Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-20 Thread 陈俊平


Hi all,


Today I got a reply from SpamRats; they delisted our IP from the blacklist.

Recently some people on this list suggested that Netease change our PTR to match 
"the best practice", some suggested that SpamRats should change its rules, and some 
suggested making no move, or other things.

To make an easy world, we will choose the former, changing our PTR from 
"mNNN-NNN.domain" to "mail-NNN.domain". As the SpamRats testing page tells, the 
new PTR format does match "the best practice" and results in a PASS rather than 
a FAIL on SpamRats' page http://www.spamrats.com/lookup.php?ip=123.58.177.180 :

Using Old PTR we got: Does IP Address comply with reverse hostname naming 
convention... Failed!
Using New PTR we got: Does IP Address comply with reverse hostname naming 
convention... Passed!

Thank you guys for all the discussions and suggestions,

-Junping Chen
Netease Inc. (NASDAQ: NTES)

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
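
The kind of "PTR embeds the IP's octets" heuristic debated in this thread, as an added example that is not part of any post and is not SpamRats' actual rule. The threshold, the function-word list and the `example.net` hostnames are assumptions, chosen so the verdicts match what the thread reports for the hostnames it quotes.

```python
import ipaddress
import re
from collections import Counter

# Assumed list of words that mark a deliberately named mail host.
FUNCTION_HINTS = ("mail", "mx", "smtp", "mta", "out")


def embedded_octets(ip, ptr):
    """Return the octets of `ip` that appear as digit runs in the host part of `ptr`."""
    octets = Counter(ipaddress.IPv4Address(ip).packed)
    labels = ptr.rstrip(".").lower().split(".")
    # Simplification: treat the last two labels as the registered domain and
    # skip them, so the "163" in "163.com" is never mistaken for an octet.
    host_part = ".".join(labels[:-2])
    runs = Counter(int(r) for r in re.findall(r"\d+", host_part))
    # Multiset intersection: an octet counts once per matching digit run.
    return list((octets & runs).elements())


def ptr_verdict(ip, ptr):
    """Classify a PTR as 'looks-generated' or 'ok' (assumed thresholds)."""
    hits = embedded_octets(ip, ptr)
    named = ptr.lower().split(".")[0].startswith(FUNCTION_HINTS)
    if len(hits) >= 2:
        return "looks-generated"      # e.g. mNNN-NNN: two octets in the name
    if len(hits) == 1 and not named:
        return "looks-generated"      # one octet and no stated function
    return "ok"                       # no octets, or one octet on a mail-* name


# (ip, ptr) pairs: the first five are quoted in the thread, the last two are
# constructed for illustration.
SAMPLES = [
    ("123.58.177.172", "m172-177.vip.163.com."),
    ("123.58.177.172", "mail-wmsvr2.vip.163.com."),
    ("98.136.219.65", "ng5-vm13.bullet.mail.gq1.yahoo.com."),
    ("209.85.218.44", "mail-oi0-f44.google.com."),
    ("17.171.37.67", "mdn-txn-msbadger0502.apple.com."),
    ("123.58.177.180", "mail-180.example.net."),            # constructed, mail-NNN pattern
    ("203.0.113.7", "host-203-0-113-7.dyn.example.net."),   # constructed
]


def classify_samples():
    """Map each sample PTR to its verdict."""
    return {ptr: ptr_verdict(ip, ptr) for ip, ptr in SAMPLES}


if __name__ == "__main__":
    for ptr, verdict in classify_samples().items():
        print(f"{verdict:16} {ptr}")
```

A check like this is a string heuristic only: it says nothing about whether the address is actually static, which is the false-positive risk argued over in the replies below.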


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-16 Thread Rich Kulawiec
On Wed, Jun 15, 2016 at 10:47:07AM +0300, Gil Bahat via mailop wrote:
> Your users will pay a price and netease will pay a price.

There's always a price.  The costs associated with both FP and FN
are non-zero -- although they might be negligibly small -- for either
sender or recipient or both.

Attempting to make the costs zero, just like attempting to make FP and
FN zero, isn't possible.  (Except for the edge cases of allow-all and
deny-all, both of which do so beautifully but are not viable in real
world mail systems.)

Thus the trick is to attempt to minimize both FP and FN simultaneously,
and to do so not only for the sake of our own operations, but for others.
(It's often lost on newcomers that the Internet is a cooperative exercise.
Nobody is too big or too important to be part of that cooperation.)
This is not a solved problem in mail system engineering, but if all
concerned make best efforts, we can asymptotically approach something
that looks like a solution for all of us.

Thus the secondary trick is to attempt to make mistakes (and incur
their associated costs) noisily, so that both senders and recipients
have a decent chance of identifying them and reporting them to the
appropriate people who will -- we hope -- pay attention and do something
useful.  This in turn requires working RFC 2142 contact addresses
that forward traffic to clueful, diligent, responsible, professional
eyeballs who understand that every message must be read, understood,
analyzed, acted on (if necessary), and answered (if appropriate).

Sometimes that'll help ourselves.  Sometimes that'll help others.
Sometimes it'll help both or maybe some third party who doesn't even know.
It doesn't matter who it helps: it's necessary cooperation.

---rsk




Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-15 Thread Noel Butler
On 15/06/2016 18:00, Suresh Ramasubramanian wrote:

>> On 15-Jun-2016, at 1:17 PM, Noel Butler  wrote: 
>> the regex methods are here to stay, in use at a number of places,
> 
> Yes of course. And snake handling is here to stay and practiced in a number 
> of places.  Both have about the same levels of popularity and make almost as 
> much sense.

In  *your* opinion that is.. 

what makes sense is to use what works, this works for me, end of my
story :) 

-- 

If you have the urge to reply to all rather than reply to list, you
best first read  http://members.ausics.net/qwerty/


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-15 Thread Gil Bahat via mailop
I think we agree or else there I didn't phrase myself correctly (sorry, not
a native English speaker):

1. Using a regex over DNS pattern is a 'proxy' method for using a more
trusted method of identifying PBL space.
2. No 'Big' player uses it.
3. 'Big' players are the most performance sensitive out of all mail
recipients out there and most targeted by attacks.
4. Deriving from 1+2+3 - Using said regex pattern cannot be reasonably
justified by performance considerations.
5. Netease (one of the largest mail services in the world) would have been
flagged by it.
6. Deriving from 4+5, the practice attests to laziness or apathy to false
positives by the operator deploying it.

Gil

On Wed, Jun 15, 2016 at 12:36 PM, Michelle Sullivan 
wrote:

> Gil Bahat via mailop wrote:
>
>>  public PBL registry. Do you see any big recipients
>> (gmail/hotmail/yahoo/netease/etc) 'optimizing' by such a regex?
>>
>
> I would also beg to differ if you think at least 3 of those you mention
> would use any of the public DNSbls as a sole decision point...  Nor would
> they use 'such a regex'... even the other massive one that immediately
> comes to mind that you didn't mention that does use a DNSbl on the border
> as a sole decision point for "quick rejects" doesn't use a Dynamic/Policy
> blocklist of any type - despite recommendations by technical experts and
> live statistics being taken showing a 25%(ish) efficiency gain with zero
> false positives all because there is a "chance" of false positives.
>
> --
> Michelle Sullivan
> http://www.mhix.org/
>
>


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-15 Thread Suresh Ramasubramanian

> On 15-Jun-2016, at 1:17 PM, Noel Butler  wrote:
> 
>  the regex methods are here to stay, in use at a number of places,

Yes of course. And snake handling is here to stay and practiced in a number of 
places.  Both have about the same levels of popularity and make almost as much 
sense.


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-15 Thread Suresh Ramasubramanian
On 15-Jun-2016, at 12:51 PM, Noel Butler  wrote:
> I do see a lot of chinanet end users trying to talk here that get refused, 
> just as I see many OVH offenders, and these are very likely pretty much all 
> compromised machines, not a person deliberately sitting there committing 
> miscreant actions, if port 25 was blocked, good chance most of those would 
> vanish, and only the legit mail or deliberate spam, would be seen trying.
> 

This is comparing apples and oranges.

You’re talking about a mail provider who provides authenticated imap / smtp / 
webmail

And then you compare it to large broadband / hosting and VPS providers that 
originate a rather different kind of spam (and a whole lot of other attack 
traffic, spam is a minuscule part of the threat - malware, ddos, bot c - so 
many other things).

—srs


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-15 Thread Noel Butler
On 15/06/2016 16:59, Gil Bahat via mailop wrote:

> I beg to differ. Spamhaus offers the PBL in rsync format for big enough sites 
> and I'm sure that if the cost is somehow a major factor, you could have a 
> proper public PBL registry. Do you see any big recipients 
> (gmail/hotmail/yahoo/netease/etc) 'optimizing' by such a regex? no, you 
> don't, and their performance requirements are much more stringent than yours. 
> That could be a good indication you're cutting corners and having someone 
> else pay the price for it. 
> 
> Gil

I'm very aware S.H. sell rsync connections, doesn't make any difference. 

I, like most here I would think, will do whatever they want to protect
their own network, that comes first, above all else, and if I or others
choose to deny access to our resources to people we don't know who are
using an address format common with those that don't typically have a
need to send direct mail, then so be it. I see nobody paying the price
for anything, since pretty much all of those connections will not be
legitimate mail senders that is my experience in over 20 years. Also,
you are not to know that gmail or hotmail etc don't do some form of
scoring based on a myriad of ways to decide to either inbox or junk box,
maybe they don't, maybe they do, it's irrelevant because they are not my
networks so I have no need to know, just as they have no need to know
all the methods we use else the bad guys get an advantage. 

-- 

If you have the urge to reply to all rather than reply to list, you
best first read  http://members.ausics.net/qwerty/


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-15 Thread Noel Butler
On 15/06/2016 16:57, Suresh Ramasubramanian wrote:

> On 15-Jun-2016, at 12:18 PM, Noel Butler  wrote:
> 
>> In an ideal world all ISP's would block port 25 outbound except for official 
>> mail servers and make users use submission port, that would go a long way to 
>> curbing the noise, but not eliminate it.
> 
> As far as I can see, 163.com [1] only provides webmail and smtp access, not 
> dialup or broadband of any sort

I'm not singling out 163.com here, that's why I never said "they should"
but said "all isp's" 

Webmail providers that don't allow smtp/pop3/imap are much more easily
controlled, which would be why, as I mentioned earlier, that I see more
gmail spam than from anything from 163. 

I do see a lot of chinanet end users trying to talk here that get
refused, just as I see many OVH offenders, and these are very likely
pretty much all compromised machines, not a person deliberately sitting
there committing miscreant actions, if port 25 was blocked, good chance
most of those would vanish, and only the legit mail or deliberate spam,
would be seen trying.

-- 

If you have the urge to reply to all rather than reply to list, you
best first read  http://members.ausics.net/qwerty/

Links:
--
[1] http://163.com


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-15 Thread Suresh Ramasubramanian
On 15-Jun-2016, at 12:18 PM, Noel Butler  wrote:
> In an ideal world all ISP's would block port 25 outbound except for official 
> mail servers and make users use submission port, that would go a long way to 
> curbing the noise, but not eliminate it.
> 

As far as I can see, 163.com only provides webmail and smtp access, not dialup 
or broadband of any sort


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-15 Thread Noel Butler
On 15/06/2016 16:09, Gil Bahat via mailop wrote:

> Prudency aside, this is one of the things wrong in the email world. I don't 
> get it why recipients do something which is patently lax (having a naive 
> regex) when more appropriate solutions exist (Spamhaus PBL) with a 'screw 
> the sender, it's their problem, they'll bear the wrath of their users' - 
> obviously allowing recipients to do this even for one of the largest senders 
> in the world (126/163/yeah.net [1] with over 700m users!).

It's more about stopping spam, not just deliberate spam, but the
accidental, as in malware infected PC's, contacting DNSBL's uses
network resources, why take seconds when you can decide in nanoseconds,
no need to keep throwing hardware at the problem, when you can cull it
there and then, our DNSBL's and anti spam-anti virus systems work 40%
less through blocking these types of hosts, since they are for the most
part malware/virus infected machines. 

In an ideal world all ISP's would block port 25 outbound except for
official mail servers and make users use submission port, that would go
a long way to curbing the noise, but not eliminate it.

-- 

If you have the urge to reply to all rather than reply to list, you
best first read  http://members.ausics.net/qwerty/

Links:
--
[1] http://yeah.net


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-15 Thread Noel Butler

On 15/06/2016 16:08, Suresh Ramasubramanian wrote:

> On 15-Jun-2016, at 11:33 AM, Noel Butler  wrote:
>> It's not just DNSBL's as has been pointed out by people other than 
>> myself who use similar rules locally, the safest bet is to accept this 
>> is how the world works in many places, and slightly changing the DNS 
>> should resolve all the problems, in fact, now it has been explained by 
>> several people in many different ways I hope the OP has understood 
>> (yes I accept language barriers can be problematic) and has already 
>> begun changing their A/PTRs to something that is less eye catching to 
>> remote sites.
>
> One thing I learnt is that there’s a wide variety of sites operating
> weird and wonderful filters of one sort or the other.

Oh. you are so right there :)

> Unless it is a common best practice AND a practice widely implemented
> including by the larger receivers, it is absolutely no use bending
> over backwards to, for example, change perfectly valid PTR records to
> suit the tastes of a very few individual receivers with an
> infinitesimal number of mailboxes.

As I recently said, there is a reason Google and others use the method 
they do, one of them would be to avoid situations just like this. It 
would be best written as a SHOULD in SMTP RFC for using non end user 
looking A/PTRs, that would be a "best practice", remember silently 
discarding spam has been done for decades before it made its way into 
RFC's.



--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/



Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-15 Thread Gil Bahat via mailop
Prudency aside, this is one of the things wrong in the email world. I don't
get it why recipients do something which is patently lax (having a naive
regex) when more appropriate solutions exist (Spamhaus PBL) with a 'screw
the sender, it's their problem, they'll bear the wrath of their users' -
obviously allowing recipients to do this even for one of the largest
senders in the world (126/163/yeah.net with over 700m users!).

Gil

On Wed, Jun 15, 2016 at 9:03 AM, Noel Butler  wrote:

> On 15/06/2016 13:52, Suresh Ramasubramanian wrote:
>
>> That too is a workable approach. Though market forces usually deal
>> with poorly managed bls over time.
>>
>>
> It's not just DNSBL's as has been pointed out by people other than myself
> who use similar rules locally, the safest bet is to accept this is how the
> world works in many places, and slightly changing the DNS should resolve
> all the problems, in fact, now it has been explained by several people in
> many different ways I hope the OP has understood (yes I accept language
> barriers can be problematic) and has already begun changing their A/PTRs to
> something that is less eye catching to remote sites.
>
>
> --
> If you have the urge to reply to all rather than reply to list, you best
> first read  http://members.ausics.net/qwerty/
>


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-15 Thread Suresh Ramasubramanian
On 15-Jun-2016, at 11:33 AM, Noel Butler  wrote:
> It's not just DNSBL's as has been pointed out by people other than myself who 
> use similar rules locally, the safest bet is to accept this is how the world 
> works in many places, and slightly changing the DNS should resolve all the 
> problems, in fact, now it has been explained by several people in many 
> different ways I hope the OP has understood (yes I accept language barriers 
> can be problematic) and has already begun changing their A/PTRs to something 
> that is less eye catching to remote sites.

One thing I learnt is that there’s a wide variety of sites operating weird and 
wonderful filters of one sort or the other.

Unless it is a common best practice AND a practice widely implemented including 
by the larger receivers, it is absolutely no use bending over backwards to, for 
example, change perfectly valid PTR records to suit the tastes of a very few 
individual receivers with an infinitesimal number of mailboxes.

—srs


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-15 Thread Noel Butler

On 15/06/2016 13:52, Suresh Ramasubramanian wrote:

> That too is a workable approach. Though market forces usually deal
> with poorly managed bls over time.

It's not just DNSBL's as has been pointed out by people other than myself 
who use similar rules locally, the safest bet is to accept this is how 
the world works in many places, and slightly changing the DNS should 
resolve all the problems, in fact, now it has been explained by several 
people in many different ways I hope the OP has understood (yes I accept 
language barriers can be problematic) and has already begun changing 
their A/PTRs to something that is less eye catching to remote sites.



--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/



Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Suresh Ramasubramanian
That too is a workable approach. Though market forces usually deal with poorly 
managed bls over time.

--srs

> On 15-Jun-2016, at 9:18 AM, Gil Bahat  wrote:
> 
> I took the time to research which of the providers using it were too reliant 
> on it, and convinced them to drop the list - it was a local mail provider in 
> Hungary, with relative notability in-territory.



Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Suresh Ramasubramanian
Or just don't bother about some random  DNSBL  with ill defined criteria

If Spamhaus lists you, or a few other such list you, then sure you have 
problems.  Other than that there's several dozen others around with a 
comparatively minuscule userbase if at all.

--srs

> On 15-Jun-2016, at 8:36 AM, 陈俊平  wrote:
> 
> SpamRats using is not clear, we may figure it out by our continuing 
> discussions. Or catch the notice of SpamRats.



Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread 陈俊平



Correct, in fact the number "163" was the very first dial-up line phone number 
in the 1990s in China; at that time the first thing/icon that Chinese cyber 
citizens knew and remembered was the number "163" - they dialed this number 
every time before they started surfing the Internet.

That's also why my employer woke up at midnight in 1997 from his bed and 
registered these domains 163.com and 163.net (163.net was then sold to the 
biggest local ISP ChinaNet, who used "163" as the dial-up number the earliest), 
and many more domains afterwards, and started the first free email service 
business, until now.

AH!! We are digressing here.. Netease only uses static IPs for delivering emails 
and all have rDNS, though we know different receivers/RBL providers use different 
rules to recognize whether an rDNS is dynamic or static. The rules SpamRats is 
using are not clear; we may figure it out by our continuing discussions. Or 
catch the notice of SpamRats.


Thanks,
-Junping

At 2016-06-15 08:16:05, "Suresh Ramasubramanian"  wrote:
>Chinese has a lot of ideograms where  Chinese characters can be expressed as a 
>numerical equivalent.  All these (163, 126 and many others) names are based on 
>that concept.
>
>--srs
>
>> On 15-Jun-2016, at 5:09 AM, Noel Butler  wrote:
>> 
>> When I saw 126 the first thing that comes to mind was the hacker crew from 
>> 20 odd years ago , the main opponents of phr0zen crew.. :)
>


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Suresh Ramasubramanian
Chinese has a lot of ideograms where  Chinese characters can be expressed as a 
numerical equivalent.  All these (163, 126 and many others) names are based on 
that concept.

--srs

> On 15-Jun-2016, at 5:09 AM, Noel Butler  wrote:
> 
> When I saw 126 the first thing that comes to mind was the hacker crew from 20 
> odd years ago , the main opponents of phr0zen crew.. :)



Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Noel Butler

On 15/06/2016 01:30, Suresh Ramasubramanian wrote:

> That said, I haven’t seen 163 leak any more or less spam than any of
> the comparable large freemails, personally speaking.

*nod*  we see far more spam from gmail than 163

--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/



Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Noel Butler

On 15/06/2016 01:25, Al Iverson wrote:

> On Tue, Jun 14, 2016 at 6:54 AM, Noel Butler  wrote:
>
>> I've worked at places that used single machines that handled over 30K mail
>> accounts each, of course the larger networks use multiple MX's behind
>> hardware LB's.
>>
>> oh, also, i'd never *NEVER* use a vps for a mail server.
>
> Congratulations? Lots of big enterprise companies do, including
> multiple email service providers.

and plenty of them have fallen flat on their arses trying too.

> Please stop trying to map your setup onto the rest of the world. Just
> because it works for you doesn't mean it's the only possible best
> practice.

wow.. the pot calling the kettle black... fancy that




Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Jim Popovitch
On Tue, Jun 14, 2016 at 5:33 PM, Peter Bowen  wrote:
> On Tue, Jun 14, 2016 at 1:48 PM, Jim Popovitch  wrote:
>> On Tue, Jun 14, 2016 at 12:16 PM, Suresh Ramasubramanian
>>  wrote:
>>>
>>> 163 is an email provider that I doubt provides dynamic IP space of any sort.
>>> And as Junping says, 700 million mailboxes.  Well north of 30 million, like
>>> I said :)
>>
>> Where does 123.com fit into all this?   
>> http://paste.debian.net/plainh/4f41f8c4
>
> I'm assuming you mean 126.com, based on the paste.

Oops, yes, 126  (what is up with all the numbered domains?!?!)

> 163.com, 126.com, yeah.net, vip.163.com, vip.126.com, vip.188.com, and
> netease.com are all NetEase domains.


So the paste is evidence that SpamRats is doing the right thing?

-Jim P.



Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Al Iverson
Keep in mind that "looks dynamic" should be a starting point, not an
ending point. If the IP address truly is static, SpamRATS ought to fix
the listing. I know the owner of the SpamRATS blacklist is here. I
hope he does the right thing. It would be the courteous thing to do.
Consider the robustness principle.

--
Al Iverson
www.aliverson.com
(312)725-0130



Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Franck Martin via mailop
Junping,

I think many people don't know who netease is, at least your contribution
to this list will help.

I think the point people on this list are making is that you need to set up
specific PTR (that do not look like auto-generated) for the IPs that DO
send emails. You need to make sure all your dynamic IPs (and other IPs)
cannot send email directly and have to go through your mail servers.

Ideally the PTR should match what is in the helo (and vice versa).

Looking at your SPF, https://dmarcian.com/spf-survey/163.com, there are not
many IPs listed as potentially sending emails (compared to other SPF), so
you should be able to set some specific PTR for them.

Also as Suresh mentioned, if this blocking list is not blocking many emails
I would not worry much.


On Tue, Jun 14, 2016 at 6:11 AM, 陈俊平  wrote:

> Helpful thoughts Steve, many thanks again to you and to all :)
>
> Today Netease has 700+ million users and a lot of servers as well as IPs,
> you can see all IPs and ranges from the SPF record of domain 163.com,
> so that we use the format "mxx-xx.domain" for reverse dns for balance.
>
> We keep reverse dns of our IPs to comply with standards and best
> practices, well, SpamRats doesn't elaborate the saying "best practice" on
> their page which'd create confusion.
>
> If I have no luck to receive SpamRats' reply then I will try changing the
> reverse dns of 123.58.177.172, for example:
>
> dig +short -x 123.58.177.172
> m172-177.vip.163.com. <== present
> mail-wmsvr2.vip.163.com. <== new
>
> Regards,
>
> -Junping
>
> At 2016-06-14 20:47:41, "Steve Freegard"  wrote:
>
>> On 14/06/16 13:16, "陈俊平 via mailop.org"  wrote:
>>
>>> Here're some reverse dns of big senders, they also use the format
>>> "x-x.xx.domain".
>>>
>>> $ dig +short -x 98.136.219.65
>>> ng5-vm13.bullet.mail.gq1.yahoo.com.
>>
>> Doesn't contain any octets of the IP address
>>
>>> $ dig +short -x 209.85.218.44
>>> mail-oi0-f44.google.com.
>>
>> Has a single octet of the IP address but clearly shows mail- as the
>> function.  My own heuristics would allow this, can't speak for others.
>>
>>> $ dig +short -x 17.171.37.67
>>> mdn-txn-msbadger0502.apple.com.
>>
>> Again - no octets of the IP address appear within the name.
>>
>> Kind regards,
>> Steve.
>>
>> --
>> Steve Freegard
>> Development Director
>> Fort Systems Ltd.


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Noel Butler
On 14/06/2016 22:16, 陈俊平 wrote:

> Here're some reverse dns of big senders, they also use the format 
> "x-x.xx.domain". 
> 
> $ dig +short -x 98.136.219.65 
> ng5-vm13.bullet.mail.gq1.yahoo.com. 
> 
> $ dig +short -x 209.85.218.44 
> mail-oi0-f44.google.com. 
> 
> $ dig +short -x 17.171.37.67 
> mdn-txn-msbadger0502.apple.com. 
> 
> Things are strange that all these three reverse dns records do not result in 
> error on SpamRats' page, you can see it at 
> http://www.spamrats.com/lookup.php?ip=98.136.219.65 .

Why would they? They are not ip-ip.host.domain 
Look very carefully at them. There is a big difference between what they
do and what you do. 

-- 

If you have the urge to reply to all rather than reply to list, you
best first read  http://members.ausics.net/qwerty/


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread 陈俊平


Here're some reverse dns of big senders, they also use the format 
"x-x.xx.domain".


$ dig +short -x 98.136.219.65
ng5-vm13.bullet.mail.gq1.yahoo.com.


$ dig +short -x 209.85.218.44
mail-oi0-f44.google.com.


$ dig +short -x 17.171.37.67
mdn-txn-msbadger0502.apple.com.


Things are strange that all these three reverse dns records do not result in 
error on SpamRats' page, you can see it at 
http://www.spamrats.com/lookup.php?ip=98.136.219.65 .




PS. I badly wish to receive the official reply from SpamRats asap, haha :)


PPS. I'm missing some posts forwarded from this list, hope it's just some 
delay...


-Junping



At 2016-06-14 19:43:22, "Suresh Ramasubramanian"  wrote:
>On 14-Jun-2016, at 5:04 PM, Noel Butler  wrote:
>> 
>> It's not just that, are you trying to tell us that your MX record is 
>> m172-177.vip.163.com ?
>> I doubt it, if your domain is  foo.com   then use mail.foo.com and have
>
>On a single Linux vps maybe. Possible.
>
>On a system of non trivial size that evidently needs a load balancer vip .. 
>good luck.


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Suresh Ramasubramanian
On 14-Jun-2016, at 5:24 PM, Noel Butler  wrote:
> 
> I've worked at places that used single machines that handled over 30K mail 
> accounts each, of course the larger networks use multiple MX's behind 
> hardware LB's.

Yes. Junping handles I would say well north of 30 million.



Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Noel Butler

On 14/06/2016 21:43, Suresh Ramasubramanian wrote:

> On 14-Jun-2016, at 5:04 PM, Noel Butler  wrote:
>
>> It's not just that, are you trying to tell us that your MX record is 
>> m172-177.vip.163.com ?
>> I doubt it, if your domain is  foo.com   then use mail.foo.com and have
>
> On a single Linux vps maybe. Possible.
>
> On a system of non trivial size that evidently needs a load balancer
> vip .. good luck.

I've worked at places that used single machines that handled over 30K 
mail accounts each, of course the larger networks use multiple MX's 
behind hardware LB's.

oh, also, i'd never *NEVER* use a vps for a mail server.

--
If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/



Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Suresh Ramasubramanian
On 14-Jun-2016, at 5:04 PM, Noel Butler  wrote:
> 
> It's not just that, are you trying to tell us that your MX record is 
> m172-177.vip.163.com ?
> I doubt it, if your domain is  foo.com   then use mail.foo.com and have

On a single Linux vps maybe. Possible.

On a system of non trivial size that evidently needs a load balancer vip .. 
good luck.


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Noel Butler
On 14/06/2016 20:40, Steve Freegard wrote:

> On 14/06/16 10:19, "陈俊平 via mailop.org"  wrote: 
> 
>> Hello All, 
>> 
>> One of my IP address 123.58.177.172 got blacklisted on SpamRats' RBL, when 
>> tried removing it from the blacklist I got a rejection as below: 
>> 
>> >> Does IP Address comply with reverse hostname naming convention... 
>> >> Failed! 
>> >> RATS-Dyna - On the list. To be removed go here 
>> >> 
>> >> The IP address you have specified does not comply with best practices. 
>> >> Currently, the reverse DNS for this IP address is: m172-177.vip.163.com. For 
>> >> more information, please review the above "List Specifications" section, or 
>> >> this best practice documentation [1]. 
>> 
>> This IP address is definitely a static one(rather than a dynamic IP) and it 
>> has a proper PTR record(not violating the RFC 1035 [2]) as: 
>> 
>> $ dig -x 123.58.177.172 
>> 172.177.58.123.in-addr.arpa. 86400 IN   PTR m172-177.vip.163.com. 
>> 
>> So I am wondering why SpamRats says "not comply with best practices", while 
>> I've contacted their admin on Help page, are there any guys got such kind of 
>> warnings? 
>> 
>> I appreciate any info and discussion, thank you very much.
> 
> Because the hostname contains the last two octets of the IP address, e.g. it 
> "looks" dynamic and basically it is dynamic - it's an automatically generated 
> name based on the IP address.
> 
> Whilst others might disagree with this, there's plenty of places and software 
> that will look at that PTR and say "it's dynamic" and treat it accordingly 
> and they don't have to use a DNSBL to determine that because it's simple to 
> do with heuristics.
> 
> Kind regards,
> Steve.

Correct, I use on some mail servers milter-regex rules that hit on
things like this as well, if it looks like, and smells like, then it
probably is. 

-- 

If you have the urge to reply to all rather than reply to list, you best
first read  http://members.ausics.net/qwerty/

 

Links:
--
[1] http://spamauditor.org/best-practices/check-ip-reverse-dns
[2] http://tools.ietf.org/html/rfc1035#page-12


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Suresh Ramasubramanian
You can dig any and figure it out I guess given that scenario 

--srs

> On 14-Jun-2016, at 4:56 PM, David Hofstee  wrote:
> 
> There are often multiple forwards (one for "the service" e.g. 
> mta1.domain.com, one for "infra monitoring" e.g. svr234-234.domain.net, ...). 
> 
> Not sure how you can be certain there is only one forward lookup or more? 
> Which one did the mta use? I find that a valid remark. 
> 
> Kind regards,
> 
> 
> David Hofstee
> 
> Deliverability Management
> MailPlus B.V. Netherlands (ESP)
> 
> - Original message -
> From: "Suresh Ramasubramanian" 
> To: "Paul Smith" 
> Cc: mailop@mailop.org
> Sent: Tuesday 14 June 2016 12:57:33
> Subject: Re: [mailop] why "not comply with best practices" on SpamRats?
> 
> On 14-Jun-2016, at 3:53 PM, Paul Smith  wrote:
>> 
>> Changing the reverse DNS to the 'real' forward DNS name of the mail server 
>> is the best idea.
> 
> Excellent. Did you try to look that up?


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread 陈俊平



Thanks guys, as Suresh mentioned, Netease has a large number of users and a lot 
of IP addresses, each one has been given a reverse DNS record and its reverse DNS 
has an A record pointing back to the same IP.


As the one hitting SpamRats' RBL, its PTR and the A of the reverse DNS looks 
fine, right?


$ dig +short -x 123.58.177.172
m172-177.vip.163.com.   <-- The reverse DNS points to the FQDN of my SMTP server


$ dig +short a m172-177.vip.163.com.
123.58.177.172 <-- The A record points back to the same IP




Regards,
-Junping


At 2016-06-14 18:57:33, "Suresh Ramasubramanian"  wrote:
>On 14-Jun-2016, at 3:53 PM, Paul Smith  wrote:
>> 
>> Changing the reverse DNS to the 'real' forward DNS name of the mail server 
>> is the best idea.
>
>Excellent. Did you try to look that up?


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Suresh Ramasubramanian
On 14-Jun-2016, at 3:53 PM, Paul Smith  wrote:
> 
> Changing the reverse DNS to the 'real' forward DNS name of the mail server is 
> the best idea.

Excellent. Did you try to look that up?


Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Paul Smith

On 14/06/2016 10:38, Suresh Ramasubramanian wrote:
> On 14-Jun-2016, at 2:49 PM, 陈俊平 wrote:
>> The IP address you have specified does not comply with best
>> practices. Currently, the reverse DNS for this IP address is:
>> m172-177.vip.163.com. For more information, please review the above
>> "List Specifications" section, or this best practice documentation.
>
> I think they are under the misapprehension that any hostname that has
> two sets of numbers separated by a hyphen must necessarily be dynamic.


It's a fairly good indicator that, while it may not be dynamic, it has 
probably not been deliberately set up for direct outgoing SMTP. One of 
the first things mail administrators tend to do nowadays is set up 
reverse DNS.


Remember that what they are trying to catch is people who are 
inadvertently running bots which are sending out spam.


Changing the reverse DNS to the 'real' forward DNS name of the mail 
server is the best idea.






Re: [mailop] why "not comply with best practices" on SpamRats?

2016-06-14 Thread Suresh Ramasubramanian
And why?   In fact what Junping has -

suresh@steelydan 15:25:42 <~> $ host m172-177.vip.163.com
m172-177.vip.163.com has address 123.58.177.172

suresh@steelydan 15:29:52 <~> $ host -t ptr 123.58.177.172
172.177.58.123.in-addr.arpa domain name pointer m172-177.vip.163.com.

Is rather less generic than say -

suresh@steelydan 15:30:41 <~> $ host alt2.aspmx.l.google.com 
alt2.aspmx.l.google.com has address 74.125.25.26
alt2.aspmx.l.google.com has IPv6 address 2607:f8b0:400e:c03::1a

suresh@steelydan 15:30:42 <~> $ host -t ptr 74.125.25.26
26.25.125.74.in-addr.arpa domain name pointer pa-in-f26.1e100.net.

suresh@steelydan 15:30:49 <~> $ host -t ptr 2607:f8b0:400e:c03::1a
a.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.c.0.e.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa domain name pointer pa-in-x1a.1e100.net.

ps:: I would be entirely surprised if he doesn’t have that range delegated to 
him and so PTR under his control.

163 has a rather large number of users - and is better managed than most 
freemails out there.

—srs

> On 14-Jun-2016, at 3:21 PM, Gary Baribault  wrote:
> 
> Ask your ISP to change your reverse to the FQDN of your SMTP server
> 
> 
> 
> Gary B
> 

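The two checks this thread keeps contrasting, as an added example that is not part of any poster's message: forward-confirmed reverse DNS (the dig pair Junping ran) and a naming heuristic of the kind Steve Freegard describes, applied to the hostnames quoted in the thread. The two-octet threshold and the function names are assumptions for illustration, not SpamRats' or milter-regex's actual rules.

```python
import ipaddress
import re

# Records copied from the dig/host output quoted in this thread.
PTR = {
    "123.58.177.172": "m172-177.vip.163.com.",
    "74.125.25.26": "pa-in-f26.1e100.net.",
}
A = {"m172-177.vip.163.com.": ["123.58.177.172"]}


def fcrdns(ip, ptr_table=PTR, a_table=A):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip.

    Returns True or False, or None when the thread does not show the
    forward record for the PTR name (nothing is looked up on the network).
    """
    name = ptr_table.get(ip)
    if name is None:
        return False  # no PTR at all
    addrs = a_table.get(name)
    if addrs is None:
        return None
    return ip in addrs


def embedded_octets(ip, hostname):
    """Octets of ip that appear as numeric tokens anywhere in hostname."""
    octets = list(ipaddress.IPv4Address(ip).packed)
    tokens = {int(t) for t in re.findall(r"\d+", hostname)}
    return [o for o in octets if o in tokens]


def looks_generated(ip, hostname, threshold=2):
    """Assumed rule: two or more embedded octets means an auto-generated name."""
    return len(embedded_octets(ip, hostname)) >= threshold


def assess(ip, ptr_table=PTR, a_table=A):
    """Run both checks for one address against the tables above."""
    name = ptr_table.get(ip, "")
    return {"ptr": name, "fcrdns": fcrdns(ip, ptr_table, a_table),
            "embedded": embedded_octets(ip, name),
            "looks_generated": looks_generated(ip, name)}


if __name__ == "__main__":
    for ip in PTR:
        print(ip, assess(ip))
```

The Netease address passes FCrDNS and still trips the naming rule because two of its octets appear in the PTR name, while the Google PTR quoted above embeds only one.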