VerizonWireless.com Mail Blacklists

It appears VerizonWireless.com has some rather aggressive mail filters.
Verizon.net's blocking of Europe, Asia, Africa... well, everything but
North America has made some headlines and even some lawsuits. Anyone
know if VerizonWireless.com and Verizon.net are independent operations
from an SMTP point of view? Verizon.net has,

  http://verizon.net/whitelist

And I haven't found an equivalent for VerizonWireless.com. And given
the differences in Verizon.net's and VerizonWireless.com's MX setup,
I doubt they use common resources.

Anyone here ever get off of their blacklist or even know what they are
using? Even though we have accounts with them, I haven't been successful
in getting through to clueful help *shock*.

FWIW, it really looks like an IP-based blacklist. From our main mail
server to any of their MX hosts, the 25/tcp connection completes, but
then their server drops the connection, no banner, no nothing. I get
a banner and can send mail to their servers from other IP addresses
outside of that network. My guess is that they're using SPEWS? We're
collateral damage in a SPEWS block.

Crist Clark wrote:

> It appears VerizonWireless.com has some rather aggressive mail filters.
> Verizon.net's blocking of Europe, Asia, Africa... well, everything but
> North America has made some headlines and even some lawsuits. Anyone
> know if VerizonWireless.com and Verizon.net are independent operations
> from an SMTP point of view? Verizon.net has,
>
>     http://verizon.net/whitelist
>
> And I haven't found an equivalent for VerizonWireless.com. And given
> the differences in Verizon.net's and VerizonWireless.com's MX setup,
> I doubt they use common resources.

They're different companies. I'm pretty sure they have different server farms and corporate policies. Verizon owns 100% of Verizon.net and only 55% of Verizon Wireless.

But that's not to say they don't share information.

I'm going to forward this to an acquaintance I have at Verizon.net and see what he says.

> FWIW, it really looks like an IP-based blacklist. From our main mail
> server to any of their MX hosts, the 25/tcp connection completes, but
> then their server drops the connection, no banner, no nothing. I get
> a banner and can send mail to their servers from other IP addresses
> outside of that network. My guess is that they're using SPEWS? We're
> collateral damage in a SPEWS block.

I'll find out for you (hopefully).

Following up to my own post

> I'm going to forward this to an acquaintance I have at Verizon.net and see what he says.

Mail's been sent. Don't know how busy my friend is, but he should be able to get back to me relatively quickly.

> They're different companies. I'm pretty sure they have
> different server farms and corporate policies. Verizon owns
> 100% of Verizon.net and only 55% of Verizon Wireless.

When I left Verizon.net abuse/security last year they were NOT sharing mail
systems/resources or anti-spam measures with VZW

-Dennis

Mad props out to Mr. John Bittenbender who got me in contact with
someone at VZW who was quick and helpful getting this fixed.

Apparently, VZW did decide that our IAP as a whole originated too
much spam and just blocked the whole thing. I don't know if they
made their filters more precise or whitelisted our subnet, but
mail to verizonwireless.com works for us now.

Personally, I feel verizonwireless.com can filter whatever they want,
BUT should stick to SMTP standards. Dropping connections with no
SMTP banner, no error code is a Bad Thing. Give me a hint of why
you don't like me with an error message and fail hard so outgoing
messages don't sit queued up for days before my users get failure
messages. And of course, if you're gonna block wide swaths of
Internet, you should have mechanisms in place for your help desk
to deal with blocked senders, customer and non-customers alike.
But as usual, once you penetrate the front line of help desk drones,
the real technical people are professional and helpful.
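
The distinction drawn in the message above (TCP connect succeeds but no greeting arrives, versus an explicit SMTP rejection) can be checked from the sending side. The following is an added example, not part of the original thread; the local listener and its greeting strings are constructed so the probe runs offline.

```python
import socket
import threading

def classify_greeting(host, port=25, timeout=10.0):
    """Classify what an SMTP listener does before the client sends anything."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("connect-failed", str(exc))
    buf = b""
    with sock:
        try:
            # Read until the first greeting line is complete or the peer closes.
            while not buf.endswith(b"\n") and len(buf) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            if not buf:
                return ("no-banner-timeout", "")
        except ConnectionError:
            pass  # a reset before any bytes arrive counts as a silent drop
    if not buf:
        # The symptom in the thread: handshake completes, then nothing.
        return ("dropped-no-banner", "")
    line = buf.decode("ascii", "replace").splitlines()[0]
    if line.startswith("220"):
        return ("accepting", line)
    if line[:1] == "5":
        return ("rejected-permanent", line)  # sender can bounce at once
    if line[:1] == "4":
        return ("rejected-temporary", line)  # sender queues and retries
    return ("unexpected", line)

def fake_mx(greeting):
    """Constructed one-shot local listener for the demo; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        if greeting:
            conn.sendall(greeting)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    samples = (b"", b"554 5.7.1 blocked, see postmaster page\r\n",
               b"220 mx.example ESMTP\r\n")  # constructed greetings
    for g in samples:
        print(classify_greeting("127.0.0.1", fake_mx(g), timeout=3))
```

Only the `rejected-permanent` outcome lets the sending MTA return a failure notice immediately; a silent drop looks like a transient failure and leaves mail queued until the retry period expires.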

Crist Clark wrote:

Verizon is hopelessly clueless when it comes to mail system operations
and mail filters -- as evidenced by their ongoing decision to deliberately
provide anonymizing spam support and DoS attack services to anyone clever
enough to use them via their abusive "callback" system, and by their total
failure to address the torrent of spam emanating from their own network.

Which is a roundabout way of saying that it's probably best to find a
way to work around whatever stupidity they're inflicting on you, as it's
very unlikely that anyone at Verizon is capable of even comprehending
the problem, let alone taking steps to correct it.

---Rsk

Not to belabor the obvious, but Verizon Wireless and Verizon are
different companies with different management and separate
infrastructure. VZW is a joint venture between VZ and Vodafone.

VZW recently confirmed that their mail system is separate from VZ's,
and whatever mistakes they may make, they're not VZ's.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.

Interesting rant, if one that I've heard before often enough, given
some spam-l posters' current obsession with "outscatter"

Anyway, you're ranting about Verizon. The OP has a problem with
Verizon Wireless, which seems a completely separate outfit, with a
different mail farm, different admins and postmasters (and different
corporate hierarchy up to a point - certainly different wrt operational
issues)

If you have operational rants about Verizon Wireless, fine. Else,
please leave the ranting for rant's sake for spam-l or nanae. Makes
interesting reading there I guess, but I don't see much use for it on
nanog.

-srs

Okay, fine -- and a look at DNS seems to back this up (unless I'm
missing something). And I've no desire to lay VZ's mistakes at VZW's
feet, or vice versa -- but that still leaves whoever-is-affected (like
the original poster or anyone else out there) to deal with the issues.
And the lack of participation by VZ and VZW in the leading applicable
forum (i.e. Spam-L) isn't helping. At least some of the other folks
are engaged in dialogue with their peers, even if what they're saying
isn't to everyone's liking.

(As to Verizon itself, since three different people pointed out the
relative lack of SBL listings: keep in mind that SBL listings are put
in place for very specific reasons, and aren't the only indicator of
spam. Other DNSBLs and RHSBLs, e.g. the CBL, use different criteria
and thus provide different measurements (if you will) of spam. So,
to give a sample data point, in the last week alone, there have been
315 spam attempts directed at *just this address* from 194 different
IP addresses (list attached) that belong to VZ. Have I reported them?
Of *course* not. What would be the point in that?)

---Rsk

verizon.week (11.2 KB)

<snip evidence of astounding lack of clue of VZ's customers>

Zombies I expect; what's worse is that they're /obviously/ not even
doing the most basic checks:

Received: from verizon.net ([63.24.130.230])

(63.24.130.230 is 1Cust742.an1.nyc41.da.uu.net, HELO'd as 'verizon.net'
and VZ still relayed it)

Received: from verizon.net ([68.130.237.39])

(68.130.237.39 is 1Cust39.tnt26.mia5.da.uu.net, HELO'd as 'verizon.net'
and VZ still relayed it)

Received: from verizon.net ([68.130.237.35])

(68.130.237.35 is 1Cust35.tnt26.mia5.da.uu.net, HELO'd as 'verizon.net'
and VZ still relayed it)

Received: from verizon.net ([65.34.38.26])

(65.34.38.26 is c-65-34-38-26.hsd1.fl.comcast.net, HELO'd as 'verizon.net'
and VZ still relayed it)

Received: from verizon.net ([65.34.184.15])

(65.34.184.15 is c-65-34-184-15.hsd1.fl.comcast.net, etc.)

IOW, VZ isn't even checking to see if a zombie'd host is forging its
own domain into HELO, regardless of whether it comes from Comcast or
UUNet, and as long as the forged sender has a verizon.net address, and
the recipient hasn't blocked VZ's silly callback system, the message
is relayed. Thanks, Verizon. We can hear you now.
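
The check the message above says is missing, sketched as an added example (not part of the original thread and not Verizon's configuration): flag any session whose HELO names the receiving domain while the client IP lies outside the receiver's own networks. The first five sample lines are the headers quoted above; the network `192.0.2.0/24` and the last two sample lines are constructed placeholders.

```python
import ipaddress
import re

# Matches the header form quoted in the thread:
#   Received: from <helo> ([<ipv4>])
RECEIVED_RE = re.compile(r"^Received: from (\S+) \(\[([0-9.]+)\]\)")

def claims_domain(helo, our_domains):
    """True if the HELO name is one of our domains or a host under one."""
    helo = helo.lower().rstrip(".")
    return any(helo == d or helo.endswith("." + d) for d in our_domains)

def forged_local_helo(received_lines, our_domains, our_networks):
    """Return (helo, ip) pairs that claim our domain from a foreign address."""
    nets = [ipaddress.ip_network(n) for n in our_networks]
    findings = []
    for line in received_lines:
        m = RECEIVED_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed address literal, nothing to compare
        if claims_domain(m.group(1), our_domains) and not any(ip in n for n in nets):
            findings.append((m.group(1), str(ip)))
    return findings

SAMPLE = [
    "Received: from verizon.net ([63.24.130.230])",
    "Received: from verizon.net ([68.130.237.39])",
    "Received: from verizon.net ([68.130.237.35])",
    "Received: from verizon.net ([65.34.38.26])",
    "Received: from verizon.net ([65.34.184.15])",
    "Received: from verizon.net ([192.0.2.10])",          # constructed: inside own range
    "Received: from mail.example.org ([198.51.100.7])",   # constructed: honest foreign HELO
]

if __name__ == "__main__":
    # Assumption: 192.0.2.0/24 stands in for the receiver's real address space.
    for helo, ip in forged_local_helo(SAMPLE, ["verizon.net"], ["192.0.2.0/24"]):
        print(f"reject: HELO {helo} from outside address {ip}")
```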

The other half of this is if you are on VZ's network and try to send mail through their system, you cannot unless you have a "verizon.net" from address. Or at least that was the case when my friend with VZ DSL tried to send e-mail through VZ from her personal domain.

Patrick W. Gilmore wrote:

> > IOW, VZ isn't even checking to see if a zombie'd host is forging its
> > own domain into HELO, regardless of whether it comes from Comcast or
> > UUNet, and as long as the forged sender has a verizon.net address, and
> > the recipient hasn't blocked VZ's silly callback system, the message
> > is relayed. Thanks, Verizon. We can hear you now.
>
> The other half of this is if you are on VZ's network and try to send mail through their system, you cannot unless you have a "verizon.net" from address. Or at least that was the case when my friend with VZ DSL tried to send e-mail through VZ from her personal domain.

Assuming it does via their systems - most zombies have their own smtp engine from what I understand

> Assuming it does via their systems - most zombies have their own smtp
> engine from what I understand

Yes. Why would they need anything more than a broken SMTP engine that
has been ripped from one sample to another for over 8 years?

I'm exaggerating of course, but you get the picture.

Let's not go back to blocking port 25 again, but that's the only reason
why this would become obsolete so that other methods/attack vectors are
actually necessary.

  Gadi.

Zombies do both, but my comment wasn't about zombies, it was about users. If you are a user with a vanity domain trying to send e-mail "From: user@vanity.domain", you cannot through VZ's system. Despite the fact we have spent years telling people they have to use their local ISP's mail server to send mail out.

Does VZ support SMTP AUTH these days? (My info is over a year old.)

> Zombies do both, but my comment wasn't about zombies, it was about
> users. If you are a user with a vanity domain trying to send e-mail
> "From: user@vanity.domain", you cannot through VZ's system. Despite
> the fact we have spent years telling people they have to use their
> local ISP's mail server to send mail out.
>
> Does VZ support SMTP AUTH these days? (My info is over a year old.)

Verizon has many odd choices in their history, indeed. Still, how many
DSL users actually *need* to use an account other than that given to
them by their ISP?

I find this extreme measure quite a good step, and in the right direction.

There is no real reason why you should be able to email out with
bush@whitehouse.gov using Verizon's own servers.

If you are an advanced enough user to have your own vanity domain then
you are advanced enough to have your own SMTP server. If port 25 is
blocked, you can probably sort this out with your ISP (if said ISP is
responsive to your needs) and/or move an ISP.

I don't see how this doesn't sit well with telling people to use their
ISP's server? Our problem *is* the clueless majority.

^5 to Verizon.

  Gadi.

> > Zombies do both, but my comment wasn't about zombies, it was about
> > users. If you are a user with a vanity domain trying to send e-mail
> > "From: user@vanity.domain", you cannot through VZ's system. Despite
> > the fact we have spent years telling people they have to use their
> > local ISP's mail server to send mail out.
> >
> > Does VZ support SMTP AUTH these days? (My info is over a year old.)
>
> Verizon has many odd choices in their history, indeed. Still, how many
> DSL users actually *need* to use an account other than that given to
> them by their ISP?

Many thousands, perhaps 100s of thousands.

> I find this extreme measure quite a good step, and in the right direction.

I do not.

> There is no real reason why you should be able to email out with
> bush@whitehouse.gov using Verizon's own servers.

Of course not. But "me@mydomain.com" is perfectly reasonable.

> If you are an advanced enough user to have your own vanity domain then
> you are advanced enough to have your own SMTP server. If port 25 is
> blocked, you can probably sort this out with your ISP (if said ISP is
> responsive to your needs) and/or move an ISP.

The example given in this thread proves you wrong. My friend had a vanity domain, did not have her own mail server.

But that's OK, we should tell people one thing (use your ISP's server to send mail) and do another (block them from sending mail through their ISP's server).

Makes the "clueless majority" much happier when even the "techies" can't figure out WTF they are supposed to do.

> The example given in this thread proves you wrong. My friend had a
> vanity domain, did not have her own mail server.

Okay, and why does she need to use Verizon's servers to send email from
her own vanity domain?
Unless I am missing something and Verizon gets paid for this?

> But that's OK, we should tell people one thing (use your ISP's server
> to send mail) and do another (block them from sending mail through
> their ISP's server).

I believe you are exaggerating, like I usually like to do. My point is
the vast.. vast.. clueless majority is a direct threat to Internet
survivability (ooh, big words). The 100s of thousands of clued users who
have vanity domains can definitely find an easy way to send mail,
without using the provider's servers.

The cost of allowing these servers to stay "open" is extremely high, and
we are paying the price every day.

> Makes the "clueless majority" much happier when even the "techies"
> can't figure out WTF they are supposed to do.

That's the point, the clueless, vast, vast, majority is happy. They
don't care. They don't know there are 40 Trojan horses and 400 spyware
components installed on their quiet green desktop. All they know is that
their email account works. I know that they are threatening the
Internet. Clear and simple.

  Gadi.

> > The example given in this thread proves you wrong. My friend had a
> > vanity domain, did not have her own mail server.
>
> Okay, and why does she need to use Verizon's servers to send email from
> her own vanity domain?
> Unless I am missing something and Verizon gets paid for this?

Yes, $50/month.

> > But that's OK, we should tell people one thing (use your ISP's server
> > to send mail) and do another (block them from sending mail through
> > their ISP's server).
>
> I believe you are exaggerating, like I usually like to do. My point is
> the vast.. vast.. clueless majority is a direct threat to Internet
> survivability (ooh, big words). The 100s of thousands of clued users who
> have vanity domains can definitely find an easy way to send mail,
> without using the provider's servers.

No, 100s of 1000s of not-so-clued users have vanity domains. Have you checked how many domains are registered on a daily basis these days?

> The cost of allowing these servers to stay "open" is extremely high, and
> we are paying the price every day.

Who said "open"? There are lots of ways to keep spam from your network down.

If you have a mail server and allow it to send mail, it can be abused. All you can do is try to make it harder to abuse. One of the ways we (the collective "we" who run the Internet) have decided to do this is by forcing people to send outbound mail through their ISP's mail server, not through random open relays.

If the ISP wants to use SMTP AUTH or other mechanisms to lower abuse, that's fine. But to say "only allow ISP.net from addresses - but allow them from anywhere on the 'Net" is kinda ... silly.

> That's the point, the clueless, vast, vast, majority is happy. They
> don't care. They don't know there are 40 Trojan horses and 400 spyware
> components installed on their quiet green desktop. All they know is that
> their email account works. I know that they are threatening the
> Internet. Clear and simple.

The solution presented here is not only not a solution, it is also a problem.

> Yes, $50/month.

Then there is the problem. If she pays for the service of sending email
using the vanity domain through the ISP's servers, then it should be,
naturally, allowed.

> No, 100s of 1000s of not-so-clued users have vanity domains. Have you
> checked how many domains are registered on a daily basis these days?

Much like they pay for domains, and for hosting, or for iron, or for
bandwidth or whatever your cup of tea is, so should everyone else.
Nothing comes for free and the abuse vs. use ratio is not favorable.

Really, why should they be able to pay for domains and not arrange to
pay an extra buck or 20? Well, we all like freebies.

> Who said "open"? There are lots of ways to keep spam from your network
> down.
>
> If you have a mail server and allow it to send mail, it can be abused.
> All you can do is try to make it harder to abuse. One of the ways we
> (the collective "we" who run the Internet) have decided to do this is
> by forcing people to send outbound mail through their ISP's mail
> server, not through random open relays.

Through _A_ mail server. Paid for or not is another issue, but the
service is still a service.

I get most of my domains hosted on friends' servers, that is still a
service even if I don't pay for it.

> If the ISP wants to use SMTP AUTH or other mechanisms to lower abuse,
> that's fine. But to say "only allow ISP.net from addresses - but allow
> them from anywhere on the 'Net" is kinda ... silly.

No, it makes perfect sense but that is the one thing I fear we'll have
to agree to disagree on.

> The solution presented here is not only not a solution, it is also a
> problem.

Okay, then I suppose I don't understand the problem. How exactly do you
mean?

  Gadi.

> If the ISP wants to use SMTP AUTH or other mechanisms to lower abuse,
> that's fine. But to say "only allow ISP.net from addresses - but allow
> them from anywhere on the 'Net" is kinda ... silly.

I think we are arguing the same side of the problem. I think I mis-read
this one sentence.

SMTP AUTH is a great thing, really, but not what it's cracked up to be
in the age of zombies. I am not saying that they should be allowed from
anywhere on the net, I argue quite the opposite.

  Gadi.