Slashdot Mirror

← Back to Stories (view on slashdot.org)

Overcoming MAPS Reverse-Lookup Oppression?

Posted by Cliff on from the all-servers-do-not-have-proper-reverse-lookups dept.

ArghBlarg asks: "Imagine the following scenario: you're the volunteer admin for a small, non-profit site for a few local artists and musicians. You run your web site and SMTP server out of your laundry room, via cable broadband. The broadband provider doesn't mind, as you only get a few hits a day; you keep your system secure and were only rooted once, over 4 years ago (hey, it happens). Your site has never, ever (to your knowledge) relayed spam. On the whole you've been an exemplary netizen. One day, some email you send bounces because your ISP's entire netblock has been placed on the MAPS DUL. True, your server's IP isn't technically static (though it hasn't changed in 12 months); because your domain is embedded within the broadband provider's larger IP block, reverse lookups don't give your domain name, rather that of the provider (with a huge number prefixed as the hostname). Hence you're considered a rogue SMTP node and blocked by MAPS. I've emailed MAPS but they won't agree to whitelist me. I have a proper MX record for my SMTP server, under my domain name. What can I do? Is there any way to make my legitimate domain take precedence in reverse-lookups, so I don't show up as being part of a spam-friendly network?" "Please don't bother suggesting that I ask my provider to give me a static IP outside the affected block -- they won't, not without upgrading to a MUCH more expensive package which gives me no benefit for a small-traffic server like this.

What have you done to get your domain, running on a pseudo-static IP, out from under the thumb of the spam block lists? While I wholeheartedly support the efforts of the MAPS people and others like them to stamp out the vermin that are spammers, our domain has become collateral damage in the war!"

15 of 97 comments (clear)

  1. Relay through ISP by crow · · Score: 5, Informative

    You should configure your SMTP server to relay all mail through the ISP's SMTP server. Then people will receive the mail from the ISP, not from you, and presumably they won't be blacklisting the official SMTP server for the ISP (or else you have a bigger problem).

    1. Re:Relay through ISP by Saganaga · · Score: 3, Informative

      I second this recommendation. This is exactly what I do for my home email server (on Roadrunner cable) and my church's email server (on Onvoy DSL). Both email servers are using QMail.

      The only possible negative I see to relaying through your ISP's SMTP server is that it introduces another possible point of failure, but that seems to be an acceptable tradeoff.

  2. Use SmartHost by FattMattP · · Score: 4, Informative
    What can I do?
    Easy. You just need to configure your MTA to relay your outgoing mail through your ISPs SMTP server. In Sendmail this would look like the following in sendmail.mc

    define(`SMART_HOST',`smtp.myisp.com')dnl

    of course it'll be different if you're using another MTA. MAPS DUL (dialup up list) is doing what it's supposed to do. It's listing dynamic address ranges such as cable modems, DSL lines, and dialup numbers. A lot of spam can come from these so people choose to use them to block email that isn't coming from the ISPs mail servers.

    --
    Prevent email address forgery. Publish SPF records for y
  3. Well by The-Bus · · Score: 3, Insightful

    Why not run email and webhosting separately? Email could always be run through a provider (Flames Burn seems to be focusing on helping independent musicians). Yes, you're small and non-profit but I'm sure your time could be better used than dealing with hassles like these. Pay for the hosting, then spend your time on other stuff for this organization. From the looks of it, and the needs you have, this may be a simpler solution. Of course, I'm not supremely technically versed, and it sort of goes against the hacker mentality leaving this problem unsolved...

    That's my EUR 0.016414 anyways.

    --

    Small potatoes make the steak look bigger.

  4. Well DUH... by stienman · · Score: 3, Insightful

    Please don't bother suggesting that I ask my provider to give me a static IP outside the affected block -- they won't, not without upgrading to a MUCH more expensive package which gives me no benefit for a small-traffic server like this.

