Is anyone seeing problems delivering email to att.net? I see about 50% rejected, 50% accepted. The 50% accepted never make it to the end users. Been like this for the last 36 hours. Anyone else?

-Jim P.

Chris at UUNet helped determine this is a rDNS issue. att.net seems to have started rejecting email from mail servers that don't have a proper reverse DNS entry. This is a good thing, even though it is causing me some problems at the moment. Thanks Chris.

-Jim P.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Jim Popovitch
Sent: Friday, January 24, 2003 12:37 AM
To: nanog@merit.edu
Subject: att.net email issues?

Is anyone seeing problems delivering email to att.net? I see about 50% rejected, 50% accepted. The 50% accepted never make it to the end users. Been like this for the last 36 hours. Anyone else?
-Jim P.
On Fri, 24 Jan 2003, Jim Popovitch wrote:
Chris at UUNet helped determine this is a rDNS issue. att.net seems to have started rejecting email from mail servers that don't have a proper reverse DNS entry. This is a good thing, even though it is causing me some problems at the moment. Thanks Chris.

Hah! That'll last all of about three days. At least, that's how long it took for my users to line up outside with pitchforks and shotguns...we quickly removed that check from being the default behavior and added it to our most aggressive filtering configuration (for those users who, like me, just don't give a damn about getting mail from people who can't take the time to configure reverse DNS.)

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access
On 1/24/2003 at 2:40 AM, owner-nanog@merit.edu wrote:
Chris at UUNet helped determine this is a rDNS issue. att.net seems to have started rejecting email from mail servers that don't have a proper reverse DNS entry. This is a good thing, even though it is causing me some problems at the moment. Thanks Chris.
-Jim P.
The question is: is that a knee-jerk reaction to them getting clobbered by spam, or maybe a knee-jerk reaction for receiving "too much" mail ABOUT their customers to abuse@att.net?

Example: 12.158.240.0/23, 12.42.172.0/22, 12.158.224.0/23, 12.158.234.0/23, 12.158.236.0/23:

Jan 24 16:11:03 sonet sendmail[11117]: NOQUEUE: ruleset=check_relay, arg1=if1.dlyforyourinfo.com, arg2=12.158.240.237, relay=if1.dlyforyourinfo.com [12.158.240.237], reject=550 NETBLOCK for CBB/cotennet.com - access for jpmailer.com denied - perpetual mail to non-existing users - Spammers must die.

Upon complaint re: this spamhaus continuing to connect here:

The original message was received at Fri, 24 Jan 2003 16:11:09 -0500 (EST) from root@localhost

----- The following addresses had permanent fatal errors -----
abuse@att.net

----- Transcript of session follows -----
... while talking to gateway2.att.net.:
<<< 550 208.241.101.2 must be verifiable in DNS
... while talking to gateway3.att.net.:
QUIT
<<< 550 208.241.101.2 must be verifiable in DNS
... while talking to gateway1.att.net.:
QUIT
<<< 550 208.241.101.2 must be verifiable in DNS
554 abuse@att.net... Service unavailable

(a temporary failure due to renumbering)

Rejecting on broken or non-existing DNS will probably reject mail from more than 15% of all mail servers on the Internet - guaranteeing a false positive rate not even matched by the combined 6 DNSBL's I use - cumulative and with hard 5xx rejects. AT&T on the other hand, will use DNSBL's when the first snowball emerges from hell unscathed.

Makes you wonder if noc@att.net is missing a lotta mail today - "gee, za eanternet w0rcks zplend1d todey, duznt eet!" - think of http://www.despair.com/ap24x30prin.html :)

Last but not least, Level3's tolerance of spamming customers has nothing on AT&T's ignorance of reports of DoS attacks in the form of address forgery committed by their spamming customers, or on behalf of said customers, despite notifying them by fax of such activity.

That, and the mindless blather you receive back from abuse@att.net on very rare occasions when you complain about their customers hitting your spamtraps (dead users, rejects): "please forward the header and full body of the spam you received".

Next: "please call 1-900-ATT-ABUSEDESK, get charged $5 for the call, and use the authorization code given to you in the subject line of your complaint to guarantee that your message is not shoved into /dev/null"
No kidding, dude. I've only been keeping track for a few weeks. Is anyone awake behind the wheel over there?

matt@pants:~$ mysql -e 'select count(relayi) from logged where relayi like "12.%" ' spam
+---------------+
| count(relayi) |
+---------------+
|           249 |
+---------------+
matt@pants:~$ mysql -e 'select relayi, reason, count(relayi) from logged where relayi like "12.%" group by relayi' spam

--mghali@snark.net------------------------------------------<darwin><
Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include <disclaim.h>
Rejecting on broken or non-existing DNS will probably reject mail from more than 15% of all mail servers on the Internet - guaranteeing a false positive rate not even matched by the combined 6 DNSBL's I use - cumulative and with hard 5xx rejects. AT&T on the other hand, will use DNSBL's when the first snowball emerges from hell unscathed.
In the good old days, when network engineers used VT100 terminals and 300 baud (not bps) acoustic modems, ftp.uu.net enforced the requirement for "valid" reverse and forward DNS entries for anonymous FTP access. It was sometimes the only way I could convince customers to type the line in both DNS files. If you don't have valid Address<>Name mappings, you won't be able to download files from ftp.uu.net.

Doesn't anyone else find it funny when people scream that ISPs should block ports and shoot people with misconfigured systems; yet when an ISP actually does enforce even a modest requirement; people start screaming how unfair or stupid that ISP is for doing that.
From: "Sean Donelan" <snip>
Doesn't anyone else find it funny when people scream that ISPs should block ports and shoot people with misconfigured systems; yet when an ISP actually does enforce even a modest requirement; people start screaming how unfair or stupid that ISP is for doing that.
I'm hoping that more large ISP's will make valid reverses a requirement. Everyone will conform to meet what the largest user bases require and allow the smaller guys who want to revamp able to safely do so. This is the standard premise for any form of migration. Can anyone get aol to enforce it, please?

Jack Bates
Network Engineer
BrightNet Oklahoma
Once upon a time, Jack Bates <jbates@brightok.net> said:
I'm hoping that more large ISP's will make valid reverses a requirement. Everyone will conform to meet what the largest user bases require and allow the smaller guys who want to revamp able to safely do so. This is the standard premise for any form of migration. Can anyone get aol to enforce it, please?
It is funny that AT&T is doing this - we recently had a connection to AT&T installed and repeatedly asked for reverse DNS on the interface IPs (so traceroute would "look nice" for example), and it was never done.

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
On Fri, 24 Jan 2003 19:16:55 -0500 (EST) Sean Donelan <sean@donelan.com> wrote:
Doesn't anyone else find it funny when people scream that ISPs should block ports and shoot people with misconfigured systems; yet when an ISP actually does enforce even a modest requirement; people start screaming how unfair or stupid that ISP is for doing that.
this isn't that simple.

if folks had been enforcing something like this all along, then most everyone would have working rDNS and everything would be hunky dory.

unfortunately, it didn't work this way. lots of people have broken or non-existent rDNS. some years ago, because of the correlation between no rDNS and spam, i tried a similar measure. the false positive rate was pretty impressive. my experiment only lasted a couple of days before i decided that it was unacceptably high. i don't think things are any better today.

maybe att's decision will somehow make the net a better place if they stick to it. i won't bet against this. however, the transition period will be more painful than i think they realize. or perhaps they do realize how painful it will be and don't care.

personally, i'd be happier if they'd focus on abuse problems on their own network. they don't seem to be doing much of a job of turfing spammers among their customer base.

richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security

Now that the noise level (SQLSlammer) is down: It looks like AT&T put the finger back into the dike on this for now: You don't really want your customer service call center get flooded by two issues at once: http://www.internet-magazine.com/news/view.asp?id=3110

On 1/24/2003 at 7:16 PM, sean@donelan.com wrote:
In the good old days, when network engineers used VT100 terminals and 300 baud (not bps) acoustic modems, ftp.uu.net enforced the requirement for "valid" reverse and forward DNS entries for anonymous FTP access.
It was the single most important source for files on the Internet, along with maybe SIMTEL-20 : you couldn't get around it, no matter how hard you tried. Fast forward 10 years: would you even dare to put "HostnameLookups yes" into your Apache config? Not if you don't feel like having well-populated DNS caches useful to you for some other purpose, you don't. A purely operational configuration choice.
Doesn't anyone else find it funny when people scream that ISPs should block ports and shoot people with misconfigured systems; yet when an ISP actually does enforce even a modest requirement; people start screaming how unfair or stupid that ISP is for doing that.
We sure all hate tracerouting through APNIC space, and seeing up to 12 routers in a row without reverse DNS - to the point where one could believe that no one in Korea ever heard of the in-addr.arpa zone :

Apart from AT&T having the "left hand/right hand" (hypocritic) problem with being service providers to spammers on one hand, and aching under the receiving load of it on the other: Good intentions, but failed to even do a basic Google search to see how other people fared with this, let alone running a test and labelling incoming mails rather than blocking them.

Now to toss a bit more oil into the fire: "unknown.level3.net" , anyone ? And remember: it's not negligence, it's Level3's secret "handshake", telling you that the block in question should be filtered by you at any cost :)
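An added example, not part of any post in this thread: the forward-confirmed reverse DNS check under discussion, with the reject-at-SMTP policy beside the accept-and-label trial run suggested above. The resolver tables, addresses, the `X-rDNS-Check` header name and the 451 wording are constructed assumptions; only the 550 text mirrors the bounce quoted earlier in the thread.

```python
import ipaddress

# Constructed resolver data using documentation address ranges (not from the thread).
PTR = {"192.0.2.10": ["mail.example.org."], "192.0.2.20": ["mx.example.net."],
       "198.51.100.7": []}
A = {"mail.example.org": ["192.0.2.10"], "mx.example.net": ["203.0.113.99"]}

def ptr_lookup(ip):
    if ip == "203.0.113.5":          # constructed: resolver timeout for this client
        raise TimeoutError("resolver timeout")
    return PTR.get(ip, [])

def a_lookup(name):
    return A.get(name, [])

def fcrdns(ip, ptr=ptr_lookup, fwd=a_lookup):
    """Forward-confirmed reverse DNS: a PTR must exist and resolve back to ip."""
    addr = ipaddress.ip_address(ip)
    try:
        names = [n.rstrip(".").lower() for n in ptr(str(addr))]
        if not names:
            return "no_ptr"
        for name in names:
            if any(ipaddress.ip_address(a) == addr for a in fwd(name)):
                return "pass"
        return "mismatch"
    except TimeoutError:
        return "tempfail"            # DNS trouble is not proof of a bad sender

def decide(ip, mode):
    """mode 'reject' refuses at SMTP time; mode 'tag' accepts and labels."""
    status = fcrdns(ip)
    if status == "pass":
        return ("accept", None)
    if mode == "tag":
        return ("accept", f"X-rDNS-Check: {status}")   # hypothetical header name
    if status == "tempfail":
        return ("defer", f"451 {ip} DNS lookup failed, try again later")
    return ("reject", f"550 {ip} must be verifiable in DNS")

def trial_report(client_ips):
    """Tally check results and the share that reject mode would have refused."""
    counts = {}
    for ip in client_ips:
        status = fcrdns(ip)
        counts[status] = counts.get(status, 0) + 1
    would_reject = counts.get("no_ptr", 0) + counts.get("mismatch", 0)
    return counts, would_reject / len(client_ips)

if __name__ == "__main__":
    sample = ["192.0.2.10", "192.0.2.20", "198.51.100.7", "203.0.113.5"]
    for ip in sample:
        print(ip, decide(ip, "tag"), decide(ip, "reject"))
    print(trial_report(sample))
```

Running the tag mode over real connection logs first gives the false positive share before any 5xx is ever sent; a resolver failure is deferred with a 4xx rather than counted as a missing record.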
On Mon, 27 Jan 2003 kai@pac-rim.net wrote:
Now to toss a bit more oil into the fire: "unknown.level3.net" , anyone ? And remember: it's not negligence, it's Level3's secret "handshake", telling you that the block in question should be filtered by you at any cost :)

You mean 64.152.0.0/13? Sounds like a good idea to me.

--mghali@snark.net------------------------------------------<darwin><
Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include <disclaim.h>
One more follow-up worth mentioning.... I was able to contact SimpleNet (aka Yahoo! Servers) today and in short order, and very responsibly, they quickly added rDNS for me. Kudos to Raaf and company, thanks guys! -Jim P.
-----Original Message-----
From: Jim Popovitch [mailto:jimpop@rocketship.com]
Sent: Friday, January 24, 2003 2:41 AM
To: nanog@merit.edu
Subject: RE: att.net email issues?

Chris at UUNet helped determine this is a rDNS issue. att.net seems to have started rejecting email from mail servers that don't have a proper reverse DNS entry. This is a good thing, even though it is causing me some problems at the moment. Thanks Chris.
-Jim P.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Jim Popovitch
Sent: Friday, January 24, 2003 12:37 AM
To: nanog@merit.edu
Subject: att.net email issues?

Is anyone seeing problems delivering email to att.net? I see about 50% rejected, 50% accepted. The 50% accepted never make it to the end users. Been like this for the last 36 hours. Anyone else?
-Jim P.
participants (8)
- Andy Dills
- Chris Adams
- Jack Bates
- Jim Popovitch
- just me
- kai@pac-rim.net
- Richard Welty
- Sean Donelan