RE: FW: The worst abuse e-mail ever, sverige.net
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Mikael Abrahamsson Sent: Tuesday, September 21, 2004 1:01 PM
As I said, this is DSL, which to me implies always on. Each DSLAM port only allows one IP address, this is set statically. The customer has a static IP address assigned to him/her, which never changes over time. No DHCP, nothing dynamic whatsoever. If you want to make yourself unreachable to one of our customers you blacklist their IP which is always the same. Simple.
We configure our DSL customers the same way you do. Static PVC, Static IP. Each user has a static IP and in 99% of the cases, we do not assign any dynamic IPs. However, I would say that it is safe to say that the majority of the ILECs here in the US provide DSL service where the IP is dynamic. Most of the time, it doesn't change, but it is very possible that the next time that the user logs in (most are also using PPPoE for the connection setup) that the DHCP server might give them another IP. As such, when we have seen our IP blocks get blocked strictly because of the rDNS entry having 'dsl' in it, a simple email to the admins explaining that we are not providing dynamic services has gotten our rDNS entries taken off of the blacklist. -Sean Sean P. Crandall VP Engineering Operations MegaPath Networks Inc. 6691 Owens Drive Pleasanton, CA 94588 (925) 201-2530 (office) (925) 201-2550 (fax)
on Tue, Sep 21, 2004 at 02:04:18PM -0700, Sean Crandall wrote:
We configure our DSL customers the same way you do. Static PVC, Static IP. Each user has a static IP and in 99% of the cases, we do not assign any dynamic IPs.
However, I would say that it is safe to say that the majority of the ILECs here in the US provide DSL service where the IP is dynamic. Most of the time, it doesn't change, but it is very possible that the next time that the user logs in (most are also using PPPoE for the connection setup) that the DHCP server might give them another IP.
As such, when we have seen our IP blocks get blocked strictly because of the rDNS entry having 'dsl' in it, a simple email to the admins explaining that we are not providing dynamic services has gotten our rDNS entries taken off of the blacklist.
Why do you assume that an IP being static, but having generic rDNS showing it to be a DSL line, automatically makes it worthy of relaying or sending mail? I certainly don't make that assumption - rather the opposite, given my experience of the past three years. In my view of the universe, IPs with generically named rDNS should never emit mail except by way of a suitably configured MTA, which ought to have non-generic rDNS, preferably of the sort 'mail.$domain' where abuse@$domain is a live account manned by an abuse desk, rather than a generic '1-2-3-4.assignmenttype.technologytype.bigisp.example.net', where complaints to abuse@example.net may or may not make any difference.

In the past 60 days, we've refused mail from:
- ip-69-33-132-156.nyc.megapath.net (claimed to be 'hal.org', and sender was a yahoo.com account)
- ip-66-80-96-99.aus.megapath.net (claimed to be 'asu.edu', and sender was an asu.edu account)
- ip-66-80-90-195.iad.megapath.net (claimed to be 'ccs1.clinicofcosmeticsurgery.com', sent to an inactive account)
- ip-66-80-206-37.lax.megapath.net (claimed to be 'mail.totexusa.com', sent to my account - I don't know anyone at 'totexusa.com'; both messages were backscatter from a joe job)

Were we wrong to do so? I don't think so. Static or dynamic, makes little difference. Today's email services require more than the current status quo. And I haven't seen any reason to adjust my policy.

I'm left with the overall impression from many on this thread that in the view of many ISPs, DNSBLs have removed the ISP's burden of policing their own networks. And that's a shame.

Steve

PS: this message certified "ad hominem free" :/

-- join us! http://hesketh.com/about/careers/web_designer.html join us! hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!
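An added example, not code from Steve or anyone else in this thread: a small Python heuristic for the "generic rDNS" names the post above refuses mail from. It assumes the three patterns the thread describes (the address's own octets embedded in a label, a technology or assignment word such as "dsl" or "pool" in the leading label, and a technology word as its own label under the ISP domain). Every address and hostname in it is constructed from documentation ranges, except the megapath.net naming pattern quoted above; `is_generic_rdns` and `mail_policy` are names chosen here.

```python
# Added example, not code from anyone in this thread. Heuristic classifier for the
# "generic rDNS" names the post above refuses mail from: per-address names with the IP
# (or a run of its octets) embedded in a label, or access-technology words such as
# "dsl" in the name. All hostnames and addresses below are constructed
# (documentation ranges), except the megapath.net pattern quoted from the thread.
import ipaddress
import re

# Words that in practice mark an automatically generated per-customer name.
GENERIC_WORDS = {
    "dsl", "adsl", "sdsl", "cable", "dialup", "dial", "ppp", "pppoe",
    "dyn", "dynamic", "dhcp", "pool", "res", "cust", "client", "user",
}

# Three or four decimal groups separated by "-" or ".", not glued to other digits.
OCTET_RUN = re.compile(
    r"(?<!\d)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?:[-.](\d{1,3}))?(?!\d)"
)


def is_generic_rdns(ip: str, name: str) -> bool:
    """True when `name` looks like a machine-generated reverse name for `ip`."""
    labels = name.lower().rstrip(".").split(".")
    addr = ipaddress.ip_address(ip)
    octets = addr.exploded.split(".") if addr.version == 4 else []

    # Rule 1: the address's own octets appear in the name (e.g. ip-69-33-132-156.nyc.…).
    for m in OCTET_RUN.finditer(name):
        groups = [g for g in m.groups() if g is not None]
        if len(groups) >= 3 and all(g in octets for g in groups):
            return True

    # Rule 2: leading label built from a technology/assignment word plus a number
    # (e.g. dsl-pool-23.bigisp.example.net).
    head_words = re.split(r"[-_]", labels[0])
    if any(w in GENERIC_WORDS for w in head_words) and any(c.isdigit() for c in labels[0]):
        return True

    # Rule 3: a technology word as its own label somewhere under the ISP domain
    # (the "dsl" in the rDNS that got whole blocks listed, as Sean describes).
    if any(label in GENERIC_WORDS for label in labels[1:-2]):
        return True

    return False


def mail_policy(ip: str, name: str) -> str:
    """Decision for a connecting host, in the spirit of the post above:
    generic names are refused, everything else goes on to the normal checks."""
    return "refuse: generic rDNS" if is_generic_rdns(ip, name) else "continue checks"


if __name__ == "__main__":
    samples = [  # constructed, except the first, whose pattern is quoted from the thread
        ("69.33.132.156", "ip-69-33-132-156.nyc.megapath.net"),
        ("192.0.2.4", "192-0-2-4.static.dsl.bigisp.example.net"),
        ("198.51.100.23", "dsl-pool-23.bigisp.example.net"),
        ("198.51.100.7", "host7.dsl.bigisp.example.net"),
        ("203.0.113.25", "mail.example.com"),
        ("203.0.113.26", "mx2.example.net"),
    ]
    for ip, name in samples:
        print(f"{name:50s} {mail_policy(ip, name)}")
```

This is a per-connection policy hook rather than a list lookup: the thread's point is that the name itself signals whether anyone is answerable for the host, so a check like this sits next to a DNSBL query, not in place of one, and a site that follows Steve's policy would still whitelist the properly named MTAs it knows.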
I cannot agree to the "block port 25" line of action.

I am a Unix sysadmin, with 15 years of experience as sendmail and DNS expert. I have a DSL line at home, with static IP, and generic rDNS provided by my ISP. Behind it I have a serious Unix server, configured to roughly the same standard that I use at work. I know enough about this business to not trust my ISP with anything more than moving packets to and from my server (and even that is stretching it ;-). I don't want to pay for their lousy mail service, I can do it better myself. And you don't want to let me?

Now, *why* should *I* be punished because the rest of my neighbours have chosen to jump into the commercial bed of an operating system that is a walking invitation to cracking?

The Internet is designed to be end-to-end. I know of ISPs that try to filter out IP telephony to force the users to use and pay for the ISP's VOIP service. Is that OK? No, I thought not. But remember - when VOIP gets deployed really wide and far (like e-mail today), you'll start to receive a lot more abusive phone calls. Why?

This all boils down to cost and cost model. In the real world, the sender pays for the (paper) mail message. In the electronic world, the bigger cost is carried by the recipient. This model will break in the future. It's too d---ned cheap to send out spam, and it'll be too d---ned cheap to sell your stuff over VOIP in the future. We could fight all this, but it takes manpower and competence, and manpower and competence cost real money - money that the customer is not willing to spend ... yet. This is a market problem. It will eventually sort itself out, but stopping serious and sensible people from using the Internet as it is designed, is not the right way to do it. If the Internet is going to survive - the cost model has to change. 
Or, there's another future, where the Internet as we know it, is just a packet transport system, on which we build our own (several) virtual networks which are only reachable by the community (-ies) that we choose. Configuration nightmare. But someone will make money by providing software tools to help us make our worlds as complex as possible (see "NAT" in your dictionary ...) (Hmm. Maybe I should start a BGP feed that blacklists all ISPs that block port 25? Hmm. Hmm. Any takers? :-) Cheers, /Liman #---------------------------------------------------------------------- # There are 10 kinds of people in the world. Those who understand # binary numbers, and those who don't. #---------------------------------------------------------------------- # Lars-Johan Liman, M.Sc. ! E-mail: liman@autonomica.se # Senior Systems Specialist ! HTTP : //www.autonomica.se/ # Autonomica AB, Stockholm ! Voice : +46 8 - 615 85 72 #----------------------------------------------------------------------
on Wed, Sep 22, 2004 at 10:16:41AM +0200, Lars-Johan Liman wrote:
I cannot agree to the "block port 25" line of action.
I am a Unix sysadmin, with 15 years of experience as sendmail and DNS expert. I have a DSL line at home, with static IP, and generic rDNS provided by my ISP. Behind it I have a serious Unix server, configured to roughly the same standard that I use at work.
Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know where to send the abuse reports.
I know enough about this business to not trust my ISP with anything more than moving packets to and from my server (and even that is stretching it ;-). I don't want to pay for their lousy mail service, I can do it better myself.
And you don't want to let me?
I don't mind at all. Get rDNS that provides a clue that you have a clue, and I'm happy as all get out to accept mail from you. Otherwise, you're functionally identical to fifty million spam zombies, as far as I have time to determine. Understand me? You're the /rare exception/.
Now, *why* should *I* be punished because the rest of my neighbours have chosen to jump into the commercial bed of an operating system that is a walking invitation to cracking?
Because that's how things are today. You're a 1-in-50-million chance, as far as I can tell from my mail server. <snip unhelpful Internet architecture lesson> -- join us! http://hesketh.com/about/careers/web_designer.html join us! hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!
schampeo@hesketh.com:
Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know where to send the abuse reports.
I did. "Reverse *what*?" Just to clue you in. They used to have the only two authoritative servers for their reverse zone sitting on the same LAN with the IP#s next to each other. Then that LAN goes out (happens from time to time) there is *NO* rDNS, with the obvious "lame delegation" time-outs from servers I (as a customer of theirs) try to access. (In all fairness, I just checked my facts, and it seems as they have recently improved on that situation.) Like I said, I barely trust them to move bits to my box.
I don't mind at all. Get rDNS that provides a clue that you have a clue, and I'm happy as all get out to accept mail from you. Otherwise, you're functionally identical to fifty million spam zombies, as far as I have time to determine.
Understand me? You're the /rare exception/.
I *understand* that I'm a rare exception. The problem is that the world *won't let me* be a well functioning exception. My ISP won't let me have my own rDNS, and "you" won't let me use port 25 properly.
Because that's how things are today. You're a 1-in-50-million chance, as far as I can tell from my mail server.
With that attitude you're never going to improve things ... Cheers, /Liman
On Thu, 23 Sep 2004, Lars-Johan Liman wrote:
I *understand* that I'm a rare exception.
The problem is that the world *won't let me* be a well functioning exception.
Correction, the world *can't* let you be a well functioning exception. People always scream 'no censorship', but there are only so many more mail servers and preprocessing machines you can throw at a $20/month account. You don't hear me complaining the $0.50 washing powder couldn't get the motor oil out of my velvet shirt. People don't scream 'cripple ware' at the washing powder.
My ISP won't let me have my own rDNS, and "you" won't let me use port 25 properly.
And Unilever won't let me clean my shirt.
Because that's how things are today. You're a 1-in-50-million chance, as far as I can tell from my mail server.
With that attitude you're never going to improve things ...
If you ditched your ISP for the non-service they are offering, and go to one that does allow your rDNS records, things would improve not only for you, but for the world too as this ISP is losing customers and either goes away or changes their policy. The real question is, how much money is it worth to you. But don't put the blame on us for not adding another rack of mailservers so people like you can get their mail out. Paul -- "Non cogitamus, ergo nihil sumus"
On Thu, 23 Sep 2004, Randy Bush wrote:
The problem is that the world *won't let me* be a well functioning exception. Correction, the world *can't* let you be a well functioning exception.
not true. it can but many have decided not to.
Just like I also 'chose' to not read messages tagged by software as spam. There is no choice. Paul -- "Non cogitamus, ergo nihil sumus"
paul@xtdnet.nl:
Correction, the world *can't* let you be a well functioning exception. People always scream 'no censorship', but there are only so many more mail servers and preprocessing machines you can throw at a $20/month account.
Hmm. "You get what you pay for.", you mean? I can If you mean that if I pay enough money, I can get a DSL (or even leased line) service with fixed IP address, and proper rDNS, that is not filtered by recipient MTAs. Sure. I probably could - theoretically.
The real question is, how much money is it worth to you. But don't put the blame on us for not adding another rack of mailservers so people like you can get their mail out.
I'm opposed to marketing systems that actively (means it costs them money) put in restrictions in systems to make me pay more to have them remove it again. It's not worth the 5-fold amount that they will charge me, but if I can't use the 'net properly, it might not be worth connecting to at all, so they'll lose me as a customer. One port blocked is not much to quarrel over in practice, but this is a trend. Mail goes first. Web comes next ("we funnel all your web traffic through our cache"). VOIP is around the corner. It's like a phone system where they won't let you call anyone on the phone system. "If you want to call to this part of the world, you will have to call through our listening station, and if you don't want to do that, you can buy our premium service for $200 per minute." Sorry, it doesn't strike me as tempting at all. The cost cannot be motivated in a personal budget - and it becomes a class thing. "We could only afford limited Internet." No, I don't like it. But then again, I'm just the rare exception ...
Correction, the world *can't* let you be a well functioning exception.
randy@psg.com:
not true. it can but many have decided not to.
Well, what Paul's saying (in my understanding) is "the world *can't* let you be a well functioning exception ... *FOR THAT SMALL AMOUNT OF MONEY*, because their ends will not meet (... with enough overlap ;-)". ... which is probably what you mean too. (Correct me if I'm wrong, Paul.) Cheers, /Liman
On Thu, 23 Sep 2004, Lars-Johan Liman wrote:
paul@xtdnet.nl:
Correction, the world *can't* let you be a well functioning exception. People always scream 'no censorship', but there are only so many more mail servers and preprocessing machines you can throw at a $20/month account.
Hmm. "You get what you pay for.", you mean? I can
If you mean that if I pay enough money, I can get a DSL (or even leased line) service with fixed IP address, and proper rDNS, that is not filtered by recipient MTAs. Sure. I probably could - theoretically.
The real question is, how much money is it worth to you. But don't put the blame on us for not adding another rack of mailservers so people like you can get their mail out.
I'm opposed to marketing systems that actively (means it costs them money) put in restrictions in systems to make me pay more to have them remove it again.
It's not worth the 5-fold amount that they will charge me, but if I can't use the 'net properly, it might not be worth connecting to at all, so they'll lose me as a customer.
One port blocked is not much to quarrel over in practice, but this is a trend. Mail goes first. Web comes next ("we funnel all your web traffic through our cache"). VOIP is around the corner. It's like a phone system where they won't let you call anyone on the phone system. "If you want to call to this part of the world, you will have to call through our listening station, and if you don't want to do that, you can buy our premium service for $200 per minute." Sorry, it doesn't strike me as tempting at all.
If that's the case, then you learn to rise above it with tunneling, IPSEC, VPN or any of a number of technologies that have been around for the past ten years. And yes, this requires a box on the outside. We're in the era of the $50 a month dedicated server, here. If you're trying to put a commercial grade service on a consumer grade line, deal with it. This is getting really far off-topic at this point. We're clear people are of two opinions on things, and nobody's going to change their mind. Anyone care to let it rest? -Dan -- "A mother can be an inspiration to her little son, change his thoughts, his mind, his life, just with her gentle hum." -No Doubt, "Different People", from "Tragic Kingdom" --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---------------------------
Lars-Johan Liman <liman@autonomica.se> wrote:
schampeo@hesketh.com:
Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know where to send the abuse reports. I did. "Reverse *what*?"
I took my home ADSL to a company that delegates appropriate bits of in-addr.arpa to my servers. I suggest you might want to do the same. -- PGP key ID E85DC776 - finger abuse@mooli.org.uk for full key
on Thu, Sep 23, 2004 at 10:37:10AM +0200, Lars-Johan Liman wrote:
schampeo@hesketh.com:
Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know where to send the abuse reports.
I did.
"Reverse *what*?"
So explain it to them in words of two syllables or less, where possible. I recommend using "I am finding a new eye ess pee".
Because that's how things are today. You're a 1-in-50-million chance, as far as I can tell from my mail server.
With that attitude you're never going to improve things ...
/My/ attitude? You're the one giving your money to a bunch of incompetents. -- join us! http://hesketh.com/about/careers/web_designer.html join us! hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com join us! http://hesketh.com/about/careers/account_manager.html join us!
I was just going to stay out of this, but I can't... Steven Champeon wrote:
on Thu, Sep 23, 2004 at 10:37:10AM +0200, Lars-Johan Liman wrote:
schampeo@hesketh.com:
Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know where to send the abuse reports.
I did.
"Reverse *what*?"
So explain it to them in words of two syllables or less, where possible. I recommend using "I am finding a new eye ess pee".
There's plenty of them out there that will welcome you, as well. When I call tech support, I never get the nonsense about rebooting my machine to fix things. In fact, I usually have someone on the line who has heard of Slackware and OpenBSD. You get what you pay for.
Because that's how things are today. You're a 1-in-50-million chance, as far as I can tell from my mail server.
With that attitude you're never going to improve things ...
/My/ attitude? You're the one giving your money to a bunch of incompetents.
You know, it's just not that hard. I have what is termed "Business Class" SDSL, which may be pricier than the average geek wants to pay, but so what? If you want to be treated as _not one of the crowd_ of random clueless users, you need to differentiate yourself in a way that is simple for others, _not for yourself_. I have friends who have only one dedicated IP, but it's from an ISP that takes reverse seriously, and that will happily delegate to them, if desired. It isn't everyone else's responsibility to cater to you, if you can't get even the simplest stuff (rdns) fixed. Oh, and mine isn't delegated to me, but I don't worry about it, since it has a nice rdns that I'm fine with (and I like the anonymity when I browse elsewhere). -- You've confused equality of opportunity for equality of outcomes, and have seriously confused justice with equality. -- Woodchuck
Lars-Johan Liman <liman@autonomica.se> writes:
I cannot agree to the "block port 25" line of action.
I am a Unix sysadmin, with 15 years of experience as sendmail and DNS expert. I have a DSL line at home, with static IP, and generic rDNS provided by my ISP. Behind it I have a serious Unix server, configured to roughly the same standard that I use at work. ... This all boils down to cost and cost model.
Yep, precisely. You're running a business/professional type of configuration on a consumer-grade circuit. Your ISP has to assume that you're Joe or Jane Luddite with an unpatched Windows PC when you buy this configuration, but your requirements are outside of the standard product definition (and best current practices) for consumer b/w. Buy an appropriate connectivity product for your home connectivity and the problems go away. Put your servers in a colo (a la http://www.vix.com/personalcolo/ ) and the problems go away. It costs more to maintain a zone file that is not created by a perl script (ie, your generic rDNS). You can expect to pay for this. Presumably as a Unix sysadmin with 15 years of experience, this is a cost you can afford/justify. ---Rob
On Wed, 22 September 2004 10:40:30 -0400, Robert E.Seastrom wrote: [..]
Buy an appropriate connectivity product for your home connectivity and the problems go away. Put your servers in a colo (a la http://www.vix.com/personalcolo/ ) and the problems go away. It costs more to maintain a zone file that is not created by a perl script (ie, your generic rDNS). You can expect to pay for this. Presumably as a Unix sysadmin with 15 years of experience, this is a cost you can afford/justify.
What will that 1U server help me if I am sending stuff from my Unix box at home via SMTP to it when my IP block is in the various 'dialup' RBLs and ends up in the Received headers, so every SA on the way happily scores it rather high as these RBLs sum up. What would be gained then at the end of it? Alexander
Alexander Koch wrote:
What will that 1U server help me if I am sending stuff from my Unix box at home via SMTP to it when my IP block is in the various 'dialup' RBLs and ends up in the Received headers, so every SA on the way happily scores it rather high as these RBLs sum up. What would be gained than at the end of it?
$ ssh -2 -L2525:your.mail.server:25 you@your.mail.server srs (check my headers and tell me if you can see my home dsl ip)
Alexander Koch <koch@tiscali.net> writes:
On Wed, 22 September 2004 10:40:30 -0400, Robert E.Seastrom wrote: [..]
Buy an appropriate connectivity product for your home connectivity and the problems go away. Put your servers in a colo (a la http://www.vix.com/personalcolo/ ) and the problems go away. It costs more to maintain a zone file that is not created by a perl script (ie, your generic rDNS). You can expect to pay for this. Presumably as a Unix sysadmin with 15 years of experience, this is a cost you can afford/justify.
What will that 1U server help me if I am sending stuff from my Unix box at home via SMTP to it when my IP block is in the various 'dialup' RBLs and ends up in the Received headers, so every SA on the way happily scores it rather high as these RBLs sum up. What would be gained then at the end of it?
Think about what you just wrote -- if things actually worked this way, nobody who ran SpamAss would ever receive any mail. :) (if you're a conspiracy theorist or just weird, set up an ipsec, ssh, or gre tunnel and call it done). What's it buy you? Unblocked ports, control of in-addrs associated with your addresses, data center UPSes, data center cooling, (still subject to Acts of God as recent experiences in NoVA showed, but that's life), not having your *server* in a block that is identified as dialup. ---Rob
AK> Date: Wed, 22 Sep 2004 16:54:20 +0200
AK> From: Alexander Koch
AK> What will that 1U server help me if I am sending stuff from
AK> my Unix box at home via SMTP to it when my IP block is in
AK> the various 'dialup' RBLs and ends up in the Received

Presumably you'd admin the 1U server, and your authenticated SMTPS traffic would be allowed despite RBL listings, yes?

AK> headers, so every SA on the way happily scores it rather
AK> high as these RBLs sum up. What would be gained then at the
AK> end of it?

Huh?! Either you're running { UUCP | some strange multihop relaying } or I'm totally confused. You connect to your colo box directly. There are no other hops along the way.

Eddy -- Everquick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _________________________________________________________________ DO NOT send mail to the following addresses: davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net Sending mail to spambait addresses is a great way to get blocked.
On Wed, 22 Sep 2004 15:44:10 -0000, "Edward B. Dreger" said:
Huh?! Either you're running { UUCP | some strange multihop relaying } or I'm totally confused. You connect to your colo box directly. There are no other hops along the way.
Unless you do final delivery on that hypothetical 1U colo box (presumably to yourself and whoever else you give access to), the mail will almost certainly acquire at least 1 or 2 more Received: lines while getting to the remote site. The problem is that some tools run through *all* the Received: headers looking for borked forward/backward chains or hosts that are in a blacklist. So if they saw the dialup IP address in one of the earliest Received: lines, you'd get scored some dings on the spam-o-meter. After all, 95% of any email that ever passed through a dialup is spam, right? ;) We now return you to our regularly scheduled episode of "What's wrong with this picture?"....
On Wed, 22 Sep 2004, Edward B. Dreger wrote:
AK> headers, so every SA on the way happily scores it rather
AK> high as these RBLs sum up. What would be gained then at the
AK> end of it?
Huh?! Either you're running { UUCP | some strange multihop relaying } or I'm totally confused. You connect to your colo box directly. There are no other hops along the way.
Older versions of SA, especially with custom DNSBL rules, may have had this issue (applying DUL type DNSBL rules to IPs in every Received: header:) but that's been fixed for some time. Welcome to NANOST (North American Network Operators Spam Talk). But seriously, anyone who has an interest in such issues ought to at least occasionally read spam-l or spamtools before posting to nanog about long fixed problems in old software. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
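An added example, not SpamAssassin's code and not anything posted in this thread, contrasting the two behaviours Valdis and Jon describe above: looking up every Received: hop against a DUL-type list, versus looking up only the first hop outside the recipient's own relays. The DNSBL and the trusted-relay list are stand-in sets of documentation-range networks (a real check is a DNS query of the reversed address under the list's zone), both header sets are constructed, and the second set shows what the colo relay records when the home box submits through the ssh port-forward from srs's reply. All function and constant names are chosen here.

```python
# Added example, not SpamAssassin's code nor anything from this thread. Compares
# "check every Received: hop" (the old behaviour Alexander worried about) with
# "check only the first untrusted hop" (the fixed behaviour Jon refers to).
# The DNSBL is an in-memory set of networks, a constructed stand-in for a real
# DUL-type list; all addresses are from documentation ranges.
import ipaddress
import re

# Constructed stand-in for a dialup/DSL-pool list.
DUL_LISTED = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed: the recipient's own MTAs, whose Received: lines we trust.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]

# The first bracketed IPv4 literal in a Received: header is the connecting client.
CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message 1: home DSL box submits directly (ESMTPSA) to a colo relay,
# which forwards to the recipient's MX, which hands off to an internal store.
# Headers are listed topmost (latest hop) first, as they appear in the message.
DIRECT_HEADERS = [
    "Received: from mx.recipient.example ([192.0.2.10]) "
    "by mailstore.recipient.example (Postfix) with ESMTP id 9Z8Y7X",
    "Received: from colo.example.net (colo.example.net [203.0.113.5]) "
    "by mx.recipient.example (Postfix) with ESMTP id 1A2B3C",
    "Received: from home.example.net (dsl-pool-23.bigisp.example.net [198.51.100.23]) "
    "by colo.example.net (Postfix) with ESMTPSA id 4D5E6F",
]

# Constructed message 2: same path, but the home box submits through an ssh
# port-forward (as in srs's "ssh -L2525:..." reply), so the relay sees loopback.
TUNNELLED_HEADERS = [
    "Received: from mx.recipient.example ([192.0.2.10]) "
    "by mailstore.recipient.example (Postfix) with ESMTP id 3W2V1U",
    "Received: from colo.example.net (colo.example.net [203.0.113.5]) "
    "by mx.recipient.example (Postfix) with ESMTP id 7A8B9C",
    "Received: from home.example.net (localhost [127.0.0.1]) "
    "by colo.example.net (Postfix) with ESMTPSA id 0D1E2F",
]


def received_ips(headers):
    """Connecting-client IP from each Received: header, topmost first."""
    ips = []
    for h in headers:
        if h.lower().startswith("received:"):
            m = CLIENT_IP.search(h)
            if m:
                ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def dul_listed(ip):
    return any(ip in net for net in DUL_LISTED)


def trusted(ip):
    return any(ip in net for net in TRUSTED_RELAYS)


def hits_every_hop(headers):
    """Old behaviour: every hop in the chain is looked up, so a listed home
    address deep in the headers still scores."""
    return [str(ip) for ip in received_ips(headers) if dul_listed(ip)]


def hits_untrusted_boundary(headers):
    """Fixed behaviour: walk down past our own trusted relays and look up only
    the first untrusted hop, the host that actually handed us the mail."""
    for ip in received_ips(headers):
        if trusted(ip):
            continue
        return [str(ip)] if dul_listed(ip) else []
    return []


if __name__ == "__main__":
    for label, hdrs in (("direct", DIRECT_HEADERS), ("tunnelled", TUNNELLED_HEADERS)):
        print(label, "every hop:", hits_every_hop(hdrs),
              "boundary:", hits_untrusted_boundary(hdrs))
```

With the direct submission, only the every-hop scorer flags the DSL address; with the tunnelled submission neither does, because the relay never saw the home IP, which is the effect srs was pointing at. The boundary scorer only stays correct if the trusted-relay list really contains every MTA of your own that adds a Received: line, otherwise a hop of your own is looked up as if it were the sender.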
On Wed, 22 Sep 2004 12:52:54 EDT, Jon Lewis said:
Older versions of SA, especially with custom DNSBL rules, may have had this issue (applying DUL type DNSBL rules to IPs in every Received: header:) but thats been fixed for some time.
In many cases, "fixed" != "deployed", unfortunately. And that adoption curve has got a LONG tail at the far end going to infinity, because some sites will never upgrade. Has anybody done a comparison for different instances of this same problem (for instance, rate of fixing of 69/8 filters, open SMTP relays, installing a Microsoft 'critical' software fix, patching bind/ssh/apache/whatever after a vulnerability is found), to see if the underlying curve has similar characteristics? I'm familiar with Eric Rescorla's "Security Holes - Who cares?" paper (http://www.rtfm.com/Upgrade-usenix.pdf) and Beattie, Arnold, Cowan, Wagle, and Wright's "Timing the Application of Security Patches for Optimal Uptime" from LISA XVI - any other cites, especially for those that succeed in mathematically modelling it in the real world well enough to make predictions from?
On Wed, 22 Sep 2004 Valdis.Kletnieks@vt.edu wrote:
Has anybody done a comparison for different instances of this same problem (for instance, rate of fixing of 69/8 filters, open SMTP relays, installing a
Coworkers keep breaking the SQL db access, and when I notice it broken, I fix it...but http://69box.atlantic.net/cgi-bin/bogon still lists several hundred networks with 69/8 issues. They're still slowly getting fixed. I just found several listed IPs that are finally reachable from 69/8. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Let's move this thread to some place where people love to talk about spam: http://www.claws-and-paws.com/spam-l/spam-l.html -- spam-l list for spam prevention and discussion http://www.abuse.net/spamtools.html -- spam tools list for software tools that detect spam net.admin.net-abuse.email | net.admin.net-abuse.usenet -- usenet lists
At 10:16 AM +0200 9/22/04, Lars-Johan Liman wrote:
I cannot agree to the "block port 25" line of action.
You block port 25 until a customer claims to have set up a responsible mail submission agent and demonstrates the necessary clue density. This can be readily determined by having customer support mail a short form with relevant questions such as "Is your mail server RFC2505 compliant?", "Please list the mechanism used to secure mail submission to your server?", and "Are you prepared to handle SPAM reports for all email originated or relayed?" No problem for someone who knows what they're doing but enough to deter the random end user. /John
At 10:16 AM +0200 9/22/04, Lars-Johan Liman wrote:
I cannot agree to the "block port 25" line of action.
You block port 25 until a customer claims to have set up a responsible mail submission agent and demonstrates the necessary clue density.
[ we have had this discussion before. how many times are we doomed to have it? ] in the north american culture, this is usually termed "guilty until proven innocent," and generally discouraged. perhaps we should not deprive the customer of rights/services until they have been shown to have abused them? lars-johan's posting was a wonderfully eloquent plea for the survival of the internet, as opposed to the walled-garden telco model. randy
At 4:51 PM +0100 9/22/04, Randy Bush wrote:
in the north american culture, this is usually termed "guilty until proven innocent," and generally discouraged. perhaps we should not deprive the customer of rights/services until they have been shown to have abused them?
I am *so* happy that the power grid doesn't operate this way... fuses and circuit breakers are there in your home, the pedestal, and the pole for good reason. Call your power company if you want to upgrade *and* can demonstrate appropriate certified electrical work in advance. /John
in the north american culture, this is usually termed "guilty until proven innocent," and generally discouraged. perhaps we should not deprive the customer of rights/services until they have been shown to have abused them?
I am *so* happy that the power grid doesn't operate this way...
i think history has disabused the apocrypha that the telco or the power grid are so reliable randy
On Sep 22, 2004, at 12:06 PM, John Curran wrote:
At 4:51 PM +0100 9/22/04, Randy Bush wrote:
in the north american culture, this is usually termed "guilty until proven innocent," and generally discouraged. perhaps we should not deprive the customer of rights/services until they have been shown to have abused them?
I am *so* happy that the power grid doesn't operate this way... fuses and circuit breakers are there in your home, the pedestal, and the pole for good reason. Call your power company if you want to upgrade *and* can demonstrate appropriate certified electrical work in advance.
I'm *so* happy the sidewalks don't operate this way. Can you imagine asking for permission every time you wanted to cross the street? And being _licensed_ for it? That was not a commentary on whether we should or should not block port 25. I _am_ saying we should not use analogies to justify it one way or the other, since this is really a rather new, different thing. (BTW: That includes the cultural thing Randy said too, although I am an American and absolutely identify with what he said.) We've done pretty well in the past letting each operator decide on their own about new ideas, and the majority can ostracize the bad apples. Then again, I did say this is new, and I meant it, so perhaps even past Internet experience might not be enough.... There, I think I've said absolutely nothing, so I'm right in keeping with this thread in general. Back to your regularly scheduled flame fest. :) -- TTFN, patrick
Randy Bush <randy@psg.com> writes: <reductio ad absurdum comments about American jurisprudence elided>
lars-johan's posting was a wonderfully eloquent plea for the survival of the internet, as opposed to the walled-garden telco model.
In a vacuum, we all agree with him. He should be sending his plea to Redmond, from whence comes the vulnerable software that makes this stopgap BCP necessary. ---Rob
jcurran@mail.com:
You block port 25 until a customer claims to have set up a responsible mail submission agent and demonstrates the necessary clue density.
Then in all fairness block also port 80. A comparable amount of junk is sent using port 80.
This can be readily determined by having customer support mail a short form with relevant questions such as "Is your mail server RFC2505 compliant?", "Please list the mechanism used to secure mail submission to your server?", and "Are you prepared to handle SPAM reports for all email originated or relayed?" No problem for someone who knows what they're doing but enough to deter the random end user.
Ditto | sed -e 's/25/80/' -e 's/SMTP/HTTP/' -e 's/MIME/HTML/' :-) Cheers, /Liman
On Wed, 22 Sep 2004, Lars-Johan Liman wrote:
It's too d---ned cheap to send out spam, and it'll be too d---ned cheap to sell your stuff over VOIP in the future.
But we've fixed that! We added an ENUM layer with DNSSEC on top of it. So now we can decide what to tell our potential callers without them being able to spoof it. Like "do not disturb me now". Oh yeah, and we'll use the phone number as index for all this information! Now if you'll excuse me, I'll go sob in the corner over there..... Paul -- "Non cogitamus, ergo nihil sumus"
As such, when we have seen our IP blocks get blocked strictly because of the rDNS entry having 'dsl' in it, a simple email to the admins explaining that we are not providing dynamic services has gotten our rDNS entries taken off of the blacklist.
I don't particularly like a situation where an outside party has to "guess" if another ISP's address is dynamic or static and should or should not be a source of email. This is not helpful either to ISPs and their customers nor to those trying to filter email and guess which IPs are good and bad. Let's suppose there was a standardized way that ISPs could enter in their DNS a policy record that says that a certain IP address is/is not used for sending email. Would you be interested in using this?

If you answer yes and would like to help towards such a standard, please go through the questions I put below. Your answers will go toward a draft which has a good chance of being used as part of Unified SPF. To help with creating something that will work well for ISPs as well as for end-users, I'd like to receive answers from both major ISPs and smaller networks and small mail operators, but please answer in private so as not to anger the moderators of this mail list. If you do want to discuss any particular details of the email policy technology, I'd request that you sign up for the SPF discuss mail list: http://spf.pobox.com/mailinglist.html

Now here are the questions I'd like to receive feedback on:
-------------------------------------------------------------------

1. Are you ISP? What size?
   a. Major ISP (> 20,000 customers)
   b. Small or mid-size ISP
   c. End-user network customer who runs a mail server. Specify if it's on
      i. a dedicated line or co-located box
      ii. DSL or cable (residential variety)
   d. End-user who does not run own mail server

2. If you're ISP are you willing to quickly deploy these records if such a standard becomes available? If so, how quickly can you deploy it?
   a. 1-6 months
   b. 6-12 months
   c. > 12 months
   d. Would not deploy it

3. Are you willing to configure/upgrade your email server to check for these policy records and reject SMTP connections based on these records?
   a. Yes - will rely solely on these records
   b. No - will never deploy this
   c. Will not reject SMTP connections based solely on this record, but willing to make it part of an overall email filtering system (i.e. adds points to SpamAssassin or similar)

4. Many users and even RIRs have expressed doubts about relying on IN-ADDR and said it has technical problems and/or that IN-ADDR zones are badly maintained by ISPs and that we should not rely on it. Do you agree?
   a. No - IN-ADDR is well maintained by RIRs and ISPs
   b. Yes - IN-ADDR is BAD and can't be fixed, we should not rely on it
   c. There are deployment issues with IN-ADDR due to how ISPs use it, but technically it's good and we can rely on it.
   If you answered c: Does your ISP maintain IN-ADDR zones for all its IPs and do you quickly update them based on your customers' requests?
      i. Yes we do. We update zones in < 1 day per customer requests
      ii. We maintain it, but don't update it as often as may be needed. We're willing to make an effort and answer tech support from customers in regards to in-addr records in < 24 hours or quicker (same level of support you provide for customer domains hosted on ISP DNS servers).
      iii. We don't maintain IN-ADDR records at all, but are willing to do it if it becomes a requirement for email

5. Would you prefer email policy records be entered in the IN-ADDR zone for each IP, or would you prefer them to be entered as part of the HOST record for the PTR address of the IP?
   a. IN-ADDR zone
   b. PTR HOST record
   c. Neither - prefer a different alternative. Specify: ______________
   Note: When thinking about this answer to #5 please also go back to question #4 and think what would be easier for you (as an ISP or end-user) to maintain and provide the ability to update if you or your customers need to be able to update it.

6. The suggestion has been made to allow the DNS policy record for the SMTP mail server as used in EHLO to override the policy record for the IP, as a way to get around non-cooperative or slow ISPs that don't let their customers control what record is in the IN-ADDR zone. What do you think about this?
   a. No, we should not allow any other mail policy to override the email record for the IP
   b. Yes, it is ok if other policy records override IP records.
   c. It is ok for most cases when some other email policy record can override IP policy records, but in some cases ISPs do need to specify records that can not be overridden.

7. For the policy record would you prefer to just say that no email is to come from the IP, or would you prefer to be able to specify a more complex record:
   a. Prefer to have two choices (outgoing SMTP yes/no)
   b. Prefer to have more than two choices:
      i. Three choices:
         - Full mail server exists on IP
         - IP only used as source of submission by end-users
         - No email connections should be sent
      ii. More than three choices. Explain what you would like to see: ___________________________

8. Would you like to have an option as part of the policy record that can be used so that other email servers when they see SMTP connection from certain ip would report back to you if ip is used for outgoing email connections?
   a. No, we don't need it
   b. Yes, I'd like to see it as an option but will not use it much
   c. Yes, I'd like to see it and will set it up for many IPs

9. Would you like to have an option as part of the policy record that lets specify who the administrator is to contact in case email does come from the specified IP that somebody does not like:
   a. No, we do not need this - users should do whois on the IP for abuse reports.
   b. Yes, this is a good option, but we will not use it much
   c. Yes, this is a good option and we'll use it for many IPs

10. Would you like to have an option of contact information as part of the policy record that can be used in 500 rejects and bounces? (i.e. if you set a policy record that says no email is to come from the IP, an additional email address is added, and when email is rejected the email server would include that info so that whoever is trying to send the email would be notified.)
   a. We don't need it. Since whoever is using the IP is already a customer, they should already know who to contact.
   b. Yes, this is a useful option

11. If you answered yes on #9 or #10, would you be ok if there was only one policy record of email contact for the IP, with a different meaning depending on whether email from the IP is to be rejected or accepted?
   a. Yes - dual meaning is ok
   b. No - the contact info option should be for one or the other

12. Do you consider that these email policy records for IPs would be an alternative to ISP port 25 blocking or a complementary technology that can be used together with it?
   a. Yes.
   b. No

No matter how you answer 12 (both for yes and no), I request that you justify your answer below and tell in your own words why email policy records would or would not be useful and why port 25 blocking can or can not continue to be promoted as the proper way for ISPs to prevent email abuse from their networks:
------------------------------------------------------------------------

If you took the time to complete this questionnaire, I really appreciate your contribution, and if you do have any particular ideas in this area, please feel free to also include them. All this input will go towards a draft that we hope can be published as an EXPERIMENTAL RFC within the next 6 months, and if it becomes widely used this may well become a full internet standard. Thank you for your time.
-- William Leibzon, Elan Networks, william@elan.net
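To make the proposal above concrete, here is an added illustration (not William's draft, which defines no record syntax) of how a receiving MTA might evaluate such a policy: the record format (ippol/override/contact), the policy states from question 7, the EHLO-host override with a non-overridable IP record from question 6, and the contact address surfaced in a reject from question 10 are all assumptions, and an in-memory table stands in for DNS so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS (query name -> TXT).  The record syntax
# (ippol/override/contact) is assumed here; the draft defined none yet.
FAKE_DNS = {
    "10.2.0.192.in-addr.arpa.": "ippol=none; override=no; contact=abuse@example.net",
    "20.2.0.192.in-addr.arpa.": "ippol=submit",
    "30.2.0.192.in-addr.arpa.": "ippol=none; override=yes",
    "mx.customer.example.": "ippol=full",
}

def reverse_name(ip):
    """Name in the IN-ADDR zone under which the IP's policy would live."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def parse_policy(txt):
    """Turn 'k=v; k=v' into a dict; parts without '=' are ignored."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields

def lookup(name):
    txt = FAKE_DNS.get(name)
    return parse_policy(txt) if txt else None

def evaluate(ip, ehlo_host):
    """Decide what to do with an SMTP connection from ip announcing ehlo_host.
    ippol=full: accept.  ippol=submit: submission-only, so relaying only adds a
    filter score (3c).  ippol=none: reject, naming the contact (10).  A policy
    on the EHLO host overrides the IP policy unless the IP record says
    override=no (6c).  No record at all is 'neutral', not a rejection.
    """
    ip_pol = lookup(reverse_name(ip))
    host_pol = lookup(ehlo_host.rstrip(".") + ".")
    pol = ip_pol
    if host_pol and (ip_pol is None or ip_pol.get("override", "yes") == "yes"):
        pol = host_pol
    if pol is None:
        return ("neutral", "no policy record")
    state = pol.get("ippol")
    if state == "full":
        return ("accept", "full mail server")
    if state == "submit":
        return ("score", "submission-only address seen relaying")
    if state == "none":
        contact = pol.get("contact", "the address owner")
        return ("reject", "550 mail not expected from %s; contact %s" % (ip, contact))
    return ("neutral", "unknown policy value %r" % state)
```

Note that an absent record yields "neutral" rather than a reject, which is the point of the proposal: the receiver acts on what the address owner published, not on a guess from the rDNS name.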
Now here are the questions, I'd like to receive feedback on: -------------------------------------------------------------------
1. Are you ISP? What size?
I am ISP. Well rather, I'm AN ISP. Okay, so I just operate one, but you get the gist.
2. If you're ISP are you willing to quickly deploy these records if such standard becomes available? If so how quickly can you deploy it -
"If you're ISP"? Who's asking the questions, Ali G?
3. Are you willing to configure/upgrade your email server to check for these policy records and reject SMTP connection based on these records?
No, because I already utilize multiple DNS-based blacklists which do precisely that (blocking dynamically assigned dialup/cable/DSL address pools), as part of SpamAssassin and other spam filtering mechanisms.
4. Many users and even RIRs have expressed doubts about relying on IN-ADDR and said it has technical problems and/or that IN-ADDR zones are badly maintained by ISPs and that we should not rely on it. Do you agree?
No need to look at in-addr. See above.
6. The suggestion that has been made to allow DNS policy record for SMTP Mail server as used in EHLO to override policy record for IP as a way to get around non-cooperative or slow ISPs that don't let their customers control what record is in the INADDR zone. What do you think about this?
Don't take it personally, but I think that's a bad idea.
7. For the policy record would you prefer to just say that no email is to come from the ip or would you prefer to be able to specify more complex record:
"For the policy record"? Are you an officer of the court? Columbo? What "record" are you keeping, and for which organization(s)? Did Ray P. step down and make you the CEO of ARIN?
8. Would you like to have an option as part of policy record that can be used so that other email servers when they see SMTP connection
That doesn't parse. "SMTP connections"? Or "a SMTP connection"?
from certain ip would report back to you if ip is used for outgoing email connections?
Yes. I'd hope IP is being used for e-mail connections. It sure beats the alternatives, such as DECnet, AppleTalk, and IPX.
9. Would you like to have an option as part of policy record that lets specify who the administrator is to contact in case
Depends. Lets who specify?
12. Do you consider that these email policy records for IPs would be an alternative for ISP port 25 blocking or a complementary technology that can be used together with it?
No. Again, you're reinventing the wheel unnecessarily. See existing DNSBLs.
participants (19): abuse@cabal.org.uk; Alexander Koch; Dan Mahoney, System Admin; Edward B. Dreger; Etaoin Shrdlu; John Curran; Jon Lewis; Lars-Johan Liman; Patrick W Gilmore; Paul Wouters; Randy Bush; Ricardo "Rick" Gonzalez; Robert E. Seastrom; Sean Crandall; Steven Champeon; Suresh Ramasubramanian; Susan Harris; Valdis.Kletnieks@vt.edu; william(at)elan.net