    Then you are stuck between a rock and a hard place. You are using a residential class line for business class use. MAPS is right to block residential lines because of all the zombie relay servers that virus writers are including in their payloads now.

    Either pay for a business class connection, or use the SMTP server your provider gives you.

    It's not the "open internet" that you'd like to see. Live within the limitations this simple, dumb network provides.

    Besides, do you honestly expect MAPS to whitelist a dynamic IP? MAPS is not the problem, PEBKAC.

    -Adam

    1. Re:Well DUH... by Anonymous Coward · · Score: 3, Funny

      tell them that some ISPs use a list to block incoming email from certain IP addresses that match certain criteria, and that unfortunately your IP address matches that criteria. That puts the onus on the receiver of the email to either figure out a solution, or lose the customer who wanted to receive the email.
      Lemme get this straight. They're supposed to complain each time they don't receive an email. And they would know when this is happening exactly how?

      That's like taking class attendence by asking everyone who isn't there today to please raise their hands.

    2. Re:Well DUH... by squiggleslash · · Score: 4, Interesting
      The "you must use the ISP's smarthost" thing has a number of consequences which you happily ignore by using the tired and frequently abused "It's only a small minority" argument.

      The first is that this method of "spam prevention" provides pretty much no spam prevention whatsoever. Insofar as it provides any protection, it's from a small minority of unsecured open relays present in older operating systems, which happens to be an extremely specific bug and a very easy issue to deal with.

      The second is that this method makes configurationless email impossible. You HAVE to configure your MTA to point at a specific smarthost. You HAVE to change this if you use a different ISP. And if you regularly use more than one ISP, then you have to reconfigure every time you connect.

      The third is that the "small minority" argument is bogus to begin with. Point at any activity on the Internet and you can claim it's a small minority. Slashdot, for instance, regularly causes problems for websites by linking to them. Only a "small minority" read Slashdot. Therefore it is legitimate to block Slashdot. You can work on it to any degree. The World Wide Web would never have gotten off the ground if the "small minority" people had decided to block it as a bandwidth waster from the beginning.

      The fourth is that hacks like this undermine the integrity of the email infrastructure. By frequently imposing arbitrary rules, you guarantee the failure of legitimate email. You force system administrators and end users to frequently make minor and unnecessary changes to the configuration of their systems.

      The fifth is that better anti-spam systems exist, but ISPs lack the will and desire to operate them. Blacklists are an easy way out, their proven ineffectiveness is testament to the stubborness and power-tripping of the groups that operate and subscribe to them. We have more spam on our systems now than ever before.

      Yes, SMTP email wasn't designed to cope with the spam phenominem, but this isn't helping. Solutions need to be sane, they need to block spam or spammers, and not block on an arbitrary "well, a spammer might use this" basis. There's been far too much support for things that do not work, it's time to switch to things that do.

      Oh, and I'm an expert. I do know what I'm talking about. I operate my own SMTP servers, wouldn't touch an ISP that doesn't let me, and thanks to that pretty much never receive spam (perhaps once per organization I've done business with at most.) We could eliminate spam tomorrow if ISPs had the guts to implement the systems needed. Unfortunately, they don't.

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:Well DUH... by drsmithy · · Score: 4, Insightful
      The first is that this method of "spam prevention" provides pretty much no spam prevention whatsoever. Insofar as it provides any protection, it's from a small minority of unsecured open relays present in older operating systems, which happens to be an extremely specific bug and a very easy issue to deal with.

      It's not just open relays, it's also all those machines that have been taken over by trojans with built-in SMTP engines.

  5. Learning the hard way, eh? by darksmurf · · Score: 3, Informative

    You being on the DUL is a good thing. It means less spam from your entire netblock.

    This is where you learn to relay your outgoing mail through your upstream provider. You should of course continue to be the MX for your domain for all other purposes.

