Re: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-05-03 Thread James Ebright
On Tue, 03 May 2005 09:53:38 -0500, Ben Kamen wrote
> Not if they run MS Exchange. I've tested online with a user while I
> had him on the phone.. all MS says is something bland like, "Can't
> deliver mail..." even though my server sends back a very descriptive
> failure code and message.

This is a misconfiguration of MS Exchange; it can be configured to return the
SMTP response code and message, it just does not do it out of the box.

and yes /rant on!!!  ;-)

Jim

--
EsisNet.com Webmail Client

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-05-03 Thread Ben Kamen
James Ebright wrote:
> On Tue, 03 May 2005 09:53:38 -0500, Ben Kamen wrote
> This is a misconfiguration of MS Exchange; it can be configured to return the
> SMTP response code and message, it just does not do it out of the box.

Really?? When I guess TI.com (Yes, Texas Instruments - one of the world leaders
in semiconductor technology) hasn't found that check-box yet.

> and yes /rant on!!!  ;-)

:)
 -Ben


Re: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-05-03 Thread James Ebright
On Tue, 03 May 2005 13:24:37 -0500, Ben Kamen wrote

> Really?? When I guess TI.com (Yes, Texas Instruments - one of the
> world leaders in semiconductor technology) hasn't found that
> check-box yet.

I believe it does require a more current version of MS Exchange as well (or so
I am told), so Exchange 2003 or higher. Perhaps TI had a reason to run an older,
less capable (smirk.. like Exchange is all that capable as an MTA, nice
calendar though) version.

Seems MS decided to adhere more to the standards with the 2003 release, as that
is also where you begin to be able to verify users before accepting the entire
message, etc.

Jim

--
EsisNet.com Webmail Client



Re: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-04-28 Thread Jason Gurtz
On 4/27/2005 16:36, James Ebright wrote:

> Honestly, in your case I would use CNAMEs liberally and make your MX server
> the same as the PTR reverses but have customers still use the CNAME for their
> MUA configurations. This will not appear any different to the end user but
> will bring you into full compliance without using a CNAME for the MX record
> (which is an RFC MUST NOT).

Hmm, I guess that's not too bad an idea.  It'll be a weird name but
definitely more correct.  Now the only question is why didn't I consider
that before!?

Cheers,

~Jason

-- 


Re: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-04-28 Thread Les Mikesell
On Thu, 2005-04-28 at 10:47, Jason Gurtz wrote:
> On 4/27/2005 16:36, James Ebright wrote:
>
> > Honestly, in your case I would use CNAMEs liberally and make your MX server
> > the same as the PTR reverses but have customers still use the CNAME for their
> > MUA configurations. This will not appear any different to the end user but
> > will bring you into full compliance without using a CNAME for the MX record
> > (which is an RFC MUST NOT).
>
> Hmm, I guess that's not too bad an idea.  It'll be a weird name but
> definitely more correct.  Now the only question is why didn't I consider
> that before!?

CNAMEs are a little weird in that *all* related info follows them.  In
particular if the target of the CNAME has an MX record, the CNAME
will have that MX record associated as well.  In your case that's
probably what you want but it can be confusing if you don't expect
that.

-- 
  Les Mikesell
   [EMAIL PROTECTED]




Re: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-04-27 Thread Ben Kamen
James Ebright wrote:
> You can whitelist users or entire domains from the rDNS check in your access
> file using Niel's hack.

I know... but it just seemed that while I was playing by all the rules, the
slobs were just making my access file grow to biblical proportions. (shaking
head some more)

Well, when the person who asked me to turn it off gets flooded with spam.. I 
have a feeling I'll be asked to turn it back on again.

I sometimes (when I'm feeling really generous) call the person in charge of the
system being bounced. I explain that AOL and others use the same spam detection
techniques; they'll respond by saying, "our mail doesn't bounce from AOL..."

I reply, "you have a spam folder, don't you?" They usually do.
So then I ask, how often do you actually weed through the thousands of emails
to check it rather than just empty it? They usually don't. They just empty it.

I tell them that's why you don't get bounces. Legit emails from poorly setup 
servers just get filed there. And then *you* delete them.

Then they get it. *THEN* they realize how unreliable email is becoming.
:)
 -Ben


Re: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-04-27 Thread Kevin A. McGrail
> Then they get it. *THEN* they realize how unreliable email is becoming.

I made the same comment a few days ago.  Email has lost all reliability
because of SPAM.  If you send a letter you take it for granted that it arrives.
If you send a fax you assume it gets there, but it sometimes has problems
getting to the correct desk.

But if you send an email, you have to wait for a reply or follow-up that it
arrived.

It's very annoying.

KAM



Re: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-04-27 Thread Jason Gurtz
On 4/26/2005 09:58, James Ebright wrote:
> Hello all, this is a bit off topic but relevant.
>
> We finally decided it was probably time to implement AOL style reverse DNS
> checks into our MTA. Since AOL has been doing it now for something like 6
> months it is a pretty fair bet that most US customers that are legit have
> corrected their DNS issues... or so we thought!

I think AOL's approach to this is reasonable.  It's not as strict as you
might think.  From what Carl said on the SPF list a while back, they check
just for the existence of a PTR, but not that it necessarily matches 100%
with the MX/A record.  For example, because we outsource DNS service to
easydns, and because our ISP's (SBC) policy is to not do custom PTR records
unless they're doing the forward hosting also, we are stuck with just plain
generic PTR records for our block (ip.addr.sbc.com etc...).

As an aside, I think Carl et al have done a great job at turning around
one of the biggest spam problems of a few years ago.  I remember when most
spam I got came from AOL.

No problems sending to AOL so far.  I'm sure there are lots of other
people in the same boat.  I guess if AOL changes to full reverse
validation then we'll be forced to degrade our domain's DNS service level
and host it all ourselves.

If you do strict reverse checking you'll definitely throw out valid mail.
You'll just have to see if that's OK or how much BOFH you can get away with.

~Jason

-- 


RE: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-04-27 Thread Chris Gauch
> As an aside, I think Carl et al have done a great job at turning around
> one of the biggest spam problems of a few years ago.  I remember when most
> spam I got came from AOL.

I certainly agree there -- as an ISP receiving roughly 700k-1 million
messages per day, we receive the least amount of crap from AOL.  The worst
offenders are Yahoo, Hotmail, and MSN in our case.

> No problems sending to AOL so far.  I'm sure there are lots of other
> people in the same boat.  I guess if AOL changes to full reverse
> validation then we'll be forced to degrade our domain's DNS service level
> and host it all ourselves.
>
> If you do strict reverse checking you'll definitely throw out valid mail.
> You'll just have to see if that's OK or how much BOFH you can get away
> with.

I would definitely caution anyone against using rDNS as a determining factor in
whether or not to accept mail.  Most of our clients are small to medium
businesses -- they're always looking for the cheapest broadband, mail
hosting, web, and DNS hosting.  So, some of these clients will have
completely different providers for all of the above.  Adelphia, the largest
provider of broadband in our area (WNY), absolutely outright refuses to set
up custom PTR records for *any* of their clients, business or residential.
Due to several organizations now using strict rDNS checking, we've had to
host several client mail servers (MS Exchange, Lotus, Groupwise, etc.) at
our NOC in order to help these clients get around the rDNS validation (in
that case we provide the IP and the rDNS PTR for the client server, and have
to go through a pain-in-the-a$$ process of setting up VPN over DSL and cable
PVCs).

While rDNS validation is a good way to ensure that you're receiving mail
from a valid, unique domain/network, it just causes headaches in the long
run.  We simply bump the spam score by a few points whenever mail comes
through with invalid rDNS, and that has worked very well for us.  

- Chris   


--
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
[EMAIL PROTECTED]



Re: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-04-27 Thread James Ebright
On Wed, 27 Apr 2005 15:14:20 -0400, Jason Gurtz wrote

> If you do strict reverse checking you'll definitely throw out valid mail.
> You'll just have to see if that's OK or how much BOFH you can get
> away with.

Niel's hack only tempfails in the scenario where there is a PTR but it does
not match. This gives our admin staff a lot of time to decide to whitelist
or to take other actions; so far we have whitelisted one local ISP from rDNS
checks and one local business that is working on correcting their issues (more
numerous than just rDNS).

Honestly, in your case I would use CNAMEs liberally and make your MX server
the same as the PTR reverses but have customers still use the CNAME for their
MUA configurations. This will not appear any different to the end user but
will bring you into full compliance without using a CNAME for the MX record
(which is an RFC MUST NOT).

Jim

--
EsisNet.com Webmail Client



[Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-04-26 Thread James Ebright
Hello all, this is a bit off topic but relevant.

We finally decided it was probably time to implement AOL style reverse DNS
checks into our MTA. Since AOL has been doing it now for something like 6
months it is a pretty fair bet that most US customers that are legit have
corrected their DNS issues... or so we thought!

Why reinvent the wheel... we implemented a slightly modified version of this
sendmail m4 HACK here: http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4

Which basically does this:

1. Check the relay for rDNS, then check the response (gethostbyaddr check)
2. If there is no PTR record, FAIL
3. If you cannot find a DNS record for it at all (maybe DNS is down), TEMPFAIL
4. If there is rDNS (PTR) but it appears forged (different from the forward, or
the result doesn't resolve), TEMPFAIL

Now we have been using the delay_checks feature for some time, and you can add
some options to this HACK if you do delay_checks. We made our default entry
REJECT, but frankly... we plan on putting any user-level entries in our access
file with an explicit REJECT or OK, as it just makes the file much easier to
read and understand.

We placed it after the delay_checks feature (as Niel suggests) and above the
dnsbl entries in the mc file. Now I know the order really should not matter
much in the mc file, but it does seem to run before the dnsbl checks do.. and cuts
that load/traffic down considerably.

Implementing this actually has cut the load on this server (my test one before
I implement everywhere) in half! Not to mention the bandwidth savings, which
should be apparent after a few days' trending (since it is catching it earlier
and avoiding even dnsbl checks in many cases, much less SA and most of the MD
checks).

Anyway, so far I have only identified one domain I have had to whitelist
(a local mom-and-pop ISP) that was tempfailing due to a bad DNS setup; we have
notified them and hopefully they will correct their DNS soon. I asked if they
had customers that could not send to AOL... hehe, the answer was yes... "we
have a lot of problems with AOL!"

So, my question is... I have been monitoring for about 6 hours now, and will
probably let it go another day before pushing this change out to my other
servers... in the meantime.. any caveats from the peanut gallery? Any
horror/war stories on a similar implementation?

Jim
--
EsisNet.com Webmail Client



Re: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-04-26 Thread Rich West
Personally, we've looked into it.  We tend to agree that AOL's position
is somewhat aggressive since their techs are usually behind the times and
don't support their own new technologies well.  But, political opinions
aside, we were leery about implementing it because, frankly, we were
afraid of the possible negative impact.  So, we have relied on
MimeDefang to do this check for us..

However, as time has worn on (and the amount of SPAM has blossomed), we 
have started testing this hack on our in-house testing server.  Hearing 
of your experiences does make me feel a bit better regarding the patch, 
too.  Do you have any stats on how many connections this has prevented?

I'd personally be interested in seeing your modified version of the hack 
(your hacked hack :) ) just to see and understand the differences.

-Rich

> Hello all, this is a bit off topic but relevant.
> We finally decided it was probably time to implement AOL style reverse DNS
> checks into our MTA. Since AOL has been doing it now for something like 6
> months it is a pretty fair bet that most US customers that are legit have
> corrected their DNS issues... or so we thought!
> Why reinvent the wheel... we implemented a slightly modified version of this
> sendmail m4 HACK here: http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4
> Which basically does this:
>
> 1. Check the relay for rDNS, then check the response (gethostbyaddr check)
> 2. If there is no PTR record, FAIL
> 3. If you cannot find a DNS record for it at all (maybe DNS is down), TEMPFAIL
> 4. If there is rDNS (PTR) but it appears forged (different from the forward, or
> the result doesn't resolve), TEMPFAIL



Re: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-04-26 Thread Ben Kamen
Rich West wrote:
> Personally, we've looked into it.  We tend to agree that AOL's position
> is somewhat aggressive since their techs are usually behind the times and
> don't support their own new technologies well.  But, political opinions
> aside, we were leery about implementing it because, frankly, we were
> afraid of the possible negative impact.  So, we have relied on
> MimeDefang to do this check for us..
>
> However, as time has worn on (and the amount of SPAM has blossomed), we
> have started testing this hack on our in-house testing server.  Hearing
> of your experiences does make me feel a bit better regarding the patch,
> too.  Do you have any stats on how many connections this has prevented?

I've been using it on and off and I'd like to say I am simply AMAZED at the
number of domains with horked up DNS, but considering the temperature of today's
"hire the cheapest admin we can" attitude, I'm not.

I just turned it off today after having it on since like December to see what 
happens (actually to prove to the person who asked me to turn it off that the 
people he wants email from should just fix their damn DNS)...

So it definitely has its blessed-cursedness...
It stops a lot of spam.
It stops a lot of legit email.
Can't say much more than that.
I have some stats... they're tabular so... for what it's worth
http://www.benjammin.net/www/pages/spam/month-index.html
Look at the noDNS and ForgedDomain
 -Ben


Re: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-04-26 Thread Kelsey Cummings
On Tue, Apr 26, 2005 at 04:21:23PM -0400, Rich West wrote:
> Personally, we've looked into it.  We tend to agree that AOL's position
> is somewhat aggressive since their techs are usually behind the times and

We've found it highly effective when combined with other RFC related
checks.  No rDNS with a HELO that doesn't match and has no apparent
relation to the IP, the IP has no obvious relation to the domain, etc.

By itself it's going to get a lot of legit mail from poorly configured
hosts along with the spam.

-- 
Kelsey Cummings - [EMAIL PROTECTED]   sonic.net, inc.
System Architect  2260 Apollo Way
707.522.1000 (Voice)  Santa Rosa, CA 95407
707.547.2199 (Fax)http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79  8DB7 2B42 86B6 4E2C 3896


Re: [Mimedefang] OT - Using rDNS sendmail hack - your experiences

2005-04-26 Thread James Ebright
You can whitelist users or entire domains from the rDNS check in your access
file using Niel's hack.

I would rather whitelist a single domain than turn it off entirely if you had
been using it since December with only a little fallout.

Add:

rdns:1.2.3.4        OK
rdns:@somehost.com  OK

to whitelist for solely rdns, it will also honor regular whitelist entries
with no left hand side token:

1.2.3.4     OK
5.6.7       OK
5.6         RELAY

All of the above exempts those IPs (or domain names) from rdns checks.

As long as your users are not completely virtual (i.e. this box does mail
routing only) then you can also do this on a per user basis.

Jim

On Tue, 26 Apr 2005 15:30:43 -0500, Ben Kamen wrote

> I just turned it off today after having it on since like December to
> see what happens (actually to prove to the person who asked me to
> turn it off that the people he wants email from should just fix
> their damn DNS)...


--
EsisNet.com Webmail Client

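The decision logic Jim describes in two places in this thread, modelled in Python as an added example (this is not the require_rdns.m4 hack itself nor sendmail's access map code): the four rules from his original post (no PTR is a FAIL, a failed lookup or an unconfirmed PTR is a TEMPFAIL) plus the rdns: and bare left-hand-side whitelist entries from his later reply. The resolver, zone data and access entries are constructed for the example, and matching rdns:@domain entries against the PTR name and its subdomains is an assumption.

```python
class DnsError(Exception): pass  # stands in for SERVFAIL/timeout: answer unknown, not negative

class FakeResolver:
    def __init__(self, ptr, a, down=()):
        # Constructed in-memory stand-in so this runs offline. ptr: ip -> PTR names
        # ([] models NXDOMAIN); a: name -> A records; down: keys whose lookup fails.
        self.ptr, self.a, self.down = ptr, a, set(down)

    def _lookup(self, table, key):
        if key in self.down:
            raise DnsError(key)
        return table.get(key, [])
    def reverse(self, ip): return self._lookup(self.ptr, ip)
    def forward(self, name): return self._lookup(self.a, name)

def parse_access(text):
    """Access-file lines '<key> <action>' -> list of (key, ACTION)."""
    rows = [l.split(None, 1) for l in text.splitlines() if l.strip()]
    return [(k, v.strip().upper()) for k, v in rows]

def exempt(ip, names, entries):
    """OK/RELAY entries match the IP by dotted prefix ('5.6 RELAY') or, for an
    @domain key, a PTR name in that domain (subdomain matching is an assumption)."""
    for key, action in entries:
        if action not in ("OK", "RELAY"):
            continue
        key = key[5:] if key.startswith("rdns:") else key
        if key.startswith("@"):
            dom = "." + key[1:].lower()
            if any(("." + n.lower()).endswith(dom) for n in names):
                return True
        elif ip == key or ip.startswith(key + "."):
            return True
    return False

def check_rdns(ip, resolver, entries):
    """Return OK, FAIL or TEMPFAIL following the four rules quoted in the thread."""
    if exempt(ip, [], entries):
        return "OK"
    try:
        names = resolver.reverse(ip)
    except DnsError:
        return "TEMPFAIL"            # rule 3: lookup failed, DNS may just be down
    if not names:
        return "FAIL"                # rule 2: authoritative answer with no PTR
    if exempt(ip, names, entries):
        return "OK"
    try:                             # rule 4: some PTR name must forward-confirm to this IP
        confirmed = any(ip in resolver.forward(n) for n in names)
    except DnsError:
        return "TEMPFAIL"
    return "OK" if confirmed else "TEMPFAIL"   # unconfirmed PTR: tempfail buys admins time

# Constructed sample data (RFC 5737 documentation addresses) and access entries.
SAMPLE = FakeResolver(
    ptr={"192.0.2.10": ["mx.example.net"], "192.0.2.20": [],
         "192.0.2.30": ["mail.example.org"], "192.0.2.40": ["relay.somehost.com"]},
    a={"mx.example.net": ["192.0.2.10"], "mail.example.org": ["198.51.100.5"]},
    down={"192.0.2.50"})
ACCESS = parse_access("rdns:192.0.2.99  OK\nrdns:@somehost.com  OK\n203.0.113  RELAY")
```

With the sample data, 192.0.2.20 (no PTR) is a FAIL, 192.0.2.30 (PTR whose forward lookup points elsewhere) and 192.0.2.50 (lookup error) are TEMPFAILs, and the whitelisted 192.0.2.99 and 203.0.113.x pass without any lookup.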