Why Are We on E-mail Blacklists?
LogicallyRogue asks: "I run an email server for a small webhosting company. We've crawled all around the email server to make it as secure as possible: tightened Sendmail's security, POP Before SMTP, denying non-authenticated relaying, using SpamCop DNS blacklist, etc. However, with all this in place, every few months, it seems that we have been blacklisted by some ISP somewhere. This month it was AOL. We had no warning, and we don't know why we were blacklisted. All the information we have is a single URL. We visit all the DNS blacklist services we can to be sure we are not on any of them. We send emails to the postmasters inquiring for more information (like perhaps a reason or copy of the email that made the ISP blacklist us) - however, those are usually bounced back because we are blacklisted. We've tried calling the Blacklisting ISP tech support - and usually get the stunned I-have-no-clue-what-you-are-talking-about silence.
Have any other Slashdot readers experienced similar problems with blacklisting and the big ISPs?"
You called the wrong people (Score:4, Informative)
Re:(OT) www.rfc-ignorant.org (Score:1)
The last HTML version to be an RFC standard was HTML 2.0 (RFC 1866), so by that way of thinking, practically every site on the internet is violating RFC standards.
Re:(OT) www.rfc-ignorant.org (Score:2)
Blacklist them all!
Re:You called the wrong people (Score:2, Interesting)
Re:You called the wrong people (Score:2)
Sounds a bit unlikely. (Score:1)
If your domain is 10 years old that would normally make it *less* likely to be on any spam lists, because you should theoretically be a known entity.
However, you are registered with a
Real postmasters are quite easily able to tell the difference between forged addresses and real SMTP relays; so, if you are commonly blacklisted you are probably a spammer. If you just get lots of mail from angry end-users, you
Re:Sounds a bit unlikely. (Score:1)
Re:Sounds a bit unlikely. (Score:1)
Are you saying that these emails are sourced from outside your domain, or that your customers are sending them? It's still not clear to me. Who is the ISP of this person that "buys a spam program and clicks on run"?
If spam emails are bouncing into *your* queues, it sounds like your domain is the source of the spam. (That's the only way the situation you describe could happen to my mailservers.) What are the source
Re:Sounds a bit unlikely. (Score:1)
1 - spammer sends e-mail from IP a.b.c.d with the spam program and signs the e-mail as @mandic.com.br ( is changed by the spam program for every email)
Note that the IP a.b.c.d (DSL) is blocked on my MX cluster.
2 - hotmail, for instance (who I cannot block) receives this e-mail and bounces it to? (me
Is this clearer now?
Re:Sounds a bit unlikely. (Score:2)
When hotmail rejects a message, it bounces to the IP address that sourced the message. Mailers do not use the human address information.
Here, look at this mail header info from a spam I intercep
This is absolutely ridiculous (Score:1)
- @oracle.com.br
- @sun.com.br
- @amcham.com.br (american chamber of commerce)
are sources of spam?
I think you are mistaken about how e-mail works. The bounce goes to the "MAIL FROM:" part of the SMTP connection.
Anyways, thanks for the advice.
Re:This is absolutely ridiculous (Score:1)
But this is what I mean about your problems sounding dodgy; in the first message you said YOUR domain was blacklisted, not your parent domain (and I have found the domain you mentioned in at least one blacklist).
There are other things in your posts that don't make sense to me.
I'll repeat my question: Who is sourcing the spam, and who is their ISP? You ref
Re:This is absolutely ridiculous (Score:1)
Nope.
"how can a "triple-bounce" happen in a properly configured mailserver?"
MAIL FROM: inexistent-1@domain
RCPT TO: inexistent-2@domain
will make qmail say
triple bounce: discarding
it's properly configured, but still consumes CPU time.
Basically, the thing is, people blacklist domains when they should blacklist e-mails, or blacklist ips. Blocking an entire domain is very, very bad practice. What happens is
OK, I see a problem. (Score:1)
I reject all mail from unresolvable domains. You can't talk to us if you are not in the global DNS.
I don't accept incoming mail with an RFC822 target address that does not specify a valid user in my domain, and I don't accept outgoing mail from IP addresses outside my domain. If I did either of these things, I'd be an open relay.
I don't accept outgoing mail with an RFC822 source address that does not specify a valid user in my domain. If I did, my users could spoof their addresses and become spammers.
If
Re:OK, I see a problem. (Score:1)
Anyways, I applied that "patch". TKS a LOT!
Re:You called the wrong people (Score:2, Interesting)
With 30 Million subscribers AOL receives a deluge of spam and must act to protect the integrity of their systems and subscriber base. As far as I am aware AOL does not subscribe to any outside filters reasons being the lack of
Happens all the time... (Score:1)
Re:Happens all the time... (Score:1)
That's nothing, AOL blocked RoadRunner (and vice-versa) not too long ago. If they're blacklisting parts of their own company, there's no hope for the rest of us.
Re:Happens all the time How to solve AOL blacklist (Score:5, Informative)
The root cause of this.... (Score:2)
that are heavily overworked accidentally concluding that a forged return address is a guilty party. The other common cause is running any older versions of netscape's shitty email server software. I have no idea why so many people fork out so much money for this single-threaded piece of crap. It's like having an open-relay that you close 9 billion times, but the latch is broken.
Re:The root cause of this.... (Score:3, Interesting)
Sometimes they just get confused between the attacking and defending system.
I have a program which scans http connects for nimda style probes of my server (given that I don't have a 'live' website, or even a real dns address that points at my box, I know that 95%+ of connects are bogus to begin with, but I filter for obvious attacks anyways).
At the height of
AOL fucked up (Score:2, Informative)
From the spam-l list:
In other news . . . (Score:5, Funny)
When asked why the company is implementing this policy, Bob Harvey, AOL's Minister of Information, said that they had determined that 70% of the emails coming from those IP's was Spam, and the remaining 30% didn't look very important to him anyway.
New! AOL 8.0 Rejecting Addresses Beginning with 8! (Score:5, Funny)
So easy to use, no wonder it's #1!
Re:In other news . . . (Score:1)
How the crap does THAT happen? (Score:2)
Sounds like someone was being a bit happy with the wildcards. Why not just block *.*.*.*, that will block ALL the spam?
Just wondering, but when you say anything starting with a 6, does that mean 6.*.*.*, or 6*.*.*.* ?
overzealous spam lists (Score:5, Informative)
Call the ISP and ask which spam filtering or RBL services they use. The first-level drone won't know, but if you explain that you're being blocked and you need this information to fix the problem, you'll probably get transferred or get a call back from someone who -does- know. You'll probably discover that their filtering was overzealous.
Sometimes, you'll run into a knee-jerk admin who unconditionally believes anything the RBL tells them. It's best just to write off this ISP -- you won't convince them that you weren't sending spam. Put a custom "ISP admin is an idiot" bounce message in for that domain so that your users know why the mail didn't get through, then move on.
Of course, this assumes that you're already actively handling open relays and abuse on your end. That's part of the job, and you should check carefully to ensure that your setup is okay before contacting anyone.
Re:overzealous spam lists (Score:2)
Slightly off-topic, but still... this reminds me of one of my pet peeves. One or two of my older email addresses have been used in forged headers (To: field, namely) to make it appear that I, not some anonymous dickwad spammer, sent the spam. Consequently, not only do I get bou
Re:overzealous spam lists (Score:3, Interesting)
1. The sending server would generate a CONTENT KEY based on the contents of a specific message, including the subject, date, from, to, and CC fields, as well as the body. The algorithm to generate this key would be public in nature.
2. A PRIVATE KEY would be used in conjunction with t
Re:overzealous spam lists (Score:1, Funny)
From field spoofing (Score:1)
Re:overzealous spam lists (Score:1)
This would at least cut down on the domain spoofing that currently goes on - and - puts the preference of whether to accept spoo
Re:overzealous spam lists (Score:2)
Some big companies go as far as "the inbound mail subnet" and "the outbound mail subnet".
Re:overzealous spam lists (Score:1)
Since the MX record is used for inbound mail... it would be kind of silly to hijack them to authenticate outbound mail for a domain
1) Require that the IP address of the server that is sending the mail match an IP address of a record in that domain's DNS (e.g. you'd have to create A records for all of your outbound mail servers). Easy, fits within today's DNS without m
Re:overzealous spam lists (Score:2)
RBL's aren't perfect... (Score:5, Interesting)
Re:RBL's aren't perfect... (Score:2)
Doesn't affect me.
-- {bd-home-comp.no-ip.org, maine.rr.com, users.sf.net}!bdonlan
Re:RBL's aren't perfect... (Score:1)
> > the '@' symbol...
> Doesn't affect me.
Oooh, you have an old-fashioned bangpath address?
Re:RBL's aren't perfect... (Score:1)
Too bad (Score:1)
I find it ironic. (Score:5, Insightful)
Instant karma's gonna get you.
Re:I find it ironic. (Score:2, Informative)
I probably shouldn't complain for your very point. However - when we get complaints that our customers' mailboxes are jammed full of 'Viagra' and 'Wanna see my webcam' email messages - you have to do SOMETHING! We've tried SpamAssassin - that didn't get everything. We've tried SpamCop - that doesn't get everything. The combination seems to work fairly well.
Perhaps it's easier for the big guys (ComCast, MSN, AOL, Earthlink) than for us small web hosting shops. We need a
Dial-up or residential IP blocks, too (Score:5, Informative)
AOL also requires that your R-DNS matches what you claim your domain name to be. Do you have your PTR records in order? If you're on DSL (or dial-up) that can be difficult or impossible, depending on your provider.
I also question AOL's explanation of 'open relay.' They say that, if someone not on your network can connect to port 25 on your server, then you're an open relay. This entirely ignores POP-before-SMTP, IMAP-before-SMTP, and SMTP AUTH, which is what we use.
They may be better about it than their simple explanation; I only filled out their webform last night, so I don't have my results in yet. My solution was to hard-code the MX record for AOL.com to actually be my ISP's SMTP server, so mail to AOL gets relayed from a more legitimate-seeming source.
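The two checks argued over in this thread, the rDNS requirement above and the earlier proposal that a sending IP must appear among its domain's own A records, as an added example that is not from any poster. The resolver functions are passed in so the logic runs offline against constructed zone data; `live_ptr`/`live_a` wrap the socket module for real use.

```python
"""Forward-confirmed reverse DNS (PTR name resolves back to the connecting
IP) and a "sender IP is an A record of its domain" check. Lookups are
injected so the logic can be exercised offline with constructed zones."""
import ipaddress
import socket
from dataclasses import dataclass, field


@dataclass
class CheckResult:
    fcrdns_ok: bool            # a PTR name resolves back to the source IP
    domain_ok: bool            # source IP is an A record of the claimed domain
    reason: str
    ptr_names: list = field(default_factory=list)


def check_sender_ip(ip, claimed_domain, lookup_ptr, lookup_a):
    """lookup_ptr(ip) -> list of hostnames; lookup_a(name) -> list of IPv4 strings."""
    ipaddress.ip_address(ip)            # raises ValueError on a malformed address
    ptr_names = [n.rstrip(".").lower() for n in lookup_ptr(ip)]
    if not ptr_names:
        # The case AOL's page says may be rejected outright.
        return CheckResult(False, False, "no PTR record for source IP")
    fcrdns_ok = any(ip in lookup_a(name) for name in ptr_names)
    domain_ok = ip in lookup_a(claimed_domain.lower())
    if fcrdns_ok and domain_ok:
        reason = "rDNS confirmed and IP published under %s" % claimed_domain
    elif fcrdns_ok:
        reason = "rDNS confirmed but IP not published under %s" % claimed_domain
    else:
        reason = "PTR name does not resolve back to source IP"
    return CheckResult(fcrdns_ok, domain_ok, reason, ptr_names)


def live_ptr(ip):
    """Real PTR lookup through the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []


def live_a(name):
    """Real A lookup through the system resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


# Constructed zone data (not real hosts) so the checks can run offline.
PTR_ZONE = {"192.0.2.10": ["mail.example.net."],      # proper mail host
            "192.0.2.20": ["dsl-20.isp.example."]}    # generic DSL name
A_ZONE = {"mail.example.net": ["192.0.2.10"],
          "example.net": ["192.0.2.10"],
          "dsl-20.isp.example": ["192.0.2.99"]}       # PTR does not round-trip


def demo_ptr(ip):
    return PTR_ZONE.get(ip, [])


def demo_a(name):
    return A_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        r = check_sender_ip(ip, "example.net", demo_ptr, demo_a)
        print(ip, r.fcrdns_ok, r.domain_ok, r.reason)
```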
Re:Dial-up or residential IP blocks, too (Score:5, Funny)
Wow, they're right! I'm completely spam free now!
Are you sure? (Score:2)
This is a violation of RFC 2821.
They say that, if someone not on your network can connect to port 25 on your server, then you're an open relay.
I highly doubt that - if so, it would eliminate ALL ISPs who use the same server for inbound as for outbound mail. Which is 90% of small ISPs.
Do you have any links to back up your claims? I find it incredibly hard to believe that techs that are capable of keeping a network the si
Re:Are you sure? (Score:2)
Then they should be listed on rfc-ignorant. Their page [aol.com] says
* AOL's mail servers may reject connections from IP addresses which have no reverse-DNS (PTR record assigned).
So, not that they have to match, although I thought I'd read that elsewhere, but that they MAY reject if there is NO rDNS.
Second point
Sorry - slightly mis-worded. Link [aol.com] from the link on the original post.
Quote:
The second way to test your server is to telnet to the IP address in question on por
Re:Are you sure? (Score:2)
OK, still in violation, but not as bad as you claimed.
telnet to the IP address in question on port 25 from a different Internet Service Provider and manually initiate an SMTP transaction. If you can send mail from yourself from the different ISP, your server is an open relay.
I don't see what the problem is with this - if you can do that, then you are an open relay.
Re:Are you sure? (Score:2)
The big things that tripped us up was the IP block list. We're supposedly 'dynamic' although we're not. The ISP doesn't differentiate their IP bloc
Re:Are you sure? (Score:1)
> which have no reverse-DNS
That's to keep out the Asian crap. Try this some time: select ten pieces of Asian spam (the stuff with ideographic characters in the subject line) at random. Look at the headers, and pick out the IP address of the MTA that your ISP's mailserver received the message from. Try to traceroute these addresses, with reverse DNS lookups at every hop.
It's nothing if not consistent. You can watch the domain names go west t
Re:Dial-up or residential IP blocks, too (Score:2)
This is totally untrue. If that were the case, they'd be blocking every site that used a single server for incoming and outgoing mail (thus requiring port 25 be open to anyone). They most certainly do not do this.
Re:Dial-up or residential IP blocks, too (Score:2)
Uhhm, I have another theory.
If people outside of my domain can connect to port 25 on my mail server, they are able to deliver mail to my domain, regardless of if they can relay or not.
There. How's that?
Something to consider: Spammer@Home.... (Score:5, Insightful)
There are far too many morons who run what I call "Spammer@Home" (a play upon Seti@Home) - software that downloads a list of addresses from a spammer, then uses direct-to-MX from the luser's machine to send spam. Thus spammers get around blacklists.
So the luser on your system pisses off the world, and gets your netblock blacklisted. If you catch them, you can terminate them (or at least their account) and maybe get back, but....
Now, I know this is an unpopular suggestion with many SlashTrollBots, but have you considered blocking outbound SMTP from your customers? You can always allow the customers with a real need out (they just have to let you know), but by default block SMTP to anyplace other than your server (or better still, redirect it to your server).
The average user will not notice if they cannot send directly to other servers. If you redirect to your server, programs that do direct-to-MX will still work - you will just have a chance to check the mail (or at least log it). And anybody too 31337 to use your mail server can call you and ask you to change the settings to allow them out.
(Sits back to watch the morons bitch about this...)
Re:Something to consider: Spammer@Home.... (Score:3, Insightful)
If you re-read the original post, you will notice that this is about a hosting provider.
Most hosted websites provide some sort of forum or feedback page or something that requires access to an SMTP server to send back replies or notifications or similar.
On average, I noticed that 85% of hosted sites require SMTP, so blocking ALL and then ALLOWING a subset will be a lo
Re:Something to consider: Spammer@Home.... (Score:4, Insightful)
I did something similar here-- all port 25 traffic that originates from behind our firewall must be bound for our mail server. This stops a lot of crappy ad ware and email viruses that pack their own SMTP engine.
I don't see a similar setup for a hosting provider as being unnecessarily restrictive. It might not do anything to keep your customers from spamming from your net block, but at least it would all be routed through your server, greatly increasing the chances you would detect it and stomp the perpetrator's guts out-- or whatever action you feel is appropriate.
Re:Something to consider: Spammer@Home.... (Score:3, Insightful)
A better solution (ie. one that's less likely to have a customer call your support desk) is to transparently proxy all outbound SMTP traffic to your server.
An extra step would be to do connection throttling, which would limit the damage caused by the "@home" spammer, or customers who set up an op
Re:Something to consider: Spammer@Home.... (Score:1)
So if you do this, make sure you inform your customers, not keep quiet about it. Otherwise it's a good way to piss off the ones you want on your network, security conscious informed users... fortunately for you they exist. Informed users... wow.
Re:Something to consider: Spammer@Home.... (Score:2)
But, you know, it DOES! (Score:1)
Been there, done that. Some guy running a mailing list will call you saying all the list's email are being rejected, you adjust the filters and go for another cup of Brazilian coffee.
Re:Something to consider: Spammer@Home.... (Score:1)
That would be fair if it only applied to mail being delivered to them (after all, it's their disk space) but it's unacceptable for a required SMTP relay. Many of my users subscribe to Cox for home connections and have valid reasons to send email that is quite a bit larger. The result is that their broadband
Re:Something to consider: Spammer@Home.... (Score:2)
Unless that hosting provider has customers who want to use services like mine [vfemail.net]. Two advantages for the user are not having to worry about your current provider virus scanning/spam tagging your email, and you have a consistent email address no matter who your provider is.
So while I agree with your solution from an isp point of view, keep in mind that if you aren't providing the same services independent companies are
Re:Something to consider: Spammer@Home.... (Score:1)
Our customers rely upon us for SMTP/POP3. When ISPs kill outbound 25 - it makes it difficult...
Re:Something to consider: Spammer@Home.... (Score:2)
What do you mean? Do you mean that you'll be hindered if you are no longer able to connect to a dialup user's port 25? Why on earth would you need to do that?
Or do you mean that you're trying to run an smtp server on an MSN account? T
Re:Something to consider: Spammer@Home.... (Score:1)
However, when ISPs that our clients use decide to block port 25 traffic, then our clients need to use the ISP's outbound SMTP server. No big deal - just a pain to deal with.
When ISPs block port 110 for POP3...well that's usually when the client throws their hands in the air, spouts so
Re:Something to consider: Spammer@Home.... (Score:2)
Re:Something to consider: Spammer@Home.... (Score:1)
Re:Something to consider: Spammer@Home.... (Score:3, Interesting)
Doesn't really have any negative impact on me and helps them control spam, so I'm happy with it.
Re:Something to consider: Spammer@Home.... (Score:1)
I have two accounts, one is yahoo DSL and the other is a hosting company for my email and web page (interland.com). Both require pop-before-smtp before allowing outgoing email. Exim is not easy to setup to do outgoing pop-before-smtp (o.k. I spent a whole weekend unsuccessfully working on it, no one on the exim-support mailing list had figured it out (or if they had they weren't saying)). My only solution was to send mail
Re:Something to consider: Spammer@Home.... (Score:2, Flamebait)
SMTP over SSL (Score:2)
Do either of them use SMTP-AUTH?
If not, then perhaps rather than not paying attention to posts on Slashdot (had you BEEN paying attention you would have seen that I explicitly stated that the ISP should allow port 25 through IF THE CUSTOMER ASKS FOR IT) your time would be better spent trying to get your mail providers to adopt more recent means of preventing abuse.
Re:Something to consider: Spammer@Home.... (Score:1)
Re:Something to consider: Spammer@Home.... (Score:2)
"Hmm. I've severed an artery. Oh well, I was going to die someday anyway, what's the point of trying to stop the bleeding now?"
True, you are suffering because of something not your fault, and that sucks. However, most GOOD blacklists will look at where the REAL sender is, not the faked headers - those blacklists won't list you because of these faked emails, but WILL list you if you
Re:Something to consider: Spammer@Home.... (Score:1)
Re:Something to consider: Spammer@Home.... (Score:2)
This IS the problem with some blacklists - you get people jumping the gun.
you ask? (Score:1)
openrbl.org is a useful tool (Score:3, Interesting)
openrbl.org is useful for looking up your host and trying to figure out what blacklists you are on. But it is still fairly difficult to track down. Our server is listed on three blacklists there even though we have a static IP and have never emitted a single spam address. Sigh.
The other problem I've found is that when a bounce arrives from another server that says you are blacklisted, you can't email them to find out what list they use!
Our mail server does not use any blacklists, which is a shame because we get quite a bit of spam. But we are a business and I cannot take the risk of a client email bouncing, especially if they are innocent and the blacklist is wrong.
What I'd like is an SMTP front end that uses blacklists to determine the likelihood of the site as a spam source, and delay spam messages for a day or so. The idea being that many mass email programs cannot keep retrying for that long.
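The tempfail-and-retry front end the post above wishes for, written out as an added example (not the poster's code): a source that only some blacklists flag is told 450 "try later" and accepted once the same (IP, sender, recipient) triplet returns after the delay; heavily listed sources are refused, clean ones pass. The score thresholds, the one-day delay and the triplet expiry are assumptions.

```python
"""Greylisting keyed on (ip, mail_from, rcpt_to). The caller queries its
DNS blacklists and passes in how many of them list the connecting IP."""
import time

ACCEPT = "250 OK"
TEMPFAIL = "450 Greylisted, try again later"
REJECT = "550 Source IP listed on too many blacklists"


class GreylistPolicy:
    def __init__(self, delay_s=24 * 3600, expiry_s=3 * 24 * 3600,
                 reject_score=3, grey_score=1, now=time.time):
        self.delay_s = delay_s            # how long the sender must wait before a retry is accepted
        self.expiry_s = expiry_s          # forget triplets that never came back
        self.reject_score = reject_score  # listed on this many lists -> refuse outright
        self.grey_score = grey_score      # listed on fewer than this -> accept immediately
        self.now = now                    # injectable clock for testing
        self.seen = {}                    # triplet -> timestamp of first contact

    def decide(self, ip, mail_from, rcpt_to, listed_on):
        """Return the SMTP response to give at RCPT TO time."""
        t = self.now()
        self.expire(t)
        if listed_on >= self.reject_score:
            return REJECT
        if listed_on < self.grey_score:
            return ACCEPT
        key = (ip, mail_from.lower(), rcpt_to.lower())
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = t            # first contact: queue-and-retry MTAs will be back
            return TEMPFAIL
        if t - first < self.delay_s:
            return TEMPFAIL               # retried too early; keep the original timestamp
        return ACCEPT                     # same triplet came back after the delay

    def expire(self, t):
        stale = [k for k, first in self.seen.items() if t - first > self.expiry_s]
        for k in stale:
            del self.seen[k]


if __name__ == "__main__":
    policy = GreylistPolicy()
    print(policy.decide("192.0.2.5", "list@example.org", "user@example.net", listed_on=1))
```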
Re:openrbl.org is a useful tool (Score:2)
Why not use SpamAssassin [spamassassin.org]? I have the same situation here at work, and using SpamAssassin works like a champ. I use that along with Anomy [anomy.net]. SpamAssassin scans and scores the mail as being possible spam.
I currently specify a score of 6+ as spam. Then that mail gets sent th
AOL Blacklists dynamic IP's (Score:5, Informative)
Re:AOL Blacklists dynamic IP's (Score:1)
Re:AOL Blacklists dynamic IP's (Score:1)
Maybe I'm wearing a tinfoil hat, but I don't like the idea of my business or personal email going through my ISP's mail servers. Sure, there is no expectation of privacy in unencrypted email. Sure, Carnivore will sniff at it regardless. It's just that the fewer log files that record my activity, the happier I feel.
And, SPEWS has blacklisted my ISP. So, my ISP's SMTP server is just as blacklist
Re:AOL Blacklists dynamic IP's (Score:2)
Why?
No seriously... Why? Why should I use my ISP's mail server rather than running my own? So when one of their weekly server configuration screwups occurs, I can miss important messages? In my experience, actual connectivity outages occur FAR less often, and for much shorter periods, than "Oh dear, server X has gone down, I guess we should mention i
Re:AOL Blacklists dynamic IP's (Score:2)
Incidental Consolidation (Score:5, Insightful)
Let me try to understand this.
While far too many people are willing to jump into Grassy Knoll theories at the drop of a hat that are unsubstantiated, and my theory is unsubstantiated, it nevertheless remains true that foot-dragging on resolving this particular issue will serve to help the larger ISP grow larger at the expense of the smaller ISP.
Re:Incidental Consolidation (Score:1)
Could be a new career path (Score:3, Interesting)
Onion statshot (Score:5, Funny)
Top-ten reasons: Why are we on e-mail blacklists?
1 - Poor social skills cause instant dislike in anyone we communicate with
2 - Cursed by bequest of Nigerian Uncle's Viagra stockpile
3 - Was unaware that neighbours were advertising us as "live nerd-cam!"
4 - this is slashdot?????
5 - profit!
AOL only looks one hop back (Score:5, Informative)
The next generation of competition killer! (Score:2)
When a small ISP's customers get their mail bounced, they immediately complain. Since the ISP can't do anything about it, they will lose customers who can't email their friends who use AOL.
AOL had a small screwup yesterday... (Score:2, Interesting)
- SBB
Check for forwarders. (Score:3, Informative)
Since all of their email is forwarded, this includes the SPAM that they receive. These clients then report the spam... but since it was forwarded from your server, guess who AOL blocks?
AOL has a really bad system for spam. You can report spam that is of any vintage, months or years ago, and they will count it against you; blacklists are automatically applied, there is no human intervention.
I've had clients with exploitable formmail scripts installed, upon receipt of a complaint the formmail scripts were immediately removed; however, not before thousands of emails were sent to AOL accounts. It took over a month before reports stopped getting filed and we stopped getting blacklisted; regardless of the complaints being over a month obsolete.
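Why an exploitable formmail script turns a hosting server into a spam source, shown as an added example (not the poster's code and not any real formmail script): the usual defect is taking the recipient, and often header fields, straight from the submitted form, so anyone on the Internet can have the web server mail whatever they like to whomever they like. The hardened version only delivers to a per-host allow-list and refuses header injection; the host table is a constructed sample.

```python
"""Vulnerable formmail pattern beside a hardened one."""
import re
from email.message import EmailMessage


def build_mail_vulnerable(form):
    """The classic defect: recipient and headers come straight from the form."""
    return ("To: %s\nFrom: %s\nSubject: %s\n\n%s\n"
            % (form["recipient"], form["email"], form["subject"], form["message"]))


# Constructed sample: the only addresses a form on each hosted site may reach.
ALLOWED_RECIPIENTS = {
    "www.example-customer.test": {"sales@example-customer.test"},
}
_CRLF = re.compile(r"[\r\n]")
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class FormMailError(ValueError):
    pass


def build_mail_hardened(host, form, max_body=4000):
    """Build the notification mail, or raise FormMailError on any abuse attempt."""
    allowed = ALLOWED_RECIPIENTS.get(host)
    if not allowed:
        raise FormMailError("form mail not enabled for host %r" % host)
    recipient = form.get("recipient", "")
    if recipient not in allowed:                    # no relaying to arbitrary addresses
        raise FormMailError("recipient not in allow-list")
    for name in ("email", "subject"):
        if _CRLF.search(form.get(name, "")):        # CR/LF would start a new header line
            raise FormMailError("header injection attempt in %s" % name)
    reply_to = form.get("email", "")
    if reply_to and not _ADDR.match(reply_to):
        raise FormMailError("malformed submitter address")
    body = form.get("message", "")
    if len(body) > max_body:
        raise FormMailError("message too long")
    msg = EmailMessage()
    msg["To"] = recipient
    msg["From"] = "formmail@" + host                # sender is always our own address
    if reply_to:
        msg["Reply-To"] = reply_to                  # submitter only ever appears here
    msg["Subject"] = form.get("subject", "Web form submission")[:200]
    msg.set_content(body)
    return msg


def relay_attempt_blocked(host, form):
    """True if the hardened builder refuses this submission."""
    try:
        build_mail_hardened(host, form)
    except FormMailError:
        return True
    return False


if __name__ == "__main__":
    ok = {"recipient": "sales@example-customer.test", "email": "visitor@example.org",
          "subject": "Question", "message": "Do you ship to Brazil?"}
    print(build_mail_hardened("www.example-customer.test", ok))
    print(relay_attempt_blocked("www.example-customer.test",
                                dict(ok, recipient="someone-else@example.net")))
```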
Did you switch netblocks recently? (Score:2, Interesting)
Re:Did you switch netblocks recently? (Score:2)
dns hijacking or @domain.com (Score:2)
Reply from AOL customer support (Score:1)
Have you asked NANAE? (Score:4, Informative)
Post your IP range and the sites blocking you, someone will tell you what the problem is.
My experience with being blacklisted (Score:1)
Virginia (Score:1)
Re:Virginia (Score:1)
"No! Bad Rogue, don't think such thoughts"
*...the thought of an email admin begging to un-blacklist me....*
"Evil Rogue! Don't be evil!"
*...the klickity-klackity sounds of being permanently removed from AOL's blacklis...*
Music to my ears!!!
Logically,
--rogue