Re: [mailop] hetzner and the btinternet.com blacklist
Hi guys, thank you very much for all the input. Seems like SMTP proxies/smarthosts + port 25 blocks/connection counting might be good for something. However I really hope that breaking up TLS connections will never get a routine practice. I mean we are fighting this for years now with all these shitty snake-oil "security" appliances – and I'm not keen of seeing this malpractice more widespread. Brandon also mentioned clickbots/fraud farming. So that means a good dc provider should also try to prevent/detect that? Do these activities influence email deliverability as well? Or is that a separate bucket only used to detect ad fraud? What is "state of the art" when it comes to preventing these clickbots etc from a dc provider perspective? regards, Felix ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] hetzner and the btinternet.com blacklist
In article <1499809822.14353.11.ca...@ns.five-ten-sg.com> you write: >> Doesn't matter -- the "transparent" filters force all of the >> connections to the provider's filtering host, so if there's a TLS >> connection, it terminates at the filtering host. > >That sort of proxy will break some of your outbound mail if your mail >server checks for DNSSEC/TLSA records, and the recipient domain has >published those. Try sending mail to comcast.net from such a connection. >Of course, using mail software that uses the TLSA records. That is correct, but for the other 99.99% of mail servers, it works OK. R's, John ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] hetzner and the btinternet.com blacklist
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Tue, 2017-07-11 at 19:50 +, John Levine wrote: > Doesn't matter -- the "transparent" filters force all of the > connections to the provider's filtering host, so if there's a TLS > connection, it terminates at the filtering host. That sort of proxy will break some of your outbound mail if your mail server checks for DNSSEC/TLSA records, and the recipient domain has published those. Try sending mail to comcast.net from such a connection. Of course, using mail software that uses the TLSA records. dig comcast.net mx +short 5 mx2.comcast.net. 5 mx1.comcast.net. dig _25._tcp.mx1.comcast.net tlsa +short 3 1 1 90E2F742B459860C0BBF1343B5A36BC5842A3F45056D30BF25DBB475 A62ECA47 But the provider can still count the number of outbound TCP SYN packets to port 25. -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) iEYEAREKAAYFAlllSBgACgkQL6j7milTFsH3ygCeIKAsfN/sGnTC06fqIF3BD029 8acAn0fPPLo7UtN24FER0AKfCLWLoK/N =opHr -END PGP SIGNATURE- ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] hetzner and the btinternet.com blacklist
In article <9cdac510-4000-56f3-f919-8c5f1edaf...@schwarz.eu> you write: > >Am 10.07.2017 um 21:45 schrieb John Levine: >> Many other hosting companies manage to control their spam. The usual >> approach is to filter the mail their customers send, either with >> "transparent" filters hijacking port 25 traffic > >From your experience: Are spammers relying on unencrypted SMTP? I just checked >and most of our outbound SMTP deliveries are using TLS. Doesn't matter -- the "transparent" filters force all of the connections to the provider's filtering host, so if there's a TLS connection, it terminates at the filtering host. >> or by blocking port 25 and providing a smarthost. > >That might work - at least if server got hacked. That happens all the time. Look at your web server logs and you'll find endless probes for known holes in old versions of drupal and wordperfect and every other CMS to try to break in and use them to send spam. >If I'm not mistaken also Hetzner's mail admins are reading this list so maybe >they can convice their management to do something about the bad reputation. That would be nice but I'm not holding my breath. R's, John ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop