Domain: blackholes.us
Stories and comments across the archive that link to blackholes.us.
Comments · 58
-
Not a dream, but a nightmare (spam)
People forget that there's some responsibility using the Internet--this includes not soaking the rest of the world in spam and (for ISPs) not ignoring abuse complaints. I've blocked South Korea completely by routing all Korea IP blocks to a blackhole (non-existent IP address). If you'd like to do the same for this (and perhaps other countries and select ISPs), see http://www.blackholes.us/ Click on (South) Korea.
Once this and other rogue nations and ISPs behave in a responsible manner, perhaps they can rejoin the club. Now back to our regular programming
:-) . . .
-
Re:Hurricane Electric
Hurricane Electric are possibly not the best of choices to use. They are, by repute, a big spam-friendly hosting outfit and appear to be widely blacklisted: SPEWS blacklist (NB: that's just one SPEWS record that lists HE.net space) quite a bit of their space, the SBL has a few listings for them, and they're also listed by blackhole.us.
So, when considering Hurricane.net bear in mind you may well have problems with email being rejected and even complete blackholing of connectivity to/from some sites.
-
Re:No problem
See blackholes.us for a suitable dnsBL list for Korea.
It covers other countries too, as well as some ISPs (including certain ones that don't give a damn like wannadoo and interbusiness.it)
-
Re:SPEWS
UUNet does harbor spammers. As long as UUNet believes you'll stay despite spammers, they will continue to harbor spammers and the spammers will continue to abuse other people's mail servers.
The blacklists that list all of a whole country or a whole ISP are not the same thing as SPEWS. SPEWS doesn't do that kind of thing. You must be referring to http://www.blackholes.us/.
-
Re:Incomplete!
I must admit to having less of a problem with DNSBLs than other types of RBL such as the open relays
It is not clear to me what you mean by this. "DNSBL" is the generic term for any DNS-based Blackhole List. "RBL" is a trademark of MAPS, Inc., for a particular DNSBL which they operate. Different DNSBLs have different criteria for what they list.
For instance, some list only open relays, e.g. ORDB. Some list only open proxies, e.g. Blitzed OPM. Some list IP addresses which have sent spam to particular detectors. Some list IP addresses which belong to repeat spammers, e.g. SBL. Some list IP addresses allocated to particular countries or ISPs, such as the blackholes.us lists.
There's as great a diversity of DNSBLs as there is of opinions as to how to run a DNSBL.
You semiaddress the issue of accountability but not of secrecy. It's a fact that most services keep their lists secret until effectively revealed by dropped emails.
I'm not sure what you are claiming here. Do you mean that most mail sites do not tell their users which DNSBLs (if any) they are using? Or do you mean that DNSBLs do not disclose what IP addresses they list?
If the former, I agree that this can be a problem, particularly if the mail sites in question are ISPs. ISPs should disclose their mail filtration policies to their users; it's also nice (but by no means ethically necessary) if they give their users choice as to which filters apply to their individual mail. For other mail sites, such as corporations or research institutions (my workplace is one of the latter) it may be unnecessary given the site policies.
If you mean that DNSBLs don't disclose which addresses they list -- well, this is certainly the case for some DNSBLs, and certainly isn't for others. SPEWS, for instance, publishes their entire list in a text file (warning: long!). Many others do likewise. Some permit DNS zone transfers, so your nameserver can automatically download a full copy of the list and you don't have to query them constantly.
Any of the DNSBLs which I would recommend have clearly stated policies as to how addresses get on the list, and how they can get off. It is certainly the case that some mail operators use DNSBLs that I would not recommend. (Nobody, I say nobody, claims that your mail site should use every DNSBL out there, or that you should use them indiscriminately.) That is, I fear, their problem.
As an aside, I have personal experience of spending months trying to get a false entry in the DUL corrected.
Yes, there are badly operated DNSBLs. Yes, it's unfortunate that some sites use badly operated DNSBLs. That is a problem with the badly operated DNSBLs and not with DNSBLs in general. Please do not tar Steve Linford (operator of Spamhaus SBL) with the Paul Vixie brush.
Yahoo are saying they operate an Internet email system, but when I tried sending stuff to my own account on Yahoo from my static IP Earthlink DSL connection, my computer spent 3 days trying to send it before giving up because the MX host was unreachable. That means that, for these purposes, that service they claimed to be providing didn't exist. And it didn't exist because someone between me and Yahoo - maybe Yahoo, maybe Earthlink - had blocked an email.
I'm a little bit confused here. The issue at hand is DNSBLs, but the usual use of DNSBLs cannot yield a "host unreachable" -- it yields an SMTP error message and possibly a bounced mail. It sounds to me more like your own ISP, Earthlink, was filtering outbound port-25 connections from client addresses, to keep its dialup and DSL users from being used as spammable open proxies or relays. A ham-handed policy, indeed, but a policy decision that it's Earthlink's to make -- and nothing to do with DNSBLs or other sites' spam filtering.
Oh, but ok, I could have gotten it through if, at that moment, I'd used Earthlink's SMTP relay, but (a) WHY?
Presumably, if they're filtering port 25, because that is how Earthlink has chosen to run their network. That is undoubtedly cheaper and easier for them, than it would be to chase down every damn user on their system with an open proxy, open relay, backdoor trojan, or other piece of crapware and kick them off.
Sure, they could do that. But your fees would be triple, and they would go out of business -- so you'd have to find a new ISP anyway.
The end result of this is that legit email is blocked, spam (very clearly) still gets through (I already know how to enlarge my penis thank you very much), and so it's fair for me to say that the measures sysadmins are taking to block spam are not working, that they're interfering with legitimate use, that they're not actually ever going to be effective anyway, that they interfere with the communication of unconnected third parties.
It strikes me as foolish to say that DNSBLs as a category don't work, when anyone who runs a professional mail site and uses them can tell that using the right DNSBLs does make a difference in spam load. My site, with ~1000 users, blocks 2000-3000 spam per day using DNSBLs, local IP blocklists, and some content filters for obvious spam signatures (e.g. "S.1618") and viruses. We also get maybe one false positive a month reported by our users, which we whitelist; we also give users the choice of opting-out of spam filtering entirely for their accounts. (The demand for this? A few Chinese researchers whose home institutions operate open relays.)
It is mail users, it's not mail administrators, and this seems to be a distinction many in the pro-block camp fail to understand.
Thing is, from what you've said, you aren't an ordinary mail user, so you don't get to make that call for the entire mail-using public. You're a network hobbyist, who's choosing to operate his own mail site on a network that has chosen not to support that kind of operation -- namely, an end-user ISP. If your ISP doesn't allow port 25 outbound, or tells other sites not to accept mail from its client addresses (which is what a DUL listing indicates), that doesn't mean you have a problem with other sites' spam filtering
... it means you have a problem with your ISP and its choices for how to minimize problems on its own network.
If you, a hobbyist, want business grade connectivity rather than end-user connectivity which is filtered to minimize abuse, then you need to go to an ISP and get a contract for that kind of connectivity. It will cost more. That you assumed that an end-user ISP would support your hobby -- at the expense of being unable to clamp down on abuse of their own systems -- indicates to me that you might need to think your plans through a bit more.
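An added example, not part of the comment above or of any project's code: how a mail server typically consults DNSBLs once a client has connected, which is why a listing surfaces as an SMTP rejection rather than an unreachable host, and how a local whitelist overrides a reported false positive. The zone names, addresses and the in-memory resolver table are constructed for illustration.

```python
import ipaddress

# Constructed sample data: zones under .example, documentation-range addresses.
ZONES = ["relays.dnsbl.example", "country.dnsbl.example"]
FAKE_DNS = {  # stands in for a resolver; a missing name means NXDOMAIN (not listed)
    "10.2.0.192.relays.dnsbl.example": "127.0.0.2",
    "7.113.0.203.country.dnsbl.example": "127.0.0.2",
    "9.113.0.203.country.dnsbl.example": "127.0.0.2",
}
# Hypothetical local override for false positives reported by users.
LOCAL_WHITELIST = [ipaddress.ip_network("203.0.113.0/29")]
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """IPv4 DNSBL convention: reverse the octets, then append the list's zone."""
    addr = ipaddress.IPv4Address(client_ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup(name: str, resolver=FAKE_DNS.get):
    """Return the A record for name, or None when the name does not exist."""
    return resolver(name)


def smtp_decision(client_ip: str) -> str:
    """Pick the SMTP reply for a client whose TCP connection was already accepted."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in LOCAL_WHITELIST):
        return "250 OK (locally whitelisted)"
    for zone in ZONES:
        answer = lookup(dnsbl_query_name(client_ip, zone))
        # A listing is signalled by an answer inside 127.0.0.0/8.
        if answer and ipaddress.ip_address(answer) in LISTED_RANGE:
            return f"550 5.7.1 Mail from {client_ip} refused, listed in {zone}"
    return "250 OK"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7", "203.0.113.9", "198.51.100.5"):
        print(ip, "->", smtp_decision(ip))
```

The sender sees the 550 reply and its own mail system generates the bounce; the connection itself is never dropped at the network layer.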
-
Re:Hrm, isn't that John Gilmore's ISP?
Actually, you've hit a major irony, because Verio refuses to continue selling John Gilmore internet access.
Gilmore wouldn't stop running his mail server as an open relay. He was warned repeatedly that his actions were in violation of Verio's AUP, and he flat-out refused to change things, even though there were other options to let his friends use his precious host from elsewhere without leaving the door wide open for any spammer to abuse it. As a result, every toad.com host I find goes onto my personal DNSBL forever. I don't have the time or energy needed to deal with machines wilfully configured to be insecure.
Verio already has a full DNSBL zone entry locked and loaded at blackholes.us. If and when they file their cartooneygram, it goes right into my sendmail configuration. So long forever, Verio; you can join Harris and all the others in the Eternal Bit Bucket.
I'll bet I'm not the only one who feels that way.
-
I've Been Debating With Myself...
...over What To Do About Verio. Following Stiff Linfeed's action, I've decided to add the blackholes.us verio.blackholes.us zone to the DNSbl list on my mail server at home.
Where I work we used to be a Verio corporate customer. When I saw the direction they were apparently headed wrt letting spammers live in their space, I got us moved out of there. Glad I am that I did so!