Fun new policy at AOL

Sometime mid last week, one of my clients--a state chapter of a national
association--became unable to send to all of their AOL members. Assuming
it was simply that AOL's servers were inundated with infected emails, I
gave it some time. The errors were simply "delay" and "not delivered in
time specified" errors.

Well, it was still going on today. So, I went on site and upped the
logging on the server. What to my surprise did appear but a nice little
message informing us that "I'm sorry, your IP is dynamically assigned
and AOL doesn't accept dynamic IPs."

WTF. This IP is NOT dynamic. The client has had it for about two years.

I just looked on their website to file a complaint and ask how they
determined what was dynamic and what was static and couldn't find a
contact email address. I did find the following statement:
"AOL's mail servers will not accept connections from systems that use
dynamically assigned IP addresses."

It was on the following page:
http://postmaster.info.aol.com/standards.html

So, since I know someone from AOL does lurk on this list, what's my
recourse? Feel free to email me offlist. Thanks.

On a side note, my client is also curious who's going to help pay the
bill that they shouldn't have needed to pay me due to AOL changing
policy and blocking them needlessly. Unless AOL is downloading the
entire routing pools from all ISPs on a daily basis, how do they know
which IPs are dynamic and which are static? ;) And, since static IPs can
actually be assigned out of a DHCP pool as well, even that won't work.

WTF. This IP is NOT dynamic. The client has had it for about two years.

What is the IP address they are rejecting ?

Unless AOL is downloading the
entire routing pools from all ISPs on a daily basis, how do they know
which IPs are dynamic and which are static? ;)

What would BGP tables tell you about internal routing and DNS ?

         ---Mike

I just looked on their website to file a complaint and ask how they
determined what was dynamic and what was static and couldn't find a
contact email address. I did find the following statement:
"AOL's mail servers will not accept connections from systems that use
dynamically assigned IP addresses."

It was on the following page:
http://postmaster.info.aol.com/standards.html

Whoa.. that's crazy. Obviously it's an effort to stop relay forwarding from cable
modem and DSL customers but there are *lots* of legitimate SMTP servers sitting
on customer sites on dynamic addresses.

I've numerous customers I can think of straight away who use setups such as
MS Exchange on dynamic addresses where they poll POP3 boxes and send their own
SMTP!

Whoa.. that's crazy. Obviously it's an effort to stop relay forwarding
from cable modem and DSL customers but there are *lots* of legitimate
SMTP servers sitting on customer sites on dynamic addresses.

And at one time it was considered "helpful" for mail servers to relay
anything that was presented to them. We don't think that way now, as
a DIRECT result of the way in which that arrangement has been abused.

So with "legitimate smtp servers" sitting on customer sites on dynamic
addresses: the flexibility and convenience of such arrangements became
subsidiary to the abuse and security issues they facilitated.

Now if the abuse and security teams of the large providers would move
*quickly* to isolate compromised machines and deal with other security
related issues when they arise, the "flexibility and convenience" would
probably win out in the end. But as things stand it isn't going to.
We can thank the usual suspects - Cogent, Qwest, AT&T, Comcast - and in
Europe: BT, NTL and possibly the world-abuse-leader, Deutsche Telekom
(who run dtag.de and t-dialin.net) for this being the situation.

They may think it's better for their bottom line to de-resource their
security and abuse departments, and better for their customers to let
them stay online while issues are resolved, but they remain oblivious
to the harm this policy is doing to the internet community as a whole.

I've numerous customers I can think of straight away who use setups
such as MS Exchange on dynamic addresses where they poll POP3 boxes
and send their own SMTP!

The fact that it is impossible to readily distinguish between their
IPs and those of compromised boxes running Jeem etc, will mean that
those sites are already likely to be experiencing significant mail
rejection - and that will get worse, not better. Unless there is a
turn-around soon in the attitude of backbones and other providers,
I can see a "registered SMTP senders only" policy being put in place
by the majority of sites by the end of 2004. Or possibly sooner.

AOL's mail handling policy may be disappointing - but those of us who
have been hit by their other disappointing mail policy (of accepting
all undeliverable mail and then bouncing it to the (forged) sender),
may see this as actually improving the situation because it visibly
reduces the quantity of forged bounces *we* see originating from AOL!

Funny, I didn't think this was 'aol-mail-policy-list'.

This isn't new, crazy, nor out of step with generally accepted
practices. They [and many others] have been doing it for a
while. A dynamic block is generally listed as such in a service
provider's reverse DNS and also often in a voluntary listing
such as the DUL. AOL's specific definition is point 12 on their
postmaster FAQ (http://postmaster.info.aol.com/faq.html). If
a service provider is providing business/static addressing and
not making it clear, that's a customer<->provider issue.

Whoa.. that's crazy. Obviously it's an effort to stop relay
forwarding from cable modem and DSL customers but there are
*lots* of legitimate SMTP servers sitting on customer sites
on dynamic addresses.

I suspect your definition of legitimate is different than
the service providers' on whose network these machines are
sitting. Use the submit protocol for client/end stations.
SMTP is for inter-server traffic; if you have a server on
a residential connection, check your service agreement. If
you have a business service being incorrectly tagged as
residential, then you have a legitimate beef - with your
provider. Not AOL and not NANOG.

I've numerous customers I can think of straight away who
use setups such as MS Exchange on dynamic addresses where
they poll POP3 boxes and send their own SMTP!

POP XMIT; SUBMIT [even MS products support it]. Use TLS if
you care that your customers are sharing their passwords
in the clear. Anyway, postmaster@aol might be more
interested in your concerns. Then again, they set the rules
for their network, so they might not.

Cheers,

Joe

...and I can think of alot of servers that will BL those customers. DUL
blacklists are very commonly used. However "legitimate" these MS Exchange
servers are, they'd better get a static IP if they want to avoid problems
with many recipients.

My guess is that since many of the BLs are being DDoS'd, perhaps AOL came
up with their own, possibly out of date, DUL-type BL...

James Smallacombe PlantageNet, Inc. CEO and Janitor
up@3.am http://3.am
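How a receiving site, or anyone using a DUL as James describes, can actually make the dynamic/static call Joe outlines: look at the reverse DNS for a generic, address-derived name, and query a DUL-style DNSBL zone. The code below is an added example written for this page, not AOL's or any DNSBL operator's logic. The PTR records, the `dul.example.invalid` zone and its listings are constructed so that it runs offline; a real check would resolve the PTR and the DNSBL name with an actual resolver.

```python
import ipaddress
import re

# Constructed data so the example runs offline. A real check would resolve the
# PTR and the DNSBL name with a resolver; the ISP names and the zone are made up.
PTR_RECORDS = {
    "203.0.113.17": "dsl-203-0-113-17.dyn.example-isp.net",   # generic, address-derived
    "203.0.113.200": "mail.example-assoc.org",                 # customer-specific name
    "198.51.100.5": "ppp-5.dialup.example-telco.net",          # dial-up pool
    "198.51.100.99": None,                                     # no PTR at all
}
DUL_ZONE = "dul.example.invalid"
# A DUL-style zone answers with a 127.0.0.x address for listed (reversed) IPs.
DUL_LISTINGS = {
    "17.113.0.203.dul.example.invalid": "127.0.0.2",
    "5.100.51.198.dul.example.invalid": "127.0.0.2",
}

# Tokens providers commonly put in PTRs for pool addresses, and the
# "address spelled into the hostname" pattern.
DYNAMIC_HINTS = re.compile(r"dyn|dhcp|pool|dial|ppp|dsl|cable", re.I)
OCTETS_IN_NAME = re.compile(r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}")


def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for an IPv4 DNSBL lookup: octets reversed, under the zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup_dul(ip: str, listings=DUL_LISTINGS, zone=DUL_ZONE):
    """Simulated DNSBL A-record lookup; None means 'not listed' (NXDOMAIN)."""
    return listings.get(dnsbl_name(ip, zone))


def lookup_ptr(ip: str, records=PTR_RECORDS):
    """Simulated PTR lookup against the constructed table."""
    return records.get(ip)


def classify(ip: str):
    """Return ('dynamic' | 'static' | 'unknown', [reasons]) for a sending IP."""
    reasons = []
    listed = lookup_dul(ip)
    if listed is not None:
        reasons.append(f"listed in {DUL_ZONE} ({listed})")
    ptr = lookup_ptr(ip)
    ptr_dynamic = False
    if ptr is None:
        reasons.append("no PTR record")
    else:
        if DYNAMIC_HINTS.search(ptr):
            reasons.append(f"generic dynamic-style PTR: {ptr}")
            ptr_dynamic = True
        if OCTETS_IN_NAME.search(ptr):
            reasons.append(f"PTR embeds the address: {ptr}")
            ptr_dynamic = True
    if listed is not None or ptr_dynamic:
        return "dynamic", reasons
    if ptr is None:
        return "unknown", reasons
    return "static", reasons


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        verdict, why = classify(ip)
        print(f"{ip:15} {verdict:8} {'; '.join(why)}")
```

Note that the hostname heuristic fires on any PTR containing "dsl", which is exactly the business-DSL-with-a-static-address case this thread is about: a receiver running this logic will reject such a sender even though it is not dynamic. The fix is on the provider side, a customer-specific PTR for static assignments and keeping those ranges out of the DUL, which is why Joe calls it a customer/provider issue.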

In article <20030828105754.GA85674@gweep.net>, Joe Provo <nanog-post@rsuc.gweep.net> writes

AOL's specific definition is point 12 on their
postmaster FAQ (http://postmaster.info.aol.com/faq.html).

That's their definition of "Residential IP", not "Dynamic IP".

if you have a server on
a residential connection, check your service agreement.

My own ISP has DSL products called "Home Based Business" (and provide
static IP addressing). "Residential" and "Business" are not mutually
exclusive.

In article <20030828111600.C282.RICHARD@mandarin.com>, Richard Cox
<Richard@mandarin.com> writes

We can thank the usual suspects - Cogent, Qwest, AT&T, Comcast - and in
Europe: BT, NTL and possibly the world-abuse-leader, Deutsche Telekom
(who run dtag.de and t-dialin.net) for this being the situation.

Here's another tale of undeliverable email. It seems that [at least] one
of those organisations you mention assigns IP addresses for its ADSL
customers from the same blocks as dial-up. Which means that
organisations using MAPS-DUL reject email from teleworkers (or indeed
people running businesses with an ADSL connection) who run their own
SMTP servers.
--
Roland Perry

Shouldn't customers that purchase IP services from an ISP use the ISP's mail server as a smart host for outbound mail? We block outbound port 25 connections on our dialup and DSL pool. We ask our customers that have their own mail servers to configure them to forward through our mail servers. We get SPAM/abuse notifications that way and can kick the customer off the network.

We also block inbound port 25 connections unless they are coming from our mail server and require the customer to set up their MX record to forward through our mail server. We virus scan all mail coming and going that way. We protect our customers from the network and our network from our customers.

We are currently blocking over 3k Sobigs/hour on our mail servers. I would rather have that than all my bandwidth eaten up by Sobig on all of my dialup/DSL connections.

SMTP & DNS should be run through the servers provided by the ISP for the exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP)

-Matt
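The egress/ingress port 25 policy Matt describes, as an added example that is not part of his post: a first-match evaluator over constructed flows, with documentation-range addresses standing in for the ISP's dialup/DSL pools, its relay (which is also every customer's MX) and a remote provider's MX. The per-customer exemption set is an assumption modelling the clue-based filter removal he describes later in the thread; submission on port 587 is deliberately left alone.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan using documentation ranges (assumption, not from the post).
DIALUP_POOL = ipaddress.ip_network("198.51.100.0/24")
DSL_POOL = ipaddress.ip_network("203.0.113.0/24")
ISP_MAIL = ipaddress.ip_address("192.0.2.25")   # the ISP relay; also every customer's MX
# Customers whose port 25 filter was lifted after showing they can run a server
# (hypothetical list; the thread ties this to clue, not size).
EXEMPT = {ipaddress.ip_address("203.0.113.40")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def in_pool(addr) -> bool:
    return addr in DIALUP_POOL or addr in DSL_POOL


def decide(flow: Flow):
    """First-match policy for a TCP connection; returns (action, reason)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if flow.dport != 25:
        return "permit", "not SMTP (submission on 587 stays open)"
    if in_pool(src):                                   # outbound from a pool host
        if src in EXEMPT:
            return "permit", "customer exempted from the outbound filter"
        if dst == ISP_MAIL:
            return "permit", "relay through the ISP smart host"
        return "deny", "direct-to-MX from the pool"
    if in_pool(dst):                                   # inbound to a pool host
        if dst in EXEMPT:
            return "permit", "customer exempted from the inbound filter"
        if src == ISP_MAIL:
            return "permit", "delivery from the ISP MX"
        return "deny", "direct inbound SMTP to a pool host"
    return "permit", "not pool traffic"


def evaluate(flows):
    """Apply the policy to a batch; returns {flow: action} in input order."""
    return {f: decide(f)[0] for f in flows}


# Constructed sample flows; 192.0.2.200 plays a remote provider's MX.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.200", 25),   # dialup host straight to a remote MX
    Flow("198.51.100.7", "192.0.2.25", 25),    # dialup host to the ISP relay
    Flow("192.0.2.200", "203.0.113.9", 25),    # remote MX straight to a DSL host
    Flow("192.0.2.25", "203.0.113.9", 25),     # ISP relay delivering to a DSL host
    Flow("203.0.113.40", "192.0.2.200", 25),   # exempted customer sending direct
    Flow("203.0.113.9", "192.0.2.200", 587),   # submission to a third-party relay
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, why = decide(f)
        print(f"{f.src:>14} -> {f.dst:<14}:{f.dport:<4} {action:6} {why}")
```

The two deny rules are the whole policy: a pool host cannot reach any MX but the ISP's, and nothing but the ISP's relay can reach a pool host on 25. Everything else, including a customer running their own server on a non-pool static address, passes untouched.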

At least here in DE there are resellers of DTAG which offer DSL connections
without any SMTP relay. If you want relaying you also have to order a domain
via them. Funnier still: you cannot deliver mail to DTAG (actually T-Online),
as the resellers use address space of DTAG and hence the DTAG servers
believe you are a customer of theirs and should use the internal relays ...

Arnold

Also depends on how much clue said ISP has. I have a DSL-like connection
at home from a large LEC/ISP, but half the time their mail server either
doesn't respond or rejects me. If I was more concerned, I would just set
up my own mail server here and be done with it. As it is, I use ssh/pine.

But there's another good reason for customers to use their own mail server.

Aaron

I think that is also true of BT in the UK who as the incumbent are the only
provider of things like unmetered dialup..

Steve

....
SMTP & DNS should be run through the servers provided by the ISP for
the exact purpose. There is no valid reason for a dialup customer to

                                              ^^^^^ OH YES THERE IS !!!!
(at least to a different resolver other than yours)

go direct to root-servers.net and there is no reason why a dialup user
should be sending mail directly to AOL, or any mail server for that
matter (besides their host ISP)

-Matt

Except for the fact that your DNS server may be using a root cache file that
points to the restrictive USG root network that is currently controlled by a
corrupt monopoly.

What about customers who want to use ORSC or Pacificroot? There are about
11,000 TLDs out there and you want to limit your customers to have to suffer
under the current totalitarian dictatorship? I wouldn't ever be a customer of yours.

In article <89081955-D962-11D7-A9DD-000A956885D4@crocker.com>, Matthew
Crocker <matthew@crocker.com> writes

Shouldn't customers that purchase IP services from an ISP use the ISP's mail
server as a smart host for outbound mail? We block outbound port 25 connections
on our dialup and DSL pool.

[snip]

there is no reason why a dialup user should be sending mail
directly to AOL, or any mail server for that matter (besides their host ISP)

Dial-up, I agree. DSL is a slightly different story. And I'm as much
against Spam as anyone.

In article <Pine.LNX.4.44.0308281540350.4034-100000@MrServer>, Stephen
J. Wilcox <steve@telecomplete.co.uk> writes

BT in the UK who as the incumbent are the only
provider of things like unmetered dialup..

I have a 19.99 a month unmetered dialup from Freeserve (based on
FRIACO). There must be others.

Shouldn't customers that purchase IP services from an ISP use the ISPs
mail server as a smart host for outbound mail?

Applying that standard, just how large do you have to get before
you "graduate" to running your own SMTP server? "I'm sorry, we won't accept
mail from you because you're not an LIR?"

I was avoiding going into detail as most people here are probably not that
interested in the UK setup..

It's complicated: Energis and WorldCom operate their own PSTN FRIACO; there are also
ways of buying it in at sufficient volume as ISDN- or modem-terminated L2TP, or
buying ports on someone else's platform. But my generalisation is that there is a
dominant player in this market who is dominant as they can offer things which
the others can't afford to do!

Steve

Matthew Crocker wrote:

SMTP & DNS should be run through the servers provided by the ISP for the exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP)

...and there is no reason for a dialup customer to have direct access to any other port either;
they'll just use the www-proxy and other ALG services from the ISP?

This is a self-solving problem.

Pete

In article <Pine.LNX.4.44.0308280802370.7707-100000@twin.uoregon.edu>,
Joel Jaeggli <joelja@darkwing.uoregon.edu> writes

Applying that standard, just how large do you have to get before
you "graduate" to running your own SMTP server?

I'd say having a "fixed connection" (e.g. DSL, T1), mainly because "we know
where you live".

Dial-ups are whole other ballpark.

If a larger corporation shows that they have a clue, we remove the filters. If we start getting virus/spam notifications again, we re-enable the filter. We are either primary or backup MX for all of our customers. We can implement a port 25 inbound filter on a customer and their inbound mail is unaffected. We can then contact the customer and work with them to fix their broken mail server and remove the filter.

We make the determination based on skill level of the customer, not their size.

How does this sound for a new mail distribution network?

Customers can only send mail through their direct provider.
ISPs can only send mail to their customers and their upstream provider. They purchase the ability to send mail to the upstream as part of their bandwidth.
ISPs can contact and work out other direct mail routing arrangements between themselves. For example, ISP A could send directly to ISP B if there is a large amount of A -> B mail. Both ISPs have to agree.
ISPs form a trusted ring of mail servers for direct connection. All others get shipped upstream to the next available mail server.
All mail servers are known, logged and can be kicked off the network by the upstream provider.

A central core of distributed mail servers gets built by each backbone ISP. The backbone ISPs peer with one another (trust each other's mail). Backbone ISPs accept mail from their customers and can block that mail if their customer doesn't have a clue.

Everything is logged, everything is validated. Setting up a mail server involves more than getting a static IP and setting up an MX record.
SPAM is eliminated because it can't enter the trust ring unless it goes through an ISP. That ISP can be kicked off if they allow spammers.
Viruses are managed because they can be tracked back to their origin. Block at the core. Virus protection could also be made a requirement for entering the trusted mail ring.
Mail servers are set to deny all mail by default, opening up connections from trusted hosts as you build trust relationships.
Contact information needs to be maintained. I can't get into Sprint's trust ring unless I can contact them.

This can be phased into service by setting up trusted and untrusted mail servers. All mail entering untrusted mail servers has a higher spam score and cannot be forwarded outside the local network.
Trusted mail (i.e. from customers) can be forwarded upstream to other trusted or non-trusted mail servers.

-Matt
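Matt's trust-ring proposal as a routing model, added here as an example and not part of his post: a tree of customer, ISP and backbone mail nodes plus bilateral peering agreements. At each hop a message is handed down to the customer that owns the destination domain, across to a trusted peer that does, or up to the provider; an upstream refuses mail from a customer it has blocked, and an untrusted ingress server may only deliver locally. All node names, domains and the topology are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class MailNode:
    name: str
    upstream: Optional[str] = None                   # provider it buys transit (and mail) from
    domains: Set[str] = field(default_factory=set)   # domains delivered locally
    peers: Set[str] = field(default_factory=set)     # bilateral direct-mail agreements
    blocked: Set[str] = field(default_factory=set)   # customers this node refuses mail from
    trusted: bool = True                             # False: untrusted ingress server


class TrustRing:
    def __init__(self, nodes: List[MailNode]):
        self.nodes = {n.name: n for n in nodes}

    def owner(self, domain: str) -> Optional[str]:
        for n in self.nodes.values():
            if domain in n.domains:
                return n.name
        return None

    def subtree(self, name: str) -> Set[str]:
        """Every node that buys transit, directly or indirectly, from `name`."""
        below = set()
        for n in self.nodes.values():
            cur = n.upstream
            while cur is not None:
                if cur == name:
                    below.add(n.name)
                    break
                cur = self.nodes[cur].upstream
        return below

    def _child_toward(self, cur: str, dest: str) -> str:
        """The direct customer of `cur` under which `dest` sits."""
        hop = dest
        while self.nodes[hop].upstream != cur:
            hop = self.nodes[hop].upstream
        return hop

    def route(self, entry: str, dst_domain: str) -> List[str]:
        """Hops a message takes from the node it entered at to the owner of dst_domain."""
        dest = self.owner(dst_domain)
        if dest is None:
            raise LookupError(f"no node delivers {dst_domain}")
        if not self.nodes[entry].trusted and dest != entry:
            raise PermissionError(f"{entry} is untrusted; mail cannot leave the local network")
        path, cur = [entry], entry
        while cur != dest:
            n = self.nodes[cur]
            peer = next((p for p in n.peers if dest == p or dest in self.subtree(p)), None)
            if dest in self.subtree(cur):
                nxt = self._child_toward(cur, dest)          # hand down to the customer
            elif peer is not None:
                nxt = peer                                    # direct to a trusted peer
            elif n.upstream is not None:
                if cur in self.nodes[n.upstream].blocked:
                    raise PermissionError(f"{n.upstream} refuses mail from {cur}")
                nxt = n.upstream                              # otherwise ship it upstream
            else:
                raise LookupError(f"{cur} has no path to {dest}")
            path.append(nxt)
            cur = nxt
        return path


def deliverable(ring: TrustRing, entry: str, domain: str) -> bool:
    try:
        ring.route(entry, domain)
        return True
    except (PermissionError, LookupError):
        return False


def build_ring() -> TrustRing:
    """Constructed topology: two peering backbones, three ISPs, four customer servers."""
    return TrustRing([
        MailNode("bb-a", peers={"bb-b"}),
        MailNode("bb-b", peers={"bb-a"}),
        MailNode("isp-x", upstream="bb-a", domains={"isp-x.example"}, blocked={"cust-bad"}),
        MailNode("isp-y", upstream="bb-b", domains={"isp-y.example"}, peers={"isp-z"}),
        MailNode("isp-z", upstream="bb-a", domains={"isp-z.example"}, peers={"isp-y"}),
        MailNode("cust-1", upstream="isp-x", domains={"cust1.example"}),
        MailNode("cust-2", upstream="isp-y", domains={"cust2.example"}),
        MailNode("cust-bad", upstream="isp-x", domains={"bad.example"}),
        MailNode("open-relay", upstream="isp-x", domains={"open.example"}, trusted=False),
    ])


if __name__ == "__main__":
    ring = build_ring()
    print(" -> ".join(ring.route("cust-1", "cust2.example")))
    print(" -> ".join(ring.route("isp-z", "cust2.example")))
```

Two things the model makes visible that the prose only implies: every hop on the path is a server known to the one before it, so an abuse report can be walked back hop by hop, and a bilateral agreement (isp-z and isp-y here) short-circuits the backbone core only for destinations beneath the peer, never for arbitrary third parties.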