Slashdot Mirror

← Back to Stories (view on slashdot.org)

Overcoming MAPS Reverse-Lookup Oppression?

Posted by Cliff on from the all-servers-do-not-have-proper-reverse-lookups dept.

ArghBlarg asks: "Imagine the following scenario: you're the volunteer admin for a small, non-profit site for a few local artists and musicians. You run your web site and SMTP server out of your laundry room, via cable broadband. The broadband provider doesn't mind, as you only get a few hits a day; you keep your system secure and were only rooted once, over 4 years ago (hey, it happens). Your site has never, ever (to your knowledge) relayed spam. On the whole you've been an exemplary netizen. One day, some email you send bounces because your ISP's entire netblock has been placed on the MAPS DUL. True, your server's IP isn't technically static (though it hasn't changed in 12 months); because your domain is embedded within the broadband provider's larger IP block, reverse lookups don't give your domain name, rather that of the provider (with a huge number prefixed as the hostname). Hence you're considered a rogue SMTP node and blocked by MAPS. I've emailed MAPS but they won't agree to whitelist me. I have a proper MX record for my SMTP server, under my domain name. What can I do? Is there any way to make my legitimate domain take precedence in reverse-lookups, so I don't show up as being part of a spam-friendly network?" "Please don't bother suggesting that I ask my provider to give me a static IP outside the affected block -- they won't, not without upgrading to a MUCH more expensive package which gives me no benefit for a small-traffic server like this.

What have you done to get your domain, running on a pseudo-static IP, out from under the thumb of the spam block lists? While I wholeheartedly support the efforts of the MAPS people and others like them to stamp out the vermin that are spammers, our domain has become collateral damage in the war!"

5 of 97 comments (clear)

  1. Talk to your provider.... by Evanrude · · Score: 1, Interesting

    I have had this happen on more than one occasion. I have *5* static IPs on a co-located server. Each time, I contact the ISP and they see to the removal of the netblock(s) that are listed on the MAPS lists.

    If your ISP is unwilling to have their own netblocks removed from MAPS lists, then you need to consider a new ISP.

    --

    ~.Evanrude
  2. You have a few options by petard · · Score: 2, Interesting

    1. (You sound like you tried this one) Convince MAPS not to blacklist you. This is unlikely to happen if you're only in the DUL.

    2. Convince the people you wish to exchange mail with (who presumably want your mail) to either
    a. Stop using MAPS
    b. Stop using the DUL
    c. Add your server to a local whitelist

    Note that gaining control over your reverse DNS listing will not help; DUL is based on netblocks.

    3. Get a better ISP. There are options out there that will do what you want, and not all are prohibitively expensive. If you ISP's options are, switch. I've been very happy with speakeasy. They are available to most of the US. If you get one of their very reasonably priced (multiple) static IP packages, you will not be on the DUL. What's better, they will set your reverse DNS to whatever you wish so long as you own the domain in question. Their TOS are also very nice, explicitly permitting you to run your own servers so long as you don't disrupt the network. (They do permit running spam, porn, and irc if it's part of a public irc network, as those tend to disrupt service more often than they don't.) Speakeasy is not the only option... there are other similar ones, but I haven't tried any of them.

    4. (As others have said) Use a smarthost for your mail. Receive incoming mail on your own server but configure your outgoing mail to relay through your ISP's gateway. This is trivial with most MTAs. See your documentation for details.

    5. Complain to your ISP, and tell them that you're willing to switch if they can't get you onto a netblock that isn't blacklisted. It might work. Their cost to acquire a new customer is relatively high, so they should be interested in accomodating you. Don't just go based on their written policy, though. Talk to a real person, preferably one who would feel the pain of lost revenue.

    --
    .sig: file not found
  3. Re:Relay through ISP by Fweeky · · Score: 2, Interesting

    Plus you tend to loose things like TLS, and of course being a single node for all mail for an ISP can make them a little slow and unreliable.

