Slashdot Mirror


The Hostile Email Landscape (liminality.xyz)

An anonymous reader writes: As we consolidate on just a few major email services, it becomes more and more difficult to launch your own mail server. From the article: "Email perfectly embodies the spirit of the internet: independent mail hosts exchanging messages, no host more or less important than any other. Joining the network is as easy as installing Sendmail and slapping on an MX record. At least, that used to be the case. If you were to launch a new mail server right now, many networks would simply refuse to speak to you. The problem: reputation. ... Earlier this year I moved my personal email from Google Apps to a self-hosted server, with hopes of launching a paid mail service à la Fastmail on the same infrastructure. ... I had no issues sending to other servers running Postfix or Exim; SpamAssassin happily gave me a 0.0 score, but most big services and corporate mail servers were rejecting my mail, or flagging it as spam: Outlook.com accepted my email, but discarded it. GMail flagged me as spam. MimeCast put my mail into a perpetual greylist. Corporate networks using Microsoft's Online Exchange Protection bounced my mail."

20 of 217 comments

  1. Don't Know How You Made That Conclusion by 0xG · · Score: 4, Informative

    I run a small email system ~2500 users and don't have your problems...

    --
    A pox on web designers who feel that window.innerWidth == screen.availWidth
    1. Re:Don't Know How You Made That Conclusion by beelsebob · · Score: 5, Informative

      More likely, the original poster simply has his DNS misconfigured in some weird way, and doesn't know it.

    2. Re:Don't Know How You Made That Conclusion by Anonymous Coward · · Score: 5, Informative

      I second that emotion. Current *big* players are trying to limit spam and phishing, and require a few ducks in a row before you stop getting caught in their filters. I suspect proper analysis of the configurations and logs would pinpoint the issue. DNS would be a quick start but the problem could be in a few places depending on what mail implementation he's using. On another note, is it possible OP's domain has been used for spam/phishing in the past? The uni I work at has dealt with blacklists in the past and it was merely a case of spoofing and those adding us to blacklists didn't do their diligence in tracking it down properly. *Posted anon so as to not get fired*

    3. Re:Don't Know How You Made That Conclusion by acoustix · · Score: 4, Informative

      I run a small email system ~2500 users and don't have your problems...

      You probably have a dedicated/static IP and it isn't tainted from others who have used it before you.

      For people trying to run their own email server at home it can be a real pain. ISPs blocking 25 and 587. DHCP means that your IP pool has a bad reputation. Etc...

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
    4. Re: Don't Know How You Made That Conclusion by Anonymous Coward · · Score: 4, Informative

      Probably no SPF or TXT records

    5. Re:Don't Know How You Made That Conclusion by MyFirstNameIsPaul · · Score: 4, Informative

      You need to go to their stupid new Postmaster service and 'fix' the 'issues'. I observed the exact same behavior for mail servers that hadn't changed a DNS record or even IP address in years roughly around the same time they launched this new 'service'. Coincidence? I think not.

      --

      I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

    6. Re:Don't Know How You Made That Conclusion by bsdasym · · Score: 3, Informative

      I'm with you here. OP sounds like he's just being paranoid and probably is not quite properly set up. I set up a new domain last month with its own self-hosted email and had no problems at all getting email through to any of the major providers. To avoid trouble, you need at a minimum:
      - An IP address in a block that doesn't already have a terrible reputation.
      - Working, correct reverse DNS that matches the SMTP banner.
      - Working, correct forward DNS for the MX records that also matches the SMTP banner.
      - Correct SPF/TXT records covering your mailserver, even if you know SPF is stupid.
      - A mailserver not configured as an open relay (duh).

      With all this in place, I have had no problems getting through on a system with a domain and mail handling less than a week old.

    7. Re:Don't Know How You Made That Conclusion by Anonymous Coward · · Score: 5, Informative

      +1
      Rejections in my experience have nearly always been related to the PTR record, which needs to be pointing to the domain actually sending the email, not the domain name in the email address. My limited understanding is this:

      So if my email address matt@example.com uses mail.isp.com on port 25 to send email then the PTR for the IP address isp.com sends from needs to say mail.isp.com... not example.com as you might expect.

      When isp.com talks to another SMTP server it will be asked to identify itself. The server should reply with its FQDN and it is this that the PTR record for the server's IP needs to point to. Even if that server hosts hundreds of websites and email accounts.

      I believe most VPS hosts allow this to be changed to whatever you want if you are given a fixed ip address. If they don't allow this to be changed then problems will occur and if you are handling emails you need to check before signing up. The PTR record is not applicable to a domain but to an IP address. You can only have one PTR record for an IP address.

      That is if my memory serves correctly. When I set up email servers, I always seem to forget this until I do sending tests to yahoo and other big boys. Then I set it properly and things behave.

      Other problems happen if using microsoft exchange and the srv fields in txt records for the dns are not set exactly right. Though I don't have to fiddle with this for obvious reasons.


    8. Re: Don't Know How You Made That Conclusion by slasher999 · · Score: 4, Informative

      Missing spf records were the first thing I thought of as well. That isn't a silver bullet by any means but can certainly help your ratings while you are new and building a reputation.
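Several comments in this thread (bsdasym's checklist, slasher999, MightyMartian, AntiSol) say "add an SPF record" without showing what a receiver actually does with it. The following is an added example, not code from the thread or from any of the posters: a minimal evaluator for the common SPF mechanisms (ip4, a, mx, include, all) per RFC 7208, run against a stub resolver so it works offline. The zone data, the domains (example.net, isp-smtp.example, nospf.example) and the IP addresses are constructed for illustration; in real use the stub's txt/a/mx methods would be replaced with live DNS queries (e.g. via dnspython).

```python
"""Minimal SPF evaluation (added example; not from the thread)."""
import ipaddress

# Constructed zone data standing in for real DNS answers.
ZONE = {
    "txt": {
        "example.net": ["v=spf1 mx ip4:203.0.113.0/24 include:isp-smtp.example -all"],
        "isp-smtp.example": ["v=spf1 a:out.isp-smtp.example ~all"],
        "nospf.example": ["some unrelated text"],
    },
    "a": {
        "mail.example.net": ["198.51.100.25"],
        "out.isp-smtp.example": ["192.0.2.10"],
    },
    "mx": {
        "example.net": ["mail.example.net"],
    },
}


class StubResolver:
    """Answers lookups from the constructed ZONE; swap for real DNS in production."""

    def __init__(self, zone):
        self.zone = zone

    def txt(self, name):
        return self.zone["txt"].get(name, [])

    def a(self, name):
        return self.zone["a"].get(name, [])

    def mx(self, name):
        return self.zone["mx"].get(name, [])


RESOLVER = StubResolver(ZONE)

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(resolver, domain):
    """Return the single v=spf1 TXT record for domain, or None if absent/ambiguous."""
    recs = [r for r in resolver.txt(domain) if r.startswith("v=spf1 ")]
    # RFC 7208: exactly one record is required; zero means "none", more is an error.
    return recs[0] if len(recs) == 1 else None


def check_spf(resolver, domain, ip, depth=0):
    """Evaluate domain's SPF policy for sending IP `ip`.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Only ip4, a, mx, include and all are implemented; anything else
    (ip6, ptr, exists, redirect=) yields permerror in this toy.
    """
    if depth > 10:  # RFC 7208 caps the include chain to stop loops
        return "permerror"
    record = spf_record(resolver, domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    ip_str = str(addr)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            # IPv6 senders never match an ip4 mechanism.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip_str in resolver.a(arg or domain)
        elif name == "mx":
            matched = any(ip_str in resolver.a(h) for h in resolver.mx(arg or domain))
        elif name == "include":
            matched = check_spf(resolver, arg, ip_str, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no trailing "all"
```

Note how the "mx" mechanism ties SPF back to the MX and A records the rest of the thread argues about: if those are wrong, "v=spf1 mx -all" covers nothing and every message fails.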

    9. Re:Don't Know How You Made That Conclusion by houghi · · Score: 1, Informative

      Script kiddies. Even if the provider doesn't block ports, all email should rightfully be blocked as there is no Reversed DNS. And by all things practical, a reversed DNS is only possible with a fixed IP.

      And that is only for outgoing email. Letting incoming email depend on a non-fixed IP could lead to serious problems. It could mean somebody else receives your email on your (previous) IP address.

      Also: if the provider leaves port 25 open for non-fixed IP addresses (we are unable to run an email server, because they do not get reversed IP) it opens the ports for a shitload of extra spam from people who have no idea how to close their server as a relay server.

      I was a script kiddie, played with it to learn and now I don't have incoming mail and use my provider for outgoing mail.

      --
      Don't fight for your country, if your country does not fight for you.
    10. Re: Don't Know How You Made That Conclusion by MightyMartian · · Score: 4, Informative

      Missing SPF and possibility of being on one of the RBLs. I had that problem when we switched to a new ISP, and the address block we were given had ended up on Spamcop. It took a bit of doing, but within a day it was cleared up.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    11. Re: Don't Know How You Made That Conclusion by ttucker · · Score: 3, Informative

      Adding DKIM signatures helps a lot too.

    12. Re:Don't Know How You Made That Conclusion by ttucker · · Score: 3, Informative

      Having DKIM setup, and a legitimate signed TLS certificate helps some too.

    13. Re: Don't Know How You Made That Conclusion by AntiSol · · Score: 3, Informative

      yep, SPF and DKIM records make a big difference. Also a PTR record (so that your IP resolves to e.g hostname.yourdomain.com rather than youraccount.yourwebhost.com) helps.

    14. Re: Don't Know How You Made That Conclusion by postbigbang · · Score: 3, Informative

      Just having an .xyz TLD would be enough for me to bounce it. Without a single regret, I've bounced most of the new TLDs and for good reason: not a single message wasn't spam.

      Can't count the number of .eu messages that are caught up in this, as well as anything from .cn-- as we have zero business coming from China, ever. Same goes for a lot of other country TLDs..... the ISPs serving them up don't care if I send an abuse complaint, in fact, most bounce an abuse complaint.

      --
      ---- Teach Peace. It's Cheaper Than War.
    15. Re: Don't Know How You Made That Conclusion by mikael · · Score: 3, Informative

      That's not having your own email server unfortunately. Having the one true local email server is being able to send emails directly to other hosts. That works OK if you have a static commercial IP address. It will also work if you have a dynamic IP address and use your ISP's SENDMAIL, IMAP and POP3 servers. But if you try and send Email straight out from your dynamic IP address, it will get clobbered by various spam filters which filter out dynamic IP addresses (this range has been blocked due to past spam activity) based on registered domain ranges.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  2. Re:Do your due diligence... by unrtst · · Score: 4, Informative

    ...and set up SPF entries and reverse DNS. Also make sure Postfix is locked down and not acting as an open relay. It really is not that hard, this article comes off as whiny "I can't do it, so the world is against me" at best.

    Did you even read the article? There's not much more than the summary, but there he does make note that reverse DNS and SPF records, among other things, were set up:

    I've done this before, ...: not on any blacklists, reverse DNS set up, SPF, DKIM and DMARC policies in place, etcetera. (Side note: mail-tester.com and Port25 are great for checking your setup.)

    The near-conclusion quote is his real point:

    ...from Microsoft's Postmaster Troubleshooting page:

    IPs not previously used to send email typically don’t have any reputation built up in our systems. As a result, emails from new IPs are more likely to experience deliverability issues. Once the IP has built a reputation for not sending spam, Outlook.com will typically allow for a better email delivery experience.

  3. Lose the .xyz TLD by JimMcc · · Score: 4, Informative

    My guess is that the problem lies in the fact that the OP is using a garbage TLD. I've configured our mail server to silently drop all traffic from many of the new garbage TLDs, including .xyz. It does wonders for cutting down the spam levels. Sadly it's just a new version of Whack-a-Mole. Neither I, nor any of my users, appear to have gotten a legitimate email from any of these domains. I'll bet if the OP were to use a more traditional TLD, like .com, .uk, etc. there wouldn't be problems.

  4. Re:Sorry, use a smarthost to give yourself a boost by tepples · · Score: 3, Informative

    Simple way to boost your reputation is to simply configure a smarthost to send outgoing mail securely.

    That boosts the smarthost's reputation, not yours, unless I'm missing something fundamental.

  5. Re:Settings to check: by tlambert · · Score: 1, Informative

    Read the article. Except for #1 and #5, he explicitly says he did all of these things.

    Do I trust him, or do I trust the contents of his DNS server? I think I'm going to go with the DNS server.

    dig -t MX geekmail.io
    geekmail.io. 899 IN MX 10 mail.geekmail.io.

    nslookup mail.geekmail.io
    Non-authoritative answer:
    Name: mail.geekmail.io
    Address: 139.162.197.129

    host 139.162.197.129
    129.197.162.139.in-addr.arpa domain name pointer geekmail.io. ----- OOPS
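The three manual lookups above are the MX -> A -> PTR loop that bsdasym's checklist and the PTR comment earlier in the thread describe. As an added example (not tlambert's code, nor anything from the article), here is that check written out so it can be run against any domain and HELO name: the MX host must resolve to an address whose PTR resolves back (forward-confirmed reverse DNS) and whose PTR name matches both the MX host and the name the server announces in EHLO. It uses a stub resolver with constructed records so it runs offline; the "bad" record set (example.org, 192.0.2.25) is constructed to reproduce the pattern in tlambert's output, where the PTR names the bare domain rather than the MX host. In real use the stub would be replaced by live DNS queries.

```python
"""Sender DNS consistency check (added example; not from the thread)."""


class StubResolver:
    """Serves constructed mx/a/ptr records; replace with real lookups in practice."""

    def __init__(self, mx, a, ptr):
        self._mx, self._a, self._ptr = mx, a, ptr

    def mx(self, name):
        return self._mx.get(name, [])

    def a(self, name):
        return self._a.get(name, [])

    def ptr(self, ip):
        return self._ptr.get(ip, [])


# Constructed "good" zone: MX host, A record and PTR all name the same host.
GOOD = StubResolver(
    mx={"example.net": ["mail.example.net"]},
    a={"mail.example.net": ["198.51.100.25"]},
    ptr={"198.51.100.25": ["mail.example.net"]},
)

# Constructed "bad" zone mirroring the OOPS above: PTR names the bare domain,
# not the MX host. Reverse DNS is forward-confirmed, yet banner != PTR.
BAD = StubResolver(
    mx={"example.org": ["mail.example.org"]},
    a={"mail.example.org": ["192.0.2.25"], "example.org": ["192.0.2.25"]},
    ptr={"192.0.2.25": ["example.org"]},
)


def check_sender_dns(resolver, domain, helo_name):
    """Return (ok, findings) for every address behind domain's MX records.

    helo_name is the FQDN the server sends in HELO/EHLO; receivers compare
    it with the PTR of the connecting IP, so it is checked here too.
    """
    findings = []
    mx_hosts = resolver.mx(domain)
    if not mx_hosts:
        return False, ["no MX record for %s" % domain]
    for host in mx_hosts:
        addrs = resolver.a(host)
        if not addrs:
            findings.append("MX host %s has no A record" % host)
            continue
        for ip in addrs:
            ptrs = resolver.ptr(ip)
            if not ptrs:
                findings.append("%s (%s) has no PTR record" % (host, ip))
                continue
            # Forward-confirmed reverse DNS: some PTR name must resolve back to ip.
            if not any(ip in resolver.a(p) for p in ptrs):
                findings.append("%s: PTR %s does not resolve back to %s"
                                % (ip, ", ".join(ptrs), ip))
            # The PTR should name the mail host itself, not just the domain.
            if host not in ptrs:
                findings.append("%s: PTR is %s but the MX host is %s"
                                % (ip, ", ".join(ptrs), host))
            # The EHLO banner must match the PTR as well.
            if helo_name not in ptrs:
                findings.append("%s: HELO name %s does not match PTR %s"
                                % (ip, helo_name, ", ".join(ptrs)))
    return not findings, findings


if __name__ == "__main__":
    for label, resolver, domain in (("good", GOOD, "example.net"),
                                    ("bad", BAD, "example.org")):
        ok, notes = check_sender_dns(resolver, domain, "mail." + domain)
        print(label, "OK" if ok else "PROBLEMS")
        for note in notes:
            print("  -", note)
```

Running the two constructed zones through it, the "good" one comes back clean and the "bad" one reports that the PTR names the domain rather than the MX host and that the EHLO name does not match the PTR, which is exactly the condition the receivers in the summary penalise.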