RE: FW: The worst abuse e-mail ever, sverige.net

As such, when we have seen our IP blocks get blocked strictly because of
the rDNS entry having 'dsl' in it, a simple email to the admins
explaining that we are not providing dynamic services has gotten our
rDNS entries taken off of the blacklist.

I don't particularly like a situation where an outside party has to "guess" if
another ISP's address is dynamic or static and should or should not be a
source of email. This is not helpful either to the ISP and their customers
nor to those trying to filter email and guess which are good and bad IPs.

Let's suppose there was a standardized way that ISPs could enter in
their DNS a policy record that says that a certain IP address is/is not used
for sending email. Would you be interested in using this?

If you answer yes and would like to help towards such a standard, please
go through the questions I put below. Your answers will go toward a draft
which has a good chance of being used as part of Unified SPF. To help with
creating something that will work well for ISPs as well as for end-users,
I'd like to receive answers from both major ISPs and smaller networks and
small mail operators, but please answer in private so as not to anger the
moderators of this mail list.

If you do want to discuss any particular details of the email policy
technology, I'd request that you sign up for the SPF discuss mail list:
http://spf.pobox.com/mailinglist.html

Now here are the questions, I'd like to receive feedback on:

-------------------------------------------------------------------

1. Are you ISP? What size?

I am ISP. Well rather, I'm AN ISP. Okay, so I just operate one, but
you get the gist.

2. If you're ISP are you willing to quickly deploy these records if such
   standard becomes available? If so how quickly can you deploy it -

"If you're ISP"? Who's asking the questions, Ali G?

3. Are you willing to configure/upgrade your email server to check
   these policy records and reject SMTP connections based on these records?

No, because I already utilize multiple DNS-based blacklists which do
precisely that (blocking dynamically assigned dialup/cable/DSL address
pools), as part of SpamAssassin and other spam filtering mechanisms.

4. Many users and even RIRs have expressed doubts about relying on IN-ADDR
   and said it has technical problems and/or that IN-ADDR zones are badly
   maintained by ISPs and that we should not rely on it. Do you agree?

No need to look at in-addr. See above.

6. A suggestion has been made to allow the DNS policy record for the
   SMTP mail server as used in EHLO to override the policy record for the IP as
   a way to get around non-cooperative or slow ISPs that don't let their
   customers control what record is in the INADDR zone. What do you
   think about this?

Don't take it personally, but I think that's a bad idea.

7. For the policy record would you prefer to just say that no email
   is to come from the ip or would you prefer to be able to specify
   more complex record:

"For the policy record"? Are you an officer of the court? Columbo?
What "record" are you keeping, and for which organization(s)? Did Ray
P. step down and make you the CEO of ARIN?

8. Would you like to have an option as part of policy record that
   can be used so that other email servers when they see SMTP connection

That doesn't parse. "SMTP connections"? Or "a SMTP connection"?

   from certain ip would report back to you if ip is used for outgoing
   email connections?

Yes. I'd hope IP is being used for e-mail connections. It sure beats
the alternatives, such as DECNet, AppleTalk, and IPX.

9. Would you like to have an option as part of policy record
   that lets specify who the administrator is to contact in case

Depends. Lets who specify?

12. Do you consider that these email policy records for IPs would be an
    alternative to ISP port 25 blocking or a complementary technology
    that can be used together with it?

No. Again, you're reinventing the wheel unnecessarily. See existing DNSBLs.

Coworkers keep breaking the SQL db access, and when I notice it broken, I
fix it...but http://69box.atlantic.net/cgi-bin/bogon still lists several
hundred networks with 69/8 issues. They're still slowly getting fixed.
I just found several listed IPs that are finally reachable from 69/8.
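The two filtering mechanisms argued over in this thread, guessing from a generic-looking rDNS name (the 'dsl' case) and consulting a DNS-based blacklist, as an added example that is not part of the thread and is not any poster's code. Everything specific in it is constructed for illustration: the token list, the DNSBL zone `dynblock.example.invalid`, the RFC 5737 test addresses and the canned lookup answers. A real deployment would pass an actual resolver in place of `constructed_lookup`; the structure is the same.

```python
import ipaddress
import re
from typing import Callable, Optional, Sequence

# Hostname fragments that commonly mark dynamic or generic consumer address
# space. This list is an assumption made for the example, not any standard.
GENERIC_TOKENS = ("dsl", "dyn", "dhcp", "pool", "ppp", "cable", "dial")

# Four numeric groups joined by '.' or '-', as in "198-51-100-7.example.net".
_OCTETS_RE = re.compile(r"(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})")


def embeds_address(ptr_name: str, ip: str) -> bool:
    """True if the PTR name carries the IP's octets in forward or reverse order."""
    match = _OCTETS_RE.search(ptr_name)
    if not match:
        return False
    found = [int(group) for group in match.groups()]
    octets = [int(part) for part in ip.split(".")]
    return found == octets or found == octets[::-1]


def is_generic_rdns(ptr_name: str, ip: str) -> bool:
    """Heuristic from the thread: a PTR looks 'generic' if any label contains a
    dynamic-pool token or the name embeds the address itself. Substring matching
    is deliberate (it catches 'adsl'), which is also why this guess can be wrong."""
    name = ptr_name.lower().rstrip(".")
    labels = re.split(r"[.-]", name)
    if any(token in label for label in labels for token in GENERIC_TOKENS):
        return True
    return embeds_address(name, ip)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, then the list zone appended."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not a valid IPv4 address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


# A lookup maps a query name to an A-record string, or None when the name does not exist.
Lookup = Callable[[str], Optional[str]]


def classify_sender(ip: str, ptr_name: Optional[str], zones: Sequence[str], lookup: Lookup) -> str:
    """Rank a connecting IP: 'listed' (on a DNSBL), 'no-rdns', 'generic-rdns' or 'ok'.
    Listing wins over the rDNS guess because it is an explicit statement by a list
    operator rather than a pattern match."""
    for zone in zones:
        if lookup(dnsbl_query_name(ip, zone)) is not None:
            return "listed"
    if not ptr_name:
        return "no-rdns"
    if is_generic_rdns(ptr_name, ip):
        return "generic-rdns"
    return "ok"


# Constructed stand-in for DNS: one RFC 5737 test address is "listed" in a made-up zone.
CONSTRUCTED_ANSWERS = {
    "4.2.0.192.dynblock.example.invalid": "127.0.0.2",
}


def constructed_lookup(name: str) -> Optional[str]:
    return CONSTRUCTED_ANSWERS.get(name)


ZONES = ["dynblock.example.invalid"]

if __name__ == "__main__":
    # Constructed sample connections: (connecting IP, PTR name or None).
    samples = [
        ("192.0.2.4", "4-2-0-192.static.example.net"),
        ("198.51.100.7", "adsl-198-51-100-7.example.net"),
        ("198.51.100.7", None),
        ("203.0.113.9", "mail.example.org"),
    ]
    for ip, ptr in samples:
        verdict = classify_sender(ip, ptr, ZONES, constructed_lookup)
        print(f"{ip:<14} {ptr or '(no PTR)':<34} -> {verdict}")
```

The order of checks is the design point: a DNSBL hit is a statement by the list operator about that address, while the rDNS test is exactly the "outside party has to guess" situation the thread complains about, so it ranks below the list and above nothing more than a missing PTR.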

schampeo@hesketh.com:

Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know
where to send the abuse reports.

I did.

"Reverse *what*?"

Just to clue you in. They used to have the only two authoritative
servers for their reverse zone sitting on the same LAN with the IP#s
next to each other. When that LAN goes out (happens from time to time)
there is *NO* rDNS, with the obvious "lame delegation" time-outs from
servers I (as a customer of theirs) try to access. (In all fairness,
I just checked my facts, and it seems that they have recently improved
on that situation.)

Like I said, I barely trust them to move bits to my box.

I don't mind at all. Get rDNS that provides a clue that you have a clue,
and I'm happy as all get out to accept mail from you. Otherwise, you're
functionally identical to fifty million spam zombies, as far as I have
time to determine.

Understand me? You're the /rare exception/.

I *understand* that I'm a rare exception.

The problem is that the world *won't let me* be a well functioning
exception. My ISP won't let me have my own rDNS, and "you" won't let
me use port 25 properly.

Because that's how things are today. You're a 1-in-50-million chance,
as far as I can tell from my mail server.

With that attitude you're never going to improve things ...

        Cheers,
          /Liman

jcurran@mail.com:

You block port 25 until a customer says that they claim to have
set up a responsible mail submission agent and demonstrate the
necessary clue density.

Then in all fairness, also block port 80. A comparable amount of junk
is sent using port 80.

This can be readily determined by having customer support mail
a short form with relevant questions such as "Is your mail server
RFC2505 compliant?", "Please list the mechanism used to secure
mail submission to your server?", and "Are you prepared to handle
SPAM reports for all email originated or relayed?" No problem for
someone who knows what they're doing but enough to deter the
random end user.

Ditto | sed -e 's/25/80/' -e 's/SMTP/HTTP/' -e 's/MIME/HTML/'

:-)

        Cheers,
          /Liman

I *understand* that I'm a rare exception.

The problem is that the world *won't let me* be a well functioning
exception.

Correction, the world *can't* let you be a well functioning
exception.
People always scream 'no censorship', but there are only so many more
mail servers and preprocessing machines you can throw at a $20/month
account.

You don't hear me complaining the $0.50 washing powder couldn't get
the motor oil out of my velvet shirt. People don't scream 'cripple ware'
at the washing powder.

My ISP won't let me have my own rDNS, and "you" won't let
me use port 25 properly.

And Unilever won't let me clean my shirt.

Because that's how things are today. You're a 1-in-50-million chance,
as far as I can tell from my mail server.

With that attitude you're never going to improve things ...

If you ditched your ISP for the non-service they are offering, and go
to one that does allow your rDNS records, things would improve not
only for you, but for the world too as this IP is losing customers and
either goes away or changes their policy.

The real question is how much money it is worth to you. But don't
put the blame on us for not adding another rack of mailservers so people
like you can get their mail out.

Paul

The problem is that the world *won't let me* be a well functioning
exception.

Correction, the world *can't* let you be a well functioning exception.

not true. it can but many have decided not to.

randy

Just like I also 'chose' to not read messages tagged by software as spam.

There is no choice.

Paul

I took my home ADSL to a company that delegates appropriate bits of
in-addr.arpa to my servers. I suggest you might want to do the same.

schampeo@hesketh.com:
> Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know
> where to send the abuse reports.

I did.

"Reverse *what*?"

So explain it to them in words of two syllables or less, where possible.
I recommend using "I am finding a new eye ess pee".

> Because that's how things are today. You're a 1-in-50-million chance,
> as far as I can tell from my mail server.

With that attitude you're never going to improve things ...

/My/ attitude? You're the one giving your money to a bunch of incompetents.

paul@xtdnet.nl:

Correction, the world *can't* let you be a well functioning
exception.
People always scream 'no censorship', but there are only so many more
mail servers and preprocessing machines you can throw at a $20/month
account.

Hmm. "You get what you pay for," you mean? I can

If you mean that if I pay enough money, I can get a DSL (or even
leased line) service with fixed IP address, and proper rDNS, that is
not filtered by recipient MTAs. Sure. I probably could -
theoretically.

The real question is how much money it is worth to you. But
don't put the blame on us for not adding another rack of mailservers
so people like you can get their mail out.

I'm opposed to marketing systems that actively (means it costs them
money) put in restrictions in systems to make me pay more to have
them remove it again.

It's not worth the 5-fold amount that they will charge me, but if I
can't use the 'net properly, it might not be worth connecting to at
all, so they'll lose me as a customer.

One port blocked is not much to quarrel over in practice, but this is
a trend. Mail goes first. Web comes next ("we funnel all your web
traffic through our cache"). VOIP is around the corner. It's like a
phone system where they won't let you call anyone on the phone
system. "If you want to call to this part of the world, you will have
to call through our listening station, and if you don't want to do
that, you can buy our premium service for $200 per minute." Sorry, it
doesn't strike me as tempting at all.

The cost cannot be motivated in a personal budget - and it becomes a
class thing. "We could only afford limited Internet."

No, I don't like it. But then again, I'm just the rare exception ...

Correction, the world *can't* let you be a well functioning exception.

randy@psg.com:

not true. it can but many have decided not to.

Well, what Paul's saying (in my understanding) is

  "the world *can't* let you be a well functioning exception ... *FOR
  THAT SMALL AMOUNT OF MONEY*, because their ends will not meet
  (... with enough overlap ;-)".

... which is probably what you mean too.

(Correct me if I'm wrong, Paul.)

        Cheers,
          /Liman

I was just going to stay out of this, but I can't...

Steven Champeon wrote:

schampeo@hesketh.com:

Congrats. Ask your ISP for non-generic rDNS, in your domain, so I know
where to send the abuse reports.

I did.

"Reverse *what*?"

So explain it to them in words of two syllables or less, where possible.
I recommend using "I am finding a new eye ess pee".

There's plenty of them out there that will welcome you, as well. When I call tech support, I never get the nonsense about rebooting my machine to fix things. In fact, I usually have someone on the line who has heard of Slackware and OpenBSD. You get what you pay for.

Because that's how things are today. You're a 1-in-50-million chance,
as far as I can tell from my mail server.

With that attitude you're never going to improve things ...

/My/ attitude? You're the one giving your money to a bunch of incompetents.

You know, it's just not that hard. I have what is termed "Business Class" SDSL, which may be pricier than the average geek wants to pay, but so what? If you want to be treated as _not one of the crowd_ of random clueless users, you need to differentiate yourself in a way that is simple for others, _not for yourself_. I have friends who have only one dedicated IP, but it's from an ISP that takes reverse seriously, and that will happily delegate to them, if desired.

It isn't everyone else's responsibility to cater to you, if you can't get even the simplest stuff (rDNS) fixed. Oh, and mine isn't delegated to me, but I don't worry about it, since it has a nice rDNS that I'm fine with (and I like the anonymity when I browse elsewhere).

If that's the case, then you learn to rise above it with tunneling, IPSEC, VPN or any of a number of technologies that have been around for the past ten years. And yes, this requires a box on the outside. We're in the era of the $50 a month dedicated server, here. If you're trying to put a commercial grade service on a consumer grade line, deal with it.

This is getting really far off-topic at this point. We're clear people are of two opinions on things, and nobody's going to change their mind.

Anyone care to let it rest?

-Dan