    The best solution is probably to get your own server on a static IP and smarthost through that; since it's entirely under your control you know it's not going to get some handy config change which breaks your mail, nor is it likely to go away for hours on end while it's broken/fixed/upgraded without warning.

  4. Re:Well DUH... by squiggleslash · · Score: 4, Interesting
    The "you must use the ISP's smarthost" thing has a number of consequences which you happily ignore by using the tired and frequently abused "It's only a small minority" argument.

    The first is that this method of "spam prevention" provides pretty much no spam prevention whatsoever. Insofar as it provides any protection, it's from a small minority of unsecured open relays present in older operating systems, which happens to be an extremely specific bug and a very easy issue to deal with.

    The second is that this method makes configurationless email impossible. You HAVE to configure your MTA to point at a specific smarthost. You HAVE to change this if you use a different ISP. And if you regularly use more than one ISP, then you have to reconfigure every time you connect.

    The third is that the "small minority" argument is bogus to begin with. Point at any activity on the Internet and you can claim it's a small minority. Slashdot, for instance, regularly causes problems for websites by linking to them. Only a "small minority" read Slashdot. Therefore it is legitimate to block Slashdot. You can work on it to any degree. The World Wide Web would never have gotten off the ground if the "small minority" people had decided to block it as a bandwidth waster from the beginning.

    The fourth is that hacks like this undermine the integrity of the email infrastructure. By frequently imposing arbitrary rules, you guarantee the failure of legitimate email. You force system administrators and end users to frequently make minor and unnecessary changes to the configuration of their systems.

    The fifth is that better anti-spam systems exist, but ISPs lack the will and desire to operate them. Blacklists are an easy way out, their proven ineffectiveness is testament to the stubborness and power-tripping of the groups that operate and subscribe to them. We have more spam on our systems now than ever before.

    Yes, SMTP email wasn't designed to cope with the spam phenominem, but this isn't helping. Solutions need to be sane, they need to block spam or spammers, and not block on an arbitrary "well, a spammer might use this" basis. There's been far too much support for things that do not work, it's time to switch to things that do.

    Oh, and I'm an expert. I do know what I'm talking about. I operate my own SMTP servers, wouldn't touch an ISP that doesn't let me, and thanks to that pretty much never receive spam (perhaps once per organization I've done business with at most.) We could eliminate spam tomorrow if ISPs had the guts to implement the systems needed. Unfortunately, they don't.

    --
    You are not alone. This is not normal. None of this is normal.
  5. Re:Well DUH... by Anonymous Coward · · Score: 1, Interesting
    Over 70% of all spam comes from dynamic IP addresses.
    So the ISP would lie?
    The 'criteria' in question is a dynamic address - since you asked us to do something about spam, and since there is no valid reason why a dynamically assigned address needs to talk directly to our mail server, we do block connections from them.
    So the ISP is stupid too? Or can neither you nor the ISP really think of a single reason why a machine might be configured to send email directly?
    If the client had correctly configured their mail server (instead of simply making excuses), you wouldn't have noticed a problem."
    The client has correctly configured their mail server. It follows the RFCs. It sends email to the destination. They've simply not followed arbitrary rules imposed by the idiot (if you're really to be believed and they really cannot possibly comprehend of a single reason why a machine might want to talk to their mail server directly if they're on a dynamic IP) receiving ISP.
    Considering the fact that the first part of that statement is *provably* false (and the second is - at best - debatable), what do you hope to accomplish by crying about it here?
    The first part of that statement is provably correct. A dynamic IP address is not in any shape or form a signifier of spam. Anyone who suggests it is is an idiot. I've sent email from dynamic IP addresses before. Are you saying that it was spam?

    Or is this a "well, we sometimes get email from dynamic IP addresses that's spam therefore it's legitimate" argument? In which case, why are you bothering to receive SMTP at all? After all, 100% of emailed spam is sent via SMTP!

    It's idiots like you that are breaking the Internet. Use systems that identify spam, not systems that are implemented for the sake of it.