I've personally seen them blackhole a customer ip and never contact them. The excuse was that, normally, their customers can't get the mail because it's a mailserver that gets blacklisted. I'm not sure that it's an excuse. I don't even mind that they blackholed a security problem. It's the lack of contact in association with the action that I consider bad customer service. Eric Krichbaum, Chief Engineer Citynet -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Patrick W.Gilmore Sent: Monday, April 19, 2004 12:26 PM To: nanog@merit.edu Cc: Patrick W.Gilmore Subject: Re: Anyone from AT&T here? (AT&T bogus DNSBL answers) On Apr 19, 2004, at 11:54 AM, Michael.Dillon@radianz.com wrote:
"I finally talked to someone who knows what the problem is. Your sbl sites have been blocked by the standard DNS forwarders supplied by ATT. This is due to the workload being generated on them from mailservers."
Duh! This is really dumb.
It's not dumb at all.
Yes, it is. It is not only dumb, it is a disservice to their customers. AT&T is intentionally distributing known bad information. Worse, they hid this fact from their customer. When customers called the AT&T support line to find out what happened, they were told nothing was wrong and it must be on the customer side. My understanding is this was an intentional lie. Lying to your customers is a Bad Thing [tm], IMHO. Perhaps it was just a bunch of front line people who did not know / understand, but considering that they made a change which they knew - they *KNEW* - would break things, they should have made damned sure each and every front line person was prepared for the customer calls. They did not, so they are at best guilty of pathetically poor customer service, and possibly guilty of outright lying to their customers. If I paid AT&T for name service (even as part of a larger package of offerings - e.g. transit), I would be *VERY* upset.
DNSBLs are using the DNS to do general purpose database lookups instead of using a generic database lookup protocol like LDAP. It's not surprising that this sort of ugly hack has unintended side effects. After all, people who build DNS infrastructure intend it to be used to for generic DNS translations, not generic database lookups.
A DNS query is a database lookup. It is probably the most widely distributed, robust database ever designed an implemented. But it is a database, and the DNSBL queries are well formed DNS queries. The only difference between a DNSBL query and a normal host lookup is the source zone file and rate. I wonder if Google gets too many DNS hits if AT&T will decide to filter that zone?
Funny thing is that most mailer software that uses DNSBLs also supports LDAP database lookups so there is really no good reason why DNSBLs exist in the first place.
Have the mailers always supported LDAP? Do all firewalls which work as MTAs in many 1000s of corporations allow LDAP queries by default? Perhaps the creators and maintainers of the DNSBLs like to use DNS and do not like LDAP? There are many, many possible "good reasons" for the DNSBLs to exist.
IMHO, the DNSBL experiment has proved the usefulness of having a variety of blacklist/whitelist/greylist databases for mail servers to query. It's high time that folks shift these databases onto a protocol that does not interfere with the Internet's critical DNS systems and I believe that LDAP is that protocol.
That is possible, and much more reasonable than claiming that they have no good reason to exist in the first place. If you believe this so fervently, perhaps you should put in effort to make it happen, instead of discarding out of hand the effort, time, and money the current maintainers have donated out to make the community better. -- TTFN, patrick