Re: check_hostbyrename (discussion)
Matt Sergeant wrote:

> I pay [*] for a business DSL line (static IP, 20:1 contention, etc). I've faxed my provider 3 times to try and get them to delegate rDNS to me and they've done nothing. I've now given up. SPF is a more complete solution to the problem that rDNS based blocking is trying to solve.

FWIW, unless you have a /27 or larger, you are unlikely to get an ISP to delegate the rDNS to your server. However, you may have better luck asking the ISP to change the reverse IP directly, so that the forward and reverse DNS correspond to what you'd like them to be. I know that my ISP will do that for fixed IP accounts (SpeakEasy).

HTH
John
Re: check_hostbyrename (discussion)
On Tue, 23 Mar 2004, Skaag Argonius wrote:

> I disagree with you and Robert about remote mail admins not giving a damn. Every mail admin I've talked to online, made the efforts to fix the problems, because I am hosting mail for some companies that do some serious business. Lost mail means lost business! I've helped them understand why they need a reverse dns record in the first place (yes many don't know!), and explained many other aspects of mail administration to them, and they were more than happy to help. Obviously, I was not the only person blocking their mail, and they were relieved to know they were more compliant now, and that their mail would be accepted by more servers on the net.

I pay [*] for a business DSL line (static IP, 20:1 contention, etc). I've faxed my provider 3 times to try and get them to delegate rDNS to me and they've done nothing. I've now given up. SPF is a more complete solution to the problem that rDNS based blocking is trying to solve.

But then you may never see this email, so it matters not :-)

[*] This is actually a slight lie, but it complicates the matter even further rather than simplifies it. Email me offlist if you want the gritty details.

-- !-- Matt -- :-get a SMart net/:- I am Jack's broken heart.
Re: check_hostbyrename (discussion)
(note: I'm the author)

I have to agree with this guy here. Since I wrote the plugin, I've been in touch with at least 10 mail admins who were interested in bringing their server closer to spec. Course I'm not quite sure what spec is, I'm just a hacker who is sick of spam on his box and used a bit of hazy long-term memory topped with common sense to come up with my rules.

The current version that I'm running on my MTA actually sends a reasonable error message to the remote admin to the tune of:

    450 Sender A.B.C.D has no reverse DNS. Please contact [EMAIL PROTECTED] if you think this was bounced in error.

or

    550 Hostname rejected. Contact [EMAIL PROTECTED] if you think this is an error.

There's also new support for ENV vars set by the tcpserver. If KNOWNIP is set, the connection automatically passes my tests, but I generally let the other plugins take their stab at it instead of giving it an all-clear.

Additionally, I hardcoded a small name-based white-list because my kids' school uses a sometimes-on, dynamic-ip setup for their mail. Abysmal, but I have to live with it. I guess that routine oughta be config-file controlled.

Make no mistake, this plugin is a heavy hand. Nobody pays me for my mail services so I get free rein over how they're handled and if the users don't like it, they can shell out some cash to someone who will care even less about their personal issues than I would.

If people are interested in trying these changes I'll go update the web page with new code (including config-based white-list) and send the link back to the list.

One interesting side effect of my bastard-op ethos is that clamav (with frequent virus definition updates) has only managed to find ONE virus-laden email in the past 2 days because the vast majority of the propagation attempts are coming from hostnames that I block. Bonus.

-Frank

P.S. I've also since renamed the plugin to hnbl: HostName Bl[ao]ckList (haven't nailed down the vowel yet) because the old name was ugly in my logs.
On Tue, 23 Mar 2004, Skaag Argonius wrote:
# I disagree with you and Robert about remote mail admins not giving a damn.
# Every mail admin I've talked to online, made the efforts to fix the
# problems, because I am hosting mail for some companies that do some serious
# business. Lost mail means lost business! I've helped them understand why
# they need a reverse dns record in the first place (yes many don't know!),
# and explained many other aspects of mail administration to them, and they
# were more than happy to help. Obviously, I was not the only person blocking
# their mail, and they were relieved to know they were more compliant now, and
# that their mail would be accepted by more servers on the net.
#
# It reminds me of that story with the little kid, about changing the world.
# Unlike others (donno if you saw the movie American Splendor) I do believe
# that people are basically good inside :-)
#
# My friends call me a fatal optimist.
#
# Aric
Re: check_hostbyrename (discussion)
frank wrote:

> (note: I'm the author)
>
> I have to agree with this guy here. Since I wrote the plugin, I've been in touch with at least 10 mail admins who were interested in bringing their server closer to spec. Course I'm not quite sure what spec is, I'm just a hacker who is sick of spam on his box and used a bit of hazy long-term memory topped with common sense to come up with my rules.

Sam here, I'm the one that started this discussion.

Frank, thank you for the plugin. I have had good luck with mail admins trying to repair their problems. Most of the time, I get the office expert, who realizes that they have been having problems, but never suspects that it is a real problem on their end. They always have to refer me on to their ISP or their IT department. Some of the time, it ends there and I never get a call back.

> Make no mistake, this plugin is a heavy hand.

By itself, this plug-in seemed to eliminate the largest chunk of remaining spam when I added it in. It also reduced the load on the server by saving the following plugins the effort of more tests.

> If people are interested in trying these changes I'll go update the web page with new code (including config-based white-list) and send the link back to the list.

Yes, I am interested in seeing the updated code. If I can find some refinement that allows me as an ISP to put this back into full use, I would love it.

The interesting side effect for me is that since I set up my spam blocking machine 6 months ago, I have taken these plugins as my opportunity to learn perl.

Sam
Re: check_hostbyrename (discussion)
On Tue, 23 Mar 2004, Sam Laffere wrote:

> > Make no mistake, this plugin is a heavy hand.
>
> By itself, this plug-in seemed to eliminate the largest chunk of remaining spam when I added it in. It also reduced the load on the server by saving the following plugins the effort of more tests.

Note that the same could be said for any plugin which defers or rejects all mail. So it's not necessarily a good sign :-)

[When I first installed a challenge response system I thought that it was wonderful, as I suddenly stopped receiving any spam. It was only later that I started getting all the bounce and failed delivery messages, and started to consider all the please confirm messages going to innocent third parties...]

--- Charlie
Re: check_hostbyrename (discussion)
> By itself, this plug-in seemed to eliminate the largest chunk of remaining spam when I added it in. It also reduced the load on the server by saving the following plugins the effort of more tests.

I used to do the equivalent for qmail, i.e. temporarily rejecting incoming TCP connections from hosts with no reverse DNS. Once I stopped doing it, I noticed a lot of the connections were really just innocent sites out there trying to deliver bounces (of joe jobs mostly), so allowing them to do it again caused a temporary upsurge in incoming activity followed by an overall *reduction* in incoming connection attempts.

I recommend using checks like reverse-DNS, paranoid forward lookups, SPF, and so on, only on incoming *messages* after other, localized checks have failed to produce a definitive answer to the question should I accept this email one way or another. (Localized checks include any that don't require DNS lookups or other forms of contacting external hosts for information such as IDENT, DNSBLs, or RHSBLs. They might include local versions of such data bases, built out of local decisions about what constitutes unwanted incoming email, or locally applied tests such as virus or spam scanning.)

At the moment, my qmail-smtpd setup doesn't do any reverse-DNS, IDENT, or paranoid lookups at all. And, surprisingly, the tiny bit of localized checking it *does* do has reduced my incoming spam and vermin to a (comparative) trickle.

And by deferring external lookups until they're truly needed, one can more-quickly process incoming bounces even from valid hosts. I get tons of bounces (again, of joe jobs) from aol.com, and since turning off rDNS, IDENT, and paranoid lookups (in tcpserver), they are dealt with much more quickly, which makes both my system and AOL's happier.

--
James Craig Burley
Software Craftsperson
http://www.jcb-sc.com
Re: check_hostbyrename (discussion)
With some inspiration from Sam, I cleaned up my code a bit and added a configurable whitelist to my hnbl plugin. The new config file is called 'notbadmailfromhost'.

Please note the need to edit the $errormail variable to point to a fairly open address that you can check regularly like yahoo or hotmail. If the account starts getting overrun with spam (it will happen) make a new one and put it in your code.

http://web.they.org/software/mailfun/hnbl.php

.enjoy
-Frank

On Tue, 23 Mar 2004, Sam Laffere wrote:
# frank wrote:
# > (note: I'm the author)
# >
# > I have to agree with this guy here. Since I wrote the plugin, I've been in
# > touch with at least 10 mail admins who were interested in bringing their
# > server closer to spec. Course I'm not quite sure what spec is, I'm just a
# > hacker who is sick of spam on his box and used a bit of hazy long-term
# > memory topped with common sense to come up with my rules.
#
# Sam here, I'm the one that started this discussion.
# Frank, thank you for the plugin. I have had good luck with mail admins
# trying to repair their problems. Most of the time, I get the office expert,
# who realizes that they have been having problems, but never suspects that it
# is a real problem on their end. They always have to refer me on to their
# ISP or their IT department. Some of the time, it ends there and I never get
# a call back.
#
# > Make no mistake, this plugin is a heavy hand.
#
# By itself, this plug-in seemed to eliminate the largest chunk of remaining
# spam when I added it in. It also reduced the load on the server by saving
# the following plugins the effort of more tests.
#
# > If people are interested in trying these changes I'll go update the web
# > page with new code (including config-based white-list) and send the link
# > back to the list.
#
# Yes, I am interested in seeing the updated code. If I can find some
# refinement that allows me as an ISP to put this back into full use, I would
# love it.
#
# The interesting side effect for me is that since I set up my spam blocking
# machine 6 months ago, I have taken these plugins as my opportunity to learn
# perl.
#
# Sam

--
Nobody snuggles with Max Power. You strap yourself in and feel the Gs!
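Added example, not the hnbl plugin's code (which is Perl and is not reproduced on this page): a Python model of the decision order described in Frank's two messages above, covering the KNOWNIP bypass, the 450 for missing reverse DNS, the 'notbadmailfromhost' allow list and the 550 for blocked hostnames. The glob-pattern file format, the allow-before-block ordering, the contact address and all sample hosts are assumptions made for the illustration.

```python
import fnmatch

# Outcomes named after the qpsmtpd return codes mentioned in the thread.
DECLINED, DENYSOFT, DENY = "DECLINED", "DENYSOFT", "DENY"
CONTACT = "postmaster@example.invalid"  # placeholder; the page's address is redacted

def parse_list(text):
    """One glob pattern per line, '#' starts a comment (assumed file format)."""
    lines = (ln.split("#", 1)[0].strip().lower() for ln in text.splitlines())
    return [ln for ln in lines if ln]

def matches(host, patterns):
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)

def check_host(ip, resolve_ptr, env, allow, block):
    """Return (outcome, smtp_reply) for one connecting client.

    resolve_ptr maps ip -> hostname or None; it is injected so the example
    runs offline. A live check would issue a DNS PTR query instead.
    """
    if "KNOWNIP" in env:              # set by tcpserver: skip these tests
        return DECLINED, None
    host = resolve_ptr(ip)
    if not host:                      # temporary failure, sender may retry
        return DENYSOFT, (f"450 Sender {ip} has no reverse DNS. Please contact "
                          f"{CONTACT} if you think this was bounced in error.")
    host = host.rstrip(".").lower()
    if matches(host, allow):          # assumed: allow list beats block list
        return DECLINED, None
    if matches(host, block):          # permanent rejection
        return DENY, (f"550 Hostname rejected. Contact {CONTACT} "
                      "if you think this is an error.")
    return DECLINED, None

# Constructed sample data: documentation IP ranges and made-up hostnames.
ALLOW = parse_list("mail.dynamic.school.example  # sender we must accept\n")
BLOCK = parse_list("*.dsl.*\n*.dynamic.*\n*dialup*\n")
PTR = {
    "192.0.2.10": "mx1.corp.example.",
    "192.0.2.20": "host-20.dsl.isp.example.",
    "192.0.2.30": "mail.dynamic.school.example.",
}

def demo():
    cases = [("192.0.2.10", {}), ("192.0.2.20", {}), ("192.0.2.30", {}),
             ("198.51.100.5", {}), ("198.51.100.5", {"KNOWNIP": "1"})]
    return [check_host(ip, PTR.get, env, ALLOW, BLOCK)[0] for ip, env in cases]

if __name__ == "__main__":
    print(demo())
```

DECLINED here means "no opinion", so later checks still run; only the 450 and 550 outcomes end the decision at this stage.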
check_hostbyrename (discussion)
I implemented this plugin on a test domain, and it seemed great, but after implementing on my production server, I had too many customers not getting their email because of the 'no reverse lookup' part. For now I have remarked that out and still use the badmailfromhost file.

The badmailfromhost file caused one known problem, but after 8 phone calls to Southwestern Bell, that DSL person was able to get a real PTR file for their mail server and has not had any more problems. This person had been having strange problems with most mail getting through, but the occasional email not reaching the destination. The exchange server was not giving him enough info to troubleshoot effectively. I think he was being denied for the same reason my server denied him, but just could not figure it out.

I have read some of the discussion regarding reverse dns for mail servers, and while I would love to block them all, as an ISP, I can not do that to my clients.

I have played with the denysoft_greylist lately, and was considering just greylisting the emails that failed the reverse lookups. I am a newbie at perl programming, but I could blend those two plugins together. My problems as an ISP with each of them have brought about this realization. The 450 DENYSOFT that they both use has a couple of problems in the real world.

1. Some mail servers (possibly Lotus Notes and others) don't queue and retry.
2. The repeated DENYSOFT from check_hostbyrename never allows the message on through. If a greylist was added, then problem 1 kicks in.
3. My customers calling to say that such-and-such email is not getting here can eat up a TREMENDOUS amount of time.

I wish I had answers. Sorry I don't.

Here is one possible thing that could be done that might somehow allow the mail to get through, yet help the cause for those of us that try to play by the rules. If there was a version of ALLOWSOFT (opposite of DENYSOFT) that would allow the mail to get through, yet send a 'courtesy' message back to the sender and the [EMAIL PROTECTED] that informs them politely of the ignorance of their ways. Something like:

    We have accepted this email even though your mail server does not have a reverse dns entry, or has messed up on the 450 reply that we recently sent you. Please fix this problem, as we reserve the right to refuse this mail in the future, and in the fight against spam, more and more servers will be refusing your mail in the future

This might be a subtle way to try to change the ways of the ignorant.

Thanks for letting me vent a little. If I was not an ISP, I would not have to worry about it, I would just block it. There are just too many 'broken' mail servers that even a small ISP like myself cannot spend the time to correct other people's mistakes just so my customers get their mail. Hopefully, this will start the thought processes going on a way to fix this. Thanks.

Sam
Re: check_hostbyrename (discussion)
> 1. Some mail servers (possibly Lotus Notes and others) don't queue and retry.

Can you confirm this? It would not surprise me if Lotus Notes is doing something suboptimal, but this particular problem seems unlikely.

> If there was a version of ALLOWSOFT (opposite of DENYSOFT) that would allow the mail to get through, yet send a 'courtesy' message back to the sender and the [EMAIL PROTECTED] that informs them politely of the ignorance of their ways. Something like:
>
>     We have accepted this email even though your mail server does not have a reverse dns entry, or has messed up on the 450 reply that we recently sent you. Please fix this problem, as we reserve the right to refuse this mail in the future, and in the fight against spam, more and more servers will be refusing your mail in the future

This is called 'DECLINED' and set a flag. I'm working on a framework for qpsmtpd that will let you implement something like this if you want. Personally, I wouldn't recommend doing it, but that's the magic of qpsmtpd, it lets you do whatever you want.

> This might be a subtle way to try to change the ways of the ignorant.

It won't work. But if you want to try, go ahead.

-R