AOL blocking MailScanner messages!

John Rudd jrudd at UCSC.EDU
Fri Dec 5 20:51:53 GMT 2003

Steve Thomas wrote:
> On Thu, Dec 04, 2003 at 11:36:24PM -0800, John Rudd is rumored to have said:
> >
> > 1) So why can't you route all of your outgoing mail through your ISP?
> We don't want or need to. We pay for business class service and run all our own services. The only outside services we rely on are the root DNS servers.
> > (I know, some people do, and some people don't ... I don't, but my
> > reverse DNS works, so I don't need to ... but, that IS what you're
> > supposed to be doing, so if you're having problems, why not do what
> > you're supposed to be doing instead?)
> We're not having problems - I simply pointed out a scenario that is entirely possible.

And the questions are framed within that scenario.  If you're not having
problems in real life, then answer the questions from within the
scenario (i.e. as if you were having the problem).

> And why is relaying through our ISP what we're "supposed to be doing"??!! I thought that what we were "supposed to be doing" is using our Internet connection in any way that pleases us as long as we're not violating our ISP's TOS or breaking any laws.

That's one way to look at it.

Another is that you're using IP addresses that belong to your ISP, and
with the current state of the net many people don't want to receive
direct mail connections from end-customers on low end connections (ie.
where you don't have enough fixed infrastructure in place that you
control everything INCLUDING your reverse DNS).  It's not just that they
might be spammers (low end -> non-permanent -> the spammer's "ISP
account of the day"), it's that they might be legitimate end users who
might be hosting the latest open-proxy trojan that has turned their
workstation into a spam relay.

Rather than play those whack-a-mole games, you simply block all of those
addresses.  For some, that means blocking DUL lists, for some they
expand that to include DSL customers.  And another good way to catch
those people is to target people whose reverse DNS isn't properly set
up ... because in many cases, it's not set up properly because they
don't control it, because they don't own the network address block.  So,
make those people relay through their ISP, and you don't have to deal
with all of those headaches and potential whack-a-moles.

It's simple, effective, and doesn't place an unreasonable burden upon
the mail senders.

> > 2) If you don't control the in-addr for your IP block, then presumably
> > it's your ISP's -- so make them fix their in-addr allocation.  The
> > problem isn't that the in-addr information has to match your mail
> > domain, it just has to _exist_ (mail always comes from hosts that don't
> > match the mail domain indicated).  If it doesn't, and it's not your
> > block to host on your DNS server, then your ISP isn't doing their job.
> > Make them fix it, or switch to an ISP that isn't broken.
> Again, it's not broken. I only posed a hypothetical scenario.

And, again, answer it from within the hypothetical scenario.

If you were having the problem, and you didn't control your in-addr
block, then it's presumably your ISP's block, so why can't you make them
fix it or move to a different ISP if they're not responsible enough to
fix it?

> > 3) If they won't fix it, then ask them to delegate those addresses to
> > you with NS records (which can be done on a per-IP addr basis, it
> > doesn't have to be done in full class-C blocks).
> I think it's pretty clear at this point that you either didn't read or didn't understand my original message.

It doesn't fit the very specific case you gave of "what if RR hadn't..",
but it does fit the general problem.  Just because you don't own the
block doesn't mean you can't ask your ISP to delegate the specific
in-addr addresses to you so that you can manage them yourself.  That
WOULD fix the problem for some of the people who have reverse DNS

> Steve
> > On Dec 4, 2003, at 5:01 PM, Steve Thomas wrote:
> >
> > >
> > > On Thu, Dec 04, 2003 at 06:37:34PM -0600, Mike Kercher is rumored to
> > > have said:
> > >>
> > >> If not, admins on the other end need to get off their ass and make
> > >> their
> > >> networking correct, complete and in compliance with the RFC's.
> > >
> > > I've only been skimming this thread, so this may have been stated
> > > already. If so, I apologize...
> > >
> > > You're forgetting that reverse dns is a totally different animal than
> > > forward, and that just about anyone with less than a /24 (and many
> > > with a /24 or larger) don't have the reverse zones delegated to their
> > > servers. If I own, I can easily create any forward entry in
> > > the domain, but making something in the domain
> > > point to is not nearly as easy.
> > >
> > > As a for instance, the machine I'm sending this message from is on a
> > > RoadRunner network. We've got a block of addresses allocated to us and
> > > despite repeated assurances that they would delegate the
> > > zone for our netblock to our dns server, it's never happened. Now if
> > > RR managed to have a corrupt zone file, forgot to generate PTR records
> > > for our netblock or for some other reason wasn't on the ball, I'd be
> > > "an admin who was sitting on my ass not making my network correct"? I
> > > think not. My dns server is properly configured to serve requests for
> > > the /28 we've been allocated but RR is still in control of the zone.
> > >
> > > Then there's network outages, software failures, fiber cuts, DDoS
> > > attacks, etc, etc to consider. You'll reject mail just because the DNS
> > > server serving the zone for the connecting machine is
> > > unreachable?
> > >
> > > I can see adding a warning header or something innocuous like that,
> > > but outright rejecting mail from machines without RDNS properly
> > > configured is overkill, IMHO.
> > >
> > >
> > > Steve
> > >
> > >
> > > --
> > > "Blessed is the man, who having nothing to say, abstains from giving
> > > wordy evidence of the fact."
> > > - George Eliot (1819-1880)
> --
> "Don't be so humble - you are not that great."
> - Golda Meir (1898-1978) to a visiting diplomat
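Added here as an illustration (not code from the thread or from MailScanner): a small inbound-SMTP reverse-DNS policy that follows the points argued above, that a PTR only has to exist rather than match the mail domain, that a DNS outage must produce a temporary failure rather than a rejection, and the "warning header" alternative Steve suggested. The default lookups assume the dnspython package and the standard socket module; the X-RDNS-Warning header name and the sample addresses are hypothetical.

```python
"""Inbound-SMTP reverse-DNS policy (added example): reject only on a
*definitive* missing PTR, defer with an SMTP 4xx when DNS itself fails, and
optionally warn via a header instead of rejecting.  Lookups are injectable so
the policy can be exercised offline with constructed answers."""
import ipaddress
import socket


def dnspython_ptr(ip):
    """Default PTR lookup; assumes the dnspython package is installed.
    Returns ("ok", [names]), ("nxdomain", []) or ("tempfail", [])."""
    import dns.exception, dns.resolver, dns.reversename  # optional dependency
    try:
        answer = dns.resolver.resolve(dns.reversename.from_address(ip), "PTR")
        return ("ok", [r.target.to_text().rstrip(".") for r in answer])
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return ("nxdomain", [])          # definitive: nobody published a PTR
    except (dns.exception.Timeout, dns.resolver.NoNameservers):
        return ("tempfail", [])          # outage, fibre cut, DDoS on their DNS


def socket_forward(name):
    """Default forward lookup: every address the PTR name resolves to."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def rdns_policy(ip, lookup=dnspython_ptr, forward=socket_forward, mode="reject"):
    """Return (smtp_code, text, extra_header) for a connecting address.
    mode is "reject" (550 on missing PTR) or "warn" (accept, add a header).
    The header name X-RDNS-Warning is a hypothetical choice for this example."""
    ipaddress.ip_address(ip)             # raise ValueError on a malformed address
    kind, names = lookup(ip)
    if kind == "tempfail":
        # Never turn a transient DNS failure into a permanent rejection.
        return (450, "4.7.1 temporary reverse DNS failure, try again later", None)
    if kind == "nxdomain":
        if mode == "reject":
            return (550, "5.7.1 no reverse DNS (PTR) for %s" % ip, None)
        return (250, "ok", "X-RDNS-Warning: no PTR record for %s" % ip)
    # A PTR exists.  It need not match the sender's mail domain; we only note
    # whether any name forward-confirms (FCrDNS) back to the connecting address.
    if any(ip in forward(name) for name in names):
        return (250, "ok", None)
    return (250, "ok", "X-RDNS-Warning: PTR %s does not forward-confirm %s"
            % (",".join(names), ip))
```

Wire `rdns_policy` into the connect-time check of the MTA and pass the returned header through to the message when the code is 250; the injected `lookup`/`forward` callables make the branch logic testable without network access.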
