Overcoming MAPS Reverse-Lookup Oppression?
ArghBlarg asks: "Imagine the following scenario: you're the volunteer admin for a small, non-profit site for a few local artists and musicians. You run your web site and SMTP server out of your laundry room, via cable broadband. The broadband provider doesn't mind, as you only get a few hits a day; you keep your system secure and were only rooted once, over 4 years ago (hey, it happens). Your site has never, ever (to your knowledge) relayed spam. On the whole you've been an exemplary netizen. One day, some email you send bounces because your ISP's entire netblock has been placed on the MAPS DUL. True, your server's IP isn't technically static (though it hasn't changed in 12 months); because your domain is embedded within the broadband provider's larger IP block, reverse lookups don't give your domain name, rather that of the provider (with a huge number prefixed as the hostname). Hence you're considered a rogue SMTP node and blocked by MAPS. I've emailed MAPS but they won't agree to whitelist me. I have a proper MX record for my SMTP server, under my domain name. What can I do? Is there any way to make my legitimate domain take precedence in reverse-lookups, so I don't show up as being part of a spam-friendly network?"
"Please don't bother suggesting that I ask my provider to give me a static IP outside the affected block -- they won't, not without upgrading to a MUCH more expensive package which gives me no benefit for a small-traffic server like this.
What have you done to get your domain, running on a pseudo-static IP, out from under the thumb of the spam block lists? While I wholeheartedly support the efforts of the MAPS people and others like them to stamp out the vermin that are spammers, our domain has become collateral damage in the war!"
That indeed sux.
:(.
But apart from changing ISP, I'm not sure what else you can do
I'm not too hot on the whole issue, but could some kinda mail forwarding work? I'm guessing it wouldn't but it's just a suggestion.
Good luck with it all.
- http://www.milkme.co.uk
You should configure your SMTP server to relay all mail through the ISP's SMTP server. Then people will receive the mail from the ISP, not from you, and presumably they won't be blacklisting the official SMTP server for the ISP (or else you have a bigger problem).
Move to a service provider who takes action against open relay SMTPs. Once enough people move from that provider they will eliminate their spam problem.
I have had this happen on more than one occasion. I have *5* static IPs on a co-located server. Each time, I contact the ISP and they see to the removal of the netblock(s) that are listed on the MAPS lists.
If your ISP is unwilling to have their own netblocks removed from MAPS lists, then you need to consider a new ISP.
~.Evanrude
define(`SMART_HOST',`smtp.myisp.com')dnl
Of course it'll be different if you're using another MTA. MAPS DUL (dialup list) is doing what it's supposed to do. It's listing dynamic address ranges such as cable modems, DSL lines, and dialup numbers. A lot of spam can come from these so people choose to use them to block email that isn't coming from the ISP's mail servers.
Prevent email address forgery. Publish SPF records for y
Why not run email and webhosting separately? Email could always be run through a provider (Flames Burn seems to be focusing on helping independent musicians). Yes, you're small and non-profit but I'm sure your time could be better used than dealing with hassles like these. Pay for the hosting, then spend your time on other stuff for this organization. From the looks of it, and the needs you have, this may be a simpler solution. Of course, I'm not supremely technically versed, and it sort of goes against the hacker mentality leaving this problem unsolved...
That's my EUR 0.016414 anyways.
Small potatoes make the steak look bigger.
Given that it's the ISP, or perhaps their upstream provider that owns the rights to those IP blocks, there's little to nothing that you yourself can do, other than complain to your ISP to get things done. As previous posters stated, perhaps you should find a more friendly ISP that cares about its customers.
Life is full of disappointments. "End to end" is dead. You're going to have to suck it up and pay for commercial Internet connectivity in order to get out of the ghetto. Where I live, business-class cable connections start at around USD 175 per month. If you're lucky, your commercial ISP might even let you update the reverse DNS entries for your IP allocations.
I'm proud of my Northern Tibetian Heritage
Please don't bother suggesting that I ask my provider to give me a static IP outside the affected block -- they won't, not without upgrading to a MUCH more expensive package which gives me no benefit for a small-traffic server like this.
Then you are stuck between a rock and a hard place. You are using a residential class line for business class use. MAPS is right to block residential lines because of all the zombie relay servers that virus writers are including in their payloads now.
Either pay for a business class connection, or use the SMTP server your provider gives you.
It's not the "open internet" that you'd like to see. Live within the limitations this simple, dumb network provides.
Besides, do you honestly expect MAPS to whitelist a dynamic IP? MAPS is not the problem, PEBKAC.
-Adam
You being on the DUL is a good thing. It means less spam from your entire netblock.
This is where you learn to relay your outgoing mail through your upstream provider. You should of course continue to be the MX for your domain for all other purposes.
I know other people have mentioned this, but seriously... No cable or DSL clients should be pretending to be a full-on mail hub. Just use the smtp resources of your upstream provider.
I had to waste a lot of time with ORBS because my company's upstream provider had a larger netblock that we were a part of blacklisted. The people I emailed were quite obnoxious and rude, despite the fact that our servers were secure and never relayed a thing.
And for what? I still see a ton of spam, despite the fact that my ISP uses MAPS.
Conformity is the jailer of freedom and enemy of growth. -JFK
Go sign up for an account with one of the inexpensive web hosts out there. For a few dollars per month you can point your web site's MX record thataway and run your email through their SMTP.
For a small (volume-dependent) fee DynDNS.org will relay outbound mail for you with the 'MailHop Outbound' service. They will also relay inbound mail to your server (on a high port, if need be because of your ISP) with 'MailHop Relay'.
At this point, you'd probably want your DNS hosted through them, as well. On the plus side, this would give your domain a complete and consistent appearance, IP-wise. I believe at this point, you may even be able to add SPF records to your DNS entry as well. (Though I'm not sure if they do the correct thing outbound for SPF.)
The whole shebang would probably still come to less than $100/yr.
The living have better things to do than to continue hating the dead.
Is that what the Internet has become? Forget free speech and the ability to be an independent voice? It's not like that would even make an impact on spam, since most of it comes from China anyway. What exactly constitutes a "full on mail hub" and someone "pretending to be a full on mail hub", and who are you to make that distinction?
1. (You sound like you tried this one) Convince MAPS not to blacklist you. This is unlikely to happen if you're only in the DUL.
2. Convince the people you wish to exchange mail with (who presumably want your mail) to either
a. Stop using MAPS
b. Stop using the DUL
c. Add your server to a local whitelist
Note that gaining control over your reverse DNS listing will not help; DUL is based on netblocks.
3. Get a better ISP. There are options out there that will do what you want, and not all are prohibitively expensive. If your ISP's options are, switch. I've been very happy with speakeasy. They are available to most of the US. If you get one of their very reasonably priced (multiple) static IP packages, you will not be on the DUL. What's better, they will set your reverse DNS to whatever you wish so long as you own the domain in question. Their TOS are also very nice, explicitly permitting you to run your own servers so long as you don't disrupt the network. (They do permit running spam, porn, and irc if it's part of a public irc network, as those tend to disrupt service more often than they don't.) Speakeasy is not the only option... there are other similar ones, but I haven't tried any of them.
4. (As others have said) Use a smarthost for your mail. Receive incoming mail on your own server but configure your outgoing mail to relay through your ISP's gateway. This is trivial with most MTAs. See your documentation for details.
5. Complain to your ISP, and tell them that you're willing to switch if they can't get you onto a netblock that isn't blacklisted. It might work. Their cost to acquire a new customer is relatively high, so they should be interested in accommodating you. Don't just go based on their written policy, though. Talk to a real person, preferably one who would feel the pain of lost revenue.
.sig: file not found
... that only large businesses should be allowed to run mail servers that can send e-mail.
Glad to see so many people here who are interested in maintaining a free system.
-Rusty
You never know...
I don't use MAPS, but do blacklist residential Internet connections, so when people in your situation send me email (as the postmaster for a domain deluged with spam), I offer to whitelist them until I get SPF-based whitelisting implemented. If I am the first to add that technology to sendmail, you'll see a post on sendmail newsgroup.
I can see you have been told the politically correct answer to this situation: "Suck it up, do it for the common good."
But if you are a true American, one question has not yet been answered. What's in it for me? How can I get rich off of this? How do I make them pay?
The answer is simple. Sue Em!
Chances are if you are posting this, you reside within the United States. This makes things more difficult, but not impossible, we just have to be more clever. Our first direction we must look toward in this time of opportunity is toward The Courts. Unfortunately this course will not serve us well. Nothing MAPS does is inherently illegal. Even worse, they have developed a significant volume of caselog to show your average judge that they have a right to do what they do and you have no right to complain. So unless you happen to have a friendly state law or lawmaker in your back pocket (not likely for an indie band) the courts will not likely be of use to you.
Luckily here in the grand old USA, the Courts aren't the only places to extract money from people you don't like. Are you or any of the band members from Canada or Mexico? Can your Latino drummer fake a Mexican accent? If so then you can demand compensation under Section 7 of the NAFTA Treaty, the expatriation clause. While normally this clause only applies to government regulation, there have been complaints brought forth against pseudo-governmental entities (such as industry trade groups and sanctioning bodies) which you could argue the MAPS organization is one of. From there, it's up to them to prove the rules don't apply to them or else you get money. Nothing could be simpler.
There you have it, a simple solution to your problem both short term and long term. Assuming that MAPS survives their major outflow of cash, you will now be able to afford professional internet connectivity free from MAPS blocking. If they don't survive, hey you're free to send emails anyway and you get a tidy bundle of cash (a double victory).
irrespectfully submitted, with tongue firmly in cheek
Minne-snow-da: Winter is coming...
Look at it this way:
;-)
* You route your outgoing IP traffic through your upstream provider.
* You should also route your outgoing SNMP traffic through your upstream provider.
Free Speech? You have *got* to be kidding me
You don't think sending your outgoing traffic upstream negates your ability to be an independent voice, do you? This isn't about running your own mail or being an independent voice, it's about routing traffic. *routing traffic*
This is basic networking-made-simple here.
By "full on mail hub" I mean relaying mail directly from your SMTP server to the To: domain's MX host. If you instead relay the mail to your upstream SMTP server, they can do that for you. You can still be the MX for your domain and receive all of your mail directly.
Note that one of the reasons most of the spam comes from China is because it's /easier/ to send it from there. Any clue as to why? These systems are not perfect, but they do provide pressure.
This isn't a DUL problem as such; it's a problem with its users assuming that, since you're on the DUL, you must be a spammer, instead of just factoring that into some spam filtering heuristic.
:)
:)
Just set up your MTA to use a smarthost for sites which deny mail from you; whether you do that for all hosts or just those which suck is up to you and the capabilities of your MTA. There's not really a lot more you can do; the DUL is doing precisely what it's designed for -- it's the users which are taking "sending mail from a dynamic address range" == "spamming scumbag" which are causing the problem. You just have to route around the damage
In theory it should be possible to set up your MTA to take a rejection from a direct MX send and fall back automatically to a smarthost.. it's probably easier to just do it manually though -- it's not as if everyone is that stupid
For instance, FuitadNET offers a $5/mo package that includes DNS hosting, 3GB of Web Space, 25GB of bandwidth, and 100 e-mail addresses. You'll get better uptime than with a cable modem and shouldn't have to worry about MAPS or ORDB or whatever.
Maxim: People cannot follow directions.
Increases in truth directly with the length of time spent explaining them
There's obviously no real hindrance to free speech, but I just feel that responsible people should be allowed to run whatever servers they want to. The DIY nature of the internet is part of what makes it great, and running your own server is one of the best ways to learn configuration and administration skills.
There are ISPs like Speakeasy that let their customers run servers and even resell their bandwidth. I'd just rather switch to one of them than be complacent to yet another restriction the mainstream providers want put on our access to gain a little convenience on their end.
Absolutely NOBODY is preventing this guy from running whatever server he wants to.
Some people are, however, exercising their own rights to refuse to accept communications from him, for a reason that may or may not be reasonable, valid, or useful.
Vintage computer games and RPG books available. Email me if you're interested.
Absolutely NOBODY is preventing this guy from running whatever server he wants to.
You're right. I was commenting on the grandparent's assertion that the best way to deal with the situation if you don't like it is to take the ISP's advice and just not send your own mail (without relaying through their servers). I think a better approach is to switch to an ISP that gives a crap about your blacklist status, and might even help you get off it.
I have a static IP from Demon internet who have always permitted folk to run their own mail servers, which I do; and I have the same problem for some mail recipients.
Business-class-service NOTHING!; it's morons who don't understand the stupid filtering they use and then can't get emails. So I don't buy ebay from them next time.
I'm thinking of poor road runner users here who only have one choice of ISP; shame they are half cut off from the internet by their cheap-skate ISP.
Demon internet give me a full blown internet service via ADSL. I get what I pay for and I went to Demon internet because of it.
No stupid rules on running servers at my end, no stupid rules about not VPN-ing to work, and a nice static IP address that reverse resolves to ME!
Only 25.00 or so per month.
Sam
blog.sam.liddicott.com
I've got a low-end VDS from JVDS, too, and am very impressed with the quality of the support, and with what I get in performance for my money.
He's not blacklisted. He's accurately listed as being a residential dynamic-assigned user.
The fact that some other mail servers choose not to accept his mail, based on that fact, has nothing to do with his ISP.
Vintage computer games and RPG books available. Email me if you're interested.
So I contacted my ISP's technical support, and they added reverse lookup support as standard on all their packages. It's nice to know that there are companies that'll go that extra mile. Note that I am a home user on f2s's cheapest subscription, and it took less than 24 hours from my enquiry to full support.
Games Workshop Petition
You're just collateral damage in the "War on Spam". I am too. Until people start realizing the amount of false-positives that spam filters catch, the carpet bombing will continue and still catch One company stopped really quickly when they found the spam filtering lost some email orders.
I'm surprised at how unsophisticated some SMTP servers are. They'll take my mail even when I have the wrong $HOSTNAME set. Yet if I'm on their DUL, bounces.
First one is free and isn't likely to happen: ask your ISP to add a reverse DNS record which matches your forward DNS mapping. They'll bitch and whine and say you technically have a dynamic IP and if you want a static to upgrade. Sucks.
Second option: find out if your ISP will allow you to relay your email out through their mail servers. Many will, some won't.
Third option costs $15/year but will work in all cases. Go to pobox.com and sign up for one of their life-time emails. Then configure your MTA to use SASL and to relay all outbound mail to pobox.com's mail servers. I've used this for a few months now and have to say I'm really happy with it.
I use Dynu's Email Store/Forward service for $20 a year.
:)
My ISP used to block incoming 25, and Dynu was my primary MX that could use ETRN to send to "alternate" ports, much like DynDNS.
Now that my ISP has come to their senses and has allowed me to run a mail server, it makes a great inexpensive failsafe in case of routing or power outages.
This is MUCH less than $100/yr
[DISCLAIMER: This post is a work of satire and should not be misconstrued as a holy text upon which to base a religion.]
What exactly constitutes a "full on mail hub" and someone "pretending to be a full on mail hub", and who are you to make that distinction?
A full on mail hub is somebody running a mail server on a connection where they are contractually allowed to run a mail server on that connection.
Nobody gets onto the MAPS DUL (dial up list) that easily. You have to be a netblock that has dynamic IP's (meaning that you can't receive mail anyway, as your IP could change) or has static IP's but has had your ISP confirm to MAPS that yes, your block is not allowed to run a mail server.
You pay for what you get. If you pay for a service that says "no mail servers" and then go and run a mail server, well, you get your ass blocked. You're operating outside your contract already, you've got no real right to bitch about this one.
Want to run a mail server? Buy your connection from someone that allows you to do so.
The internet ain't free, bub. You pay for your connection. In many cases, you can pay less if you use that connection for less. This is standard market economics at work. Most people don't use their connections for everything they can squeeze out of them, and so they get a bargain from their supplier. By trying to get that bargain while exceeding those limitations (in this case, not running a mail server is likely *explicitly* stated in your contract with the ISP), you're essentially being a jackass.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
If you don't want MAPS to hinder your mailability, well, just ignore them. MAPS is a pain in the ass for anyone with a [too-small-to-bribe-maps-admins]-sized e-business. You get MAPS bounces all the time for no apparent reason, they just hate everyone.
The main problem is that sometimes, one man's spam is another man's treasure. I don't think it is up to a central authority to tell me what I can and can't read. I much prefer the client-side flavors of spam filtering, such as bayesian filters (of which a distributed system exists under the name Cloudmark). At least that way the mail still gets around, it is just pre-sorted as Ham, Spam or Unsure. I usually just wipe the "spam"-flagged mail, then quickly peruse the Unsure and Ham folders. In this scenario I am free to read "spam" mail if it happens to be a false-positive, or maybe I'm just curious about Cialis =)
-Billco, Fnarg.com
they won't, not without upgrading to a MUCH more expensive package which gives me no benefit for a small-traffic server like this.
It gives you a big benefit, you get to send email to people.
You can get a hosting account for $4 a month in numerous places that will give you 150-250MB space, 15GB of transfers, unlimited email accounts, mysql, postgresql, and even unlimited domains within that account (you read that right).
I'd love to host stuff on my local machine, but cable is too slow, and it's just a pain in the butt, it's easier to pay someone.
Who would want an address like this:
joe.user@CPE000d42345c2g-CT014250031146.cpe.net.cable.mybroadbandisp.com
Short and to the point!
-Pete
spamhaus blocks whole class B's
This has hassled me to no end.
They are cavalier about it and will not modify their mechanism to be more specific.
In short they suck.
comment directly in my journal
I'm currently POSTing this from a host whose IP has been banned from /. The only crime I committed was inheriting somebody else's cable modem IP (they're semi-dynamic, just as in the story). Sure, I've emailed banned@slashdot.org, but I can't say I'm surprised that they never replied.
In the meanwhile, I browse /. through a proxy at my university, just as the submitter is told to relay SMTP. IP addresses are a horrible method of access control that is easily circumventable* and yet leads to false-positives. Repeat after me: there is no correspondence between IP addresses and machines; any system that assumes otherwise is a bandaid.
Ultimately, if you actually care where packets came from, you should force the sender to digitally sign them.
* If I had done something bad to /., I'd still be doing it through a mixmaster proxy or spoofing my IP.
Thus speaks the obligatory NANAE troll.
If you use your own SMTP server, you get rational standard 3-digit error responses when (eg) the recipient's email is invalid, mailbox full, whatever.
If you use a smarthost, the error response is wrapped up in a verbose email, so you have to implement automated handling, parsing, error code extraction, working out which email address it refers to, and all the rest.
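
The bounce handling described in the last comment, as an added example that is not part of any post in this thread: a Python sketch that reads the delivery-status report a smarthost mails back and recovers, per recipient, the status and the 3-digit SMTP code. It assumes the smarthost sends RFC 3464 `multipart/report` bounces; the host names, addresses, Message-ID, `parse_bounce` and `sent_ids` are all made up for illustration.

```python
import email
import re

# Constructed sample of the multipart/report (RFC 3464) bounce a smarthost
# mails back. Host names, addresses and the Message-ID are made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@smtp.myisp.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

This is the mail system at smtp.myisp.example. Delivery problems follow.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; smtp.myisp.example

Final-Recipient: rfc822; alice@example.org
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 User unknown

Final-Recipient: rfc822; bob@example.net
Action: delayed
Status: 4.2.2
Diagnostic-Code: smtp; 452 4.2.2 Mailbox full

--BOUND
Content-Type: text/rfc822-headers

From: admin@artists.example
Message-ID: <constructed-1@artists.example>

--BOUND--
"""

SMTP_REPLY = re.compile(r"\s*smtp\s*;\s*(\d{3})\b", re.IGNORECASE)
KINDS = {"2": "delivered", "4": "transient", "5": "permanent"}

def parse_bounce(raw, sent_ids):
    """Return (Message-ID, per-recipient results), or None if not a DSN for sent mail."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or str(msg.get_param("report-type", "")).lower() != "delivery-status"):
        return None  # free-form bounce text: leave it for a human
    original_id, results = None, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status" and part.is_multipart():
            # The stdlib parser exposes each header block as a sub-message.
            for block in part.get_payload():
                rcpt = block.get("Final-Recipient")
                if rcpt is None:
                    continue  # per-message block (Reporting-MTA and so on)
                status = block.get("Status", "").strip()
                reply = SMTP_REPLY.match(block.get("Diagnostic-Code", ""))
                results.append({"recipient": rcpt.split(";", 1)[-1].strip(),
                                "status": status, "kind": KINDS.get(status[:1], "unknown"),
                                "smtp_code": int(reply.group(1)) if reply else None})
        elif ctype == "text/rfc822-headers":
            original_id = email.message_from_string(part.get_payload())["Message-ID"]
    # Bounces are easy to forge (backscatter): act only on reports that quote
    # a Message-ID this server really sent.
    if original_id is None or original_id.strip() not in sent_ids:
        return None
    return original_id.strip(), results
```

Checking the quoted Message-ID against the set of IDs the server logged on send is what ties a bounce to a specific outgoing message and keeps forged bounces from removing valid addresses.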