Sometime mid last week, one of my clients--a state chapter of a national association--became unable to send to all of their AOL members. Assuming it was simply that AOL's servers were inundated with infected emails, I gave it some time. The errors were simply "delay" and "not delivered in time specified" errors. Well, it was still going on today. So, I went on site and upped the logging on the server. What to my surprise did appear but a nice little message informing us that "I'm sorry, your IP is dynamically assigned and aol doesn't accept dynamic IPs."

WTF. This IP is NOT dynamic. The client has had it for about two years.

I just looked on their website to file a complaint and ask how they determined what was dynamic and what was static and couldn't find a contact email address. I did find the following statement: "AOL's mail servers will not accept connections from systems that use dynamically assigned IP addresses." It was on the following page: http://postmaster.info.aol.com/standards.html

So, since I know someone from AOL does lurk on this list, what's my recourse? Feel free to email me offlist. Thanks.

On a side note, my client is also curious who's going to help pay the bill that they shouldn't have needed to pay me due to AOL changing policy and blocking them needlessly. Unless AOL is downloading the entire routing pools from all ISPs on a daily basis, how do they know which IPs are dynamic and which are static;) And, since static IPs can actually be assigned out of a DHCP pool as well, even that won't work.

--
-Susan
--
Susan Zeigler | Technical Services
szeigler@spindustry.com | Spindustry Systems
515.225.0920 | "You cannot strengthen the weak by weakening the strong." -- Abraham Lincoln
****************************************************************
Spindustry Systems, Inc.
DES MOINES / CHICAGO / INDIANAPOLIS / DENVER
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message including any attachments.
At 02:34 AM 8/28/2003 -0500, Susan Zeigler wrote:
> WTF. This IP is NOT dynamic. The client has had it for about two years.

What is the IP address they are rejecting?

> Unless AOL is downloading the entire routing pools from all ISPs on a daily basis, how do they know which IPs are dynamic and which are static;)

What would BGP tables tell you about internal routing and DNS?

---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
Mike Tancsa wrote:
> At 02:34 AM 8/28/2003 -0500, Susan Zeigler wrote:
>> WTF. This IP is NOT dynamic. The client has had it for about two years.
>
> What is the IP address they are rejecting?
>
>> Unless AOL is downloading the entire routing pools from all ISPs on a daily basis, how do they know which IPs are dynamic and which are static;)
>
> What would BGP tables tell you about internal routing and DNS?
>
> ---Mike
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike
It's 216.161.123.79. The IP does match forward and reverse.

As a few others have mentioned, the mail server behind their firewall is handling outbound mail only. It pops their inbound mail from another source. We've chosen this solution due to how their membership database is integrated with the address books in their Exchange server and due to the limitations that their mail service provider has put on them--not to mention the fact that their mail service provider has been unstable in the past for sending. The Internet service provided is great, they just can't do mail well.

I've got an external server I can relay through if need be--and since their IP _IS_ static, it's not really a problem. It just ticks me off because I know there are a lot of others who will be in this boat.

--
-Susan
--
Susan Zeigler | Technical Services
szeigler@spindustry.com | Spindustry Systems
515.225.0920 | "You cannot strengthen the weak by weakening the strong." -- Abraham Lincoln
At 03:48 PM 28/08/2003 -0500, Susan Zeigler wrote:
>>> Unless AOL is downloading the entire routing pools from all ISPs on a daily basis, how do they know which IPs are dynamic and which are static;)
>>
>> What would BGP tables tell you about internal routing and DNS?
>
> It's 216.161.123.79

If they are creating lists by regex / name analysis,

    79.123.161.216.in-addr.arpa name = ddslppp79.desm.uswest.net

looks awfully 'dynamic'/pool like... If AOL wants to do something so shotgun like, that's their prerogative. But apart from examining the name, there is no way to tell that that IP address is being assigned to the same customer.

---Mike
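The regex / name analysis Mike suspects, written out as an added example (this is not AOL's code, whose actual method the thread does not know, nor anything from the list): score the PTR name of a connecting client for pool-style tokens and embedded IP octets, after checking forward-confirmed reverse DNS. The forward records are a constructed stand-in for DNS; the first entry reproduces the thread's case and shows the heuristic rejecting a static address purely because of its name.

```python
import ipaddress
import re

# Substrings ISPs commonly embed in the host label of access-pool PTR names.
POOL_TOKENS = ("adsl", "dsl", "ppp", "dial", "dyn", "pool", "cable", "dhcp")


def pool_tokens(ptr_name):
    """Return the pool-style tokens found in the leftmost label of the PTR name."""
    host = ptr_name.rstrip(".").split(".")[0].lower()
    return [tok for tok in POOL_TOKENS if tok in host]


def embedded_octets(ip, ptr_name):
    """Count octets of `ip` that appear as standalone numbers in the PTR name."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    numbers = set(re.findall(r"\d+", ptr_name))
    return sum(1 for octet in octets if octet in numbers)


def looks_dynamic(ip, ptr_name):
    """Heuristic verdict plus reasons: one point per token, one per embedded octet."""
    reasons = []
    tokens = pool_tokens(ptr_name)
    if tokens:
        reasons.append("pool tokens in host label: " + ", ".join(tokens))
    octets = embedded_octets(ip, ptr_name)
    if octets:
        reasons.append(f"{octets} octet(s) of the IP embedded in the name")
    return len(tokens) + octets >= 2, reasons


def fcrdns_ok(ip, ptr_name, forward_records):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    `forward_records` stands in for A lookups (name -> set of addresses)."""
    return ip in forward_records.get(ptr_name.rstrip(".").lower(), set())


def policy_decision(ip, ptr_name, forward_records):
    """Decision an MTA applying a 'no dynamic addresses' rule would reach."""
    if not ptr_name or not fcrdns_ok(ip, ptr_name, forward_records):
        return "reject: no forward-confirmed reverse DNS"
    dynamic, reasons = looks_dynamic(ip, ptr_name)
    if dynamic:
        return "reject: dynamic-looking name (" + "; ".join(reasons) + ")"
    return "accept"


# Constructed stand-in for DNS. The first entry is the case from the thread:
# 216.161.123.79 is static, but its name ddslppp79.desm.uswest.net is pool-like,
# so a name-based rule rejects it anyway (a false positive). The rest are made up.
FORWARD = {
    "ddslppp79.desm.uswest.net": {"216.161.123.79"},
    "mail.example.org": {"198.51.100.25"},
    "5-0-2-192.pool.example.net": {"192.0.2.5"},
}

if __name__ == "__main__":
    for ip, name in (("216.161.123.79", "ddslppp79.desm.uswest.net"),
                     ("198.51.100.25", "mail.example.org"),
                     ("192.0.2.5", "5-0-2-192.pool.example.net")):
        print(ip, name, "->", policy_decision(ip, name, FORWARD))
```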
> I just looked on their website to file a complaint and ask how they determined what was dynamic and what was static and couldn't find a contact email address. I did find the following statement: "AOL's mail servers will not accept connections from systems that use dynamically assigned IP addresses."
>
> It was on the following page: http://postmaster.info.aol.com/standards.html

Whoa.. that's crazy. Obviously it's an effort to stop relay forwarding from cable modem and DSL customers but there are *lots* of legitimate smtp servers sitting on customer sites on dynamic addresses. I've numerous customers I can think of straight away who use setups such as MS Exchange on dynamic addresses where they poll POP3 boxes and send their own SMTP!
On Thu, 28 Aug 2003 10:10 (UTC) "Stephen J. Wilcox" <steve@telecomplete.co.uk> wrote:
| Whoa.. that's crazy. Obviously it's an effort to stop relay forwarding
| from cable modem and DSL customers but there are *lots* of legitimate
| smtp servers sitting on customer sites on dynamic addresses.

And at one time it was considered "helpful" for mail servers to relay anything that was presented to them. We don't think that way now, as a DIRECT result of the way in which that arrangement has been abused.

So with "legitimate smtp servers" sitting on customer sites on dynamic addresses: the flexibility and convenience of such arrangements became subsidiary to the abuse and security issues they facilitated.

Now if the abuse and security teams of the large providers would move *quickly* to isolate compromised machines and deal with other security related issues when they arise, the "flexibility and convenience" would probably win out in the end. But as things stand it isn't going to.

We can thank the usual suspects - Cogent, Qwest, AT&T, Comcast - and in Europe: BT, NTL and possibly the world-abuse-leader, Deutsche Telekom (who run dtag.de and t-dialin.net) for this being the situation. They may think it's better for their bottom line to de-resource their security and abuse departments, and better for their customers to let them stay online while issues are resolved, but they remain oblivious to the harm this policy is doing to the internet community as a whole.

| I've numerous customers I can think of straight away who use setups
| such as MS Exchange on dynamic addresses where they poll POP3 boxes
| and send their own SMTP!

The fact that it is impossible to readily distinguish between their IPs and those of compromised boxes running Jeem etc, will mean that those sites are already likely to be experiencing significant mail rejection - and that will get worse, not better.

Unless there is a turn-around soon in the attitude of backbones and other providers, I can see a "registered SMTP senders only" policy being put in place by the majority of sites by the end of 2004. Or possibly sooner.

AOL's mail handling policy may be disappointing - but those of us who have been hit by their other disappointing mail policy (of accepting all undeliverable mail and then bouncing it to the (forged) sender), may see this as actually improving the situation because it visibly reduces the quantity of forged bounces *we* see originating from AOL!

--
Richard Cox
%% HELO - the first word of every Email transaction - is in Welsh! %%
In article <20030828111600.C282.RICHARD@mandarin.com>, Richard Cox <Richard@mandarin.com> writes
> We can thank the usual suspects - Cogent, Qwest, AT&T, Comcast - and in Europe: BT, NTL and possibly the world-abuse-leader, Deutsche Telekom (who run dtag.de and t-dialin.net) for this being the situation.

Here's another tale of undeliverable email. It seems that [at least] one of those organisations you mention assigns IP addresses for its ADSL customers from the same blocks as dial-up. Which means that organisations using MAPS-DUL reject email from teleworkers (or indeed people running businesses with an ADSL connection) who run their own SMTP servers.

--
Roland Perry
Shouldn't customers that purchase IP services from an ISP use the ISP's mail server as a smart host for outbound mail?

We block outbound port 25 connections on our dialup and DSL pool. We ask our customers that have their own mail servers to configure them to forward through our mail servers. We get SPAM/abuse notifications that way and can kick the customer off the network. We also block inbound port 25 connections unless they are coming from our mail server and require the customer to set up their MX record to forward through our mail server. We virus scan all mail coming and going that way. We protect our customers from the network and our network from our customers.

We are currently blocking over 3k Sobigs/hour on our mail servers. I would rather have that than all my bandwidth eaten up by Sobig on all of my dialup/DSL connections.

SMTP & DNS should be run through the servers provided by the ISP for that exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP).

-Matt
On Thursday, August 28, 2003 4:18 PM, Matthew Crocker <matthew@crocker.com> wrote:
> Shouldn't customers that purchase IP services from an ISP use the ISP's mail server as a smart host for outbound mail?

At least here in DE there are resellers of DTAG which offer DSL connections without any SMTP relay. If you want relaying you also have to order a domain via them. Even funnier: you cannot deliver mails to DTAG (actually T-Online) as the resellers use address space of DTAG and hence the DTAG servers believe you are a customer of theirs and should use the internal relays ...

Arnold
On Thu, 28 Aug 2003, Nipper, Arnold wrote:
> On Thursday, August 28, 2003 4:18 PM, Matthew Crocker <matthew@crocker.com> wrote:
>> Shouldn't customers that purchase IP services from an ISP use the ISP's mail server as a smart host for outbound mail?
>
> At least here in DE there are resellers of DTAG which offer DSL connections without any SMTP relay. If you want relaying you also have to order a domain via them. Even funnier: you cannot deliver mails to DTAG (actually T-Online) as the resellers use address space of DTAG and hence the DTAG servers believe you are a customer of theirs and should use the internal relays ...

I think that is also true of BT in the UK who as the incumbent are the only provider of things like unmetered dialup..

Steve
In article <Pine.LNX.4.44.0308281540350.4034-100000@MrServer>, Stephen J. Wilcox <steve@telecomplete.co.uk> writes
> BT in the UK who as the incumbent are the only provider of things like unmetered dialup..

I have a 19.99 a month unmetered dialup from Freeserve (based on FRIACO). There must be others.

--
Roland Perry
On Thu, 28 Aug 2003, Roland Perry wrote:
> In article <Pine.LNX.4.44.0308281540350.4034-100000@MrServer>, Stephen J. Wilcox <steve@telecomplete.co.uk> writes
>> BT in the UK who as the incumbent are the only provider of things like unmetered dialup..
>
> I have a 19.99 a month unmetered dialup from Freeserve (based on FRIACO). There must be others.

I was avoiding going into detail as most people here are probably not that interested in the UK setup.. It's complicated: Energis and WorldCom operate their own PSTN FRIACO, there are also ways of buying it in at sufficient volume as ISDN or modem terminated L2TP, or buying ports on someone else's platform. But my generalisation is that there is a dominant player in this market who is dominant as they can offer things which the others can't afford to do!

Steve
On Thu, 28 Aug 2003, Matthew Crocker wrote:
> Shouldn't customers that purchase IP services from an ISP use the ISP's mail server as a smart host for outbound mail?

Also depends on how much clue said ISP has. I have a DSL-like connection at home from a large LEC/ISP, but half the time their mail server either doesn't respond or rejects me. If I were more concerned, I would just set up my own mail server here and be done with it. As it is, I use ssh/pine. But there's another good reason for customers to use their own mail server.

Aaron
> .... SMTP & DNS should be run through the servers provided by the ISP for
> the exact purpose. There is no valid reason for a dialup customer to
                                   ^^^^^
OH YES THERE IS !!!! (at least to a different resolver other than yours)

> go direct to root-servers.net and there is no reason why a dialup user
> should be sending mail directly to AOL, or any mail server for that
> matter (besides their host ISP)
>
> -Matt

Except for the fact that your DNS server may be using a root cache file that points to the restrictive USG root network that is currently controlled by a corrupt monopoly. What about customers who want to use ORSC or Pacificroot? There are about 11,000 TLDs out there and you want to limit your customers to have to suffer under the current totalitarian dictatorship? I wouldn't ever be a customer of yours.
In article <89081955-D962-11D7-A9DD-000A956885D4@crocker.com>, Matthew Crocker <matthew@crocker.com> writes
> Shouldn't customers that purchase IP services from an ISP use the ISP's mail server as a smart host for outbound mail? We block outbound port 25 connections on our dialup and DSL pool.
[snip]
> there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP)

Dial-up, I agree. DSL is a slightly different story. And I'm as much against Spam as anyone.

--
Roland Perry
On Thu, 28 Aug 2003, Matthew Crocker wrote:
> Shouldn't customers that purchase IP services from an ISP use the ISP's mail server as a smart host for outbound mail?

Applying that standard, just how large do you have to get before you "graduate" to running your own smtp server? "I'm sorry we won't accept mail from you because you're not an LIR?"

> We block outbound port 25 connections on our dialup and DSL pool. We ask our customers that have their own mail servers to configure them to forward through our mail servers. We get SPAM/abuse notifications that way and can kick the customer off the network. We also block inbound port 25 connections unless they are coming from our mail server and require the customer to set up their MX record to forward through our mail server. We virus scan all mail coming and going that way. We protect our customers from the network and our network from our customers. We are currently blocking over 3k Sobigs/hour on our mail servers. I would rather have that than all my bandwidth eaten up by Sobig on all of my dialup/DSL connections.
>
> SMTP & DNS should be run through the servers provided by the ISP for the exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP)
>
> -Matt

--
--------------------------------------------------------------------------
Joel Jaeggli                       Unix Consulting         joelja@darkwing.uoregon.edu
GPG Key Fingerprint:               5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
Speaking on Deep Background, the Press Secretary whispered:
>> Shouldn't customers that purchase IP services from an ISP use the ISP's mail server as a smart host for outbound mail?
>
> Applying that standard, just how large do you have to get before you "graduate" to running your own smtp server? "I'm sorry we won't accept mail from you because you're not an LIR?"

Yea! I think the registry should run the mail server. That way, there's just 3 or 4 nationwide. Makes it easier for Ashcroft and RIAA, to boot.

And we all know how well NSI does on complex things...

--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
----- Original Message -----
From: "David Lesher" <wb8foz@nrk.com>
To: "nanog list" <nanog@merit.edu>
Sent: Thursday, August 28, 2003 10:22
Subject: Re: Fun new policy at AOL

> Speaking on Deep Background, the Press Secretary whispered:
>>> Shouldn't customers that purchase IP services from an ISP use the ISP's mail server as a smart host for outbound mail?
>>
>> Applying that standard, just how large do you have to get before you "graduate" to running your own smtp server? "I'm sorry we won't accept mail from you because you're not an LIR?"
>
> Yea! I think the registry should run the mail server. That way, there's just 3 or 4 nationwide. Makes it easier for Ashcroft and RIAA, to boot.
>
> And we all know how well NSI does on complex things...

This brings up a more general point about the dangers of blocking everything under the sun. When you limit yourself to just a few chokepoints, it's easier for those who would stifle communications to shut things down.

This is a very dangerous path to take. Not that we shouldn't consider some sort of port restrictions to stop spam, but there are undesirable long term effects that need to be considered. Those on the dark side will be "considering" them, you may be sure, while licking their chops.
> This brings up a more general point about the dangers of blocking everything under the sun. When you limit yourself to just a few chokepoints, it's easier for those who would stifle communications to shut things down.
>
> This is a very dangerous path to take. Not that we shouldn't consider some sort of port restrictions to stop spam, but there are undesirable long term effects that need to be considered. Those on the dark side will be "considering" them, you may be sure, while licking their chops.

It can be built without choke points. ISPs could form trust relationships with each other and bypass the central mail relay. AOL for example could require ISPs to meet certain criteria before they are allowed direct connections. ISPs would need to contact AOL, provide valid contact info and accept some sort of AUP (I shall not spam AOL...) and then be allowed to connect from their IPs. AOL could kick that mail server off later if they determine they are spamming.

-Matt
On 28 Aug 2003 16:07 UTC Matthew Crocker <matthew@crocker.com> wrote:
| AOL for example could require ISPs to meet certain criteria before
| they are allowed direct connections. ISPs would need to contact AOL,
| provide valid contact info and accept some sort of AUP (I shall not
| spam AOL...) and then be allowed to connect from their IPs. AOL could
| kick that mail server off later if they determine they are spamming.

If you replace "AOL" with some body or set of bodies, unrelated to (but trusted by) large numbers of networks, then you have what I regard as the only ultimately workable solution to the present situation.

The devil is in the details - finding and trusting such bodies: however it may be that they are already amongst us but under a different name!

--
Richard Cox
%% HELO - the first word of every Email transaction - is in Welsh! %%
In article <B9D3F155-D971-11D7-828E-000A956885D4@crocker.com>, Matthew Crocker <matthew@crocker.com> writes
> ISPs would need to contact AOL, provide valid contact info and accept some sort of AUP (I shall not spam AOL...) and then be allowed to connect from their IPs. AOL could kick that mail server off later if they determine they are spamming.

Next time I'm lobbying about "the cost of Spam", I'll have to remember to add in all this activity as well as the end user perspective (and the more traditional "we need to buy bigger servers and pipes" stuff).

--
Roland Perry
In article <Pine.LNX.4.44.0308280802370.7707-100000@twin.uoregon.edu>, Joel Jaeggli <joelja@darkwing.uoregon.edu> writes
> Applying that standard, just how large do you have to get before you "graduate" to running your own smtp server?

I'd say having a "fixed connection" (eg DSL, T1), mainly because "we know where you live". Dial-ups are a whole other ballpark.

--
Roland Perry
On Thursday, August 28, 2003, at 11:07 AM, Joel Jaeggli wrote:
> On Thu, 28 Aug 2003, Matthew Crocker wrote:
>> Shouldn't customers that purchase IP services from an ISP use the ISP's mail server as a smart host for outbound mail?
>
> Applying that standard, just how large do you have to get before you "graduate" to running your own smtp server? "I'm sorry we won't accept mail from you because you're not an LIR?"

If a larger corporation shows that they have a clue, we remove the filters. If we start getting virus/spam notifications again we re-enable the filter. We are either primary or backup MX for all of our customers. We can implement a port 25 inbound filter on a customer and their inbound mail is unaffected. We can then contact the customer and work with them to fix their broken mail server and remove the filter. We make the determination based on skill level of the customer, not their size.

How does this sound for a new mail distribution network?

Customers can only send mail through their direct provider. ISPs can only send mail to their customers and their upstream provider. They purchase the ability to send mail to the upstream as part of their bandwidth. ISPs can contact and work out other direct mail routing arrangements between themselves. For example, ISP A could send directly to ISP B if there is a large amount of A -> B mail. Both ISPs have to agree. ISPs form a trusted ring of mail servers for direct connection. All others get shipped upstream to the next available mail server. All mail servers are known, logged and can be kicked off the network by the upstream provider.

A central core of distributed mail servers gets built by each backbone ISP. The backbone ISPs peer with one another (trust each other's mail). Backbone ISPs accept mail from their customers and can block that mail if their customer doesn't have a clue. Everything is logged, everything is validated. Setting up a mail server involves more than getting a static IP and setting up an MX record.

SPAM is eliminated because it can't enter the trust ring unless it goes through an ISP. That ISP can be kicked off if they allow spammers. Viruses are managed because they can be tracked back to their origin: block at the core. Virus protection could also be made a requirement for entering the trusted mail ring.

Mail servers are set to deny all mail by default, opening up connections from trusted hosts as you build trust relationships. Contact information needs to be maintained. I can't get into Sprint's trust ring unless I can contact them.

This can be phased into service by setting up trusted and untrusted mail servers. All mail entering untrusted mail servers has a higher spam score and cannot be forwarded outside the local network. Trusted mail (i.e. from customers) can be forwarded upstream to other trusted or non-trusted mail servers.

-Matt
On Thu, 28 Aug 2003 12:00:29 EDT, Matthew Crocker said:
> How does this sound for a new mail distribution network?

Only a few problems here:

1) Bootstrapping it - as long as you need to accept legacy SMTP because less than 90% of the mail is being done the new way, you have a hard sell in getting anybody to go to the effort of buying in.

2) Feel free in working out arrangements with 4,000 other ISPs, or getting stuck with a provider. You thought it sucked trying to get a route announced for multihoming, this is going to be a lot worse.

3) Go read up on why ADMD/PRMD sucked in X.400 (hint - see (2)).
On Thursday, August 28, 2003, at 12:25 PM, Valdis.Kletnieks@vt.edu wrote:
> On Thu, 28 Aug 2003 12:00:29 EDT, Matthew Crocker said:
>> How does this sound for a new mail distribution network?
>
> Only a few problems here:
>
> 1) Bootstrapping it - as long as you need to accept legacy SMTP because less than 90% of the mail is being done the new way, you have a hard sell in getting anybody to go to the effort of buying in.

Play with DNS MX records like QMTP does. Something like

    crocker.com   IN MX 65000 trusted-mx.crocker.com     # Trusted connections are tried first
                  IN MX 66000 untrusted-mx.crocker.com   # untrusted are tried second.

untrusted-mx.crocker.com accepts mail from everyone, just as regular SMTP works today.

trusted-mx.crocker.com uses a DNSRTTL (Real Time Trust List) to only accept connections from IPs it trusts. The ISP runs an internal DNSRTTL list and/or there is an Internet-wide list of trusted ISPs.

The sending mail server knows the rules and attempts to connect to trusted-mx.crocker.com. If accepted, it uses its private key to sign a message. If not, it resorts to the untrusted-mx.crocker.com host.

trusted-mx.crocker.com looks up the IP in its RTTL (Real Time Trust List), accepts the connection and, using DNS, pulls the public key of the sending mail server. trusted-mx.crocker.com validates the signed message using the public key and accepts the mail.

Current SMTP traffic (untrusted) tries to connect to trusted-mx.crocker.com, which rejects the connection, so it tries the next higher MX record (untrusted-mx.crocker.com).

You could have several RTTLs on the network maintained by certain people (Paul Vixie ??, AOL, etc). ISPs can use their own and/or one of the Internet ones. ISPs need to request access to an RTTL from the maintainer and need to meet the requirements of that RTTL. Each RTTL could have different/more strict rules to gain access. As more and more ISPs join the RTTLs, more traffic is handled by the trusted mail servers. ISPs can file a formal complaint if spam is coming in from a trusted source. They can either block them internally or petition to have them removed from the RTTL. An ISP always has the option of not using a specific RTTL and forcing the traffic back to untrusted.

The untrusted mail server starts getting less and less traffic. More and more messages are marked as SPAM/auto deleted. Untrusted is always available but starts off with a very high spam score. ISP customers can choose to accept mail from untrusted mail servers if they want with some easy procmail scripts (if the Received header has untrusted-mx.crocker.com, put in SPAM folder).

All of the technology is in place today. Just need to reverse the RBL to become an RTTL. Maybe I should write up an IETF draft. Anyone want to help me with that? Seems pretty simple to me; it can be implemented today without affecting existing mail servers.

> 2) Feel free in working out arrangements with 4,000 other ISPs, or getting stuck with a provider. You thought it sucked trying to get a route announced for multihoming, this is going to be a lot worse.

No need to do that. Just establish a couple of RTTLs and have ISPs register/validate themselves with the RTTL. Once in the RTTL they would be trusted by everyone using the RTTL. Access to an RTTL requires that the ISP meet certain specifications. Develop a '10 commandments of mail serving'.

1. Thou shall not relay
2. Thou shall not distribute viruses more than 1 day old
3. Thou shall not distribute UCE
4. Thou shall not covet thy neighbor's mail server
...

> 3) Go read up on why ADMD/PRMD sucked in X.400 (hint - see (2)).
> Play with DNS MX records like QMTP does.
>
> Something like
>
> crocker.com.  MX 65000 trusted-mx.crocker.com.
>               MX 66000 untrusted-mx.crocker.com.

there are at least two problems with this approach. one is that an mx priority is a 16 bit unsigned integer, not like your example. another is that spammers do not follow the MX protocol, they deliberately dump on higher cost relays in order to make the victim's own inbounds carry more of the total workload of delivery. (additionally, many hosts do more spam filtering on their lower cost MX's than on their higher cost (backup?) MX's, and the spammers know this, and take advantage of it.)

--
Paul Vixie
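Paul's first point worked through as an added example (not code from the thread): the MX PREFERENCE field is encoded as a 16-bit unsigned integer, so 65000 fits and 66000 cannot be put on the wire at all. The block also orders exchanges the way a compliant sender does and audits the filtering mismatch in his parenthetical, where backup MXs are filtered less strictly than the primary. The record names come from the quoted proposal; the per-host filter levels are a constructed scale.

```python
import struct

MAX_PREFERENCE = 0xFFFF  # the MX PREFERENCE field is a 16-bit unsigned integer


def preference_is_encodable(preference):
    """True when the value fits the wire-format PREFERENCE field."""
    return 0 <= preference <= MAX_PREFERENCE


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def encode_mx_rdata(preference, exchange):
    """Build MX RDATA as a name server would serialise it: PREFERENCE then EXCHANGE."""
    if not preference_is_encodable(preference):
        raise ValueError(f"MX preference {preference} does not fit in 16 bits")
    return struct.pack("!H", preference) + encode_name(exchange)


def decode_mx_rdata(rdata):
    """Inverse of encode_mx_rdata, returning (preference, exchange)."""
    (preference,) = struct.unpack("!H", rdata[:2])
    labels, pos = [], 2
    while True:
        length = rdata[pos]
        pos += 1
        if length == 0:
            break
        labels.append(rdata[pos:pos + length].decode("ascii"))
        pos += length
    return preference, ".".join(labels)


def delivery_order(mx_records):
    """Exchanges in the order a compliant sender tries them: lowest preference first.
    mx_records is a list of (preference, exchange) tuples."""
    return [exchange for _, exchange in sorted(mx_records, key=lambda rec: rec[0])]


def weaker_backups(mx_records, filter_level):
    """List backup exchanges whose spam filtering is less strict than the primary's.
    filter_level maps host -> strictness on a constructed scale (higher = stricter);
    any host returned is the gap a sender that skips the primary would land in."""
    order = delivery_order(mx_records)
    primary = order[0]
    return [host for host in order[1:] if filter_level.get(host, 0) < filter_level[primary]]


if __name__ == "__main__":
    records = [(65000, "trusted-mx.crocker.com")]
    for pref, name in records + [(66000, "untrusted-mx.crocker.com")]:
        try:
            print(pref, name, "->", encode_mx_rdata(pref, name).hex())
        except ValueError as err:
            print(pref, name, "->", err)
```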
On donderdag, aug 28, 2003, at 20:10 Europe/Amsterdam, Paul Vixie wrote:
>> Play with DNS MX records like QMTP does.
>
> there are at least two problems with this approach. one is that an mx priority is a 16 bit unsigned integer, not like your example. another is that spammers do not follow the MX protocol, they deliberately dump on higher cost relays in order to make the victim's own inbounds carry more of the total workload of delivery. (additionally, many hosts do more spam filtering on their lower cost MX's than on their higher cost (backup?) MX's, and the spammers know this, and take advantage of it.)

Yes, that's why I don't use my ISP's servers as MX for my domains anymore. Having fallback MXes that only queue the mail for a while doesn't provide any real benefits anyway.

But how about this: in addition to MX hosts, every domain also has one or more MO (mail originator) hosts. Mail servers then get to check the address of the SMTP server they're talking to against the DNS records for the domain in the sender's address. Then customers who use an email address under their ISP's domain have to use the ISP's relay, while people with their own (sub) domain get to use their own. For AOL and the like this would also help against spam as they can rate limit incoming mail from unknown domains. Spammers are forced to register new domains all the time in addition to having to find abusable IP addresses, so hopefully life for them will be a little more miserable too.

(Could reuse MX for this if a new RR is too much hassle, but large ISPs don't use the same SMTP servers for incoming as for outgoing.)
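The MO (mail originator) check proposed above, as an added example that is not the poster's code: the receiving MTA takes the domain from the envelope sender, expands that domain's MO records into address blocks, and compares the connecting client against them, with the suggested rate limit applied to domains that publish no MO records. The record name, the DNS contents (a dict standing in for lookups so it runs offline) and the addresses are all constructed; the SMTP reply codes are the conventional permanent/temporary ones.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> MO records. A record is either a host
# name (resolved through A_RECORDS) or a CIDR block.
MO_RECORDS = {
    "isp.example": ["relay1.isp.example", "relay2.isp.example"],
    "smallbiz.example": ["mail.smallbiz.example"],
    "example.org": ["192.0.2.0/28"],
}
A_RECORDS = {
    "relay1.isp.example": ["198.51.100.10"],
    "relay2.isp.example": ["198.51.100.11"],
    "mail.smallbiz.example": ["203.0.113.7"],
}


def sender_domain(mail_from):
    """Domain part of the envelope sender, or None for the null sender '<>'."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def originators(domain):
    """Expand a domain's MO records into a set of ip_network objects."""
    nets = set()
    for rec in MO_RECORDS.get(domain, []):
        if "/" in rec:
            nets.add(ipaddress.ip_network(rec, strict=False))
        else:
            for ip in A_RECORDS.get(rec, []):
                nets.add(ipaddress.ip_network(ip))
    return nets


def check_originator(client_ip, mail_from):
    """'pass' if the client is a listed originator, 'fail' if the domain lists
    originators but not this client, 'unknown' if it publishes no MO records,
    'none' for the null sender (bounces carry no domain to check)."""
    domain = sender_domain(mail_from)
    if domain is None:
        return "none"
    if domain not in MO_RECORDS:
        return "unknown"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in net for net in originators(domain)) else "fail"


class UnknownDomainLimiter:
    """Per-domain counter implementing the rate limit suggested for domains
    without MO records. Fixed windows keep it simple; `now` is seconds."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.counts = {}

    def allow(self, domain, now):
        key = (domain, int(now // self.window))
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.limit


def smtp_decision(client_ip, mail_from, limiter, now):
    """Reply an MTA would give at MAIL FROM time under this policy."""
    verdict = check_originator(client_ip, mail_from)
    if verdict == "fail":
        return "550 sender domain does not list this host as a mail originator"
    if verdict == "unknown" and not limiter.allow(sender_domain(mail_from), now):
        return "450 rate limit for domains without MO records, try again later"
    return "250 ok"
```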
Omachonu Ogali wrote:
|>trusted-mx.crocker.com uses DNSRTTL (Real Time Trust List) to only
|>accept connections from IPs it trusts.
|
| Hate to break up your envisionary experiences and insight into
| reinventing the wheel, but what happened to consideration of
| SMTP authentication?

It's only as good as the strength of your user community's passwords. A friend of mine supports a school's servers and they were brute forced the other day resulting in essentially an open relay for the spammers. Auth is nice, but not enough.

=========
bep
Matthew Crocker wrote:
SMTP & DNS should be run through the servers provided by the ISP for the exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP)
...and there is no reason for a dialup customer to have direct access to any other port either; they'll just use the www-proxy and other ALG services from the ISP? This is a self-solving problem. Pete
On Thursday, August 28, 2003, at 11:31 AM, Petri Helenius wrote:
Matthew Crocker wrote:
SMTP & DNS should be run through the servers provided by the ISP for the exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP)
...and there is no reason for a dialup customer to have direct access to any other port either; they'll just use the www-proxy and other ALG services from the ISP?
This is a self-solving problem.
Technically no. There is no reason for a customer to have direct access to the net so long as the ISP can provide appropriate proxies for the services required. It gets complex, it gets hard to manage, but it can be done. There is a stigma against proxying because of the early days when stale content was all over the place. Does a dynamically assigned dialup/DSL user even need a valid routable IP? For games? Maybe games should be more NAT friendly. We do remove the filters for customers that have a valid need and show that they have a clue how it all works. -Matt
Matthew Crocker wrote:
Technically no. There is no reason for a customer to have direct access to the net so long as the ISP can provide appropriate proxies for the services required. It gets complex, it gets hard to manage, but it can be done. There is a stigma against proxying because of the early days when stale content was all over the place. Does a dynamically assigned dialup/DSL user even need a valid routable IP? For games? Maybe games should be more NAT friendly.
How many ISPs actively provide ALGs for the 50% of their traffic which consists of the peer-to-peer applications? Or is the most popular "killer app" not a required service? RIAA & friends would love you if you declared HTTP the only allowed protocol. Would also give a boost to the applications implementing IP over HTTP. Pete
On Thu, Aug 28, 2003 at 12:04:09PM -0400, Matthew Crocker wrote:
Technically no. There is no reason for a customer to have direct access to the net so long as the ISP can provide appropriate proxies for the services required. It gets complex, it gets hard to manage, but it can be done. There is a stigma against proxying because of the early days when stale content was all over the place. Does a dynamically assigned dialup/DSL user even need a valid routable IP? For games? Maybe games should be more NAT friendly.
We do remove the filters for customers that have a valid need and show that they have a clue how it all works.
There is a perfectly good reason for direct access: We buy IP connectivity. We don't buy {list of specific applications} connectivity. If I create a new network application, how many ISPs are going to sit there and create a new proxy so it will work? Even on the outside chance that I could talk my own ISP into it since I pay them, it's not going to be a very useful app if one of the prerequisites is "must be a customer of ISP X". -c
In article <4236FCAF-D971-11D7-828E-000A956885D4@crocker.com>, Matthew Crocker <matthew@crocker.com> writes
There is no reason for a customer to have direct access to the net
Unless that's what they thought "Internet Access" was all about :-(
so long as the ISP can provide appropriate proxies for the services required. It gets complex, it gets hard to manage
And why do we know this? Because people doing this aren't 100% successful at it. Not to mention all the reconfiguration issues as the customer moves from provider to provider. Either when they fall out with the provider (which gives him every incentive to assist the departing customer ... not) or if they are a mobile user (I often hop daily between approximately three providers). -- Roland Perry
On Thu, Aug 28, 2003 at 10:18:45AM -0400, Matthew Crocker wrote:
Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail? We block outbound port
For some, sure. Maybe even most. That doesn't mean all. Are you a fairly small, perhaps boutique, provider? Such players have very different rules than ones with more than one kind of customer.
25 connections on our dialup and DSL pool. We ask our customers that have their own mail servers to configure them to forward through our mail servers. We get SPAM/abuse notifications that way and can kick
Asking is one thing, forcing is another. Giving the option but leaving the choice entirely up to the customer's discretion is yet another. Giving a default, but allowing customers to request exceptions, with reasonably automated tests to verify they can handle it... well, you get the idea. You get SPAM/abuse notifications without diverting all mail through you. You need to investigate either way (unless you trust unknown third parties more than your own customers), which still doesn't require all mail to pass through your server.
the customer off the network. We also block inbound port 25 connections unless they are coming from our mail server and require the customer to set up their MX record to forward through our mail server. We virus scan all mail coming and going that way. We protect our customers from the network and our network from our customers. We are currently blocking over 3k Sobigs/hour on our mail servers. I would rather have that than all my bandwidth eaten up by Sobig on all of my dialup/DSL connections.
Do you also limit your customers' use of web traffic? Bandwidth, at the end of the day, is still bandwidth. Having it all eaten up is a problem, but not enough justification to take away all choice. Your own border shouldn't be that much greater than the aggregate total of your customers, should it? That'd be bandwidth you pay a lot for and can't use. The usual model would suggest your downstream customers represent some value more bandwidth from you than your incoming server could get, or perhaps 1:1. What if I have my own virus scanner? What if your mail server is too slow because all those scans chew up a lot more resources than my own traffic on my server will? What size attachments do you allow? What spam filters do you run; do they account for sender IP in the same probability weighting that mine does? Even per-user configuration of filters like Postini represents a reduction in choice that may not fly with all customers, particularly small and home businesses. Finding solutions that account for the broadest number of cases is useful. If you provide a server architecture doc the way I can expect to see line topo docs, then maybe I'll trust you to get it right, or maybe not. Expecting to tell customers, "I know how to run an email server better than you," doesn't fly in this age of bonehead ISPs, at least not for a lot of us/them. Perhaps you do the former; if so, please let me know if you provide service in the San Francisco/Sillycon Valley area, as our choices in home/small pipe have declined quite a bit these years. =)
SMTP & DNS should be run through the servers provided by the ISP for the exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP)
Let's back up. It's entirely possible, even probable, that any ISP I go to will provide good Internet (pipe) and bad Service (protocols), or vice-versa. If they're good pipe, I can setup my own server, and have everything I need. Providing reliable and high-rate connectivity does not mean I trust you, or anyone else, to run an extra man in the middle. You, of course, are not required to trust your customers, and your policy will self-select out the ones who disagree, but suggesting it's applicable in enough cases to be a general standard misses the point. I can think of a number of businesses (including some who are fairly well known in email software, services, etc) who came up with the use of DSL as a server home. They may not rely on it for their primary bandwidth (which would probably be foolish), but particularly for things like DNS and SMTP, both of which provide for multiple addresses and locations, could sanely choose to maintain secondary servers over a completely isolated alternate pipe. Remember, BGP fails, ISPs fail, T1 cards fail, routers fail, etc. Having that last "home" DSL connection may just save some companies from going totally unreachable at times. That's worth $79.99/month in many books. -- Ray Wong rayw@rayw.net
On Thu, 28 Aug 2003, Matthew Crocker wrote:
Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail?
Shouldn't. There are privacy implications of having mail to be recorded (even temporarily) at someone's disk drive. --vadim
Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail?
Shouldn't. There are privacy implications of having mail to be recorded (even temporarily) at someone's disk drive.
If your ISP violates your privacy or has a privacy policy you don't like, find another one. If your ISP doesn't allow your domain through, attachments of a certain size or quantity of RCPT TOs, find another one. If the ISP is too restrictive and you can't do what you want, find another one. If the ISP isn't restrictive and your IP gets black holed because of another customer, find another one. The market will decide what is acceptable. I filter a chunk of stuff for my users. It is a service to help protect them as well as me. If they ask for it and appear to have a clue, I will remove filters for customers. I'll never force them to do it 'my way or the highway', but by default customers are filtered. 99% of them are happy that I am doing it and think it is a good thing. 1% call and I remove the filters. Simple RADIUS update and they are back to full, unfiltered Internet. I do this on all my dialup, DSL, and dedicated circuits. Everything is built from either LDAP or RADIUS (which comes from LDAP anyway) information about the customer. Pull-down menu to select/deselect a filter and reconnect. It isn't all that hard, and for 99% of my customers I am saving myself a ton of work in the long run. I'm not huge by any stretch of the imagination, but I'm pretty good sized for my area. I think my current network design/management could easily scale to the 100's of thousands and/or millions of customers. I'm in the 10's of thousands now. -Matt
On Thu, 28 Aug 2003, Matthew Crocker wrote:
If your ISP violates your privacy or has a privacy policy you don't like, find another one.
How do I know that? As a hobby, I'm running a community site for an often misunderstood sexual/lifestyle minority. Most of the patrons would be very unhappy if there was an uncontrolled record of their affiliation with the community (such as mail logs) - they may trust me, but not some anonymous tech at the ISP! So, no third-party SMTP relays for me. --vadim
In article <86792543-D982-11D7-828E-000A956885D4@crocker.com>, Matthew Crocker <matthew@crocker.com> writes
If your ISP ... <does a bad thing> ... find another one.
Great in theory, but the market is imperfect. Even if money (and the loss you'd incur from terminating your current ISP early) isn't the main issue, many countries, even those with de-regulated comms markets, don't have a very wide choice. Ask for something a bit out of the ordinary (like a dial-up account with static IP), and the choice is reduced even further. That's why we must encourage all ISPs to be good guys, because we don't want Government Regulators setting standards in these areas, do we? -- Roland Perry
That's why we must encourage all ISPs to be good guys, because we don't want Government Regulators setting standards in these areas, do we?
if recent activity in the VoIP market is any indication, then we here won't have much input as to when and how the ISP market gets regulated. -- Paul Vixie
On Thu, 28 Aug 2003, Matthew Crocker wrote:
Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail?
Shouldn't. There are privacy implications of having mail to be recorded (even temporarily) at someone's disk drive.
If your ISP violates your privacy or has a privacy policy you don't like, find another one. If your ISP doesn't allow your domain through, attachments of a certain size or quantity of RCPT TOs, find another one. If the ISP is too restrictive you can't do what you want, find another one If the ISP isn't restrictive and your IP gets black holed because of another customer, find another one. The market will decide what is acceptable.
If one ISP (Demon has been mentioned) has the ability for end users on static IPs to SMTP to other major ISPs (AOL has been mentioned) but lots of other ISPs can't send mail from end users to these major ISPs... aren't these major ISPs producing an anti-competitive market? Steve
Matthew Crocker wrote:
Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail?
Look carefully at that question and find the logic error. ....... In case you missed it, the customer purchased 'IP' service, not 'ISP mail service'.
We block outbound port 25 connections on our dialup and DSL pool. We ask our customers that have their own mail servers to configure them to forward through our mail servers. We get SPAM/abuse notifications that way and can kick the customer off the network. We also block inbound port 25 connections unless they are coming from our mail server and require the customer to set up their MX record to forward through our mail server. We virus scan all mail coming and going that way. We protect our customers from the network and our network from our customers. We are currently blocking over 3k Sobigs/hour on our mail servers. I would rather have that than all my bandwidth eaten up by Sobig on all of my dialup/DSL connections.
Running a walled garden is fine as long as that is what your customers are signing up for. One question though, why aren't you also running a web proxy and NetNanny to protect your customers from the 'bad' content on port 80? What makes port 25 so special?
SMTP & DNS should be run through the servers provided by the ISP for the exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP)
This line of thinking leads us to a cabal that has complete control over communication. Think about it, a few large organizations allow/encourage abuse, then claim that the only resolution to the abuse is to route all communication through the centrally controlled servers. We end up back in the PTT style monopolies where censorship becomes trivial. Tony
At 12:53 PM 8/28/2003, Tony Hain wrote:
Matthew Crocker wrote:
Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail?
Look carefully at that question and find the logic error. ....... In case you missed it, the customer purchased 'IP' service, not 'ISP mail service'.
If the customer is purchasing IP only service, then they need to either purchase the *right* kind of IP service to operate their own ISP services off that connection, or they need to purchase ISP services from another vendor and then use that vendor's smarthost. If the company they purchase IP services from blocks outbound port 25 except to their own smarthost, then the customer needs to buy ISP services from a vendor who offers mail services on an alternate port, or use the IP provider's smarthost. This is not rocket science here. The days of "I'm not an ISP but I play one on my residential-service dynamically allocated IP connection to the Internet" are over, just as the days of open relays are over. Adjust, adapt, and move on. jc
In the immortal words of Matthew Crocker (matthew@crocker.com):
Shouldn't customers that purchase IP services from an ISP use the ISPs mail server as a smart host for outbound mail?
Given the way that most ISP "shared resource" machines (including but hardly limited to DNS caching/recursive resolvers, NNTP servers, web caches, and SMTP smarthosts) are administered, the answer to that question is "Only if they don't actually care if that mail is ever delivered." -n <memory@blank.org> "For years, I've been predicting that artists, writers, and filmmakers would be paid by the government not to produce work, just like farmers are paid not to grow food. Or that they'd be paid to make their work, but would then be forced to store it in a silo unshown or unread. But now I see I was a little off in my prediction. The Internet is that silo." (--Slotcar Hatebreath) <http://blank.org/memory/>
On Thu, Aug 28, 2003 at 10:06:10AM -0400, Roland Perry wrote:
Here's another tale of undeliverable email. It seems that [at least] one of those organisations you mention assigns IP addresses for its ADSL customers from the same blocks as dial-up. Which means that organisations using MAPS-DUL reject email from teleworkers (or indeed people running businesses with an ADSL connection) who run their own SMTP servers.
In which case, the telecommuters should use their organization's mail servers with SMTP authentication (yes, authentication, not pop-before-smtp). If I'm a corporation, and you're my employee, you should be using my VPN, not sending mail from your unsupported remote installation running sendmail, qmail, exim, postfix, or whatever. As for the business people, can't give you any advice there. Maybe it's time to invest in some mail services from mail.com, Critical Path, or maybe even your ISP.
In article <20030829162412.GA9397@dipole.informationwave.net>, Omachonu Ogali <nanog@missnglnk.com> writes
In which case, the telecommuters should use their organization's mail servers with SMTP authentication (yes, authentication, not pop-before-smtp).
I'm a telecommuter, I'm also a freelance, so my organisation is "me". I like the idea of running a reliable mail server with authentication, at my home base. Which is my home. I just have to get AOL not to define it as "residential". -- Roland Perry
Funny, I didn't think this was 'aol-mail-policy-list'. This isn't new, crazy, nor out of step with generally accepted practices. They [and many others] have been doing it for a while. A dynamic block is generally listed as such in a service provider's reverse DNS and also often in a voluntary listing such as the DUL. AOL's specific definition is point 12 on their postmaster FAQ (http://postmaster.info.aol.com/faq.html). If a service provider is providing business/static addressing and not making it clear, that's a customer<->provider issue.
Whoa.. that's crazy. Obviously it's an effort to stop relay forwarding from cable modem and DSL customers, but there are *lots* of legitimate SMTP servers sitting on customer sites on dynamic addresses.
I suspect your definition of legitimate is different than the service providers' on whose network these machines are sitting. Use the submit protocol for client/end stations. SMTP is for inter-server traffic; if you have a server on a residential connection, check your service agreement. If you have a business service being incorrectly tagged as residential, then you have a legitimate beef - with your provider. Not AOL and not NANOG.
I've numerous customers I can think of straight away who use setups such as MS Exchange on dynamic addresses where they poll POP3 boxes and send their own SMTP!
POP XMIT; SUBMIT [even MS products support it]. Use TLS if you care that your customers are sharing their passwords in the clear. Anyway, postmaster@aol might be more interested in your concerns. Then again, they set the rules for their network, so they might not. Cheers, Joe -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
In article <20030828105754.GA85674@gweep.net>, Joe Provo <nanog- post@rsuc.gweep.net> writes
AOL's specific definition is point 12 on their postmaster FAQ (http://postmaster.info.aol.com/faq.html).
That's their definition of "Residential IP", not "Dynamic IP".
if you have a server on a residential connection, check your service agreement.
My own ISP has DSL products called "Home Based Business" (and provides static IP addressing). "Residential" and "Business" are not mutually exclusive. -- Roland Perry
On Thu, 28 Aug 2003, Stephen J. Wilcox wrote:
I just looked on their website to file a complaint and ask how they determined what was dynamic and what was static and couldn't find a contact email address. I did find the following statement: "AOL's mail servers will not accept connections from systems that use dynamically assigned IP addresses."
It was on the following page: http://postmaster.info.aol.com/standards.html
Whoa.. that's crazy. Obviously it's an effort to stop relay forwarding from cable modem and DSL customers, but there are *lots* of legitimate SMTP servers sitting on customer sites on dynamic addresses.
I've numerous customers I can think of straight away who use setups such as MS Exchange on dynamic addresses where they poll POP3 boxes and send their own SMTP!
...and I can think of a lot of servers that will BL those customers. DUL blacklists are very commonly used. However "legitimate" these MS Exchange servers are, they'd better get a static IP if they want to avoid problems with many recipients. My guess is that since many of the BLs are being DDoS'd, perhaps AOL came up with their own, possibly out of date, DUL-type BL... James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am
Does the IP address of your client's SMTP server have a reverse DNS entry (PTR record) assigned to it? It seems to be a new "best practice" to not accept e-mail from an IP address that doesn't have a PTR record assigned. Furthermore, if those PTR records indicate anything like "dial", "dns", or "cable", then more 'strict' policies tend to reject them. If you can't get your upstream to modify the PTR records to your specifications (or delegate the block to you), then another way around this would be to configure your client's SMTP server to forward to the provider's "smart host" (e.g. an SMTP relay server with a known address and appropriate PTR record, configured to accept relay traffic from customer IPs). Not the most elegant, but a serviceable workaround nonetheless. HTH Ben ~~~~~~~~~~ R. Benjamin Kessler Network Engineer CCIE #8762, CISSP, CCSE Kessler Consulting Email: ben@kesslerconsulting.com http://www.kesslerconsulting.com Phone: 260-625-3273 -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Susan Zeigler Sent: Thursday, August 28, 2003 2:35 AM To: nanog@merit.edu Subject: Fun new policy at AOL
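The PTR-based acceptance policy Ben describes, as an added example that is not part of the thread. It runs against constructed reverse and forward DNS tables rather than live lookups; the pool-name patterns are an illustrative assumption about what a strict receiver keys on.

```python
"""Added example, not from the thread: reverse-DNS checks on a connecting
SMTP client, loosest to strictest.

  1. no PTR record at all                      -> reject (the "new best practice")
  2. PTR name does not resolve back to the IP  -> reject (forward-confirmed rDNS)
  3. strict mode: PTR that reads like a dial/DSL/cable pool -> reject

The PTR/A tables and the pool-name regex are constructed for illustration;
real receivers use their own lists, and dynamic-block naming varies."""
import re

PTR = {  # ip -> reverse name (constructed)
    "192.0.2.25": "mail.example.net",
    "198.51.100.77": "dsl-198-51-100-77.pool.bigisp.example",
    "203.0.113.9": "cable-gw.bigisp.example",
    "203.0.113.50": "mail.legacy.example",   # PTR borrows someone else's name
}
A = {  # name -> forward address (constructed)
    "mail.example.net": "192.0.2.25",
    "dsl-198-51-100-77.pool.bigisp.example": "198.51.100.77",
    "cable-gw.bigisp.example": "203.0.113.9",
    "mail.legacy.example": "203.0.113.5",
}

# Label fragments that strict policies commonly treat as a dynamic pool hint;
# matched only as a whole label prefix so "dsl" in "goodsl.example" is ignored.
POOL_HINT = re.compile(
    r"(?:^|[.-])(?:dial(?:up)?|a?dsl|cable|dyn(?:amic)?|pool|ppp)(?:[.-]|\d)",
    re.IGNORECASE)


def classify_client(ip, strict=False, ptr=PTR, fwd=A):
    """Return (action, reason) for one connecting SMTP client IP."""
    name = ptr.get(ip)
    if name is None:
        return ("reject", f"{ip} has no PTR record")
    if fwd.get(name) != ip:
        return ("reject", f"PTR {name} does not resolve back to {ip}")
    if strict and POOL_HINT.search(name):
        return ("reject", f"PTR {name} looks like a dynamic/residential pool")
    return ("accept", f"{ip} verified as {name}")


def smarthost_needed(ip, ptr=PTR, fwd=A):
    """The workaround suggested above: a sender whose PTR fails the strict
    policy should relay through the provider's smart host instead."""
    return classify_client(ip, strict=True, ptr=ptr, fwd=fwd)[0] == "reject"


if __name__ == "__main__":
    for ip in ["192.0.2.25", "198.51.100.77", "203.0.113.9", "203.0.113.50", "192.0.2.99"]:
        print(ip, classify_client(ip, strict=True), "smarthost" if smarthost_needed(ip) else "direct")
```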
participants (27): Aaron Dewell; Bruce Pinsky; Clayton Fiske; David Lesher; Iljitsch van Beijnum; JC Dill; Joe Provo; Joel Jaeggli; John Palmer; Matthew Crocker; Mike Tancsa; Nathan J. Mehl; Nipper, Arnold; Omachonu Ogali; Paul Vixie; Petri Helenius; R. Benjamin Kessler; Ray Wong; Richard Cox; Richard D G Cox; Roland Perry; Stephen J. Wilcox; Susan Zeigler; Tony Hain; up@3.am; Vadim Antonov; Valdis.Kletnieks@vt.edu