Threading the senderbase reputation needle

Howdy,

Has anyone come up with a reverse DNS 'pattern' that one can employ that will prevent Senderbase from assigning a poor reputation to an entire /24 because they saw an email they didn't like from a single IP address?

We're an infrastructure provider, which means that we lease servers, etc to customers and everything we do uses static IPs.

Our current 'default (before the customer changes it)' is a x.x.x.x.static.domain.com, apparently Senderbase cannot look up CIDR boundaries in the RIR database (even though we spend a lot of time making sure that we publish the CIDR information) so they just assume that each 'offender' owns the entire /24 and they also consider any 'email' from the static.domain.com domain to be the 'same offender' (which is completely silly).

The other little annoyance about their system is that we assign CIDR blocks to users (almost always a /29) these CIDRs include IP addresses like the gateway address, the broadcast address, the network address, etc and the users may only use 2-3 of the IPs in the /29, but they expect us or the user to set a 'custom looking' reverse DNS on all of the IPs in the range. Originally, we were not putting any reverse DNS on our IPs until the customer requested it (or did it themselves via our system) but then we ran into problems with some RBLs that require reverse DNS on all IPs, and other RBLs that require matching forward and reverse DNS on all IPs.

I've contacted Senderbase for advice on what specifically we need to do but they've been vague at best and I have even asked them for examples of companies who 'meet their specifications' but I wasn't given any.

I'm considering doing something like customerXXXXX.static.domain.com but then I can see other problems with that also.

Any advice?

-Drew

Has anyone come up with a reverse DNS 'pattern' that one can employ that
will prevent Senderbase from assigning a poor reputation to an entire

/24

because they saw an email they didn't like from a single IP address?

We're an infrastructure provider, which means that we lease servers, etc
to customers and everything we do uses static IPs.

[...]

Any advice?

Since email reputation is now being based on the neighborhood theory you
must do one of the following:

Do one of the following (hopefully #1):

1.) Provide custom reverse DNS for the customer. BCP for SMTP server DNS
is matching forward and reverse DNS. Anything else is suspect...

2.) Set up a relay host and funnel all customers mail through it.

Side effects of each:

1.) Slightly more work on the front end (but hey, even AT&T will do this
for business DSL customers). People will know you have clue. The
technical staff at your customers will be happy and recommend you to their
peers (well, I guess this depends a bit on what kind of customers you
have).

2.) You have taken responsibility for all your customers' outbound mail
flows. You will need to scale an abuse desk and maintain effective
anti-spam policies (including customer education). If you don't run an
effective abuse desk (including blocking your own customers outbound mail
when necessary), you will be blacklisted eventually anyway. You could
charge extra for or outsource this ESP service.

~JasonG

Since email reputation is now being based on the neighborhood theory you
must do one of the following:

Do one of the following (hopefully #1):

1.) Provide custom reverse DNS for the customer. BCP for SMTP server DNS
is matching forward and reverse DNS. Anything else is suspect...

2.) Set up a relay host and funnel all customers mail through it.

Side effects of each:

1.) Slightly more work on the front end (but hey, even AT&T will do this
for business DSL customers). People will know you have clue. The
technical staff at your customers will be happy and recommend you to their
peers (well, I guess this depends a bit on what kind of customers you
have).

2.) You have taken responsibility for all your customers' outbound mail
flows. You will need to scale an abuse desk and maintain effective
anti-spam policies (including customer education). If you don't run an
effective abuse desk (including blocking your own customers outbound mail
when necessary), you will be blacklisted eventually anyway. You could
charge extra for or outsource this ESP service.

I think this discussion would be much better on the mailop list, but
the short answer here is "real mail servers have real, non-generic names
with matching forward/reverse DNS".

---Rsk

I used to work at a hosting company and we had a few solutions in
place. Whenever a client purchased a server or an additional block
of ip's, it was assigned the reverse dns related to the hostname of
their server. This even included example.com sometimes. The client
could then change it as they wish. Another option we had was an
outgoing spam filter setup with ASSP. This scrubbed all outgoing mail
for spam messages. Honestly the first option was good enough for most
people. About 99.95% of your clients assign a forward DNS for their
server/colo/virtualization products. Just make it a requirement that
they provide that before you turn up their service. This prevents
DUHLs from listing you for those generic RDNS names.

I think this discussion would be much better on the mailop list, but
the short answer here is "real mail servers have real, non-generic names
with matching forward/reverse DNS".