unwise filtering policy from cox.net


Hey Paul,

>> <abuse@cox.net>
>> (reason: 552 5.2.0 F77u1Y00B2ccxfT0000000 Message Refused. A URL in
>> the content of your message was found on...uribl.com. For resolution do
>> not contact Cox Communications, contact the block list administrators.)
> An unfortunate limitation of the SMTP protocol is it initially only
> looks at the right-hand side of an address when connecting to a
> server to send e-mail, and not the left-hand side. [...]

Sure, it's an "unfortunate limitation", but I hardly think it's
an issue to hand-wave about and say "oh, well".

Suggestions?

Given what Sean wrote goes to the core of how mail is routed, you'd
pretty much need to overhaul how MX records work to get around this one,
or perhaps go back to try to resurrect something like a DNS MB record,
but that presumes that the problem can't easily be solved in other
ways. Sean demonstrated one such way (move the high volume stuff to its
own domain).

Eliot

Most mailservers do allow you to exempt specific addresses from filtering.

srs

Suresh Ramasubramanian wrote:

> Most mailservers do allow you to exempt specific addresses from filtering.
  
On the LHS of the @ of a remote address? I think that was Sean's point.

Eliot

Er, that bounce was from cox's mta, spamfiltering email to abuse@cox.net

There are numerous techniques available for addressing this problem.
Which one(s) to use depends on the site's mail architecture, so I'm
not going to try to enumerate them all -- only to give a few examples.

Example 1: exempt abuse@ address from all anti-* processing; just deliver
it. All the MTAs I've worked with provide features to support this;
it's also sometimes necessary to make that exemption elsewhere (e.g.,
in programs invoked as milters). Oh, and don't greylist it either.

Example 2: if using a multi-tier architecture (increasingly a good
idea, as it insulates internal traffic from the beating often inflicted
by external traffic) then re-route abuse@ mail to its own dedicated system
(using a mechanism like the sendmail virtual user table or equivalent).
Make that system something relatively impervious, and choose hardware
that can be replaced quickly at low cost. (My suggestion: OpenBSD
on a Sparc Ultra 2, and use mutt as the mail client. Keep a couple
of spares in the basement, they're dirt-cheap.)

---Rsk
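
Example 1 from the message above, sketched as an added example that is not part of the original thread or any MTA's own code: a per-recipient exemption check applied before a URL-blocklist verdict, including the case where abuse@ shares a message with a filtered recipient. The domain, blocklist entry, function names and the handling of withheld copies are constructed assumptions.

```python
import re

EXEMPT_LOCAL_PARTS = {"abuse"}            # role mailbox the thread says to exempt
LOCAL_DOMAINS = {"example.net"}           # constructed: domains this MTA is final for
URL_BLOCKLIST = {"spamvertised.example"}  # constructed stand-in for a URI blocklist

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def is_exempt(rcpt):
    """True if the envelope recipient is a local abuse@ role address."""
    local, _, domain = rcpt.strip().strip("<>").rpartition("@")
    return local.lower() in EXEMPT_LOCAL_PARTS and domain.lower() in LOCAL_DOMAINS

def listed_hosts(body):
    """Blocklisted names matched by URL hosts in the body (exact or as a parent domain)."""
    hits = set()
    for host in URL_HOST.findall(body):
        labels = host.lower().strip(".").split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in URL_BLOCKLIST:
                hits.add(candidate)
    return hits

def disposition(recipients, body):
    """Per-recipient decision, made after DATA when the content is known."""
    hits = listed_hosts(body)
    return {r: "deliver" if (is_exempt(r) or not hits) else "reject"
            for r in recipients}

def smtp_reply(recipients, body):
    """One reply covers the whole DATA phase, so refuse only if nobody can receive it.
    Assumption: in the mixed case, copies marked 'reject' are withheld locally."""
    result = disposition(recipients, body)
    if any(v == "deliver" for v in result.values()):
        return "250 2.0.0 accepted"
    return "552 5.2.0 message refused: listed URL in content"

# Constructed sample: a spam report that quotes the spamvertised URL.
REPORT = "Spam sent by your customer advertises http://www.spamvertised.example/offer\n"

if __name__ == "__main__":
    print(disposition(["<abuse@example.net>", "user@example.net"], REPORT))
    print(smtp_reply(["user@example.net"], REPORT))
```
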

Standardize on abuse@abuse.domain.whatever? If an MX exists for
abuse.the-domain-you're-looking-for then send to that instead of to
abuse@the-main-domain?

Regards,
Bill Herrin