Why Are We on E-mail Blacklists?
LogicallyRogue asks: "I run an email server for a small webhosting company. We've crawled all around the email server to make it as secure as possible: tightened Sendmail's security, POP Before SMTP, denying non-authenticated relaying, using SpamCop DNS blacklist, etc. However, with all this in place, every few months, it seems that we have been blacklisted by some ISP somewhere. This month it was AOL. We had no warning, and we don't know why we were blacklisted. All the information we have is a single URL. We visit all the DNS blacklist services we can to be sure we are not on any of them. We send emails to the postmasters inquiring for more information (like perhaps a reason or copy of the email that made the ISP blacklist us) - however, those are usually bounced back because we are blacklisted. We've tried calling the Blacklisting ISP tech support - and usually get the stunned I-have-no-clue-what-you-are-talking-about silence.
Have any other Slashdot readers experienced similar problems with blacklisting and the big ISPs?"
This isn't a customer support issue as much as it is a your-server-is-being-over-anal-and-you-probably-want-to-know-about-it issue. Email postmaster@host; if that doesn't work, submit them to postmaster.rfc-ignorant.org and call their NOC.
Help us build a better map!
AOL does this all the time. Comcast was blacklisted by AOL a while back; sending to AOL addresses would bounce. (!) The problem was fixed very quickly, and Comcast is a VERY large ISP. Just call again, keep bugging them, and hope for the best.
Usually has to do with overzealous abuse people :) that are heavily overworked accidentally concluding that a forged return address is a guilty party.
The other common cause is running any older versions of netscape's shitty email server software. I have no idea why so many people fork out so much money for this single-threaded piece of crap. It's like having an open-relay that you close 9 billion times, but the latch is broken.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
From the spam-l list:
Where I work, we have that problem frequently. Often, it's a result of an overzealous spam list that decides that because the spammer forged headers that make it look like mail passed through one of our machines, mail MUST HAVE come through that machine, so we should be blocked.
Call the ISP and ask which spam filtering or RBL services they use. The first-level drone won't know, but if you explain that you're being blocked and you need this information to fix the problem, you'll probably get transferred or get a call back from someone who -does- know. You'll probably discover that their filtering was overzealous.
Sometimes, you'll run into a knee-jerk admin who unconditionally believes anything the RBL tells them. It's best just to write off this ISP -- you won't convince them that you weren't sending spam. Put a custom "ISP admin is an idiot" bounce message in for that domain so that your users know why the mail didn't get through, then move on.
Of course, this assumes that you're already actively handling open relays and abuse on your end. That's part of the job, and you should check carefully to ensure that your setup is okay before contacting anyone.
Forward, retransmit, or republish anything I say here. Just don't misquote me.
..and as such, shouldn't be relied upon as an "oh this is definitely for rejection". My firm uses an RBL as a plug in to SpamAssassin. Just being in the RBL by itself isn't enough to get rejected, but it bumps up the score a bit. Unfortunately, because RBLs are easy to slave and use, too many people rely on them, when the use is now limited. Limited by the fact that the 'big' spammers are incredibly clever these days. Having said all that, it wouldn't surprise me if AOL started blocking addresses with the '@' symbol... ;)
Lee
--
'I love spam. Come get me.'
This is too bad. Some people would say that blacklistings are necessary because they help keep the spamming down. And the spamming needs to be kept down because most people's inboxes would be too filled with spam to be usable. But when big companies like AOL start blocking mail servers out of the blue, it kinda defeats the purpose.
Here you are complaining that you are being blacklisted, but at the same time you are blacklisting loads of other people.
Instant karma's gonna get you.
None are more hopelessly enslaved than those who falsely believe they are free. Johann Wolfgang von Goethe.
AOL also requires that your R-DNS matches what you claim your domain name to be. Do you have your PTR records in order? If you're on DSL (or dial-up) that can be difficult or impossible, depending on your provider.
I also question AOL's explanation of 'open relay.' They say that, if someone not on your network can connect to port 25 on your server, then you're an open relay. This entirely ignores POP-before-SMTP, IMAP-before-SMTP, and SMTP AUTH, which is what we use.
They may be better about it than their simple explanation; I only filled out their webform last night, so I don't have my results in yet. My solution was to hard-code the MX record for AOL.com to actually be my ISP's SMTP server, so mail to AOL gets relayed from a more legitimate-seeming source.
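The reverse-DNS requirement mentioned above is usually implemented as forward-confirmed reverse DNS: the sending IP must have a PTR record, that name must resolve back to the same IP, and it should match the name the server announces. The following is an added example, not AOL's test and not code from this thread; the lookup functions are injectable so the check runs offline against constructed sample records, and the hostnames and addresses below are documentation placeholders rather than real hosts.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an outbound mail host.

Added example (not AOL's actual policy). Three things are checked:
  1. the sending IP has a PTR record,
  2. the PTR name resolves forward to that same IP,
  3. the PTR name matches the hostname the server claims (HELO/EHLO name).
"""
import socket


def ptr_via_dns(ip):
    """Default PTR lookup using the system resolver (None when no PTR exists)."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except (socket.herror, socket.gaierror):
        return None


def addresses_via_dns(name):
    """Default forward lookup: all IPv4 addresses for a name (empty list if none)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_fcrdns(ip, helo_name, ptr_lookup=ptr_via_dns, a_lookup=addresses_via_dns):
    """Return (verdict, detail). Lookups are injectable so the check can run offline."""
    ptr = ptr_lookup(ip)
    if ptr is None:
        return "no_ptr", f"{ip} has no PTR record"
    ptr = ptr.rstrip(".").lower()
    forward = a_lookup(ptr)
    if ip not in forward:
        return "no_forward_confirmation", (
            f"PTR {ptr} does not resolve back to {ip} (got {forward or 'nothing'})")
    helo = helo_name.rstrip(".").lower()
    # Accept an exact match, or a PTR inside the claimed domain
    # (mail.example.net is fine for a server that claims example.net).
    if ptr == helo or ptr.endswith("." + helo):
        return "ok", f"PTR {ptr} confirmed for {ip} and matches {helo}"
    return "helo_mismatch", f"PTR {ptr} is confirmed but the server claims to be {helo}"


# Constructed sample zone data (documentation addresses, not real hosts).
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.net",
    "192.0.2.20": "pool-20.dsl.example.org",
    "192.0.2.30": "stale.example.net",
}
SAMPLE_A = {
    "mail.example.net": ["192.0.2.10"],
    "pool-20.dsl.example.org": ["192.0.2.20"],
    "stale.example.net": ["198.51.100.7"],   # PTR points at a name that has moved
}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)


def sample_a(name):
    return SAMPLE_A.get(name, [])


def sample_results():
    """Run the check over the constructed data; each case shows one failure mode."""
    cases = [
        ("192.0.2.10", "example.net"),        # good: PTR confirmed, inside claimed domain
        ("192.0.2.20", "mail.example.net"),   # dynamic-looking PTR that does not match HELO
        ("192.0.2.30", "example.net"),        # PTR exists but forward lookup disagrees
        ("192.0.2.40", "example.net"),        # no PTR at all
    ]
    return {ip: check_fcrdns(ip, helo, sample_ptr, sample_a)[0] for ip, helo in cases}


if __name__ == "__main__":
    for ip, verdict in sample_results().items():
        print(ip, verdict)
```

To test your own server, call `check_fcrdns("<your IP>", "<your HELO name>")` with the default lookups; the `helo_mismatch` and `no_forward_confirmation` verdicts are the two that a PTR record from a DSL or dial-up provider typically produces.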
It sounds like you've done an admirable job securing YOUR system. What about your USERS?
There are far too many morons who run what I call "Spammer@Home" (a play upon Seti@Home) - software that downloads a list of addresses from a spammer, then uses direct-to-MX from the luser's machine to send spam. Thus spammers get around blacklists.
So the luser on your system pisses off the world, and gets your netblock blacklisted. If you catch them, you can terminate them (or at least their account) and maybe get back, but....
Now, I know this is an unpopular suggestion with many SlashTrollBots, but have you considered blocking outbound SMTP from your customers? You can always allow the customers with a real need out (they just have to let you know), but by default block SMTP to anyplace other than your server (or better still, redirect it to your server).
The average user will not notice if they cannot send directly to other servers. If you redirect to your server, programs that do direct-to-MX will still work - you will just have a chance to check the mail (or at least log it). And anybody too 31337 to use your mail server can call you and ask you to change the settings to allow them out.
(Sits back to watch the morons bitch about this...)
www.eFax.com are spammers
Heh, one would expect www.rfc-ignorant.org to be compliant with Internet standards. It's, however, not when it comes to HTML at least...
the computer is online
i am not at it
what a waste of resources
This is a real problem. Many blacklists are far too eager to list an IP without real evidence of spamming.
openrbl.org is useful for looking up your host and trying to figure out what blacklists you are on. But it is still fairly difficult to track down. Our server is listed on three blacklists there even though we have a static IP and have never emitted a single spam address. Sigh.
The other problem I've found is that when a bounce arrives from another server that says you are blacklisted, you can't email them to find out what list they use!
Our mail server does not use any blacklists, which is a shame because we get quite a bit of spam. But we are a business and I cannot take the risk of a client email bouncing, especially if they are innocent and the blacklist is wrong.
What I'd like is an SMTP front end that uses blacklists to determine the likelihood of the site as a spam source, and delay spam messages for a day or so. The idea being that many mass email programs cannot keep retrying for that long.
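Both halves of this post, checking which lists your own host is on and using listings only to delay rather than reject, can be shown in one piece of code. This is an added example, not openrbl.org's code and not an existing SMTP front end: it builds the reversed-octet DNSBL query name, treats a 127.0.0.x answer as a listing (and ignores anything else, which catches a zone that has started wildcarding), and tempfails a listed sender with a 450 until it retries after the configured delay. The zone names and the answers in `SAMPLE_ANSWERS` are constructed placeholders; with the default lookup the same functions query real zones through the system resolver.

```python
"""DNSBL self-check plus a 'make listed senders retry later' decision.

Added example; zone names are placeholders for whichever lists you query.
"""
import ipaddress
import socket
import time


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL expects, e.g. 10.2.0.192.dnsbl-a.example."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def lookup_via_dns(name):
    """Default lookup: the A record answer, or None when NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def listings(ip, zones, lookup=lookup_via_dns):
    """Return {zone: answer} for every zone that lists the IP.

    A DNSBL answers with 127.0.0.x when listed; anything outside 127.0.0.0/8
    is treated as a broken or wildcarded zone and not counted as a listing.
    """
    hits = {}
    for zone in zones:
        answer = lookup(dnsbl_query_name(ip, zone))
        if answer and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            hits[zone] = answer
    return hits


class DelayPolicy:
    """Tempfail (450) the first contact from listed senders; accept once they retry late enough.

    A listing alone never rejects here; it only makes the sender prove it runs a
    real queue by coming back after the delay, which most bulk mailers will not do.
    """

    def __init__(self, delay_seconds, threshold=1):
        self.delay_seconds = delay_seconds
        self.threshold = threshold          # how many listings before we slow a sender down
        self.first_seen = {}                # (ip, mail_from, rcpt_to) -> first attempt time

    def decide(self, ip, mail_from, rcpt_to, hits, now=None):
        now = time.time() if now is None else now
        if len(hits) < self.threshold:
            return 250, "accepted: below listing threshold"
        key = (ip, mail_from, rcpt_to)
        first = self.first_seen.setdefault(key, now)
        waited = now - first
        if waited >= self.delay_seconds:
            return 250, f"accepted: listed on {len(hits)} list(s) but retried after {int(waited)}s"
        return 450, f"4.7.1 try again later (listed on {', '.join(sorted(hits))})"


# Constructed DNSBL answers for documentation addresses; nothing is really queried.
SAMPLE_ANSWERS = {
    "10.2.0.192.dnsbl-a.example": "127.0.0.2",
    "10.2.0.192.dnsbl-b.example": "127.0.0.4",
    "5.100.51.198.dnsbl-b.example": "10.9.8.7",   # bogus answer: zone returns non-127 data
}


def sample_lookup(name):
    return SAMPLE_ANSWERS.get(name)


def demo():
    """Walk one listed sender and one clean sender through the policy."""
    zones = ["dnsbl-a.example", "dnsbl-b.example"]
    policy = DelayPolicy(delay_seconds=24 * 3600)
    listed = listings("192.0.2.10", zones, sample_lookup)
    clean = listings("198.51.100.5", zones, sample_lookup)
    t0 = 1_000_000.0
    env = ("192.0.2.10", "a@example.com", "b@example.net")
    return {
        "listed_hits": listed,
        "clean_hits": clean,
        "first_try": policy.decide(*env, listed, now=t0)[0],
        "retry_1h": policy.decide(*env, listed, now=t0 + 3600)[0],
        "retry_25h": policy.decide(*env, listed, now=t0 + 25 * 3600)[0],
        "clean_sender": policy.decide("198.51.100.5", "c@example.org", "b@example.net", clean, now=t0)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `first_seen` table is in memory for brevity; a real front end would persist it and expire old entries, otherwise a restart resets every sender's clock.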
Are you using any sort of IP address that has been flagged by a provider as a dynamic IP address? AOL refuses email from ALL dynamic IP based servers... which kind of sucks for a lot of people that run their own servers.
Let me try to understand this.
While far too many people are willing to jump into Grassy Knoll theories at the drop of a hat that are unsubstantiated, and my theory is unsubstantiated, it nevertheless remains true that foot-dragging on resolving this particular issue will serve to help the larger ISP grow larger at the expense of the smaller ISP.
"Provided by the management for your protection."
When asked why the company is implementing this policy, Bob Harvey, AOL's Minister of Information, said that they had determined that 70% of the emails coming from those IP's was Spam, and the remaining 30% didn't look very important to him anyway.
With all the renewed focus on fighting SPAM it has occurred to me that this could be a good business opportunity. It seems that small business could use someone who could not only help them to nail down mail servers but also someone who has experience with getting issues like being blacklisted resolved. A combination techie and advocate who knew who to call to get issues resolved quickly. Someone who has contacts throughout the industry. Anyone interested?
Did this remind anyone else of the onion 'statshot' feature.
Top-ten reasons: Why are we on e-mail blacklists?
1 - Poor social skills cause instant dislike in anyone we communicate with
2 - Cursed by bequest of Nigerian Uncle's Viagra stockpile
3 - Was unaware that neighbours were advertising us as "live nerd-cam!"
4 - this is slashdot?????
5 - profit!
AOL also requires that your R-DNS matches what you claim your domain name to be.
This is a violation of RFC 2821.
They say that, if someone not on your network can connect to port 25 on your server, then you're an open relay.
I highly doubt that - if so, it would eliminate ALL ISPs who use the same server for inbound as for outbound mail. Which is 90% of small ISPs.
Do you have any links to back up your claims? I find it incredibly hard to believe that techs that are capable of keeping a network the size of AOL's running would be this stupid.
We had a similar problem at the Web Hosting company where I work. Our clients are permitted to set up blanket email forwards to a selected address, that is all email to @ are forwarded without filtering to .. Some of them use AOL accounts, so they end up with SPAM forwarded to them (they asked to get everything so they get EVERYTHING). AOL has a "feature" that permits you to click "this is spam" when you delete it. This generates a SPAM complaint. AOL only looks at the last place that the email was delivered from for these complaints. Enough complaints and that server gets black-listed. So we have our customers getting us listed, even though our servers are NOT open relays, open proxies, require SMTP Auth and that we have a very anti-spam policy as part of our TOS. We have now instituted a policy of not permitting this kind of forwards to AOL accounts. BTW we have re-submitted our servers for testing at http://postmaster.info.aol.com and have been de-listed.
If you do this (redirect port 25 to your mailserver) and use some kind of e-mail filter there (Razor, maybe, combined with Bayesian filter, or whatever makes your clock tick) rejecting what seems to be spam then... voila... nobody will spam from your netblock again and you are free from blacklists!!!
Been there, done that. Some guy running a mailing list will call you saying all the list's email are being rejected, you adjust the filters and go for another cup of Brazilian coffee.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Usually, these blacklists are ignored by the rest of the world, but if AOL was trying to cut down on spam, they may have bought a questionable blacklist
Big ISPs can use the current backlash against spam to further their goals to push small providers out of the market. How? They simply blacklist small ISPs.
When a small ISP's customers get their mail bounced, they immediately complain. Since the ISP can't do anything about it, they will lose customers who can't email their friends who use AOL.
"You spoony bard!" -Tellah
...and we ended up on it also. Had to make a call to their hostmaster in VA, and 120 seconds later it was fixed. I was repeatedly assured that the issue was in no way related to anything particular on my end... they just screwed up while implementing something yesterday morning.
- SBB
help me i've cloned myself and can't remember which one I am
So easy to use, no wonder it's #1!
sulli
RTFJ.
I've found that a lot of users will use email aliases/forwarders to forward all their email to an AOL inbox. They do this for the convenience of reading all their email in a single inbox; since AOL wouldn't set up email aliases/forwards (or do they?) they have the email forwarded to AOL.
Since all of their email is forwarded, this includes the SPAM that they receive. These clients then report the spam... but since it was forwarded from your server, guess who AOL blocks?
AOL has a really bad system for spam. You can report spam that is of any vintage, months or years ago.. and they will count it against you; blacklists are automatically applied, there is no human intervention.
I've had clients with exploitable formmail scripts installed, upon receipt of a complaint the formmail scripts were immediately removed; however, not before thousands of emails were sent to AOL accounts. It took over a month before reports stopped getting filed and we stopped getting blacklisted; regardless of the complaints being over a month obsolete.
Recently we switched a large set of servers to another netblock (yeah, I know sucks). We discovered after that the previous netblock owner had gotten themselves on a bunch of black-lists. Maybe that has something to do with it.
There is a phone number to call... (let me grab it) 703.265.4670. If you call that number, you talk to some actually intelligent and customer service minded AOL people. They will give you a call ticket number if not solve the issue right on the phone, and will follow through (read: call you back) if they can't solve it right away. Miami University got blocked recently, we solved it in this manner. Hope this helps!
I haven't posted in so long, my sig is out of date.
it is possible that a spammer is sending spam with @yourdomain.ext and some phony name. I'm not sure this is dns hijacking, but it is in a sense identity theft. At this stage of the game, your email address is slowly becoming your 'second phone number'. With the current push to make phone numbers transferable between cell phone companies, how long will it be before people want to move between states and have the same thing for email addresses.
Only 'flamers' flame!
Does slashdot hate my posts?
Eh??? Oh Well.
here's their official press release on the matter (from a couple months ago):
This incident appears to have begun when AOL misinterpreted an ordinary commercial spam, from an unknown source, as having come from the University of Oxford. A brief technical examination of the message would have revealed that it had neither originated at Oxford nor passed through any University server.
When the University contacted AOL, through a priority help line for ISPs, AOL denied that any blocking was in place, but said that the queue of problems was such that it would take at least 3 days before they could even begin investigation. In the event, it was about 7 days.
The University, which is not a customer of AOL, responded quickly in bringing this problem to AOL's attention. We would urge AOL customers to contact the company direct if they are dissatisfied with the service they are receiving.
--
My favorite Starbucks T-mobile hotspot got blacklisted by Slashdot once... it got fixed really quickly though, thanks /.
Post your IP range and the sites blocking you, someone will tell you what the problem is.
Does either of your providers use SMTPS (SMTP over SSL - port 465)? This would solve the authentication problem quite handily.
Do either of them use SMTP-AUTH?
If not, then perhaps rather than not paying attention to posts on Slashdot (had you BEEN paying attention you would have seen that I explicitly stated that the ISP should allow port 25 through IF THE CUSTOMER ASKS FOR IT) your time would be better spent trying to get your mail providers to adopt more recent means of preventing abuse.
www.eFax.com are spammers
Sounds like someone was being a bit happy with the wildcards. Why not just block *.*.*.*, that will block ALL the spam?
Just wondering, but when you say anything starting with a 6, does that mean 6.*.*.*, or 6*.*.*.* ?
-Looking for a job as a materials chemist or multivariat
The unfortunate thing about this From field spoofing is that it hits hardest those who have produced most. I have built a dozen medium load sites and foolishly put my email in the metadata of the pages (which was a good thing at first since some people did contact me through it with legitimate reasons to contact me). Now anyone who visits those sites has my email on a page in their local cache and the viri find it and mail out more viri as if from me. Success is its own punishment I guess.
Last Saturday, I discovered that the Class C that our mailservers at work are on was blacklisted by Earthlink for "Dynamic IPs or Open Relays". This class c happened to contain our Dialpool (only 30 IPs, we are a very small ISP). On Monday I emailed them explaining that none of our mail servers were open relays, and the whole class c wasn't dialup (helpfully providing our dialup IP range). They emailed me back 2 hours later explaining that the class c was blacklisted as dialup, and that they had corrected the problem. Pretty painless, really.
ROTFLMAO!!!!!!!!
You've got brains !
This is like a day old. Why can't you just leave it the fuck alone? Fuck you moderators. See you in Meta.
It's much faster to just filter out every email starting with "6" than it is to reverse-lookup all those pesky domains names.
Your post makes no sense.
If your domain is 10 years old that would normally make it *less* likely to be on any spam lists, because you should theoretically be a known entity.
However, you are registered with a .br domain to an IP in LACNIC's Class-A block, which seems a bit dodgy.
Real postmasters are quite easily able to tell the difference between forged addresses and real SMTP relays; so, if you are commonly blacklisted you are probably a spammer. If you just get lots of mail from angry end-users, you have an enemy and you need to find and neutralise that enemy.
But in answer to your question (ignoring all the trollish inconsistencies in your post) you need to put as many humans as necessary on reading your postmaster mail. That's a cost of doing business for you... just like the post office has to handle all that mail addressed to the North Pole every Christmas. It's there, deal with it.
If you can't handle the Email, you need to close up shop and get a new domain name and IP address.
Sorry, but that's how the system is currently set up, and until the big ISPs get serious about policing their networks that's the way it will remain.
I live in Virginia, about 30 minutes from Dulles (where AOL is based). For $25, I'll go beat the crap out of their email admin.
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
Our network that you mentioned as blocked, is not "our" network. They blocked .com.br which is ridiculous. Seriously, they are blocking any e-mail coming from Brazil. Do you really think that:
- @oracle.com.br
- @sun.com.br
- @amcham.com.br (american chamber of commerce)
are sources of spam?
I think you are mistaken about how e-mail works. The bounce goes to the "MAIL FROM:" part of the SMTP connection.
Anyways, thanks for the advice.
I reject all mail from unresolvable domains. You can't talk to us if you are not in the global DNS.
I don't accept incoming mail with an RFC822 target address that does not specify a valid user in my domain, and I don't accept outgoing mail from IP addresses outside my domain. If I did either of these things, I'd be an open relay.
I don't accept outgoing mail with an RFC822 source address that does not specify a valid user in my domain. If I did, my users could spoof their addresses and become spammers.
If a message is not sent either to or from one of my known users, all that happens (on my server) is that a line gets written to my SMTP error log, which is analyzed hourly to create a web page of mail use statistics. Nothing gets queued anywhere, because the message is rejected before the body gets transmitted.
I have no idea how to do all this in qmail. But if qmail can't handle it, you can use sendmail or postfix. Postfix has a secure design (like qmail) if you don't like old-fashioned code monoliths like sendmail. I use sendmail.
I agree that blocking high-level domains is a bad practice. But I block China and Korea anyway on two of my mailservers, because that reduces the spam burden and the users of those servers have no legitimate reason to email anyone in Asia.
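The envelope rules in the post above (unresolvable sender domains, unknown local recipients, relaying from outside the network, and local senders that are not real users, all rejected before DATA and logged) can be expressed as one policy function. This is an added example, not the poster's sendmail configuration; it is the kind of decision a Postfix policy service would return, written in Python over constructed sample envelopes. The `resolvable_domains` set stands in for a real DNS lookup so the example runs offline, and `example.net` with its users and the 192.0.2.0/24 network are placeholders.

```python
"""Envelope-time accept/reject policy for a small mail server (added example).

Every decision is made on client IP, MAIL FROM and RCPT TO, before the body
is transmitted, so rejected messages never touch a queue; each rejection
writes one log line that a periodic stats job can summarise.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class MailPolicy:
    local_domain: str
    local_users: set
    local_networks: list
    resolvable_domains: set            # stand-in for "does this domain exist in global DNS"
    error_log: list = field(default_factory=list)
    reject_counts: Counter = field(default_factory=Counter)

    def _is_local_client(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(net) for net in self.local_networks)

    def _is_local_user(self, address):
        user, _, domain = address.rpartition("@")
        return domain.lower() == self.local_domain and user.lower() in self.local_users

    def _reject(self, client_ip, mail_from, rcpt_to, code, reason):
        self.error_log.append(
            f"reject client={client_ip} from=<{mail_from}> to=<{rcpt_to}> {code} {reason}")
        self.reject_counts[reason] += 1
        return code, reason

    def check(self, client_ip, mail_from, rcpt_to):
        """Return (smtp_code, text); 250 accepts, 550/554 are permanent rejections."""
        sender_domain = mail_from.rpartition("@")[2].lower()
        # The empty sender is how bounces arrive (MAIL FROM:<>), so it is exempt
        # from the resolvability rule; everything else must be in global DNS.
        if mail_from and sender_domain not in self.resolvable_domains:
            return self._reject(client_ip, mail_from, rcpt_to, 550, "sender domain does not resolve")
        if self._is_local_client(client_ip):
            # Outgoing mail: the envelope sender must be one of our own users,
            # otherwise a customer could spoof any address and spam from here.
            if not self._is_local_user(mail_from):
                return self._reject(client_ip, mail_from, rcpt_to, 550, "sender is not a local user")
            return 250, "ok: outgoing"
        # Incoming mail from the outside world must be addressed to one of our users.
        if not self._is_local_user(rcpt_to):
            if rcpt_to.rpartition("@")[2].lower() == self.local_domain:
                return self._reject(client_ip, mail_from, rcpt_to, 550, "no such user")
            return self._reject(client_ip, mail_from, rcpt_to, 554, "relay access denied")
        return 250, "ok: incoming"

    def summary(self):
        """Rejections by reason, the raw material for the hourly statistics page."""
        return dict(self.reject_counts)


# Constructed sample configuration and envelopes (documentation names and addresses).
def demo():
    policy = MailPolicy(
        local_domain="example.net",
        local_users={"alice", "bob"},
        local_networks=["192.0.2.0/24"],
        resolvable_domains={"example.net", "example.com", "example.org"},
    )
    envelopes = [
        ("192.0.2.5", "alice@example.net", "someone@example.com"),      # normal outgoing
        ("192.0.2.5", "fake@example.net", "someone@example.com"),       # spoofed local sender
        ("192.0.2.5", "alice@nonexistent.invalid", "x@example.com"),    # unresolvable domain
        ("198.51.100.9", "ceo@example.com", "bob@example.net"),         # normal incoming
        ("198.51.100.9", "ceo@example.com", "nobody@example.net"),      # unknown local user
        ("198.51.100.9", "ceo@example.com", "victim@example.org"),      # relay attempt
        ("198.51.100.9", "", "alice@example.net"),                      # incoming bounce
    ]
    codes = [policy.check(*env)[0] for env in envelopes]
    return codes, policy.error_log, policy.summary()


if __name__ == "__main__":
    codes, log, summary = demo()
    print(codes)
    print("\n".join(log))
    print(summary)
```

The only deliberate leniency is the empty bounce sender; without it, legitimate delivery failure reports for your own users' outgoing mail would be refused along with the forged ones.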