    I know other people have mentioned this, but seriously... No cable or DSL clients should be pretending to be a full-on mail hub. Just use the smtp resources of your upstream provider.

  6. These "services" suck by duffbeer703 · · Score: 4, Insightful

    I had to waste alot of time with ORBS because my company's upstream provider had a larger netblock that we were a part of blacklisted. The people I emailed were quite obnoxious and rude, despite the fact that our servers were secure and never relayed a thing.

    And for what? I still see a ton of spam, despite the fact that my ISP uses MAPS.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  7. Use MailHop Outbound from DynDNS.org by dpilot · · Score: 3, Informative

    For a small (volume-dependent) fee DynDNS.org will relay outbound mail for you with the 'MailHop Outbound' service. They will also relay inbound mail to your server (on a high port, if need be because of your ISP) with 'MailHop Relay'.

    At this point, you'd probably want your DNS hosted through them, as well. On the plus side, this would give your domain a complete and consistent appearance, IP-wise. I believe at this point, you may even be able to add SPF records to your DNS entry as well. (Though I'm not sure if they do the correct thing outbound for SPF.)

    The whole shebang would probably still come to less than $100/yr.

    --
    The living have better things to do than to continue hating the dead.
  8. Well, it looks like the consensus is... by rusty0101 · · Score: 5, Insightful

    ... that only large businesses should be allowed to run mail servers that can send e-mail.

    Glad to see so many people here who are interested in maintaining a free system.

    -Rusty

    --
    You never know...
  9. Other alternatives. by Passman · · Score: 3, Funny

    I can see you have been told the politically correct answer to this situation: "Suck it up, do it for the common good."

    But if you are a true American, one question has not yet been answered. What's in it for me? How can I get rich off of this? How do I make them pay?

    The answer is simple. Sue Em!

    Chances are if you are posting this, you reside within the United States. This makes things more difficult, but not impossible, we just have to be more clever. Our first direction we must look toward in this time of opportunity is toward The Courts. Unfortunately this course will not serve us well. Nothing MAPS does is inherently illegal. Even worse, they have developed a significant volume of caselog to show your average judge that they have a right to do what they do and you have no right to complain. So unless you happen to have a friendly state law or lawmaker in you back pocket (not likely for an indie band) the courts will not likely be of use to you.

    Luckily here in the grand old USA, the Courts aren't the only places to extract money from people you don't like. Are you or any of the band members from Canada or Mexico? Can your latino drummer fake a mexican accent? If so then you can demand compensation under Section 7 of the NAFTA Treaty, the expatriation clause. While normally this clause only applies to government regulation, there have been complaints brought forth against psudo-governmental entities (such as industry trade groups and sanctioning bodies) which you could argue the MAPS organization is one of. From there, it's up to them to prove the rules don't apply to them or else you get money. Nothing could be simpler.

    There you have it, a simple solution to your problem both short term and long term. Assuming that MAPS survives their major outflow of cash, you will now be able to afford professional internet connectivity free from MAPS blocking. If they don't survive, hey your free to send emails anyway and you get a tidy bundle of cash (a double victory).

    irrespectfully submitted, with tounge firmly in cheek
    --
    Minne-snow-da: Winter is comming...
  10. Re:Only corps should be free to run their own mail by SuiteSisterMary · · Score: 3, Insightful
    but I just feel that responsible people should be allowed to run whatever servers they want to.

    Absolutely NOBODY is preventing this guy from running whatever server he wants to.

    Some people are, however, exercising their own rights to refuse to accept communications from him, for a reason that may or may not be reasonable, valid, or useful.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  11. Re:Only corps should be free to run their own mail by SuiteSisterMary · · Score: 3, Informative

    He's not blacklisted. He's accurately listed as being a residential dynamic-assigned user.

    The fact that some other mail servers choose not to accept his mail, based on that fact, has nothing to do with his ISP.

    --
    Vintage computer games and RPG books available. Email me if you're interested.