Re: [mailop] t-online.de refuses to remove an ip from their blacklist
On 2020-06-18 11:14 p.m., Benoît Panizzon via mailop wrote:
> Hi Michael
>
>> And when you say 'only one PTR per RR' is "allowed", could you
>> explain that further? "allowed" by whom, or what policy.
>
> I recall we ran into some problems with systems that attempt to match A
> and PTR records and only considered the first PTR returned and that
> while looking if that was correct behaviour, I found an RFC hinting
> that only one PTR per RR is allowed.
>
> But let's dig into those RFCs :-)
>
> https://tools.ietf.org/html/rfc1034
>
> Section 3.6.2 Aliases and canonical names.. hints that a PTR should
> point to only one resource.
>
> https://tools.ietf.org/html/rfc2181
>
> Section 10.2.
>
>    Confusion about canonical names has lead to a belief that a PTR
>    record should have exactly one RR in its RRSet. This is incorrect,
>    [...]
>
> Ok, I was wrong :-)

Takes a big man to admit he is wrong ;)

But the day we stop learning, is the day we should roll over..

--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
Hi Michael

> And when you say 'only one PTR per RR' is "allowed", could you
> explain that further? "allowed" by whom, or what policy.

I recall we ran into some problems with systems that attempt to match A
and PTR records and only considered the first PTR returned and that
while looking if that was correct behaviour, I found an RFC hinting
that only one PTR per RR is allowed.

But let's dig into those RFCs :-)

https://tools.ietf.org/html/rfc1034

Section 3.6.2 Aliases and canonical names.. hints that a PTR should
point to only one resource.

https://tools.ietf.org/html/rfc2181

Section 10.2.

   Confusion about canonical names has lead to a belief that a PTR
   record should have exactly one RR in its RRSet. This is incorrect,
   [...]

Ok, I was wrong :-)

--
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
--
I m p r o W a r e   A G - Head of Commerce Customers
Zurlindenstrasse 29    Tel +41 61 826 93 00
CH-4133 Pratteln       Fax +41 61 826 93 01
Switzerland            Web http://www.imp.ch
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
On 6/18/20 5:46 PM, Michael Peddemors via mailop wrote:
> On 2020-06-18 4:37 a.m., Benoît Panizzon via mailop wrote:
>>> Allow your customers to set an additional PTR.
>>
>> AFAIK only one PTR per RR is allowed, even if most DNS allow to set
>> multiple ones.
>
> And when you say 'only one PTR per RR' is "allowed", could you explain
> that further? "allowed" by whom, or what policy.
>
> Multiple PTR's do have a legitimate reason sometimes, albeit nothing
> worse than the operator who has 40-50 PTR records, this is not
> efficient, for DNS queries..
>
> DNS Round Robin is still a common thing, where systems may share a name
> in the PTR's but also have a unique name..
>
> Other reasons for multiple PTR's still do exist, eg transitioning from
> one naming convention to another, so systems should be designed to
> 'walk' the PTR records, and 'A' records, when doing 'match' validation.

Just because checking for a valid FCrDNS is quite common nowadays and
some mail software may fail at that if there are multiple PTR.

That said, having to set the RDNS to something in the domain of the
customer is the most stupid requirement I have ever seen. And that will
fail with all outlook based mail domains for example anyway.
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
on Thu, Jun 18, 2020 at 09:57:58AM -0700, Michael Peddemors via mailop wrote:
> WHO do I contact when I have problems related to a domain..

I've been creating patterns based on PTR records and associating
classifications with them as an anti-spam and anti-abuse mechanism for
almost eighteen years, and now have around 96.7% of IPv4 (and some IPv6
but those are mostly multi-homed mail servers with the same name as the
IPv4) classified. This means that I've done easily three hundred
thousand WHOIS lookups, probably far more, over the years.

The GDPR is my nemesis. One of the data points I collect is the entity
responsible for a given domain. I also think it makes sense that if you
have $domain you ought to be able to visit $domain in a browser, but my
expectations are pretty much constantly disappointed.

What makes matters worse is that many TLDs don't have a functional WHOIS
service, and many others have such useless information that it is often
impossible to find out the name of the entity that owns the domain.
Brazil usually has an "owner" but not a corporate description; Argentina
usually just has a registration number as the owner; many other Latin
American countries' domains just have a network engineer as the sole
contact information in WHOIS. Much of Eastern Europe is similar, and for
some reason Poland often has records where the name of the org is
followed by the name of some other network engineer (eg, Foo Bar Baz
s.p. z o.o Stanislaw Wojciehowicz). That's if there is any information
at all other than a confirmation that the domain has been registered.

Germany is a nightmare because of the GDPR; probably the only useful and
reliable WHOIS service is Canada's, where they often also tell you what
sort of organization owns the domain, which I find very helpful.

What's most annoying about the whole situation is that I can often find
out what I need to know about an IP by doing an rwhois lookup, so the
GDPR masking domain WHOIS is essentially useless as a form of
information privacy. Total policy fail.

Oh, also, there is apparently an ISP or telco for every fourteen people
in Brazil, which just compounds the frustration. So many lookups.

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
Internet security and antispam hostname intelligence: http://enemieslist.com/
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
On Thu, 18 Jun 2020, Benoît Panizzon wrote:

> AFAIK only one PTR per RR is allowed,

Incorrect.

Whether others will process them in a way you want might be the larger
concern.

/mark
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
On 18.06.2020 at 09:57:58, Michael Peddemors via mailop wrote:
>
> WHO do I contact when I have problems related to a domain..

"postmaster@domain" is required by the RFC.

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
On 2020-06-18 9:43 a.m., Jaroslaw Rafa via mailop wrote:
> On 18.06.2020 at 08:55:35, Michael Peddemors via mailop wrote:
>>
>>> - the web pages of the domain must have a correct imprint
>>
>> This is one that people forget about, and I agree with.. And I wish
>> I could find the old MAAWG recommendations on this to quote, but if
>> you have a PTR record of server.domain.com, there BETTER be a URL
>> for domain.com that answers, and has contact information of the
>> operator.
>
> That's a strange requirement. Email is email, and web is web. Two
> completely different services. There may be a completely legit domain
> that only sends and receives mail and has no web pages at all. There's
> no logical reason to require that you need to have a website to be able
> to send and receive mail.
>
> Especially in large organizations I have seen quite often that while
> their main website is at eg. company.com, they send and receive mail
> exclusively from eg. x...@company-mail.com, and that other domain does
> not have any web presence. That's a perfectly correct setup and denying
> mail acceptance based on existence (or not) of a website - that is, a
> completely different service - is illogical.

It's about transparency, and it takes two seconds to redirect
'company-mail.com' to the 'company.com' website.

WHO do I contact when I have problems related to a domain..

--
Michael Peddemors, President/CEO LinuxMagic Inc.
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
There's been some confusion around this requirement from T-Online for a
while now, and it seems to be unevenly enforced. And perhaps not even
clearly defined.

Couldn't hurt if you want to reach out to t...@rx.t-online.de and ask for
clarification. Like I did about their filtering overall. I don't want to
be the only one who nibbles them to death with questions.

They did respond to me and answer my questions, though it took a bit of
back and forth for them to understand that I was asking about policy and
not specifically asking for help with any particular IP address.

Cheers,
Al

On Thu, Jun 18, 2020 at 11:03 AM Michael Peddemors via mailop wrote:
>
> On 2020-06-18 3:57 a.m., Andreas Bueggeln - NOC - Profihost AG via
> mailop wrote:
> > - the ptr to the server ip has to resolve to the customer domain and
> > vice versa
>
> But they need to do a more sophisticated PTR <<>> A record matching, to
> handle multiple PTR records..
>
> > - the mails are not allowed from a cloud vm host
>
> Tough policy, but given the state of some of them out there,
> understandable when frustration reaches a certain point..
>
> Reputation services help here, so that at least the poor legitimate guy
> in the middle of a bunch of bad actors has some chance, eg they already
> paid a year in advance for their hosting plan ;)
>
> And there ARE some good cloud providers out there.. maybe some people
> might argue few and far between..
>
> But it does hit the bad cloud providers in the pocket, which might help
> to clean up bad practices which allow bad actors to flourish..
>
> > - the web pages of the domain must have a correct imprint
>
> This is one that people forget about, and I agree with.. And I wish I
> could find the old MAAWG recommendations on this to quote, but if you
> have a PTR record of server.domain.com, there BETTER be a URL for
> domain.com that answers, and has contact information of the operator.
>
> An end user doesn't know about 'rwhois' to check ownership and/or
> validity, or to report a complaint regarding any problems related to
> domain.com, they simply visit the site, looking for contact information.
>
> I don't blame anyone who says that if you want to send them email, you
> need to provide transparency.

--
Al Iverson // Wombatmail // Chicago
Song a day! https://www.wombatmail.com
Deliverability! https://spamresource.com
And DNS Tools too! https://xnnd.com
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
On 18.06.2020 at 08:55:35, Michael Peddemors via mailop wrote:
>
> >- the web pages of the domain must have a correct imprint
>
> This is one that people forget about, and I agree with.. And I wish
> I could find the old MAAWG recommendations on this to quote, but if
> you have a PTR record of server.domain.com, there BETTER be a URL
> for domain.com that answers, and has contact information of the
> operator.

That's a strange requirement. Email is email, and web is web. Two
completely different services. There may be a completely legit domain
that only sends and receives mail and has no web pages at all. There's
no logical reason to require that you need to have a website to be able
to send and receive mail.

Especially in large organizations I have seen quite often that while
their main website is at eg. company.com, they send and receive mail
exclusively from eg. x...@company-mail.com, and that other domain does
not have any web presence. That's a perfectly correct setup and denying
mail acceptance based on existence (or not) of a website - that is, a
completely different service - is illogical.

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
On 2020-06-18 3:57 a.m., Andreas Bueggeln - NOC - Profihost AG via mailop wrote:
> - the ptr to the server ip has to resolve to the customer domain and
> vice versa

But they need to do a more sophisticated PTR <<>> A record matching, to
handle multiple PTR records..

> - the mails are not allowed from a cloud vm host

Tough policy, but given the state of some of them out there,
understandable when frustration reaches a certain point..

Reputation services help here, so that at least the poor legitimate guy
in the middle of a bunch of bad actors has some chance, eg they already
paid a year in advance for their hosting plan ;)

And there ARE some good cloud providers out there.. maybe some people
might argue few and far between..

But it does hit the bad cloud providers in the pocket, which might help
to clean up bad practices which allow bad actors to flourish..

> - the web pages of the domain must have a correct imprint

This is one that people forget about, and I agree with.. And I wish I
could find the old MAAWG recommendations on this to quote, but if you
have a PTR record of server.domain.com, there BETTER be a URL for
domain.com that answers, and has contact information of the operator.

An end user doesn't know about 'rwhois' to check ownership and/or
validity, or to report a complaint regarding any problems related to
domain.com, they simply visit the site, looking for contact information.

I don't blame anyone who says that if you want to send them email, you
need to provide transparency.

--
Michael Peddemors, President/CEO LinuxMagic Inc.
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
On 2020-06-18 4:37 a.m., Benoît Panizzon via mailop wrote:
>> Allow your customers to set an additional PTR.
>
> AFAIK only one PTR per RR is allowed, even if most DNS allow to set
> multiple ones.

And when you say 'only one PTR per RR' is "allowed", could you explain
that further? "allowed" by whom, or what policy.

Multiple PTR's do have a legitimate reason sometimes, albeit nothing
worse than the operator who has 40-50 PTR records, this is not
efficient, for DNS queries..

DNS Round Robin is still a common thing, where systems may share a name
in the PTR's but also have a unique name..

Other reasons for multiple PTR's still do exist, eg transitioning from
one naming convention to another, so systems should be designed to
'walk' the PTR records, and 'A' records, when doing 'match' validation.

--
Michael Peddemors, President/CEO LinuxMagic Inc.
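The PTR/A "walk" described in the message above, next to the first-PTR-only matching mentioned elsewhere in the thread, as an added example that is not part of the original thread. The zone data is constructed, and the `lookup_ptr`/`lookup_addrs` hooks and the `MAX_PTR_NAMES` cap are assumptions standing in for a real resolver and a local policy.

```python
"""FCrDNS check that walks every PTR name instead of trusting only the first."""
import ipaddress

# Constructed sample answers (documentation address space), standing in for DNS.
PTR_ZONE = {
    "192.0.2.10": ["vm-10.hosting.example.", "mail.customer.example."],
    "192.0.2.20": ["mail.spoofed.example."],
    "2001:db8::25": ["MX.Customer.Example."],
}
ADDR_ZONE = {
    "vm-10.hosting.example": ["192.0.2.99"],           # stale forward record
    "mail.customer.example": ["192.0.2.10"],
    "mail.spoofed.example": ["198.51.100.7"],          # name does not point back
    "mx.customer.example": ["2001:db8:0:0:0:0:0:25"],  # same address, other spelling
}

# Assumed cap: bounds the forward lookups one connecting IP can trigger when
# its reverse zone returns dozens of PTR names.
MAX_PTR_NAMES = 10


def normalize(name):
    """Compare host names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def lookup_ptr(ip):
    """Hypothetical resolver hook: all PTR names for an address."""
    return PTR_ZONE.get(str(ip), [])


def lookup_addrs(name):
    """Hypothetical resolver hook: all A/AAAA addresses for a name."""
    return ADDR_ZONE.get(normalize(name), [])


def forward_confirms(name, ip):
    """True if any address of `name` equals `ip`, compared as parsed addresses."""
    for text in lookup_addrs(name):
        try:
            if ipaddress.ip_address(text) == ip:
                return True
        except ValueError:
            continue  # ignore malformed answers
    return False


def fcrdns_first_only(ip_text):
    """The fragile behaviour from the thread: only the first PTR is considered."""
    ip = ipaddress.ip_address(ip_text)
    names = lookup_ptr(ip)
    if names and forward_confirms(names[0], ip):
        return [normalize(names[0])]
    return []


def fcrdns_walk(ip_text, max_names=MAX_PTR_NAMES):
    """Walk the PTR set (up to max_names) and return every confirmed name."""
    ip = ipaddress.ip_address(ip_text)
    confirmed = []
    for name in lookup_ptr(ip)[:max_names]:
        if forward_confirms(name, ip):
            confirmed.append(normalize(name))
    return confirmed


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "2001:db8::25"):
        print(addr, "first-only:", fcrdns_first_only(addr), "walk:", fcrdns_walk(addr))
```

A receiver that needs a specific domain in the reverse name can test the returned list for it; an empty list means no PTR name was forward-confirmed within the cap.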
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
On Thu, 18 Jun 2020, Andreas Bueggeln - NOC - Profihost AG via mailop wrote:

> Hello,
>
> we host hundreds of dedicated servers on VMs and our customers send
> thousands of mail to t-online.de mailboxes every day.
>
> a new customer uses an ip, which has been offline for months or even
> years wanted to send mails to t-online.de boxes.
>
> the usual blacklisting happened, but now the helpdesk at t-online.de
> refuses because of a new policy:
>
> - the ptr to the server ip has to resolve to the customer domain and
>   vice versa
> - the mails are not allowed from a cloud vm host
> - the web pages of the domain must have a correct imprint
>
> the imprint on the domain is mandatory in germany and not the problem,
> but our system use a generic server domain for the ptr and the smtp
> connect. this cannot be changed and many VMs host several domains.
>
> does anybody know how to solve this?

Would it be useful to give each (virtual ?) sending box a /64 and each
domain have a separate IPv6 address within that space ?

Caveat: I believe that some big recipients are stricter with mail from
IPv6 addresses than IPv4 servers, so if you do this you would need to do
it right.

--
Andrew C. Aitchison  Kendal, UK
and...@aitchison.me.uk
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
Hai!

>> Allow your customers to set an additional PTR.
>
> AFAIK only one PTR per RR is allowed, even if most DNS allow to set
> multiple ones.

Besides that you don't want to create ddos vectors don't you? I request
thousands of pointers back... Amplification plus plus.

Bye,
Raymond.
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
> Allow your customers to set an additional PTR.

AFAIK only one PTR per RR is allowed, even if most DNS allow to set
multiple ones.

--
Kind regards

-Benoît Panizzon-
Re: [mailop] t-online.de refuses to remove an ip from their blacklist
Allow your customers to set an additional PTR.

Kind regards,

/ Tobias Herkula
Manager Detection Anti Spam
Cyren (Berlin)

From: mailop on behalf of Andreas Bueggeln - NOC - Profihost AG via mailop
Sent: Thursday, June 18, 2020 12:57
To: mailop@mailop.org
Subject: [mailop] t-online.de refuses to remove an ip from their blacklist

Hello,

we host hundreds of dedicated servers on VMs and our customers send
thousands of mail to t-online.de mailboxes every day.

a new customer uses an ip, which has been offline for months or even
years wanted to send mails to t-online.de boxes.

the usual blacklisting happened, but now the helpdesk at t-online.de
refuses because of a new policy:

- the ptr to the server ip has to resolve to the customer domain and
  vice versa
- the mails are not allowed from a cloud vm host
- the web pages of the domain must have a correct imprint

the imprint on the domain is mandatory in germany and not the problem,
but our system use a generic server domain for the ptr and the smtp
connect. this cannot be changed and many VMs host several domains.

does anybody know how to solve this?

--
Kind regards

Andreas Büggeln
Your Profihost Team

---
Profihost AG
Expo Plaza 1
30539 Hannover
Germany

Tel.: +49 (511) 5151 8181 | Fax.: +49 (511) 5151 8282
URL: http://www.profihost.com | E-Mail: i...@profihost.com

Registered office: Hannover, VAT ID no. DE813460827
Court of registration: Amtsgericht Hannover, registration no.: HRB 202350
Executive board: Cristoph Bluhm, Sebastian Bluhm, Stefan Priebe
Supervisory board: Prof. Dr. iur. Winfried Huck (chairman)
[mailop] t-online.de refuses to remove an ip from their blacklist
Hello,

we host hundreds of dedicated servers on VMs and our customers send
thousands of mail to t-online.de mailboxes every day.

a new customer uses an ip, which has been offline for months or even
years wanted to send mails to t-online.de boxes.

the usual blacklisting happened, but now the helpdesk at t-online.de
refuses because of a new policy:

- the ptr to the server ip has to resolve to the customer domain and
  vice versa
- the mails are not allowed from a cloud vm host
- the web pages of the domain must have a correct imprint

the imprint on the domain is mandatory in germany and not the problem,
but our system use a generic server domain for the ptr and the smtp
connect. this cannot be changed and many VMs host several domains.

does anybody know how to solve this?

--
Kind regards

Andreas Büggeln
Your Profihost Team