Moran wrote:
> "Lucas Holt" <[EMAIL PROTECTED]> wrote:
>
>> Just make sure they are truly dynamic ips.  Many people block ips identified
>> as "DSL" connections.  Those are not necessarily dynamic ip based.
>
> It's wonderful that most ISPs haven't figured out how to play nicely with the
> rest of the world.  I only block when I can verify that it IS a dhcp addy.
> There are also blocklists that specifically list verified dynamic IPs.
>
> It would be nice if all ISPs could agree on a convention that could be used to
> identify these machines.  Such as using .dhcp. so it
> could be easily filtered.

I think something has changed in this respect lately.  I've sent close 
to a dozen messages to the FreeBSD list since Saturday, and not one has 
gotten through.

I'm running sendmail on FreeBSD 4.10, and relaying through Verizon's 
authenticated SMTP system.  The thing is that I am also using Zoneedit 
to convince the world that keyslapper.org is at my current IP, and this 
is reset every time I get a new IP.  This means that when a relay does a 
lookup on the message, it sees it is a DHCP (DSL) address, and the 
message is stopped - by the FreeBSD list server in many cases.

I've even sent mail from Netscape, using the Verizon SMTP relay 
directly, and the same thing happens.  Ditto from work.  Just because 
leblanc.eng.mirrorimage.net is on a private ip and doesn't resolve 
outside doesn't mean it isn't a real legitimate system.  It's pretty 
annoying.  Since Friday afternoon, all email I've sent to addresses 
other than hotmail, my employer, and internally, have been blocked 
somewhere.

If this email makes it to the list, it will be the first in awhile.
Lou


Re: ISPs blocking SMTP connections from dynamic IP address space

2004-06-07 Thread Bill Moran
"Lucas Holt" <[EMAIL PROTECTED]> wrote:
> Just make sure they are truly dynamic ips.  Many people block ips identified
> as "DSL" connections.  Those are not necessarily dynamic ip based.

It's wonderful that most ISPs haven't figured out how to play nicely with the
rest of the world.  I only block when I can verify that it IS a dhcp addy.
There are also blocklists that specifically list verified dynamic IPs.

It would be nice if all ISPs could agree on a convention that could be used to
identify these machines.  Such as using .dhcp. so it
could be easily filtered.

> My mail
> server runs on a business package dsl with 5 static ips.  Not everyone can
> afford T1/T3 connections.  As for getting a "real mail server", that would
> involve colo or getting a T1.

Negative.  If you have a static IP and are running a real MTA, you have
a _real_ mail server.  When I refer to servers that are NOT real mail servers,
I mean mail software running on a dhcp IP (thus I can't set a policy for it
based on its behaviour, because it moves around) or software such as mail-bomb
software, spam bots, or malware.

What you should do to get it noticed as such is get a PTR record that matches
your forward DNS name.  Sometimes this can be tough, as consumer-level DSL
providers that provide DSL to businesses as well often don't _really_
understand how this works, or why it's even necessary.

Just persist and it'll get handled.  Complain that you're having trouble sending
mail because their DNS is poorly set up and continue to push and they'll finally
come around.  Every time I've done this, it's been resolved eventually.  Heck,
you might even find that they'll be able to do it easily.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
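
The PTR-matches-forward-name requirement described in the message above is a forward-confirmed reverse DNS check. This is an added example, not code from the thread: `fcrdns` and the two lookup helpers are names assumed for this sketch, and the sample records use constructed documentation addresses so the check can be exercised without a network.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR names for ip from the system resolver; empty list if none."""
    try:
        name, aliases, _addrs = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name] + aliases


def system_forward(name):
    """Addresses that name resolves to; empty list if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (verdict, name) where verdict is pass, mismatch or no-ptr.

    pass:     some PTR name for ip resolves back to ip
    mismatch: a PTR exists but none of its names resolve back to ip
    no-ptr:   the address has no reverse record at all
    """
    addr = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(str(addr))]
    if not names:
        return ("no-ptr", None)
    for name in names:
        forward = set()
        for text in forward_lookup(name):
            try:
                forward.add(ipaddress.ip_address(text))
            except ValueError:
                continue  # e.g. a scoped IPv6 literal; cannot match anyway
        if addr in forward:
            return ("pass", name)
    return ("mismatch", names[0])


# Constructed records (documentation address ranges, example domains).
SAMPLE_PTR = {
    "192.0.2.25": ["mail.example.net."],          # PTR set at the owner's request
    "198.51.100.77": ["host77.dsl.example.com"],  # provider's generic name
    "198.51.100.80": ["mail.example.org"],        # PTR names someone else's host
}
SAMPLE_A = {
    "mail.example.net": ["192.0.2.25"],
    "mail.example.org": ["203.0.113.9"],
}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_forward(name):
    return SAMPLE_A.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.77", "198.51.100.80", "203.0.113.200"):
        print(ip, fcrdns(ip, sample_ptr, sample_forward))
```

Called with only an address, `fcrdns` uses the system resolver, which is how to test a real server's own IP before asking the provider to change the PTR.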


RE: ISPs blocking SMTP connections from dynamic IP address space

2004-06-07 Thread Lucas Holt


Just make sure they are truly dynamic ips.  Many people block ips identified
as "DSL" connections.  Those are not necessarily dynamic ip based.  My mail
server runs on a business package dsl with 5 static ips.  Not everyone can
afford T1/T3 connections.  As for getting a "real mail server", that would
involve colo or getting a T1.  My dsl package is only ~$50 a month.  Much
cheaper than colo and I can get physical access to the box whenever I want.
SBC allocates separate class C's for dedicated customers.  I'm sure it's
possible to distinguish the two.

As for the 550: Spammer message, that is definitely on the other end.  Some
anti-spam add-ons for mail servers automatically reject mail like this.  In
addition, admins often block specific domains or ip addresses manually in
their config files.  I have about 15 ips and domains in my sendmail config
file because of repeat offenders who send spam or viruses.




Re: ISPs blocking SMTP connections from dynamic IP address space

2004-06-07 Thread Andreas Carnaily
On Sun, 6 Jun 2004 14:17:12 +0100, Lenny Thompson 
<[EMAIL PROTECTED]> wrote:

> Hi Nicole
>
> I wonder if you can help me.  I saw your message on the Net regarding
> ISPs Blocking SMTP connections from dynamic IP address space.  I have a
> problem now that didn't exist 6 months ago where my mail gets returned when
> emailing a specific address, the error is 550: SPAMMER and all my
> ISP will say it's the remote end that's blocking.  Is this what you're
> talking about, and if yes how can I check who's doing what?
>
> Thanks
> Lenny

Hello Lenny!

Many mail servers are configured to filter mailers with IP addresses listed in
some DNS-based blacklists.  Because many spammers do their black work from
dynamic IP pools (listed in DSBL, I think), many mail services use this
blacklist.  Try to find your IP there:
http://www.declude.com/JunkMail/Support/ip4r.htm
There you can read about antispam technology.
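
How a DNS-based blacklist lookup of the kind mentioned above works, as an added example that is not part of the original post: the IPv4 octets are reversed, the list's zone is appended, and an A record inside 127.0.0.0/8 means the address is listed. The zone names and sample answers below are constructed placeholders, not real lists, and `check_dnsbls` is a name assumed for this sketch.

```python
import ipaddress
import socket

# Listing answers are returned as addresses inside 127.0.0.0/8.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the name to query: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 addresses only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return reversed_octets + "." + zone.strip(".")


def system_a_lookup(name):
    """A records for name from the system resolver; empty list if none."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def check_dnsbls(ip, zones, a_lookup=system_a_lookup):
    """Query each zone and report listed, not-listed or invalid-answer.

    invalid-answer covers a zone that returns something outside 127.0.0.0/8,
    which is not a listing and should not be treated as one.
    """
    report = {}
    for zone in zones:
        answers = a_lookup(dnsbl_query_name(ip, zone))
        codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
        if codes:
            report[zone] = ("listed", codes)
        elif answers:
            report[zone] = ("invalid-answer", answers)
        else:
            report[zone] = ("not-listed", [])
    return report


# Constructed zone data standing in for live DNS answers.
SAMPLE_ZONES = [
    "dynamic.dnsbl.example",
    "relays.dnsbl.example",
    "parked.dnsbl.example",
]
SAMPLE_ANSWERS = {
    "25.2.0.192.dynamic.dnsbl.example": ["127.0.0.2"],
    "25.2.0.192.parked.dnsbl.example": ["203.0.113.5"],
}


def sample_a_lookup(name):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for zone, result in check_dnsbls(
        "192.0.2.25", SAMPLE_ZONES, sample_a_lookup
    ).items():
        print(zone, result)
```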


Re: ISPs blocking SMTP connections from dynamic IP address space

2004-06-07 Thread Bill Moran
"Lenny Thompson" <[EMAIL PROTECTED]> wrote:

> Hi Nicole
> 
> I wonder if you can help me.  I saw your message on the Net regarding ISPs
> Blocking SMTP connections from dynamic IP address space.  I have a problem now
> that didn't exist 6 months ago where my mail gets returned when emailing a
> specific address, the error is 550: SPAMMER and all my ISP will say it's
> the remote end that's blocking.  Is this what you're talking about, and if yes
> how can I check who's doing what?

No, it's not what they were talking about.  If your ISP were blocking, you
wouldn't get any response whatsoever.  The fact that the attempt is being
rejected with that message means it is, indeed, the remote end.

Send your mail through your ISP's relay.  If you have problems with your ISP's
relay, get a better ISP.

I do this on my mail server, and a lot of other people refuse mail from dynamic
ips ... this is an attempt to stop the _hundreds_ of spams I was getting each
day.  Run a real mail server, use your ISP's relay or accept that people are
going to block you.  Period.  The internet is not a friendly place.  I block
dynamic IPs for the same reason I lock my doors at night, because if I don't
people abuse my kindness.  The fact that it also keeps out friendly people
sometimes is something I don't like, but have to live with.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Kevin Stevens
On Thu, 7 Aug 2003, Roger 'Rocky' Vetterberg wrote:

> It's still not a reason for allowing relay from dynamic addresses.
> All ISPs, or at least all serious ISPs, provide their customer with a
> relaying mailserver. It's a simple task to configure your mailserver to
> use your ISP's smtp as smarthost and relay all outgoing email through
> them. I know, I use this setup myself, since just like you I can't afford
> "real" connections everywhere but have to rely on cheap DSL or cable.

Bullshit.  My ISP's lack of ability to deliver mail reliably is what made
me start my own mail service in the first place.  Nor do I particularly
want to hand them my mail so they can riffle through it at their leisure
rather than having to scan for it on the wire in realtime.

> Today it's far too easy to get your email out on the 'net. Even the "high
> school dropouts" as you call the spammers can buy a cheap DSL
> connection, setup a mailserver and spam like crazy until the ISP gets
> enough complaints to cut them off. When that happens, they get a new
> connection and start all over.
>
> As long as we rely on the old and very outdated SMTP protocol that
> powers the net today, precautions will have to be taken very soon, or
> email will be useless in a few years.

Fine.  Then replace it, or require authentication at receiving points, or
some other solution that directly addresses the problem.  Wholesale
blocking of  types of transport is a crappy solution.  It's unfair, liable
to huge amounts of false positives, and leads directly to the kind of
centralized, locked down Internet that will spell its demise.

KeS


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Lucas Holt
There are valid servers on DSL ips... I occasionally do IT work for a 
small business.  They are running their web, dns, and email from a 
static IP DSL account through SBC.  They bought a business package for 
this purpose.  They do not spam anyone.

You guys need to rethink this thing.  Reverse DNS checks are ok, but ip 
blocking for legitimate servers is silly.  What if I blocked your mail 
servers and you wanted to do business with me?

Most of the spam I see is coming from Asia, not US DSL/Cable users.

As for all those worms, they could be stopped if enough people 
complained to Microsoft.  People just accept that crappy software.. if 
any other vendor were to release it they would be out of business.  I 
don't read email from my Wintel box for just that reason.

On Wednesday, August 6, 2003, at 02:47  PM, Doug Poland wrote:

> On Wed, Aug 06, 2003 at 11:41:56AM -0700, Nicole wrote:
>>  Yes I too have resorted to blocking IPs with no reverse DNS and
>>  it's amazing how many big companies can fall into this.
>>  As to the Dynamic Space, I also block DSL/dynamically assigned IPs
>>  as I fall aware of them. (See Example below) Since some ISPs are
>>  smart enough to identify their dynamically allocated space it makes
>>  it easy.  So far it is extremely rare for someone to be sending
>>  mail directly from these DSL/dynamic spaces that anyone wanted to
>>  receive.
>
> except those of us running FreeBSD SMTP servers from broadband
> connections with valid reverse DNS
>
> --
> Regards,
> Doug


Lucas Holt
[EMAIL PROTECTED]

FoolishGames.com  (Jewel Fan Site)
JustJournal.com (Free blogging)
"Only two things are infinite, the universe and human stupidity, and 
I'm not sure about the former."
- Albert Einstein (1879-1955)



Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread dick hoogendijk
On 08 Aug Mykroft Holmes IV wrote:
> Just because you have a highspeed connection with a stable or static
> IP doesn't mean it's not dynamic. Dynamic simply means assigned by
> DHCP or RADIUS (For dialup and some DSL). If you're in this space you
> should be relaying through your ISP's mailserver. 90% of people in
> this space are precluded from running server daemons by their AUP
> anyways.

A *typical* American way of thinking. Hey guys, you're not gods. The
world is larger than just the US. A lot of ISPs in Holland allow to
run servers on their dynamic space (IF you config them right, that is)

It's just fucking wrong to cut these people off running decent servers,
just because they can't (or are not willing) to afford a T1.

It's an easy statement to say you "should relay through your ISP
mailserver" just because that is true in the States. Again: the world is
larger than that. Don't exclude yourself pretending you control all.
 
> Never read a header? Most of that so called 'Hotmail' or 'AOL' spam
> doesn't come from either, it either comes from overseas or that
> 'Dynamic' space you're defending

Fake hotmail addresses are easily blocked. See what I mean. They come
"from overseas.." Jesus, as if all bad things come from everyplace on
earth except the states.

> If you've got a business connection and a 'Dynamic' IP, complain to
> your ISP. Blocking 'Dynamic' space and thus the multitude of idiots
> with exploited windoze boxes on their cable/DSL connection is quite
> effective, probably more than using spews (Which is notorious for
> blocking non-offenders)

Ever wondered how many of these folks run linux or FreeBSD servers on
this so called 'dynamic space'? You bloat about exploited windows
machines and 'forget' about the rest of us running decent servers.
I don't know many people running a windows mailserver; I DO know quite
some folks running a *BSD (unix/linux) one.

> You don't have as much control as you think, this is just adding one
> extra hop into the usual 2-3 hops that your mail is going to take
> anyways. If you can't live with that, get a T1.

Wrong attitude, dude.

> Get another ISP then.

This one too.

> I suggest you rethink your position.

Wake up, get a life outside the states.

-- 
dick -- http://www.nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.8 ++ Debian GNU/Linux (Woody)
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilya


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Lucas Holt
Why don't people talk about software developers?  Someone is writing 
the software for spammers.  Let's go after them.  Think about it;
spammers have an average education level of high school dropout.  
Mainstream media has done stories about this.

Bottom line, spammers are too stupid to write spamming programs.

Blocking legitimate administrators of domains because they are too poor 
to go with Verio is crap.  Everyone was small once.  By your policy,
ISPs couldn't start.  My former employer, USOL.com, started on a 128k
ISDN line in 1996.  Using DSL now is no different than that.  You 
bigger guys just want money from us.

Any business that wants to run windows servers for example must pay 
double for renting a server or they can pay full colo prices plus buy 
the windows licensing.  Even using freebsd is cheaper on DSL.

For example, I pay 100 bucks a month to rent a FreeBSD server with a 
1.2 gig celeron, 256 mb ram, and a 20 gig hdd.  I get 100 gig of 
transfer a month.  (my server is in California)  To colo a server in
Michigan costs 150 dollars on average for a 128 k package.  A dedicated
DSL package with 384 downstream, 128k upstream with 5 static ips from
SBC costs around 70 dollars a month.  That's why people use DSL to host
sites.  It's slow, but cost effective for small businesses.

On Thursday, August 7, 2003, at 10:00  AM, Doug Poland wrote:

> On Thu, Aug 07, 2003 at 03:27:15PM +0200, Roger 'Rocky' Vetterberg wrote:
> > Doug Poland wrote:
> >
> > > Within the last two months both AOL and Time Warner Road Runner
> > > have implemented port 25 blocks from hosts with IP addresses in the
> > > "dynamic address space".  Time Warner claims other major ISPs
> > > are/will be implementing the same policy.
> > >
> > > A little help here?
> >
> > Sorry, but I can't help you here, I fully agree with AOL and the big
> > guys.  We have to take some serious action against spam,
>
> I hate spam as much as the next guy.  But
>
> > piss a lot of people off, but as they say: you can't make an omelette
> > without breaking some eggs.  I say block the dynamic address space,
>
> This is where I disagree.  What is the "dynamic address space" anyway?
> DSL, dial-up, and cable modem providers IP ranges?  This separates the
> world into the "haves" and "havenots" based on static($$$) vs.
> dynamic IP range.  So the big ISPs get to say,
>
> "We will not accept a connection from a host, on port 25,
> unless the IP originates from an IP range we have decided is
> acceptable."
>
> What happens when the ISPs decide,
>
> "We will not accept a connection from a host unless the MTA is on
> the approved list, i.e., Microsoft Exchange"
>
> > block everything that lacks proper reverse dns
>
> I have proper reverse DNS.  I don't get to connect because of this
> "dynamic IP range" issue.  If one has proper reverse dns, should one
> be blocked because the host IP comes from a "dynamic address space"?
> Why?
>
> --
> Regards,
> Doug


Lucas Holt
[EMAIL PROTECTED]

FoolishGames.com  (Jewel Fan Site)
JustJournal.com (Free blogging)
"Only two things are infinite, the universe and human stupidity, and 
I'm not sure about the former."
- Albert Einstein (1879-1955)



Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Jerry Bell

The problem with running an MTA on a "dynamic IP" is even a little more
difficult than just dealing with the dnsbls.  A while back on the exim users
list:
http://www.exim.org/pipermail/exim-users/Week-of-Mon-20030623/055733.html
and
http://www.exim.org/pipermail/exim-users/Week-of-Mon-20030630/055875.html
was a discussion about how technically, the HELO address, forward dns and
reverse dns should all match according to the smtp rfc.  I'm not advocating
one way or the other, but it brings up a good point - that the best way to
run an MTA on a dsl or cable line is to either reflect off your ISP's mail
server (unpopular as per the discussion so far) or to reflect off of some
other 'legitimate' mail server, which is what I do.  I'm fortunate enough to
have a box on a colo network, so I'm able to control the server that my mail
gets reflected off of, but I don't think that's the case for many people.
What may be an option is to look for some form of ISP who provides that
service and gives some control and visibility into the email flow.  I'm not
sure that that exists, but it can't be an expensive service to run (I see a
business opportunity :)

I think it really stinks that it has come to the point that people &
companies have to take such steps to block "dynamic IP's", but I can see
both sides of the argument.

Jerry



RE: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Vince Hoffman
Either 
1) ask your isp to set it up as they probably control reverse dns for your
IP-address block (all they will need is IP and fully qualified hostname) (a
whois on your IP will probably tell you who controls it or which database to
look in to find out.)
or 
2) If you have been delegated control of reverse dns for your IP range, set
up the relevant PTR records, if you're running a DNS server and have this then
you probably know how to do this already.

Ironically this probably won't get to the list because my company's ISP is being
very slow at delegating reverse DNS for our range to us, so we currently
have no reverse DNS.

Vince

> -Original Message-
> From: Bruce Pea [mailto:[EMAIL PROTECTED]
> Sent: 07 August 2003 13:50
> To: [EMAIL PROTECTED]
> Subject: Re: ISPs blocking SMTP connections from dynamic IP address
> space
> 
> 
> 
> Since we began blocking servers with no reverse DNS we've been amazed at
> how many mail servers are setup with no reverse DNS. We've had several
> instances where we've been asked by the party being blocked how to fix
> the problem. Since I'm not a DNS expert all I've been able to tell them
> is to fix their DNS entry so they show up when we do an nslookup on them,
> which isn't very helpful but is about all I know to say.
>
> It would be very useful if someone could explain or give instructions on
> how to fix this problem so we all could pass the info along to people who
> need to straighten out their DNS.
>
> Does anyone have a document explaining such things handy they could
> share??
> 
> bp
> 


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Steve Hovey
> We started blocking on no rDNS several months ago, and it's been extremely
> effective with low false positive problems.  I heard that AOL started
> refusing connections with no rDNS about a month ago which makes it easier
> to justify our policies to the clueless.

Yah - I waited for a month or so after AOL started - figuring they get so
much email that valid but badly done sites would have gotten with the
program by now.



Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Dan Nelson
In the last episode (Aug 06), Bill Campbell said:
> On Wed, Aug 06, 2003 at 11:19:57AM -0500, Doug Poland wrote:
> >Within the last two months both AOL and Time Warner Road Runner have
> >implemented port 25 blocks from hosts with IP addresses in the
> >"dynamic address space".  Time Warner claims other major ISPs
> >are/will be implementing the same policy.
> >
> >Is anyone else uneasy with this trend?  Maybe it's just me and I
> >don't like being discriminated against because I don't have the
> >money to own static IP addresses.  One would think groups of
> >responsible and technically competent users would be organizing
> >against this trend and attempting to make their voice heard.
> 
> For every *bsd/Linux/Unix user who has enough clue to run servers
> properly, there are thousands of clueless folks who connect their
> Microsoft Windows viruses directly to the Internet where they're
> subject to abuse from the outside world.

Right;  I've blocked most broadband domains and bounce an awful lot of
spam.  In the last 12 hours, I've blocked 121 spams this way (about 10%
of the total blocked spam).  I don't block by IP range, just domain;
emails from people that have set up forward and reverse DNS pointing to
their own domain pass right through.

Whenever a customer complains, I point them to their ISP's help pages. 
For example, business RoadRunner users should be relaying their outgoing
emails through smtp.biz.rr.com, according to
http://www.help.rr.com/getpage.asp?/faqs/e_biz_emailserveraddysbc.html.

-- 
Dan Nelson
[EMAIL PROTECTED]
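
Added example (not part of any post in this thread): the checks discussed in the messages above, namely refusing clients with no rDNS, Jerry Bell's point about HELO, forward and reverse DNS agreeing, and Dan Nelson's domain-based broadband block that still passes hosts whose forward and reverse DNS point to their own domain, written as one Python policy function. All addresses, hostnames, the broadband domain list and the function names are constructed for illustration, and the DNS answers are an inline table so the code runs offline.

```python
"""Added example: rDNS policy checks over constructed DNS data (runs offline)."""
import ipaddress

# Constructed records using RFC 5737 documentation addresses and example
# domains; in production these two tables would be live PTR and A lookups.
PTR_RECORDS = {
    "192.0.2.25": ["mail.example.org."],
    "198.51.100.77": ["dsl-198-51-100-77.dyn.example-isp.net."],
    "198.51.100.80": ["mail.homeoffice.example."],
    "203.0.113.9": ["mx.smallbiz.example."],
    # 203.0.113.50 deliberately has no PTR record
}
A_RECORDS = {
    "mail.example.org.": ["192.0.2.25"],
    "dsl-198-51-100-77.dyn.example-isp.net.": ["198.51.100.77"],
    "mail.homeoffice.example.": ["198.51.100.80"],
    "mx.smallbiz.example.": ["203.0.113.10"],  # forward points elsewhere
}
# Hypothetical ISP-owned domains whose host names mark residential pools.
BROADBAND_DOMAINS = ("dyn.example-isp.net.",)


def normalize(name):
    """Lower-case a host name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def ptr_owner_name(ip):
    """Name under which the PTR record for `ip` has to be published."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def in_domain(name, domains):
    """True if `name` equals one of `domains` or is a subdomain of it."""
    return any(name == d or name.endswith("." + d) for d in domains)


def confirmed_names(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """PTR names of `ip` whose forward (A) lookup includes `ip` again."""
    addr = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr.get(str(addr), []):
        name = normalize(name)
        forward = {ipaddress.ip_address(x) for x in a.get(name, [])}
        if addr in forward:
            confirmed.append(name)
    return confirmed


def check_client(ip, helo, ptr=PTR_RECORDS, a=A_RECORDS,
                 broadband=BROADBAND_DOMAINS):
    """Return (verdict, reason) for an SMTP client at `ip` announcing `helo`."""
    addr = str(ipaddress.ip_address(ip))
    if not ptr.get(addr):
        return ("reject",
                "no reverse DNS; a PTR is needed at " + ptr_owner_name(addr))
    names = confirmed_names(addr, ptr, a)
    if not names:
        return ("reject", "reverse DNS not confirmed by forward DNS")
    # Block by the domain of the rDNS name, not by IP range: a host in a
    # broadband range whose rDNS is its own domain is not caught here.
    own = [n for n in names if not in_domain(n, broadband)]
    if not own:
        return ("reject", "only generic broadband rDNS: " + names[0])
    if normalize(helo) in own:
        return ("accept", "HELO, forward and reverse DNS agree")
    # A HELO mismatch is reported but not rejected in this sketch.
    return ("accept", "rDNS confirmed as " + own[0] + " but HELO differs")


if __name__ == "__main__":
    samples = [  # constructed (client IP, HELO name) pairs
        ("192.0.2.25", "mail.example.org"),
        ("192.0.2.25", "localhost"),
        ("198.51.100.77", "dsl-198-51-100-77.dyn.example-isp.net"),
        ("198.51.100.80", "mail.homeoffice.example"),
        ("203.0.113.9", "mx.smallbiz.example"),
        ("203.0.113.50", "mail.nowhere.example"),
    ]
    for ip, helo in samples:
        print(ip, helo, check_client(ip, helo))
```

The 198.51.100.80 case is the situation several posters describe: a host in the same address range as the generic DSL name that is accepted because its PTR and A records both point at its own domain.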


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Michael Conlen


Mykroft Holmes IV wrote:

> These Residential/Dynamic blocks are usually reversed. And they cause
> the vast majority of problems that originate in North America.
> Frankly, a lot of people simply blacklist 24.* for this reason.
>
> If your provider's mail servers suck, and they have blocks tagged as
> Dynamic, and you have no other options, it's time to make a deal with
> someone to relay your mail for you.


I've been trying to stay out of this as it has little relation to 
FreeBSD anymore, but blocking 24/8 is simply a bad idea. It's cable 
modem space, not dynamic space. There are a lot of static cable modems 
that are used at businesses.

I've been working on the design of a server based categorization filter
to be used with IMAP as a local delivery agent on a UNIX system. The
idea is to use something like the Bayesian filter to guess which of your
email folders mail goes into. If one of them is Junk mail, there's your
spam filter. It would also filter all emails from [EMAIL PROTECTED]
into the same folder I've put all the other emails from the list. I'm
looking into which algorithm to use at this point, as there are several
that do the same as the Bayesian approach and some are supposedly better
at it.

This filter has the advantage of being server based, but user tunable. 
It will require considerable resources to run as it will require knowing 
the statistics of all your email that you've ever received (at least 
since you started using it), so either it requires that you save all 
your email or it stores token values (and values for strings of tokens) 
in a database.

There's even going to be a way to age values so that as spam evolves it 
keeps up with it.

--
Michael Conlen


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Doug Poland
On Wed, Aug 06, 2003 at 11:41:56AM -0700, Nicole wrote:
> 
>  Yes I too have resorted to blocking Ip's with no reverse DNS and
>  its amazing how many big companies can fall into this. 
> 
>  As to the Dynamic Space, I also block DSL/dynamically assigned IPs
>  as I fall aware of them. (See Example below) Since some ISPs are
>  smart enough to identify their dynamically allocated space it makes
>  it easy.  So far it is extremely rare for someone to be sending
>  mail directly from these DSL/dynamic spaces that anyone wanted to
>  receive.
> 
except those of us running FreeBSD SMTP servers from broadband
connections with valid reverse DNS

-- 
Regards,
Doug


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread dick hoogendijk
On 06 Aug Lucas Holt wrote:

> You guys need to rethink this thing.  Reverse DNS checks are ok, but
> ip blocking for legitimate servers is silly.

I quote this again! It is _so_ true!

Armoring our mailboxes/servers by blocking others just because they make
use of dsl or broadband cable is just stupid.
You don't force such servers to not serve mail (relay at their isp). Why
should you deny people to run their own _complete_ mailserver? I myself
sometimes block an ISP, because they do not take care of spammers the
way they should (temporarily).

People can come at my door too to deliver some mail they want me to
have. Not only the mailman may do so at my house. Surely that means that
if you want, you can drop me some spam at home, but I refuse to armor my
mailbox w/ a lot of wood and nails ;-))

You can also overreact, and that's not OK.

-- 
dick -- http://www.nagual.st/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 4.8 ++ Debian GNU/Linux (Woody)
+ Nai tiruvantel ar vayuvantel i Valar tielyanna nu vilya


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Nicole

On 06-Aug-03 Unnamed Administration sources reported Doug Poland said :
> On Wed, Aug 06, 2003 at 11:41:56AM -0700, Nicole wrote:
>> 
>>  Yes I too have resorted to blocking Ip's with no reverse DNS and
>>  its amazing how many big companies can fall into this. 
>> 
>>  As to the Dynamic Space, I also block DSL/dynamically assigned IPs
>>  as I fall aware of them. (See Example below) Since some ISPs are
>>  smart enough to identify their dynamically allocated space it makes
>>  it easy.  So far it is extremely rare for someone to be sending
>>  mail directly from these DSL/dynamic spaces that anyone wanted to
>>  receive.
>> 


> except those of us running FreeBSD SMTP servers from broadband
> connections with valid reverse DNS
> 

 Those who do so should be doing one of the following.

a) Since you must be using dedicated IP space, have proper DNS setup.
 Pacbell for example will change your reverse DNS for free to match the forward
name you assign to your server. (thus solving two problems at once)


b) Set your server to relay mail via your IP provider's server or some other
server.


  Nicole


> -- 
> Regards,
> Doug



 |\ __ /|   (`\
 | o_o  |__  ) )   
//  \\ 
 -  [EMAIL PROTECTED]  -  Powered by FreeBSD  -
--
 " Daemons" will now be known as "spiritual guides"
-Politically Correct UNIX Page

"Witchcraft is in essence the worship of the powers of this world,
 beautiful and terrible, but all in a circle under the turning sky
 that is the One." -C.A. Burland, "Echoes of Magic"

"Connecting with energy is something humans have to be open
 to and talking about and expecting,  otherwise the whole human
 race can go back to pretending that life is about power over others
 and exploiting the planet.  If we go back to doing this,
 then we won't survive."  -James Redfield, "The Celestine Prophecy"



Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Jez Hancock
On Wed, Aug 06, 2003 at 11:19:57AM -0500, Doug Poland wrote:

> Within the last two months both AOL and Time Warner Road Runner have
> implemented port 25 blocks from hosts with IP addresses in the "dynamic
> address space".  Time Warner claims other major ISPs are/will be
> implementing the same policy.

I've read through this thread with some interest but I couldn't find
anywhere any qualification of this 'dynamic address space' you say AOL
et al are blocking - do you have a source for this claim?

Actually I think there was one reply that mentioned a lot of netblocks
that were being included.  If it's the case that those netblocks are
admin'd by companies that do not (pro)actively attempt to block spam
then I agree they should be blocked.  Presumably the larger companies
you mention have researched the amount of spam trapped at their mail
gateways over time and are sick at the fact the numbers haven't dropped
over time despite complaints to the spammer's admin contacts.

> I support several smaller organizations computer infrastructures.  The
> server backbone in all these orgs is FreeBSD and they all have SMTP
> servers with IP addresses in the "dynamic" space.  More of our outgoing
> mail is starting to bounce as these ISPs bring these new policies online.

AOL et al's policy is probably intended to put pressure on those
netblock's admins to put more effort into stopping spam.

> Is anyone else uneasy with this trend?  Maybe it's just me and I don't
> like being discriminated against because I don't have the money to own
> static IP addresses.  One would think groups of responsible and
> technically competent users would be organizing against this trend and
> attempting to make their voice heard.

I don't think I am uneasy about this - but then again I'm not on a blacklisted
netblock!  Having said this though, if I found my bandwidth provider was on a
blacklist and had no intention of attempting to get off it I'd probably move
straight away anyway.
-- 
Jez

http://www.munk.nu/


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Bill Campbell
On Wed, Aug 06, 2003 at 11:37:21AM -0500, Bruce Pea wrote:
>--On Wednesday, August 06, 2003 12:33 PM -0400 Steve Hovey 
><[EMAIL PROTECTED]> wrote:
>>
>> Unfortunately, dynamic usually means not a business - which often means
>> spam - and we are all losing hair over the war on spam.
>>
>> I now block ip's with no reverse dns
>
>We are doing this as well. We get a fair number of complaints from people 
>whose mail doesn't get delivered but we tell them to fix their DNS so we 
>know someone isn't trying to spoof us. So far, 23 out of 25 organizations 
>complaining have fixed their DNS.

We started blocking on no rDNS several months ago, and it's been extremely
effective with low false positive problems.  I heard that AOL started
refusing connections with no rDNS about a month ago which makes it easier
to justify our policies to the clueless.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

Instead of giving money to found colleges to promote learning, why don't
they pass a constitutional amendment prohibiting anybody from learning
anything?  If it works as good as the Prohibition one did, why, in five
years we would have the smartest race of people on earth.
-- The Best of Will Rogers


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Doug Poland
On Thu, Aug 07, 2003 at 03:27:15PM +0200, Roger 'Rocky' Vetterberg wrote:
> Doug Poland wrote:
> 
> >Within the last two months both AOL and Time Warner Road Runner
> >have implemented port 25 blocks from hosts with IP addresses in the
> >"dynamic address space".  Time Warner claims other major ISPs
> >are/will be implementing the same policy.
> >
> >
> >A little help here?
> >
> >
> Sorry, but I can't help you here, I fully agree with AOL and the big
> guys.  We have to take some serious action against spam,
>
I hate spam as much as the next guy.  But

> piss a lot of people off, but as they say: you can't make an omelette
> without breaking some eggs.  I say block the dynamic address space,
>
This is where I disagree.  What is the "dynamic address space" anyway?
DSL, dial-up, and cable modem providers IP ranges?  This separates the
world into the "haves" and "havenots" based on static($$$) vs.
dynamic IP range.  So the big ISPs get to say,  

"We will not accept a connection from a host, on port 25,
unless the IP originates from an IP range we have decided is
acceptable."

What happens when the ISPs decide,

"We will not accept a connection from a host unless the MTA is on
the approved list, i.e., Microsoft Exchange"


> block everything that lacks proper reverse dns
>
I have proper reverse DNS.  I don't get to connect because of this
"dynamic IP range" issue.  If one has proper reverse dns, should one
be blocked because the host IP comes from a "dynamic address space"?
Why?

-- 
Regards,
Doug


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Doug Poland
On Thu, Aug 07, 2003 at 12:34:45PM -0400, Lucas Holt wrote:
> >
> I do understand the counter argument about blocking ips.. but I think
> that's frustration talking.  Even if ip blocking is an improvement, it
> won't stop spam.
> 
Agreed, does anyone know why requiring reverse DNS isn't "good enough"?
I've asked both AOL and Time Warner but have received no response.


-- 
Regards,
Doug


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Mykroft Holmes IV


dick hoogendijk wrote:
> On 08 Aug Mykroft Holmes IV wrote:
> > Just because you have a highspeed connection with a stable or static
> > IP doesn't mean it's not dynamic. Dynamic simply means assigned by
> > DHCP or RADIUS (For dialup and some DSL). If you're in this space you
> > should be relaying through your ISP's mailserver. 90% of people in
> > this space are precluded from running server daemons by their AUP
> > anyways.
>
> A *typical* American way of thinking. Hey guys, you're not gods. The
> world is larger than just the US. A lot of ISPs in Holland allow you to
> run servers on their dynamic space (IF you config them right, that is)

I'm not American. Funny That. Just because you can run servers on IP
space tagged dynamic doesn't mean you should (And anyways, this only
affects outgoing SMTP servers.)

> It's just fucking wrong to cut these people off running decent servers,
> just because they can't (or are not willing) to afford a T1.

Get DSL on non-Dynamic space. It's available, in fact that's what I'm on
myself. From an ISP with major operations in Holland (Our European NOC
is in Amsterdam)

> It's an easy statement to say you "should relay through your ISP
> mailserver" just because that is true in the States. Again: the world is
> larger than that. Don't exclude yourself pretending you control all.
>
> > Never read a header? Most of that so called 'Hotmail' or 'AOL' spam
> > doesn't come from either, it either comes from overseas or that
> > 'Dynamic' space you're defending
>
> Fake hotmail addresses are easily blocked. See what I mean. They come
> "from overseas.." Jesus, as if all bad things come from everyplace on
> earth except the states.

Well, considering that Hotmail is an American based service, and the
vast majority of faked Hotmail headers seem to come out of either
dynamic space or Russian, Korean or Chinese space. Once again, read what
I said. Faked Hotmail or AOL spam usually either comes from Dynamic IP
space, or from foreign (Russian, Korean, Chinese) space. And since both
are american-based services, this is a valid origination.

> > If you've got a business connection and a 'Dynamic' IP, complain to
> > your ISP. Blocking 'Dynamic' space and thus the multitude of idiots
> > with exploited windoze boxes on their cable/DSL connection is quite
> > effective, probably more than using spews (Which is notorious for
> > blocking non-offenders)
>
> Ever wondered how many of these folks run linux or FreeBSD servers on
> this so called 'dynamic space'? You bloat about exploited windows
> machines and 'forget' about the rest of us running decent servers.
> I don't know many people running a windows mailserver; I DO know quite
> some folks running a *BSD (unix/linux) one.

Problem is that there is a hundred exploited windows boxes for each
person with clue (And those boxes are usually not intended as mail
servers). And the world isn't exactly lacking in exploited unix installs.

> > You don't have as much control as you think, this is just adding one
> > extra hop into the usual 2-3 hops that your mail is going to take
> > anyways. If you can't live with that, get a T1.
>
> Wrong attitude, dude.

No. You want to do things right, get the right gear.

> > Get another ISP then.
>
> This one too.

Nope.

> > I suggest you rethink your position.
>
> Wake up, get a life outside the states.

Been living outside the states all my life. Just because I don't buy
your cop-out doesn't make me a big bad american. Funny how you are so
eager to blame my position on my nationality, while I never indicated
anything about it. Once again, why don't you look in the mirror. Seems
you're the person being bigoted about nationality.

Adam.



Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-14 Thread Roger 'Rocky' Vetterberg
Doug Poland wrote:

> Hello,
>
> This isn't so much a FreeBSD topic but a comment and a request for
> resources.  As a long time FreeBSD admin/user I know this is a large,
> diverse, and eloquent community of technical users.  I hope someone can
> point me to a resource or group of users that address this policy.
>
> Within the last two months both AOL and Time Warner Road Runner have
> implemented port 25 blocks from hosts with IP addresses in the "dynamic
> address space".  Time Warner claims other major ISPs are/will be
> implementing the same policy.
>
> I support several smaller organizations computer infrastructures.  The
> server backbone in all these orgs is FreeBSD and they all have SMTP
> servers with IP addresses in the "dynamic" space.  More of our outgoing
> mail is starting to bounce as these ISPs bring these new policies online.
>
> Is anyone else uneasy with this trend?  Maybe it's just me and I don't
> like being discriminated against because I don't have the money to own
> static IP addresses.  One would think groups of responsible and
> technically competent users would be organizing against this trend and
> attempting to make their voice heard.
>
> A little help here?

Sorry, but I can't help you here, I fully agree with AOL and the big guys.
We have to take some serious action against spam, and it will piss a lot
of people off, but as they say: you can't make an omelette without
breaking some eggs.
I say block the dynamic address space, block everything that lacks
proper reverse dns, and blacklist ISPs that don't care enough to hunt
down and cut off the spammers among their users.
If you ask me spamming should be punished with huge fines, so huge the
people responsible for spamming could never again afford even a throw
away dialup account. Maybe a few years in a federal prison wouldn't hurt
either...or rather, I hope it would hurt...for them.

--
R


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-11 Thread Kevin Stevens


On Fri, 8 Aug 2003, Roger 'Rocky' Vetterberg wrote:

> >Bullshit.  My ISP's lack of ability to deliver mail reliably is what made
> >me start my own mail service in the first place.  Nor do I particularly
> >want to hand them my mail so they can riffle through it at their leisure
> >rather than having to scan for it on the wire in realtime.
> >
> If your ISP is unable to deliver mail reliably then you should switch
> to another ISP immediately, imho.

The problem is that your "MHO" is being set up as a mandatory decree by
blocking legitimate mail.

> There are way too many ISPs out there that don't have a clue what they
> are doing, and the only reason they still exist is that people keep
> using them.
> I'm not saying you should go with one of the big ones, I hate AOL and MSN
> just as much as any other guy, but there are plenty of ISPs out there
> that I'm sure know what they are doing and really care about customer
> service.

My ISP (pacbell/SBC) has sterling circuit uptime and bandwidth.  Their
services side totally sucks.  Why should I have to use their services to
get Internet access?  And your statement that there are "plenty of ISP's
out there" is simply wrong.  There are typically three or four (large) DSL
providers - if they can wrest service order fulfillment from the RBOC, and
two or three cable offerings in the major markets, fewer in the smaller
ones.

> And if you don't want people to read your mail, you should use PGP or
> something similar, even if you run your own mailserver.

That's totally correct and totally unresponsive to my statement.

> >Fine.  Then replace it, or require authentication at receiving points, or
> >some other solution that directly addresses the problem.  Wholesale
> >blocking of  types of transport is a crappy solution.  It's unfair, liable
> >to huge amounts of false positives, and leads directly to the kind of
> >centralized, locked down Internet that will spell its demise.
> >
> That's easier said than done. You do realize what a monumental task it
> would be to replace SMTP, don't you?

Yes.  Almost as monumental as authenticating routing updates, which the
tier 1 providers better get off their asses and start performing, too.

> But hey, if you have a plug n' play solution that will just drop in and
> replace SMTP without breaking anything, I'm all for it!

Another bogus argument.  I pointed out that you are breaking major parts
of Internet connectivity, and what the correct engineering approach would
be.  That doesn't commit me to having to come up with a drop-in
implementation before you stop breaking things.

> I do not agree on your opinion that taking some needed actions will lock
> down the internet and kill it. I think it's completely the other way
> around. If we don't do something about spam now, no one will want to be on
> the internet in a few years time. Email will be impossible to use due to
> the signal to noise ratio, www will be cluttered with popups, banners
> and ads for porn sites, and every single file will contain a trojan or worm.

Conversely, if people can't count on legitimate email to get where it's
going, they will stop using it.  And that will happen MUCH quicker than
stopping using it because of spam.

> I can't believe I sound like some doomsday prophet, I'm actually known
> among those who know me as a fanatic advocate of a free internet, but as
> I see it the internet is slowly self-destructing. It's no longer a
> creation of research and educational needs, it's being used for pure
> profit and the dream of making fast and easy money. And I don't like that.

And facilitating the centralization of control into a few corporate
conglomerates impedes that how?

KeS


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-11 Thread Jez Hancock
On Thu, Aug 07, 2003 at 11:23:53AM -0500, Doug Poland wrote:
> On Thu, Aug 07, 2003 at 04:14:28PM +0100, Jez Hancock wrote:
> > Actually I think there was one reply that mentioned a lot of
> > netblocks that were being included.  If it's the case that those
> > netblocks are admin'd by companies that do not (pro)actively attempt
> > to block spam then I agree they should be blocked.  Presumably the
> > larger companies you mention have researched the amount of spam
> > trapped at their mail gateways over time and are sick at the fact
> > the numbers haven't dropped over time despite complaints to the
> > spammer's admin contacts.
> > 
> To quote Time Warner: 
> 
>   "As part of this continuing effort, Road Runner, along with a
> significant number of other providers, has implemented incoming port
> 25 blocks of dynamically assigned IP address space, including dialup,
> DSL, and Cable modem IP addresses. The reason for this is because of
> the widespread number of high speed subscribers who we have found are
> infected with trojans such as Jeem, or have open proxy or SMTP
> applications which allow third parties to hijack them."
> 
> > 
> > > Is anyone else uneasy with this trend?  Maybe it's just me and I
> > > don't like being discriminated against because I don't have the
> > > money to own static IP addresses.  One would think groups of
> > > responsible and technically competent users would be organizing
> > > against this trend and attempting to make their voice heard.
> > I don't think I am uneasy about this - but then again I'm not on a
> > blacklisted netblock!.  Having said this though, if I found my
> > bandwidth provider was on a blacklist and had no intention of
> > attempting to get off it I'd probably move straight away anyway.  --
> >
> Not everyone has multiple broadband providers to choose from.
Fair enough and I can understand your annoyance in that case.  What do
your providers have to say about all this?  As a customer I would be
very angry about it and can't imagine I'd be alone since the blocks
mentioned are quite vast.
-- 
Jez

http://www.munk.nu/


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-11 Thread Doug Poland
On Thu, Aug 07, 2003 at 04:14:28PM +0100, Jez Hancock wrote:
> On Wed, Aug 06, 2003 at 11:19:57AM -0500, Doug Poland wrote: 
> > Within the last two months both AOL and Time Warner Road Runner
> > have implemented port 25 blocks from hosts with IP addresses in
> > the "dynamic address space".  Time Warner claims other major ISPs
> > are/will be implementing the same policy.
> I've read through this thread with some interest but I couldn't find
> anywhere any qualification of this 'dynamic address space' you say
> AOL et al are blocking - do you have a source for this claim?
>
   - The following addresses had permanent fatal errors -
<[EMAIL PROTECTED]>
(reason: 554- (RTR:BB)  The IP address you are using to connect to AOL is a 
dynamic)

   - Transcript of session follows -
... while talking to mailin-04.mx.aol.com.:
<<< 554- (RTR:BB)  The IP address you are using to connect to AOL is a dynamic
<<< 554- (residential) IP address.  AOL will not accept future e-mail transactions
<<< 554- from this IP address until your ISP removes this IP address from its list
<<< 554- of dynamic (residential) IP addresses.  For additional information,
<<< 554  please visit http://postmaster.info.aol.com.
... while talking to mailin-01.mx.aol.com.:
>>> QUIT


   - The following addresses had permanent fatal errors -
<[EMAIL PROTECTED]>
(reason: 550 5.7.1 Mail Refused - rr.com_Dynamic_Range - See 
http://security.rr.com/dynamic.htm)

   - Transcript of session follows -
... while talking to kcmx02.mgw.rr.com.:
>>> MAIL From:<[EMAIL PROTECTED]>
<<< 550 5.7.1 Mail Refused - rr.com_Dynamic_Range - See 
http://security.rr.com/dynamic.htm
554 5.0.0 Service unavailable


> 
> Actually I think there was one reply that mentioned a lot of
> netblocks that were being included.  If it's the case that those
> netblocks are admin'd by companies that do not (pro)actively attempt
> to block spam then I agree they should be blocked.  Presumably the
> larger companies you mention have researched the amount of spam
> trapped at their mail gateways over time and are sick at the fact
> the numbers haven't dropped over time despite complaints to the
> spammer's admin contacts.
> 
To quote Time Warner: 

"As part of this continuing effort, Road Runner, along with a
significant number of other providers, has implemented incoming port
25 blocks of dynamically assigned IP address space, including dialup,
DSL, and Cable modem IP addresses. The reason for this is because of
the widespread number of high speed subscribers who we have found are
infected with trojans such as Jeem, or have open proxy or SMTP
applications which allow third parties to hijack them."

> 
> > Is anyone else uneasy with this trend?  Maybe it's just me and I
> > don't like being discriminated against because I don't have the
> > money to own static IP addresses.  One would think groups of
> > responsible and technically competent users would be organizing
> > against this trend and attempting to make their voice heard.
> I don't think I am uneasy about this - but then again I'm not on a
> blacklisted netblock!.  Having said this though, if I found my
> bandwidth provider was on a blacklist and had no intention of
> attempting to get off it I'd probably move straight away anyway.  --
>
Not everyone has multiple broadband providers to choose from.

-- 
Regards,
Doug
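
The two bounce transcripts in the message above can be read mechanically. This is an added example, not part of the original post: it reassembles multi-line SMTP replies (`554-` continuation lines closed by a `554 ` line), extracts the enhanced status code where one is present, and flags rejections that name a dynamic or residential range. The sender address is a placeholder and the keyword list is an assumption.

```python
import re
from dataclasses import dataclass

# Taken from the two transcripts quoted above; the one line the mail client
# had wrapped is rejoined and the sender address is a placeholder.
TRANSCRIPT = """\
... while talking to mailin-04.mx.aol.com.:
<<< 554- (RTR:BB)  The IP address you are using to connect to AOL is a dynamic
<<< 554- (residential) IP address.  AOL will not accept future e-mail transactions
<<< 554- from this IP address until your ISP removes this IP address from its list
<<< 554- of dynamic (residential) IP addresses.  For additional information,
<<< 554  please visit http://postmaster.info.aol.com.
... while talking to mailin-01.mx.aol.com.:
>>> QUIT
... while talking to kcmx02.mgw.rr.com.:
>>> MAIL From:<sender@example.org>
<<< 550 5.7.1 Mail Refused - rr.com_Dynamic_Range - See http://security.rr.com/dynamic.htm
554 5.0.0 Service unavailable
"""

PEER = re.compile(r"^\.\.\. while talking to (\S+?)\.?:$")
REPLY = re.compile(r"^<<< (\d{3})([ -])\s*(.*)$")
ENHANCED = re.compile(r"^([245]\.\d{1,3}\.\d{1,3})\s+(.*)$")
# Assumed wording; each receiving site phrases its policy text differently.
DYNAMIC_HINT = re.compile(r"dynamic|residential|dial-?up", re.IGNORECASE)


@dataclass
class Reply:
    peer: str        # remote MX the reply came from
    code: int        # three-digit SMTP reply code
    enhanced: str    # enhanced status code such as "5.7.1", or "" if absent
    text: str        # reply text with continuation lines joined
    complete: bool   # False if the final "code<space>" line never arrived


def parse_replies(transcript):
    """Collect server replies ('<<<' lines) from a sendmail-style transcript."""
    replies, peer, pending = [], None, None   # pending = (code, enhanced, parts)

    def flush(complete):
        nonlocal pending
        if pending:
            code, enhanced, parts = pending
            replies.append(Reply(peer, code, enhanced, " ".join(parts), complete))
        pending = None

    for line in transcript.splitlines():
        m = PEER.match(line)
        if m:
            flush(False)              # reply cut off before its last line
            peer = m.group(1)
            continue
        m = REPLY.match(line)
        if not m:
            continue                  # client commands and local summary lines
        code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if pending and pending[0] != code:
            flush(False)
        enhanced = ""
        e = ENHANCED.match(text)
        if e:                         # strip the enhanced code from the text
            enhanced, text = e.group(1), e.group(2)
        if pending is None:
            pending = (code, enhanced, [])
        pending[2].append(text)
        if sep == " ":                # a space after the code ends the reply
            flush(True)
    flush(False)
    return replies


def classify(reply):
    """Sort a reply into the buckets a postmaster would triage separately."""
    if reply.code // 100 != 5:
        return "not-permanent"
    if DYNAMIC_HINT.search(reply.text):
        return "dynamic-range-block"
    if reply.enhanced.startswith("5.7."):
        return "other-policy"
    return "other-5xx"


def blocked_peers(transcript):
    """Remote hosts that refused mail because of the sender's address range."""
    return [r.peer for r in parse_replies(transcript)
            if classify(r) == "dynamic-range-block"]


if __name__ == "__main__":
    for r in parse_replies(TRANSCRIPT):
        print(r.peer, r.code, r.enhanced or "-", classify(r))
```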


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-10 Thread Bruce Pea
Since we began blocking servers with no reverse DNS we've been amazed at 
how many mail servers are set up with no reverse DNS. We've had several 
instances where we've been asked by the party being blocked how to fix 
the problem. Since I'm not a DNS expert all I've been able to tell them 
is to fix their DNS entry so they show up when we do an nslookup on them, 
which isn't very helpful but is about all I know to say.

It would be very useful if someone could explain or give instructions on 
how to fix this problem so we all could pass the info along to people who 
need to straighten out their DNS.

Does anyone have a document explaining such things handy they could 
share??

bp
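
The check behind "no reverse DNS" can be written down so the blocked party sees exactly which record is missing. This is an added example, not part of the original post: it builds the PTR query name for an address (IPv4 or IPv6, which goes beyond the IPv4 case discussed in the thread), confirms that the returned name resolves back to the same address, and produces a hint for the sender. All records are constructed from documentation address ranges, and the resolver callables stand in for real DNS lookups.

```python
import ipaddress

# Constructed DNS data using documentation address ranges; not real hosts.
PTR_RECORDS = {
    "25.2.0.192.in-addr.arpa": ["mail.example.org."],
    "26.2.0.192.in-addr.arpa": ["mx.example.net."],   # forward record disagrees
    # 192.0.2.27 deliberately has no PTR record
}
ADDR_RECORDS = {
    "mail.example.org": ["192.0.2.25"],
    "mx.example.net": ["198.51.100.7"],
}


def ptr_name(ip):
    """Name a receiving server queries for the PTR record of ip."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_rdns(ip, lookup_ptr, lookup_addr):
    """Return (verdict, hostname) for a connecting address.

    verdict is 'no-ptr', 'ptr-unconfirmed' or 'confirmed'.  lookup_ptr and
    lookup_addr are resolver callables returning lists, so the logic can be
    exercised on constructed data without touching the network.
    """
    want = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in lookup_ptr(ptr_name(ip))]
    if not names:
        return "no-ptr", None
    for host in names:
        for addr in lookup_addr(host):
            if ipaddress.ip_address(addr) == want:
                return "confirmed", host
    # A PTR exists, but nothing it names points back at the connecting address.
    return "ptr-unconfirmed", names[0]


def fix_hint(ip, verdict, host):
    """Text a postmaster could send to the party whose mail was refused."""
    if verdict == "no-ptr":
        return (f"No PTR record found at {ptr_name(ip)}. Whoever controls the "
                f"reverse zone for {ip} (usually the ISP) must publish a PTR "
                f"there naming your mail host, or delegate the zone to you.")
    if verdict == "ptr-unconfirmed":
        return (f"The PTR for {ip} names {host}, but {host} has no address "
                f"record pointing back to {ip}. Add one in the forward zone "
                f"or correct the PTR.")
    return f"Reverse and forward DNS agree: {ip} <-> {host}."


def demo_check(ip):
    """Run the check against the constructed records above."""
    verdict, host = check_rdns(
        ip,
        lambda name: PTR_RECORDS.get(name, []),
        lambda name: ADDR_RECORDS.get(name, []),
    )
    return verdict, host, fix_hint(ip, verdict, host)


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.26", "192.0.2.27"):
        verdict, host, hint = demo_check(ip)
        print(f"{ip:12} {verdict:16} {hint}")
```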



Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-10 Thread Mark
- Original Message - 
From: "Lucas Holt" <[EMAIL PROTECTED]>
To: "Doug Poland" <[EMAIL PROTECTED]>
Cc: "Nicole" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, August 06, 2003 10:24 PM
Subject: Re: ISPs blocking SMTP connections from dynamic IP address space

> You guys need to rethink this thing. Reverse DNS checks are ok, but
> ip blocking for legitimate servers is silly.

I agree. You guys really need to rethink this. My turn to vent. :)

For starters, what is "dynamic IP address space" anyway? You would think
dialup-accounts or, at the very least, accounts that get their IP address
assigned from a dynamic IP address pool. Yet, reading this thread, "dynamic
IP address space" basically seems to mean: everyone who is not a major ISP.
There are many things wrong with that simplistic reasoning.

For one, just because whois.arin.net says a netblock is a "dynamic" address
pool, does not mean IP addresses assigned to customers are, de facto,
dynamic. In fact, especially with high-speed DSL accounts, ere the opposite
is true: people get assigned what to them, and to the world at large, for
all purposes and intent, is a static IP address. In exchange for money,
their ISP has granted them the exclusive use of a fixed IP address. They
register domain names on that IP address, and continue to use that one,
unchanging IP address for all interactions with the world. Literally
thousands of legitimate servers across the world run on such a (set of)
static IP address(es), regardless of what their netblock, high up in the
ARIN, or kindred, hierarchy is marked down as.

When you force all people to use their ISP's smtp server(s), you funnel, as
it were, a great number of clients through a single pinhole. Should that one
pinhole become blacklisted/blocked, then suddenly thousands of people, en
masse, can no longer send mail. Is that likely to occur? Yes. Because spam
will also be sent through that same pinhole. AOL will likely cancel the
account of the spammer; but spam will nonetheless have been sent through
that one pinhole. And then what? Then you are faced with an uncomfortable
choice: either I block the AOL smtp servers altogether, or I let them
through entirely. What you have lost then, in effect, is the ability to
discriminate. So, what then? You will whitelist the AOL smtp servers? That
would be stupid. :) Because if there is only one pinhole, whitelisting that
one pinhole is tantamount to giving all spammers a huge "passe-partout". And
since, by your own act of narrow-sightedness, you have chosen to only deal
with that one pinhole, you can no longer tell chaff from grain. Way to go,
Einstein!

Perhaps the greatest fallacy of em all: the ludicrous assumption that large
ISP's do not spam. :) The largest sources of spam, their hypocrisy despite,
are precisely those big ISP's, like AOL and hotmail, to whom you can write
until you see blue in the face, but who do not give a damn, because they are
big and know it.

Do not be lazy; because you are. :) I know, I have been tempted too, many
times, to just block hotmail altogether, and so reduce 70% of all spam. Yet,
that would be laziness, really. Taking the easy route, like blocking all
what you think is "dynamic" address space, is really just laziness on your
part. It is you saying: "I can no longer be bothered to figure out who is
legit and who is not, so I will just block everything." That is bad
administration. Crying, "But SOMETHING needs to be done about spam,
therefore I am right," is not a valid argument either. :) Sure, SOMETHING
needs to be done about spam. But blocking thousands of legitimate servers
across the world, just because you are lazy, is not the solution. Be
meticulous in who you block, and be specific.

Simply configuring your mail server to use your ISP's smtp as smarthost, and
relay all outgoing email through them, is not as transparent and benign a
solution as suggested. You lose control over the way mail is being
delivered/bounced, for instance. All of a sudden your clients get
bounce-messages from the postmaster of your ISP, instead of from you
directly -- with all the ensuing confusion to boot. Can the freebsd.org
people look me in the eye, and really say they would not mind having AOL
deliver their mail for them, as smarthost? Honestly, nobody likes to be "in
ward" like that. It is as if your ISP would tell you, one day, that you can
no longer provide an IHAVE newsfeed, but have to use their news server's
POST command. Yeah, right. :) I have yet to encounter an administrator who
would not mind yielding to such condescension.

The main purpose of a mail exchanger is to exchange mail. :) Perhaps the
focus on spam has caused it, but many people look on this backwards: as the
administrator of your mail facility, your primary task is NOT to block
illegitimate mail, but

Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-10 Thread Bruce Pea
--On Wednesday, August 06, 2003 12:33 PM -0400 Steve Hovey 
<[EMAIL PROTECTED]> wrote:

> Unfortunately, dynamic usually means not a business - which often means
> spam - and we are all losing hair over the war on spam.
>
> I now block ip's with no reverse dns


We are doing this as well. We get a fair number of complaints from people 
whose mail doesn't get delivered but we tell them to fix their DNS so we 
know someone isn't trying to spoof us. So far, 23 out of 25 organizations 
complaining have fixed their DNS.

bp



Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-09 Thread Nicole

 Yes I too have resorted to blocking IP's with no reverse DNS and it's amazing
how many big companies can fall into this. 

 As to the Dynamic Space, I also block DSL/dynamically assigned IP's as I fall
aware of them. (See Example below) Since some ISP's are smart enough to identify
their dynamically allocated space it makes it easy.  So far it is extremely rare
for someone to be sending mail directly from these DSL/dynamic spaces that
anyone wanted to receive. 


 
 # DSL Space
cust.uslec.net                       550 NO Mail Accepted From DSL (SPAMMER)
ogw.rr.com                           550 NO Mail Accepted From DSL (SPAMMER)
cable.ntl.com                        550 NO Mail Accepted From DSL (SPAMMER)
dsl-verizon.net                      550 NO Mail Accepted From DSL (SPAMMER)
da103-t5dial.ccglobalnet.com         550 NO Mail Accepted From DSL (SPAMMER)
dsl.austtx.swbell.net                550 NO Mail Accepted From DSL (SPAMMER)
cm.vtr.net                           550 NO Mail Accepted From DSL (SPAMMER)
pc-62-30-34-178-pr.blueyonder.co.uk  550 NO Mail Accepted From DSL (SPAMMER)
dsl.snfc21.pacbell.net               550 NO Mail Accepted From DSL (SPAMMER)
dsl.sntc01.pacbell.net               550 NO Mail Accepted From DSL (SPAMMER)
dsl.lsan03.pacbell.net               550 NO Mail Accepted From DSL (SPAMMER)
da.uu.net                            550 NO Mail Accepted From DSL (SPAMMER)
client.attbi.com                     550 NO Mail Accepted From DSL (SPAMMER)
...
 


Nicole





On 06-Aug-03 Unnamed Administration sources reported Bruce Pea said :
> --On Wednesday, August 06, 2003 12:33 PM -0400 Steve Hovey 
> <[EMAIL PROTECTED]> wrote:
> 
>>
>> Unfortunately, dynamic usually means not a business - which often means
>> spam - and we are all losing hair over the war on spam.
>>
>> I now block ip's with no reverse dns
> 
> 
> We are doing this as well. We get a fair number of complaints from people 
> whose mail doesn't get delivered but we tell them to fix their DNS so we 
> know someone isn't trying to spoof us. So far, 23 out of 25 organizations 
> complaining have fixed their DNS.
> 
> bp
> 



 |\ __ /|   (`\
 | o_o  |__  ) )   
//  \\ 
 -  [EMAIL PROTECTED]  -  Powered by FreeBSD  -
--
 " Daemons" will now be known as "spiritual guides"
-Politically Correct UNIX Page

"Witchcraft is in essence the worship of the powers of this world,
 beautiful and terrible, but all in a circle under the turning sky
 that is the One." -C.A. Burland, "Echoes of Magic"

"Connecting with energy is something humans have to be open
 to and talking about and expecting,  otherwise the whole human
 race can go back to pretending that life is about power over others
 and exploiting the planet.  If we go back to doing this,
 then we won't survive."  -James Redfield, "The Celestine Prophecy"
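
A table like the one in the message above is applied to the reverse-DNS name of the connecting host. This is an added example, not part of the original post: it parses a few of the listed entries and matches a PTR name against them on label boundaries, then groups sample hosts by the rule that rejects them so each rule's reach can be reviewed. Matching by stripping leading labels is an assumption about how the MTA treats domain keys, and the client hostnames are constructed.

```python
# A few entries copied from the table above.
ACCESS_TABLE = """\
# DSL Space
cust.uslec.net          550 NO Mail Accepted From DSL (SPAMMER)
ogw.rr.com              550 NO Mail Accepted From DSL (SPAMMER)
dsl.snfc21.pacbell.net  550 NO Mail Accepted From DSL (SPAMMER)
client.attbi.com        550 NO Mail Accepted From DSL (SPAMMER)
"""

# Constructed PTR names of connecting hosts, for illustration only.
SAMPLE_PTR_NAMES = [
    "adsl-63-200-1-2.dsl.snfc21.pacbell.net",   # ordinary subscriber line
    "mail.smallbiz.dsl.snfc21.pacbell.net",     # fixed-address mail server, same suffix
    "xdsl.snfc21.pacbell.net",                  # shares a string suffix, not a label
    "h-10-20-30.client.attbi.com",
    "mail.example.org",
]


def parse_access(text):
    """Parse 'key<whitespace>action' lines; '#' starts a comment line."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # key without an action: ignore
        key, action = parts
        table[key.lower().rstrip(".")] = action.strip()
    return table


def lookup(hostname, table):
    """Return (matching_key, action) or None.

    Tries the full name, then strips one leading label at a time, so a key
    only matches the host itself or hosts below it in the DNS tree.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate, table[candidate]
    return None


def naive_suffix_match(hostname, table):
    """String-suffix matching, shown only to contrast with lookup()."""
    host = hostname.lower().rstrip(".")
    return any(host.endswith(key) for key in table)


def review(ptr_names, table):
    """Group rejected hosts by the rule that caught them."""
    hits = {}
    for name in ptr_names:
        match = lookup(name, table)
        if match:
            hits.setdefault(match[0], []).append(name)
    return hits


if __name__ == "__main__":
    table = parse_access(ACCESS_TABLE)
    for key, hosts in review(SAMPLE_PTR_NAMES, table).items():
        print(key, "->", table[key].split()[0], hosts)
```

The second sample host shows the false-positive case argued over in this thread: a fixed-address mail server whose PTR name sits under a listed suffix is refused by the same rule as the subscriber lines around it.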



Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-09 Thread Mykroft Holmes IV
Doug Poland wrote:

> On Thu, Aug 07, 2003 at 12:34:45PM -0400, Lucas Holt wrote:
>
> > I do understand the counter argument about blocking ips.. but I think 
> > that's frustration talking.  Even if ip blocking is an improvement, it 
> > won't stop spam.
>
> Agreed, does anyone know why requiring reverse DNS isn't "good enough"?
> I've asked both AOL and Time Warner but have received no response.

These Residential/Dynamic blocks are usually reversed. And they cause 
the vast majority of problems that originate in North America. Frankly, 
a lot of people simply blacklist 24.* for this reason.

If your provider's mail servers suck, and they have blocks tagged as 
Dynamic, and you have no other options, it's time to make a deal with 
someone to relay your mail for you.

Adam



Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-08 Thread Roger 'Rocky' Vetterberg
Kevin Stevens wrote:

> On Thu, 7 Aug 2003, Roger 'Rocky' Vetterberg wrote:
>
> > It's still not a reason for allowing relay from dynamic addresses.
> > All ISP's, or at least all serious ISP's, provide their customer with a
> > relaying mailserver. It's a simple task to configure your mailserver to
> > use your ISP's smtp as smarthost and relay all outgoing email through
> > them. I know, I use this setup myself, since just like you I can't afford
> > "real" connections everywhere but have to rely on cheap DSL or cable.
>
> Bullshit.  My ISP's lack of ability to deliver mail reliably is what made
> me start my own mail service in the first place.  Nor do I particularly
> want to hand them my mail so they can riffle through it at their leisure
> rather than having to scan for it on the wire in realtime.

If your ISP is unable to deliver mail reliably then you should switch 
to another ISP immediately, imho.
There are way too many ISP's out there that don't have a clue what they 
are doing, and the only reason they still exist is that people keep 
using them.
I'm not saying you should go with one of the big ones, I hate AOL and MSN 
just as much as any other guy, but there are plenty of ISP's out there 
that I'm sure know what they are doing and really care about customer 
service.
And if you don't want people to read your mail, you should use PGP or 
something similar, even if you run your own mailserver.

> > Today it's far too easy to get your email out on the 'net. Even the "high
> > school dropouts" as you call the spammers can buy a cheap DSL
> > connection, set up a mailserver and spam like crazy until the ISP gets
> > enough complaints to cut them off. When that happens, they get a new
> > connection and start all over.
> > As long as we rely on the old and very outdated SMTP protocol that
> > powers the net today, precautions will have to be taken very soon, or
> > email will be useless in a few years.
>
> Fine.  Then replace it, or require authentication at receiving points, or
> some other solution that directly addresses the problem.  Wholesale
> blocking of  types of transport is a crappy solution.  It's unfair, liable
> to huge amounts of false positives, and leads directly to the kind of
> centralized, locked down Internet that will spell its demise.
> KeS

That's easier said than done. You do realize what a monumental task it 
would be to replace SMTP, don't you?
But hey, if you have a plug n' play solution that will just drop in and 
replace SMTP without breaking anything, I'm all for it!

I do not agree on your opinion that taking some needed actions will lock 
down the internet and kill it. I think it's completely the other way 
around. If we don't do something about spam now, no one will want to be on 
the internet in a few years time. Email will be impossible to use due to 
the signal to noise ratio, www will be cluttered with popups, banners 
and ads for porn sites, and every single file will contain a trojan or worm.

I can't believe I sound like some doomsday prophet, I'm actually known 
among those who know me as a fanatic advocate of a free internet, but as 
I see it the internet is slowly self-destructing. It's no longer a 
creation of research and educational needs, it's being used for pure 
profit and the dream of making fast and easy money. And I don't like that.

--
R


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-08 Thread Mykroft Holmes IV
Interspersed

Mark wrote:

> - Original Message - 
> From: "Lucas Holt" <[EMAIL PROTECTED]>
> To: "Doug Poland" <[EMAIL PROTECTED]>
> Cc: "Nicole" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Wednesday, August 06, 2003 10:24 PM
> Subject: Re: ISPs blocking SMTP connections from dynamic IP address space
>
> > You guys need to rethink this thing. Reverse DNS checks are ok, but
> > ip blocking for legitimate servers is silly.
>
> I agree. You guys really need to rethink this. My turn to vent. :)
>
> For starters, what is "dynamic IP address space" anyway? You would think
> dialup-accounts or, at the very least, accounts that get their IP address
> assigned from a dynamic IP address pool. Yet, reading this thread, "dynamic
> IP address space" basically seems to mean: everyone who is not a major ISP.
> There are many things wrong with that simplistic reasoning.

Dynamic IP space is netblocks which the ISP controlling them has marked 
as part of its dynamic IP pool. In fact 90% of Dynamic space is major 
ISP's (Dialup blocks, DSL and cable modems). Very few small ISP's tag 
their DHCP pools as dynamic.

> For one, just because whois.arin.net says a netblock is a "dynamic" address
> pool, does not mean IP addresses assigned to customers are, de facto,
> dynamic. In fact, especially with high-speed DSL accounts, ere the opposite
> is true: people get assigned what to them, and to the world at large, for
> all purposes and intent, is a static IP address. In exchange for money,
> their ISP has granted them the exclusive use of a fixed IP address. They
> register domain names on that IP address, and continue to use that one,
> unchanging IP address for all interactions with the world. Literally
> thousands of legitimate servers across the world run on such a (set of)
> static IP address(es), regardless of what their netblock, high up in the
> ARIN, or kindred, hierarchy is marked down as.

Just because you have a highspeed connection with a stable or static IP 
doesn't mean it's not dynamic. Dynamic simply means assigned by DHCP or 
RADIUS (For dialup and some DSL). If you're in this space you should be 
relaying through your ISP's mailserver. 90% of people in this space are 
precluded from running server daemons by their AUP anyways.

> When you force all people to use their ISP's smtp server(s), you funnel, as
> it were, a great number of clients through a single pinhole. Should that one
> pinhole become blacklisted/blocked, then suddenly thousands of people, en
> masse, can no longer send mail. Is that likely to occur? Yes. Because spam
> will also be sent through that same pinhole. AOL will likely cancel the
> account of the spammer; but spam will nonetheless have been sent through
> that one pinhole. And then what? Then you are faced with an uncomfortable
> choice: either I block the AOL smtp servers altogether, or I let them
> through entirely. What you have lost then, in effect, is the ability to
> discriminate. So, what then? You will whitelist the AOL smtp servers? That
> would be stupid. :) Because if there is only one pinhole, whitelisting that
> one pinhole is tantamount to giving all spammers a huge "passe-partout". And
> since, by your own act of narrow-sightedness, you have chosen to only deal
> with that one pinhole, you can no longer tell chaff from grain. Way to go,
> Einstein!

Never read a header? Most of that so called 'Hotmail' or 'AOL' spam 
doesn't come from either, it either comes from overseas or that 
'Dynamic' space you're defending (How much spam comes from IP's that 
reverse to UUNET RAS Servers? A damned lot, although not usually from 
actual UUNET customers, but rather a 3rd party customer on a free or 
one-shot account). Blackholing AOL or Hotmail isn't going to appreciably 
affect your receipt of spam, since so little spam actually originates there.

> Perhaps the greatest fallacy of em all: the ludicrous assumption that large
> ISP's do not spam. :) The largest sources of spam, their hypocrisy despite,
> are precisely those big ISP's, like AOL and hotmail, to whom you can write
> until you see blue in the face, but who do not give a damn, because they are
> big and know it.

The Dynamic space we're talking usually comes from Big ISP's. Small 
ISP's don't tag space as dynamic.

> Do not be lazy; because you are. :) I know, I have been tempted too, many
> times, to just block hotmail altogether, and so reduce 70% of all spam. Yet,
> that would be laziness, really.

No, it simply won't work. Maybe it would have in 1998, but Hotmail 
doesn't originate much spam anymore, even if the header is forged to 
indicate it came from hotmail.

> Taking the easy route, like blocking all
> what you think is "dynamic" address space, is really just laziness on your
> part. It is you saying: "I can no longer be bothered to figure out who is
> legit and who is not, 

Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-08 Thread Lucas Holt

I think we need software that blocks spam out of the box.

Server Side:
I've found that most of my time is spent installing addons for sendmail 
to do virus scanning and spam prevention.  Why don't mail servers have 
spam assassin, black lists, etc. enabled and installed with a base set 
of rules to prevent spam?  Every  release of the software would also 
need to include new rules, but your ip list solution needs updating all 
the time too.

Client Side:  email clients all need spam and virus filters.  Many have 
them now, but there should be a central filter database for clients 
too.  I wouldn't get these stupid worms all the time if they were 
deleted.. most of them have the same subject.. simple pattern matching. 
I often find myself creating filters to delete them myself.  I 
switched to apple mail from Netscape 7 to get spam filtering in January 
client side.

I do understand the counter argument about blocking ips.. but I think 
that's frustration talking.  Even if ip blocking is an improvement, it 
won't stop spam.

> Today it's far too easy to get your email out on the 'net. Even the 
> "high school dropouts" as you call the spammers can buy a cheap DSL 
> connection, set up a mailserver and spam like crazy until the ISP gets 
> enough complaints to cut them off. When that happens, they get a new 
> connection and start all over.
>
> As long as we rely on the old and very outdated SMTP protocol that 
> powers the net today, precautions will have to be taken very soon, or 
> email will be useless in a few years.
>
> --
> R

Lucas Holt
[EMAIL PROTECTED]

FoolishGames.com  (Jewel Fan Site)
JustJournal.com (Free blogging)
"Only two things are infinite, the universe and human stupidity, and 
I'm not sure about the former."
- Albert Einstein (1879-1955)



Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-07 Thread Michael K. Smith
On 8/6/03 9:19 AM, "Doug Poland" <[EMAIL PROTECTED]> wrote:

> Hello,
> 
> This isn't so much a FreeBSD topic but a comment and a request for
> resources.  As a long time FreeBSD admin/user I know this is a large,
> diverse, and eloquent community of technical users.  I hope someone can
> point me to a resource or group of users that address this policy.
> 
> Within the last two months both AOL and Time Warner Road Runner have
> implemented port 25 blocks from hosts with IP addresses in the "dynamic
> address space".  Time Warner claims other major ISPs are/will be
> implementing the same policy.
> 
> I support several smaller organizations' computer infrastructures.  The
> server backbone in all these orgs is FreeBSD and they all have SMTP
> servers with IP addresses in the "dynamic" space.  More of our outgoing
> mail is starting to bounce as these ISPs bring these new policies online.
> 
> Is anyone else uneasy with this trend?  Maybe it's just me and I don't
> like being discriminated against because I don't have the money to own
> static IP addresses.  One would think groups of responsible and
> technically competent users would be organizing against this trend and
> attempting to make their voice heard.
> 
> A little help here?

What is the "dynamic address space"?  Do you mean RFC 1918 space such as
10.0.0.0/8?  Or, are you referring to addresses in what is commonly referred
to as "the swamp," comprised of pre-CIDR allocations of addresses?

Mike
-- 
Michael K. Smith  NoaNet
206.219.7116 (work)   206.579.8360 (cell)
[EMAIL PROTECTED]     http://www.noanet.net




Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-07 Thread Jez Hancock
On Thu, Aug 07, 2003 at 12:34:45PM -0400, Lucas Holt wrote:
> >
> 
> I think we need software that blocks spam out of the box.
> 
> Server Side:
> I've found that most of my time is spent installing addons for sendmail 
> to do virus scanning and spam prevention.  Why don't mail servers have 
> spam assassin, black lists, etc. enabled and installed with a base set 
> of rules to prevent spam?  Every  release of the software would also 
> need to include new rules, but your ip list solution needs updating all 
> the time too.
Exim with exiscan enabled allows you to reject mail considered spam
based on the results of an SA scan.  The hard part is maintaining a
decent blacklist locally if you can't afford the overhead of using
online RBL blacklist servers on a heavily used mail server I would
imagine.

Another issue with this is what you tell your clients. I recently had a
client who I recommended to a certain ISP who received an email from
that ISP which was nothing short of scare-mongering.

The email was written by the CEO of the ISP, who it appears hadn't a
clue about exactly how the software blocked spam or perhaps wasn't that
good at articulating in layman's terms exactly how spam was to be
blocked.  As a result a number of the ISP's clients were instantly
worried that anything containing swear words or 'make money' or whatever
in the subject would be blocked, which wouldn't be the case (one would
hope!).

I think a nice alternative is to set a number of different filtering
rules on the MTA so that spam that scores very highly (say over 15 on
the SA scale) is rejected outright, whereas spam that scores relatively
highly on the SA scale has its subject modified to indicate that the
content is possibly spam.  Again though this could be seen as unwanted
intrusion by some customers...

-- 
Jez

http://www.munk.nu/


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-07 Thread Matthew Seaman
On Thu, Aug 07, 2003 at 07:49:44AM -0500, Bruce Pea wrote:
> 
> Since we began blocking servers with no reverse DNS we've been amazed at 
> how many mail servers are setup with no reverse DNS. We've had several 
> instances where we've been asked by the party being blocked how to fix 
> the problem. Since I'm not a DNS expert all I've been able to tell them 
> is to fix their DNS entry so they show up when we do an nslookup on them, 
> which isn't very helpful but is about all I know to say.
> 
> It would be very useful if someone could explain or give instructions on 
> how to fix this problem so we all could pass the info along to people who 
> need to straighten out their DNS.

Hmmm... Setting up an inverse domain for a /24 or other subnet
delegated at an octet boundary is hardly more difficult than setting
up a forward domain.  Any text on DNS will explain how PTR records
work -- for instance the Linux DNS HOWTO available at
http://www.tldp.org/HOWTO/DNS-HOWTO.html and many other places --
Google for translations into other languages.  Then there's the BIND
documentation at
http://www.nominum.com/content/documents/bind9arm.pdf, their FAQ at
http://www.isc.org/products/BIND/FAQ.html.  The "DNS and BIND"
O'Reilly book is good value in this respect as well.

However, in summary: supposing you want to set up the inverse domain,
mapping IP addresses from 12.34.56.0/24 to host names, then you'll need the

56.34.12.in-addr.arpa. 

domain delegated to you by your ISP.  In your zone file you'd have
something like:

;; $ORIGIN   56.34.12.in-addr.arpa.
$TTL 3600
@   IN   SOA  ns0.example.com.   hostmaster.example.com. (
                  2003080700 ; Serial
                  10800      ; Refresh (3H)
                  3600       ; Retry (1H)
                  604800     ; Expire (1W)
                  43200 )    ; Minimum (12H)
         NS   ns0.example.com.
         NS   ns1.example.com.
;
0        PTR   net.example.com.
1        PTR   server-a.example.com.
2        PTR   server-b.example.com.
[...]
255      PTR   broadcast.example.com.

and the corresponding entry in named.conf on the primary server would
be something like:

zone "56.34.12.in-addr.arpa" {
    type master;
    file "p/56.34.12.in-addr.arpa";
    allow-query {
        any;
    };
    allow-transfer {
        secondaries;    // an ACL defined elsewhere in named.conf
    };
};

> Does anyone have a document explaining such things handy they could 
> share??

What is generally missing is a good explanation of how to do RFC 2317
style delegation for subnets not on octet boundaries.  In this CIDR
world we live in at the moment, that is more likely than not to be the
case.  Even worse, many ISPs are either unable or unwilling to provide
CIDR style delegation, in which case your correspondents will have to
get the ISP to insert their data into the appropriate zone file.

If the ISP does do CIDR-style zone delegation, then there are 3
possible styles you could encounter.

i) Automatically -- the ISP generates the PTR RRs automatically from
the A records you create in your forward Zone files.  This isn't
really a CIDR style delegation at all, but it has the same effect from
the customer's PoV.

ii) Delegation of individual addresses -- this will only happen for
the smallest subnets.  Suppose you've been allocated 12.34.56.76/30
which gives you 2 usable IP numbers together with the network and
broadcast addresses.  Then the ISP could simply put:

76 NS   ns0.example.com.
   NS   ns1.example.com.
77 NS   ns0.example.com.
   NS   ns1.example.com.
78 NS   ns0.example.com.
   NS   ns1.example.com.
79 NS   ns0.example.com.
   NS   ns1.example.com.

into the 56.34.12.in-addr.arpa. zone file as above, which delegates
each address separately to the example.com servers.  You will have to
have a *separate* zone file (and corresponding entry in named.conf)
for each address containing RRs for just the '@' entry. eg for
12.34.56.78:

;; $ORIGIN   78.56.34.12.in-addr.arpa.
$TTL 3600
@   IN   SOA  ns0.example.com.   hostmaster.example.com. (
                  2003080700 ; Serial
                  10800      ; Refresh (3H)
                  3600       ; Retry (1H)
                  604800     ; Expire (1W)
                  43200 )    ; Minimum (12H)
         NS   ns0.example.com.
         NS   ns1.example.com.
         PTR  server-b.example.com.
;

This very rapidly becomes unwieldy for anything except the smallest
network blocks, and it's not that common.

iii) Reverse delegation by CNAME records -- this is as described in
RFC 2317.  Suppose you have been delegated the 12.34.56.64/28 block,
giving you 14 usable addresses together with the network and broadcast
addresses.

In this case the ISP will set up a range of CNAME records in the
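
Added example, not part of the original post: a Python sketch that builds the ISP-side and customer-side records for CNAME-style reverse delegation as RFC 2317 describes it, then resolves an address through them. The 12.34.56.64/28 block and the ns0/ns1.example.com servers come from the message above; the `64/28` zone label follows the RFC's own examples, and the host assignments are constructed.

```python
import ipaddress

def rfc2317_delegation(cidr, nameservers, hosts):
    """Build records for CNAME-style reverse delegation of a sub-/24 block.

    hosts maps a last octet (int) to a fully qualified host name.
    Returns (parent_zone, parent_rrs, child_zone, child_rrs); the rrs lists
    hold (owner, type, target) tuples with fully qualified names.
    """
    net = ipaddress.ip_network(cidr)            # ValueError if host bits are set
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("octet-aligned blocks get an ordinary reverse zone")
    a, b, c, d = str(net.network_address).split(".")
    parent_zone = f"{c}.{b}.{a}.in-addr.arpa."
    child_zone = f"{d}/{net.prefixlen}.{parent_zone}"   # RFC 2317 style label
    parent = [(child_zone, "NS", ns) for ns in nameservers]   # ISP side
    child = []                                                # customer side
    for addr in net:                            # network and broadcast included
        last = int(addr) & 0xFF
        parent.append((f"{last}.{parent_zone}", "CNAME", f"{last}.{child_zone}"))
        if last in hosts:
            child.append((f"{last}.{child_zone}", "PTR", hosts[last]))
    return parent_zone, parent, child_zone, child

def reverse_lookup(ip, parent, child):
    """Resolve ip through the records the way a resolver follows the CNAME."""
    name = ipaddress.ip_address(ip).reverse_pointer + "."
    for owner, rtype, target in parent:
        if owner == name and rtype == "CNAME":
            name = target
            break
    for owner, rtype, target in child:
        if owner == name and rtype == "PTR":
            return target
    return None             # what a "no reverse DNS" check on a mail server sees

def render(zone, rrs):
    """Format records relative to their zone, zone-file style."""
    lines = [f"$ORIGIN {zone}"]
    for owner, rtype, target in rrs:
        rel = "@" if owner == zone else owner[: -len(zone) - 1]
        lines.append(f"{rel:<8}{rtype:<6}{target}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample: block and name servers from the message, hosts assumed.
    pz, parent, cz, child = rfc2317_delegation(
        "12.34.56.64/28", ["ns0.example.com.", "ns1.example.com."],
        {65: "server-a.example.com.", 78: "server-b.example.com."})
    print(render(pz, parent), render(cz, child), sep="\n\n")
    print(reverse_lookup("12.34.56.78", parent, child))
```

An address inside the block that has a CNAME in the parent zone but no PTR in the customer zone still resolves to nothing, so it is rejected by servers that require reverse DNS.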

Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-07 Thread Roger 'Rocky' Vetterberg
Lucas Holt wrote:

> Why don't people talk about software developers?  Someone is writing
> the software for spammers.  Let's go after them.  Think about it;
> spammers have an average education level of high school dropout.
> Mainstream media has done stories about this.
>
> Bottom line, spammers are too stupid to write spamming programs.
>
> Blocking legitimate administrators of domains because they are too
> poor to go with Verio is crap.  Everyone was small once.  By your
> policy, ISPs couldn't start.  My former employer, USOL.com, started on
> an 128k ISDN line in 1996.  Using DSL now is no different than that.
> You bigger guys just want money from us.
>
> Any business that wants to run windows servers for example must pay
> double for renting a server or they can pay full colo prices plus buy
> the windows licensing.  Even using freebsd is cheaper on DSL.
>
> For example, I pay 100 bucks a month to rent a FreeBSD server with a
> 1.2 gig celeron, 256 mb ram, and a 20 gig hdd.  I get 100 gig of
> transfer a month.  (my server is in California)  To colo a server in
> Michigan costs 150 dollars on average for a 128 k package.  A
> dedicated DSL package with 384 downstream, 128k upstream with 5 static
> ips from SBC costs around 70 dollars a month.  That's why people use
> DSL to host sites.  It's slow, but cost effective for small businesses.

It's still not a reason for allowing relay from dynamic addresses.
All ISPs, or at least all serious ISPs, provide their customer with a
relaying mailserver. It's a simple task to configure your mailserver to
use your ISP's smtp as smarthost and relay all outgoing email through
them. I know, I use this setup myself, since just like you I can't afford
"real" connections everywhere but have to rely on cheap DSL or cable.
Today it's far too easy to get your email out on the 'net. Even the "high
school dropouts" as you call the spammers can buy a cheap DSL
connection, set up a mailserver and spam like crazy until the ISP gets
enough complaints to cut them off. When that happens, they get a new
connection and start all over.

As long as we rely on the old and very outdated SMTP protocol that
powers the net today, precautions will have to be taken very soon, or
email will be useless in a few years.

--
R


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-06 Thread Bill Campbell
(quoted text below reformatted to cure severe long/short-itis).

On Wed, Aug 06, 2003 at 11:19:57AM -0500, Doug Poland wrote:
>Hello,

>This isn't so much a FreeBSD topic but a comment and a request for
>resources.  As a long time FreeBSD admin/user I know this is a large,
>diverse, and eloquent community of technical users.  I hope someone can
>point me to a resource or group of users that address this policy.

>Within the last two months both AOL and Time Warner Road Runner have
>implemented port 25 blocks from hosts with IP addresses in the "dynamic
>address space".  Time Warner claims other major ISPs are/will be
>implementing the same policy.

This ``dynamic address space'' is generally devoted to dialup connections,
and DHCP assigned IPs for broadband customers, most of whom are restricted
by their contracts from running any servers.  Their customers are supposed
to send all outgoing mail out through their provider's mail servers.

>Is anyone else uneasy with this trend?  Maybe it's just me and I don't like
>being discriminated against because I don't have the money to own static IP
>addresses.  One would think groups of responsible and technically competent
>users would be organizing against this trend and attempting to make their
>voice heard.

For every *bsd/Linux/Unix user who has enough clue to run servers properly,
there are thousands of clueless folks who connect their Microsoft Windows
viruses directly to the Internet where they're subject to abuse from the
outside world.  It wouldn't be so bad if all the abusers could do is steal
data or corrupt the end-user's machines, and couldn't use them as launch
points for further abuse.  When the ``Code Red'' and ``Nimda'' worms were
at their height, most of the traffic in our Apache logs originated from the
major U.S. cable provider's networks.  This prompted several of the cable
providers to start blocking port 80 to their customer's systems which cut
this source of traffic down significantly.

Our solution for our customers who're running on dynamic broadband
connections is to set up their mail to use uucp over TCP with domains that
MX through our servers here.  I've never had any problems with cable or DSL
providers blocking the uucp ports.  A secondary benefit is that the
customer's e-mail addresses haven't changed in the @HOME->ATTBI->COMCAST
transitions over the last year or so.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:   camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``When dealing with any spammer, one must always keep in mind that you
are dealing with someone who makes their living through forgery, fraud,
theft, subterfuge and obfuscation.  Stated simply, spammers lie.''
 David Ritz <[EMAIL PROTECTED]>


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-06 Thread Doug Poland
On Wed, Aug 06, 2003 at 11:37:21AM -0500, Bruce Pea wrote:
> --On Wednesday, August 06, 2003 12:33 PM -0400 Steve Hovey 
> >
> >I now block ip's with no reverse dns
> 
> We are doing this as well. We get a fair number of complaints from people 
> whose mail doesn't get delivered but we tell them to fix their DNS so we 
> know someone isn't trying to spoof us. So far, 23 out of 25 organizations 
> complaining have fixed their DNS.
> 
This isn't a reverse DNS issue.  This is the connecting host with an
IP address in a range ISPs have decided is "dynamically assigned".
This IP address range is then blocked from connecting on port 25. I
believe the FreeBSD mail servers use reverse DNS to help control spam
and I'm OK with that.  I have resolvable DNSs but am being blocked
because my IP is in Roadrunner's 24. network.

-- 
Regards,
Doug


Re: ISPs blocking SMTP connections from dynamic IP address space

2003-08-06 Thread Steve Hovey

Unfortunately, dynamic usually means not a business - which often means
spam - and we are all losing hair over the war on spam.

I now block ip's with no reverse dns


On Wed, 6 Aug 2003, Doug Poland wrote:

> Hello,
> 
> This isn't so much a FreeBSD topic but a comment and a request for
> resources.  As a long time FreeBSD admin/user I know this is a large,
> diverse, and eloquent community of technical users.  I hope someone can
> point me to a resource or group of users that address this policy.
> 
> Within the last two months both AOL and Time Warner Road Runner have
> implemented port 25 blocks from hosts with IP addresses in the "dynamic
> address space".  Time Warner claims other major ISPs are/will be
> implementing the same policy.
> 
> I support several smaller organizations computer infrastructures.  The
> server backbone in all these orgs is FreeBSD and they all have SMTP
> servers with IP addresses in the "dynamic" space.  More of our outgoing
> mail is starting to bounce as these ISPs bring these new policies online.
> 
> Is anyone else uneasy with this trend?  Maybe it's just me and I don't
> like being discriminated against because I don't have the money to own
> static IP addresses.  One would think groups of responsible and
> technically competent users would be organizing against this trend and
> attempting to make their voice heard.
> 
> A little help here?
> 
> -- 
> Regards,
> Doug
> 
> 
> 
