Deny MX queries for dynamic IP pools
Dear DNS Experts,

This post is intended for discussion. The ISP I work for has HUGE dynamic IP pools that are full of spammers (of course). This huge volume of spam is actually influencing the decision of some of the international providers whether to give us links or not, let alone the bad reputation and RBL listings etc...

As a solution the routing team was thinking to block port 25 for outgoing as some ISPs do. However, I do not see this to be a valid solution for many reasons, such as clients that have email servers outside, or if decided to be redirected to spam filters then that will just cost the company too much.

Luckily we have two sets of DNS server farms; one that is serving static IP users and one that is dedicated only for dynamic IP users. The idea I have proposed is to deny these dynamic users from performing MX queries. So instead of blocking port 25 we can redirect the DNS port to the DNS farm that is dedicated for dynamic users; that will guarantee that no standard DNS port forwarded queries are going to external servers. Then we will block the MX and root queries for those dynamic clients. That will prevent them from using a locally installed DNS service on their machines or querying MX records for targets they want to send spam to.

Of course there will still be some challenges, like if some spammers know the A record of the mail server they want to connect to, or if they used the IP address of the targeted mail server, also if they used open DNS that works on non-standard ports, but then again I believe these users will stand out and will be identified more easily.

I would appreciate any comments you may have.

Sincerely,
Wael

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Deny MX queries for dynamic IP pools
Dear Wael,

In what way is blocking Port 25 any worse than blocking MX/root queries for clients? Both solutions neglect the fact that spam is not a technical problem.

Some ISPs think it is a good idea to forward you to a search web page when you misspell some URL; this is done via DNS. Obviously, if the customer dislikes this, the customer will (and can) use his/her own recursor, stupidity of ISP solved - if the ISP would prevent the customer from doing this, the customer might not be a customer any longer.

Just my 2 cents.

-Sven

On Sun, January 31, 2010 14:25, Wael Shaheen wrote:
> Dear DNS Experts, This post is intended for discussion. The ISP I work for has HUGE dynamic IP pools that are full of spammers (of course).
> [...]
Re: Deny MX queries for dynamic IP pools
To me this seems to be a firewall/routing issue. If you know for sure that some IP is sending spam, if you can not stop them, then at least you can block their outgoing access to port 25.

Alternatively, and maybe better, arrange for a proxy server to do filtering and discard spam. The proxy solution is actually used many places and works reasonably well also for non-spammers.

Sven Eschenberg wrote:
> Dear Wael, In what way is blocking Port 25 any worse than blocking MX/root queries for clients? Both solutions neglect the fact that spam is not a technical problem.
> [...]
> On Sun, January 31, 2010 14:25, Wael Shaheen wrote:
>> Dear DNS Experts, This post is intended for discussion.
>> [...]

--
Best regards
Sten Carlsen

No improvements come from shouting:
MALE BOVINE MANURE!!!
Re: Deny MX queries for dynamic IP pools
Hi,

On 1/31/10 5:17 PM, Sven Eschenberg s...@whgl.uni-frankfurt.de wrote:
> Dear Wael, In what way is blocking Port 25 any worse than blocking MX/root queries for clients? Both solutions neglect the fact that spam is not a technical problem.

This spam issue is major for DSPs and large ISPs. Their reputation is key in acquiring connections from some major international providers. This brings the issue to a very high priority, for connectivity is the most important part.

Blocking port 25 is much worse IMHO because it forces users out of the service, by restricting their ability to use their own mail servers that can be hosted externally. I believe good mail administrators will force SMTPS, which uses a different port, but then again a lot won't, and hence blocking the SMTP service will deny all of these users from accessing their email servers, and most of these users are not technically educated enough to find a workaround.

On the other hand, denying the dynamic user MX/root queries will affect users that have installed mail servers on their systems or are otherwise infected, and both of these scenarios are illegal for dynamically assigned IPs.

> Some ISPs think it is a good idea to forward you to a search web page when you misspell some URL; this is done via DNS. Obviously, if the customer dislikes this, the customer will (and can) use his/her own recursor,

We do not redirect users if they misspelled their destinations and we do not manipulate DNS replies in any way. Some users may choose to use their own installed DNS service, but then again, if your service provider has a stable DNS service and a good and stable internet connection, then would that overcome this disadvantage? At the end I think that something has to be sacrificed.

Sincerely,
Wael Shaheen
Re: Deny MX queries for dynamic IP pools
Hi,

On 1/31/10 5:28 PM, Sten Carlsen st...@s-carlsen.dk wrote:
> To me this seems to be a firewall/routing issue. If you know for sure that some IP is sending spam, if you can not stop them, then at least you can block their outgoing access to port 25.

Most of the RBLs list dynamic IP addresses, for they should not be sending emails whatsoever in most cases. Identifying the origin of the spam in huge networks with thousands of compromised machines is not an easy task, and blocking port 25 based on that network analysis will produce false positives, for these are dynamically assigned IP addresses and will change every time the user connects.

> Alternatively, and maybe better, arrange for a proxy server to do filtering and discard spam. The proxy solution is actually used many places and works reasonably well also for non-spammers.

The email proxy can work in many places, but I am not sure it would in a DSP or a big ISP. If you want to cope with the email volume that is being generated by hundreds of thousands of clients then you will need to build a monster solution. Not only that, you also may cause your users' legitimate emails to be rejected or flagged as SPAM, for they will be sent from a destination other than their email server.

Regards,
Wael
Re: Deny MX queries for dynamic IP pools
At 05:25 31-01-10, Wael Shaheen wrote:
> As a solution the routing team was thinking to block port 25 for outgoing as some ISPs do. However, I do not see this to be a valid solution for many reasons such as clients that have email servers outside, or if decided to be redirected to spam filters then that will just cost the company too much.

Mail submission is done over port 587 and not port 25.

> Luckily we have two sets of DNS server farms; one that is serving static IP users and one that is dedicated only for dynamic IP users. The idea I have proposed is to deny these dynamic users from performing MX queries. So instead of blocking port 25 we can redirect the DNS port to the DNS farm that is dedicated for dynamic users; that will guarantee that no standard DNS port forwarded queries are going to external servers. Then we will block the MX and root queries for those dynamic clients. That will prevent them from using a locally installed DNS service on their machines or querying MX records for targets they want to send spam to.

That can be bypassed as you explained below.

> Of course there will still be some challenges, like if some spammers know the A record of the mail server they want to connect to, or if they used the IP address of the targeted mail server, also if they used open DNS that works on non-standard ports, but then again I believe these users will stand out and will be identified more easily.

The idea is another variation of the walled garden. You could look into doing traffic flow analysis and using feedback reports to identify the source of the abuse.

Regards,
-sm
Re: Deny MX queries for dynamic IP pools
On Sun, Jan 31, 2010 at 8:25 AM, Wael Shaheen wael.sha...@gmail.com wrote:
> As a solution the routing team was thinking to block port 25 for outgoing as some ISPs do. However, I do not see this to be a valid solution for many reasons such as clients that have email servers outside, or if decided to be redirected to spam filters then that will just cost the company too much.
> Luckily we have two sets of DNS server farms; one that is serving static IP users and one that is dedicated only for dynamic IP users. The idea I have proposed is to deny these dynamic users from performing MX queries.

Perhaps you may want to join mailops or one of the other mail admin lists. IMO, this problem (reducing spam emitted from your company's network) isn't one DNS should be used to fix. I believe that people on mail admin forums would be able to share current best practices for ISPs/NSPs in your situation.

--
HTH, YMMV, HANW :)

Jason
The path to enlightenment is /usr/bin/enlightenment.
Re: Deny MX queries for dynamic IP pools
In message c78b5f8c.46e43%wael.sha...@gmail.com, Wael Shaheen writes:
> Dear DNS Experts, This post is intended for discussion. The ISP I work for has HUGE dynamic IP pools that are full of spammers (of course).
> [...]
> The idea I have proposed is to deny these dynamic users from performing MX queries.
> [...]

Firstly, clean up / quarantine the machines that are spamming. This is the best thing you can do. A machine that is spamming is compromised, and a compromised machine can do anything.

Secondly, don't block the MX queries. MUAs can and do perform MX queries to check that addresses are valid before attempting to send anything.

Thirdly, if you do block SMTP, do it fully (traffic to and from port 25) and provide a mechanism to opt out. If you publish, or provide information to those that publish, blocking lists, ensure that they reflect the opt-out status of any IP address that has opted out.

Blocking SMTP traffic is only masking the symptoms of the infection.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: Deny MX queries for dynamic IP pools
Firstly, I feel this really belongs on mailops, not the bind list :) secondly...

On Mon, 2010-02-01 at 00:00 +0300, Wael Shaheen wrote:
> Blocking port 25 is much worse IMHO because it forces users out of the service, by restricting their ability to use their own mail servers that can be hosted externally. I believe good mail administrators will force SMTPS

The bigger question is why you are not blocking, suspending, or terminating the accounts of those who you know are spamming, be it deliberate or not (as the end result is the same).

Cheers
Re: NOTIFY logging problem
In message c0ab6ee34cf7e8f660d78...@11.sub-97-53-216.myvzw.com, Frank Cusack writes:
> How can I get logs of all NOTIFY messages sent?
>
>     logging {
>         // use local0 instead of daemon
>         channel local0_syslog {
>             syslog local0;
>             severity info;
>         };
>         category notify { local0_syslog; default_debug; };
>     };
>
> The above only generates a summary log:
>
>     zone XXX/IN/internet: sending notifies (serial 2010012700)
>
> I'd like to see a verification of every host a NOTIFY message was sent to.

You need to be looking at debug 3.

    notify_log(notify->zone, ISC_LOG_DEBUG(3), "sending notify to %s", addrbuf);

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: NOTIFY logging problem
In message ed6e4c848e8fef4b16e71...@181.sub-97-18-81.myvzw.com, Frank Cusack writes:
> On February 1, 2010 11:35:15 AM +1100 Mark Andrews ma...@isc.org wrote:
>> You need to be looking at debug 3.
>>
>>     notify_log(notify->zone, ISC_LOG_DEBUG(3), "sending notify to %s", addrbuf);
>
> ouch, debug 3 is probably way TMI. I guess I'll just patch the above to log at info. Why isn't that the default anyway? Seems to me that you aren't likely to have too many servers and the info level is already pretty verbose, so you would expect (or at least *I* would expect) to have that amount of information.

When you have 10+ zones with 10's of servers it gets noisy. Log to a file with debug 3;

> As it is, and I mean without turning on debug logging, I have to infer what servers notify was sent to based on AXFR/IXFR requests. (I try not to trust looking at config files when debugging because you can't be sure that the running config is the same as the on-disk config.)
>
> Anyway thanks for the pointer, it looks trivial to update.
>
> -frank

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
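A named.conf logging fragment that does what Mark suggests (added here as an illustration; it is not from the thread and not ISC's own configuration): the notify category keeps its info-level summary on syslog and additionally gets a dedicated file channel with a fixed debug-3 severity, so the per-destination "sending notify to" lines land in one file without turning every other category up to debug 3. The log file path and rotation sizes are assumptions.

```conf
logging {
    // Summary lines ("sending notifies (serial N)") are logged at info and
    // keep going to syslog, exactly as in the original configuration.
    channel local0_syslog {
        syslog local0;
        severity info;
    };

    // The per-destination line ("sending notify to <addr>") is emitted at
    // ISC_LOG_DEBUG(3). A channel with a fixed "severity debug 3" receives
    // messages up to level 3 for the categories routed to it, so only the
    // notify category is captured at that depth.
    // Path and sizes are assumptions; adjust to the local layout.
    channel notify_debug {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity debug 3;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // Route notify to both channels; default_debug (named.run) is left out so
    // the debug output does not also end up there.
    category notify { local0_syslog; notify_debug; };
};
```

A fixed-severity debug channel only receives debug messages while named is in debugging mode (global debug level above zero, for example after one `rndc trace`), and channels with `severity dynamic` such as the built-in default_debug then log at the global level, which is why the category above does not reference default_debug.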
Re: how do I get a slave to send NOTIFY messages?
On 29.01.10 22:11, Frank Cusack wrote:
> I have also-notify configured for a slave zone. The real master is a so-called stealth master and all other slaves must consult this slave nameserver that has also-notify configured. The slave doesn't appear to be sending NOTIFY messages to the also-notify hosts. zytrax does say that also-notify only applies to type master servers, however I can't find confirmation of that anywhere else.

can you have notify no; in your options?

> Note that I do not want to send NOTIFY messages to the NS servers for the zone, I want to send them to different servers.

notify explicit; is here for this usage

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
Re: how do I get a slave to send NOTIFY messages?
On Fri, Jan 29, 2010 at 10:11:43PM -0500, Frank Cusack wrote:
> ...
> hosts. zytrax does say that also-notify only applies to type master servers however I can't find confirmation of that anywhere else.
> ...

I don't believe that this is the case - I'm using them on servers serving copies of the zone that are slaved to a master copy elsewhere.

The ARM, in Chapter 6, under Boolean Options [for some value of the word Boolean, I guess ;-)], says:

    notify
        If 'yes' (the default), DNS NOTIFY messages are sent when a zone the
        server is authoritative for changes, see the section called Notify.
        The messages are sent to the servers listed in the zone's NS records
        (except the master server identified in the SOA MNAME field), and to
        any servers listed in the 'also-notify' option.

        If 'master-only', notifies are only sent for master zones. If
        'explicit', notifies are sent only to servers explicitly listed using
        'also-notify'. If 'no', no notifies are sent.

        The 'notify' option may also be specified in the 'zone' statement, in
        which case it overrides the 'options notify' statement. It would only
        be necessary to turn off this option if it caused slaves to crash.

and under Zone Transfers it says:

    When a 'zone' 'notify' statement is set to 'no', the IP addresses in the
    global 'also-notify' list will not be sent NOTIFY messages for that zone.

I suspect that the notify option is set to 'no' either in your global options or in your view or in your zone.

--
/*\ ** ** Joe Yao j...@tux.org - Joseph S. D. Yao ** \*/
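A zone fragment for the setup Frank describes, added here as a worked example (it is not from the thread): a slave that pulls from a stealth master and fans NOTIFY out to a list of other servers only, using the `notify explicit;` that Matus points to and avoiding the global `notify no;` pitfall that Joe's ARM excerpt describes. The zone name and all addresses are constructed.

```conf
options {
    // A global "notify no;" disables NOTIFY, including the also-notify
    // fan-out, for every zone that does not override it. If notifications
    // must be off for some zones, set "notify no;" in those zones instead
    // of here.
    // notify no;
};

zone "example.com" {
    type slave;
    file "slaves/example.com.db";

    // The stealth master this slave transfers from (constructed address).
    masters { 192.0.2.1; };

    // "explicit" sends NOTIFY only to the also-notify list, not to the
    // servers in the zone's NS records. A zone-level notify setting
    // overrides whatever the options block says.
    notify explicit;

    // The other slaves that must learn about changes from this server
    // (constructed addresses).
    also-notify { 192.0.2.10; 192.0.2.11; };
};
```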
Re: how do I get a slave to send NOTIFY messages?
In message 20100131220833.a16...@gwyn.tux.org, Joseph S D Yao writes:
> The ARM, in Chapter 6, under Boolean Options [for some value of the word Boolean, I guess ;-)], says:

Well it started out as a Boolean Option. :-) Boolean/Enumerated Options would be a more accurate description these days.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org