Threading the senderbase reputation needle
Howdy,

Has anyone come up with a reverse DNS 'pattern' that one can employ that will prevent Senderbase from assigning a poor reputation to an entire /24 because they saw an email they didn't like from a single IP address?

We're an infrastructure provider, which means that we lease servers, etc. to customers and everything we do uses static IPs. Our current 'default (before the customer changes it)' is a x.x.x.x.static.domain.com, apparently Senderbase cannot look up CIDR boundaries in the RIR database (even though we spend a lot of time making sure that we publish the CIDR information) so they just assume that each 'offender' owns the entire /24 and they also consider any 'email' from the static.domain.com domain to be the 'same offender' (which is completely silly).

The other little annoyance about their system is that we assign CIDR blocks to users (almost always a /29) these CIDRs include IP addresses like the gateway address, the broadcast address, the network address, etc. and the users may only use 2-3 of the IPs in the /29, but they expect us or the user to set a 'custom looking' reverse DNS on all of the IPs in the range.

Originally, we were not putting any reverse DNS on our IPs until the customer requested it (or did it themselves via our system) but then we ran into problems with some RBLs that require reverse DNS on all IPs, and other RBLs that require matching forward and reverse DNS on all IPs.

I've contacted Senderbase for advice on what specifically we need to do but they've been vague at best and I have even asked them for examples of companies who 'meet their specifications' but I wasn't given any.

I'm considering doing something like customerXXXXX.static.domain.com but then I can see other problems with that also.

Any advice?

-Drew
Has anyone come up with a reverse DNS 'pattern' that one can employ that will prevent Senderbase from assigning a poor reputation to an entire /24 because they saw an email they didn't like from a single IP address?
We're an infrastructure provider, which means that we lease servers, etc to customers and everything we do uses static IPs. [...] Any advice?
Since email reputation is now being based on the neighborhood theory you must do one of the following:

Do one of the following (hopefully #1):

1.) Provide custom reverse DNS for the customer. BCP for SMTP server DNS is matching forward and reverse DNS. Anything else is suspect...

2.) Set up a relay host and funnel all customers' mail through it.

Side effects of each:

1.) Slightly more work on the front end (but hey, even AT&T will do this for business DSL customers). People will know you have clue. The technical staff at your customers will be happy and recommend you to their peers (well, I guess this depends a bit on what kind of customers you have).

2.) You have taken responsibility for all your customers' outbound mail flows. You will need to scale an abuse desk and maintain effective anti-spam policies (including customer education). If you don't run an effective abuse desk (including blocking your own customers' outbound mail when necessary), you will be blacklisted eventually anyway. You could charge extra for or outsource this ESP service.

~JasonG
Since email reputation is now being based on the neighborhood theory you must do one of the following:

Do one of the following (hopefully #1):

1.) Provide custom reverse DNS for the customer. BCP for SMTP server DNS is matching forward and reverse DNS. Anything else is suspect...

2.) Set up a relay host and funnel all customers' mail through it.

Side effects of each:

1.) Slightly more work on the front end (but hey, even AT&T will do this for business DSL customers). People will know you have clue. The technical staff at your customers will be happy and recommend you to their peers (well, I guess this depends a bit on what kind of customers you have).

2.) You have taken responsibility for all your customers' outbound mail flows. You will need to scale an abuse desk and maintain effective anti-spam policies (including customer education). If you don't run an effective abuse desk (including blocking your own customers' outbound mail when necessary), you will be blacklisted eventually anyway. You could charge extra for or outsource this ESP service.

======

Okay, as I mentioned, we allow the customers to set their reverse DNS to whatever they want as long as the forward and the reverse match. We don't own the customer's domains nor do we host the DNS for 99% of them, so I'm not sure how we could enforce a rule saying that everyone on our network has to have their reverse DNS set a certain way. That is why we set it up like we did, because we can control hostnames within our domain and we can set the PTR record to match. Like I said before we're a hosting company, we sell Co-Lo, Dedicated servers, and Virtualization products.

It seems somewhat impossible to employ either of your suggestions in our environment.

thanks,
-Drew
On Tue, Feb 2, 2010 at 10:32 AM, Drew Weaver <drew.weaver@thenap.com> wrote:
Since email reputation is now being based on the neighborhood theory you must do one of the following:
Do one of the following (hopefully #1):
1.) Provide custom reverse DNS for the customer. BCP for SMTP server DNS is matching forward and reverse DNS. Anything else is suspect...
2.) Set up a relay host and funnel all customers' mail through it.
Side effects of each:
1.) Slightly more work on the front end (but hey, even AT&T will do this for business DSL customers). People will know you have clue. The technical staff at your customers will be happy and recommend you to their peers (well, I guess this depends a bit on what kind of customers you have).
2.) You have taken responsibility for all your customers' outbound mail flows. You will need to scale an abuse desk and maintain effective anti-spam policies (including customer education). If you don't run an effective abuse desk (including blocking your own customers' outbound mail when necessary), you will be blacklisted eventually anyway. You could charge extra for or outsource this ESP service.
======
Okay, as I mentioned, we allow the customers to set their reverse DNS to whatever they want as long as the forward and the reverse match. We don't own the customer's domains nor do we host the DNS for 99% of them, so I'm not sure how we could enforce a rule saying that everyone on our network has to have their reverse DNS set a certain way. That is why we set it up like we did, because we can control hostnames within our domain and we can set the PTR record to match. Like I said before we're a hosting company, we sell Co-Lo, Dedicated servers, and Virtualization products.
It seems somewhat impossible to employ either of your suggestions in our environment.
thanks, -Drew
I used to work at a hosting company and we had a few solutions in place. Whenever a client purchased a server or an additional block of IPs, it was assigned the reverse DNS related to the hostname of their server. This even included example.com sometimes. The client could then change it as they wish.

Another option we had was an outgoing spam filter setup with ASSP. This scrubbed all outgoing mail for spam messages.

Honestly the first option was good enough for most people. About 99.95% of your clients assign a forward DNS for their server/colo/virtualization products. Just make it a requirement that they provide that before you turn up their service. This prevents DUHLs from listing you for those generic RDNS names.
On Tue, Feb 02, 2010 at 09:37:44AM -0500, Drew Weaver wrote:
Has anyone come up with a reverse DNS 'pattern' that one can employ that will prevent Senderbase from assigning a poor reputation to an entire /24 because they saw an email they didn't like from a single IP address?
I think this discussion would be much better on the mailop list, but the short answer here is "real mail servers have real, non-generic names with matching forward/reverse DNS".

---Rsk
I think this discussion would be much better on the mailop list, but the short answer here is "real mail servers have real, non-generic names with matching forward/reverse DNS".

--------

That certainly is true, but if a "real mail server" that has real, non-generic names with matching forward/reverse DNS happens to be in the same /24 as a server that doesn't, it is given a poor reputation by Senderbase since Senderbase cannot do simple RIR lookups to see the scope of that particular customer's network/impact.

-Drew
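An added example, not part of any message in the thread: a sketch of the audit the replies imply, classifying every address in a customer /29 as missing a PTR, failing forward-confirmed reverse DNS, carrying a generic-looking name, or fine. The records are constructed samples on documentation prefixes, and the generic-name heuristic (embedded octets or keywords such as static) is an assumption; reputation and blocklist operators apply their own pattern lists.

```python
import ipaddress
import re

# Constructed sample records (documentation prefixes and names); a real audit
# would query DNS instead of reading these dictionaries.
PTR = {
    "192.0.2.9": "192.0.2.9.static.example.net.",
    "192.0.2.10": "mail.customer-a.example.",
    "192.0.2.11": "mx.customer-b.example.",
}
A = {
    "192.0.2.9.static.example.net": ["192.0.2.9"],
    "mail.customer-a.example": ["192.0.2.10"],
    "mx.customer-b.example": ["198.51.100.7"],  # forward record points elsewhere
}

# Assumed heuristic: labels that commonly mark provider-assigned default names.
KEYWORDS = re.compile(r"(?:^|[.-])(?:static|dynamic|dhcp|pool|dsl)(?:[.-]|$)")

def looks_generic(name, ip):
    """True if the name embeds the IP's octets (either order) or a pool keyword."""
    octets = ip.split(".")
    fwd = "[.-]".join(octets)
    rev = "[.-]".join(reversed(octets))
    embedded = re.search(rf"(?<!\d)(?:{fwd}|{rev})(?!\d)", name)
    return bool(embedded or KEYWORDS.search(name))

def classify(ip):
    """Return no-ptr, fcrdns-mismatch, generic or ok for one address."""
    name = PTR.get(ip)
    if name is None:
        return "no-ptr"
    name = name.rstrip(".").lower()
    if ip not in A.get(name, []):
        return "fcrdns-mismatch"  # PTR exists but the name does not resolve back
    return "generic" if looks_generic(name, ip) else "ok"

def audit(cidr):
    """Classify every address in the block, network and broadcast included."""
    net = ipaddress.ip_network(cidr)
    return {str(ip): classify(str(ip)) for ip in net}

if __name__ == "__main__":
    for ip, status in audit("192.0.2.8/29").items():
        print(f"{ip:<12} {status}")
```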
participants (4)
- Drew Weaver
- Jason Gurtz
- Rich Kulawiec
- Ronald Cotoni