The Hostile Email Landscape (liminality.xyz)
An anonymous reader writes: As we consolidate on just a few major email services, it becomes more and more difficult to launch your own mail server. From the article: "Email perfectly embodies the spirit of the internet: independent mail hosts exchanging messages, no host more or less important than any other. Joining the network is as easy as installing Sendmail and slapping on an MX record. At least, that used to be the case. If you were to launch a new mail server right now, many networks would simply refuse to speak to you. The problem: reputation. ... Earlier this year I moved my personal email from Google Apps to a self-hosted server, with hopes of launching a paid mail service à la Fastmail on the same infrastructure. ... I had no issues sending to other servers running Postfix or Exim; SpamAssassin happily gave me a 0.0 score, but most big services and corporate mail servers were rejecting my mail, or flagging it as spam: Outlook.com accepted my email, but discarded it. GMail flagged me as spam. MimeCast put my mail into a perpetual greylist. Corporate networks using Microsoft's Online Exchange Protection bounced my mail."
Maybe your little email server is old enough to escape the now-current hostility?
... to this new Brave New Internet.
Fighting SPAM has been easy since the beginning. In the early 2k years, most of the SPAM fighting techniques were already somewhat prototyped on the mailing lists I was following,
Now, 15 years later, I think I know why nobody did anything for a decade and a half - control. Now it's God Damn easy to drop someone from the mail system - you can render a company inoperative if it dares to run its own mail system.
And so, for "safety", you need to pay for some big corporation to run it for you - while harvesting your mail in the process.
Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
IPs not previously used to send email typically don’t have any reputation built up in our systems. As a result, emails from new IPs are more likely to experience deliverability issues. Once the IP has built a reputation for not sending spam, Outlook.com will typically allow for a better email delivery experience.
Sounds like a Catch-22: "We won't accept email from a new server until the server has successfully delivered lots of email."
Well, there's spam egg sausage and spam, that's not got much spam in it.
0. Previous RBL history for the IP address and the block
1. Not being an open relay for any amount of time while setting up
2. Reverse DNS
3. SPF
4. SMTP server host name
5. Retry delay not less than 1 hour.
And e-mail starts running.
It's usually the case when the reverse lookup doesn't point back to the same domain/name as the server identifies itself with.
And it's the ISP that needs to change the pointer from some generic name to a specific one.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
I run my own email server as well. But it's not as simple as an MX record. I use domainkeys and spf as well. None of the major services flag me as spam.
Agree. I run my own e-mail servers for a few domains and have no trouble at all. You need to be absolutely 100% sure that you aren't operating an open relay, or you'll be blacklisted immediately. You also need correctly configured STARTTLS with a valid certificate signed by a widely accepted root. Most relays will reject mail if STARTTLS is not used. Reverse DNS helps but isn't 100% essential. You want reverse DNS to resolve to something in the same domain. For example, if people connect to the server as mail.domain.com but reverse DNS calls it srv1.domain.com, that will be accepted by the vast majority of relays. If you want Google/Yahoo/Outlook to accept your mail you need DKIM signing, which involves generating key pairs, putting the public keys in DNS and configuring your mail server to sign messages. Correctly configured SPF improves your reputation, too.
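The reverse-DNS advice in this comment and in the earlier one about the PTR not pointing back to the server's own name is what receivers check as "forward-confirmed reverse DNS" (FCrDNS): the connecting IP must have a PTR record, the PTR name must resolve back to that IP, and ideally the name should be in the sending domain rather than a generic ISP label. The script below is an added example, not code from the article or from any commenter; it uses a constructed in-memory zone on documentation IP ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) in place of a real resolver, and its "generic name" and "same domain" tests are deliberately crude heuristics, labelled as such in the comments.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed DNS data for the example (documentation ranges only, no real hosts).
FAKE_ZONE: Dict[str, List[str]] = {
    # well-configured host: PTR and A agree, name is inside the sending domain
    "10.2.0.192.in-addr.arpa": ["srv1.example.net"],
    "srv1.example.net": ["192.0.2.10"],
    "mail.example.net": ["192.0.2.10"],
    # residential-looking name assigned by an ISP, forward-confirmed but generic
    "20.100.51.198.in-addr.arpa": ["cpe-198-51-100-20.dyn.example-isp.com"],
    "cpe-198-51-100-20.dyn.example-isp.com": ["198.51.100.20"],
    # PTR points to a name that forward-resolves to a different address
    "31.113.0.203.in-addr.arpa": ["mail.example.org"],
    "mail.example.org": ["203.0.113.99"],
    # 203.0.113.30 has no PTR record at all
}

def fake_resolve(name: str, rtype: str) -> List[str]:
    """Stub resolver; a real deployment would issue PTR/A queries (e.g. via dnspython)."""
    return FAKE_ZONE.get(name.rstrip(".").lower(), [])

# Labels commonly seen in ISP-assigned pool names (heuristic, not a standard list).
GENERIC_LABELS = {"dyn", "dynamic", "dhcp", "pool", "cpe", "dsl", "cable", "ppp"}

def registrable(name: str) -> str:
    """Crude 'same domain' test: keep the last two labels. A production check would
    consult the Public Suffix List so that e.g. 'co.uk' is not treated as a domain."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def looks_generic(ptr: str, ip: str) -> bool:
    """Heuristic for 'dialup'-style names: the address octets are embedded in the
    hostname, or one label marks a dynamic/residential pool."""
    octets = ip.split(".")
    embedded = "-".join(octets) in ptr or ".".join(octets) in ptr
    return embedded or any(label in GENERIC_LABELS for label in ptr.lower().split("."))

def check_reverse_dns(ip: str, ehlo_name: str,
                      resolve: Callable[[str, str], List[str]] = fake_resolve) -> dict:
    """Run the three FCrDNS-style checks for a connecting IP and its EHLO name."""
    addr = ipaddress.ip_address(ip)
    ptrs = resolve(addr.reverse_pointer, "PTR")   # e.g. '10.2.0.192.in-addr.arpa'
    result = {"ptr": None, "fcrdns": False, "same_domain": False, "generic": False}
    if not ptrs:
        return result
    ptr = ptrs[0].rstrip(".").lower()
    result["ptr"] = ptr
    result["fcrdns"] = ip in resolve(ptr, "A")    # PTR name must resolve back to the IP
    result["same_domain"] = registrable(ptr) == registrable(ehlo_name)
    result["generic"] = looks_generic(ptr, ip)
    return result

def verdict(ip: str, ehlo_name: str,
            resolve: Callable[[str, str], List[str]] = fake_resolve) -> str:
    """Turn the checks into the kind of decision a receiving MTA makes."""
    r = check_reverse_dns(ip, ehlo_name, resolve)
    if r["ptr"] is None:
        return "reject: no PTR record"
    if not r["fcrdns"]:
        return "reject: PTR does not resolve back to the IP"
    if r["generic"]:
        return "suspect: ISP-generic name, ask the ISP for a custom PTR"
    if not r["same_domain"]:
        return "suspect: PTR is outside the sending domain"
    return "ok"

if __name__ == "__main__":
    for ip, ehlo in [("192.0.2.10", "mail.example.net"),
                     ("198.51.100.20", "mail.example.org"),
                     ("203.0.113.30", "mail.example.org"),
                     ("203.0.113.31", "mail.example.org")]:
        print(f"{ip:15} EHLO {ehlo:18} -> {verdict(ip, ehlo)}")
```

The order of the checks mirrors how the thread ranks the problems: a missing or non-matching PTR is the hard failure most relays reject on, while a generic ISP name or a PTR in a different domain only lowers trust. To use it against live DNS, replace fake_resolve with a function that performs real PTR and A lookups.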
Who in their right mind runs an email server without a static IP?
If you want news from today, you have to come back tomorrow.
Missing spf records were the first thing I thought of as well. That isn't a silver bullet by any means but can certainly help your ratings while you are new and building a reputation.
If his domain is the incredibly stupid http://liminality.xyz/ then yes, he is missing SPF records. Use mxtoolbox.com to check.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
He's doing it wrong. Most probably he's not using SPF nor signing with domainkeys. That's expected today by most providers.
If he's especially naive he's operating an open relay, which will warrant him to be blacklisted FAST.
Another cause is, he could be operating his mail server from a "dialup" IP range, one declared as being assigned to residential connectivity, which are usually blacklisted. I disagree with this practice, but that's how things go.
Also most providers now require TLS support. So you need to generate certificates (self signed is not enough, but your own unofficial CA is enough usually, but make sure you're not using SHA1).
Also, I happened to configure a mail server on a newly acquired IP from a hosting company a year ago or so and the IP they gave me was already tainted as being on a few blacklists. This can be solved too. I took the pain to discover which blacklists and followed their procedures to be taken out. Sometimes it was some automated procedure which just requested the server to be scanned again to make sure it follows best practices (as stated above). Other times I had to politely ask and in one case even have the provider confirm the IP was actually reassigned.
After this I have not seen a single email being rejected as spam.
Operating mailservers could have been easy in the '80s and first half of the '90s when most mail servers really were open relays and nobody cared, just because nobody was taking advantage of that. Nowadays it's become complicated because even the slightest misconfiguration will be attacked and exploited. It's in the general interest to request mail servers to be configured to a minimum standard that is getting relatively high, or we could really lose control of the email system.
There are several factors that I've seen with my mail server.
1) Do not try to work over a standard ISP service - one that assigns your IP dynamically - because most blacklists and major corporations blacklist dynamic IP pools
2) Don't host in any of those cheap virtual hosting services - many of them are also blacklisted
3) Setup DKIM signing (sendmail config and DNS record)
4) Setup SPF DNS record
Basically, one has to avoid running one's mail server someplace that is cheap because that is where the SPAMers put their mail servers as well (because they are cheap and easier to do anonymously).
SPF is stupid because everyone thinks it's OK to use ~all instead of -all.
Every time I get one of those "here's the document you requested" infected emails, it's spoofed as coming from a domain that has an ~all.
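The complaint about ~all versus -all, and the earlier advice that a correctly configured SPF record improves reputation, come down to how a receiver evaluates the record: -all yields a "fail" that most MTAs reject on, while ~all yields a "softfail" that usually only adds to a spam score, so a spoofed message still gets delivered. The evaluator below is an added example, not code from the article or any commenter; it implements the ip4, include and all mechanisms of SPF (RFC 7208) over a constructed set of TXT records for invented example domains, and receiver_action encodes a typical, not universal, receiver policy.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed TXT records for the example (domains and addresses are invented).
FAKE_TXT: Dict[str, List[str]] = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.relay.example -all"],
    "lax.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.relay.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    # nospf.example publishes no record at all
}

def fake_txt(domain: str) -> List[str]:
    """Stub TXT lookup; a real deployment would query DNS for the domain's TXT records."""
    return FAKE_TXT.get(domain.rstrip(".").lower(), [])

# SPF qualifiers and the result each one produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(domain: str, sender_ip: str,
                 resolve_txt: Callable[[str], List[str]] = fake_txt, depth: int = 0) -> str:
    """Minimal SPF evaluator supporting ip4, include and all.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    records = [r for r in resolve_txt(domain) if r.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:                 # more than one v=spf1 record is a hard error
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced domain's record says "pass"
            if evaluate_spf(arg, sender_ip, resolve_txt, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"           # a, mx, ip6, exists, ... are not implemented here
    return "neutral"                     # no mechanism matched and no "all" term

def receiver_action(spf_result: str) -> str:
    """Typical receiver policy (assumed for the example): only 'fail' is a hard reject;
    'softfail' merely nudges the spam score, which is why ~all lets spoofed mail through."""
    return {
        "pass": "accept",
        "fail": "reject",
        "softfail": "accept, add spam score",
    }.get(spf_result, "accept, no SPF signal")

if __name__ == "__main__":
    for domain in ("strict.example", "lax.example", "nospf.example"):
        result = evaluate_spf(domain, "203.0.113.5")   # an IP neither domain authorises
        print(f"{domain:15} spoofed from 203.0.113.5 -> {result:8} -> {receiver_action(result)}")
```

Running it shows the point of the comment: for the same unauthorised sender, strict.example produces fail and is rejected, lax.example produces softfail and is accepted with a score, and a domain with no record gives the receiver nothing to act on.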
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016