On Wed, 6 Oct 2004, Jon Bertrand wrote:
> In the course of doing business with "Company X" we received a bounce
> saying they no longer accept mail from us. Digging deeper brought this
> fairly extreme response:
> [quote]
> Company X has implemented a number of anti-spam measures that
> require adherence to standards and best practices with regards to the
> sending server and message content.
> One of the measures is to block direct-MX connections from dsl, cable
> and dial-up networks. In your case, the reverse DNS entry for your
> server's IP address is "h-66-166-42-108.dnvtco56.covad.net". We block
> all connections from ".covad.net". This does not affect the normal
> Covad mail servers.
This is not unusual and unfortunately every ISP that does PTR blocking
of dialup and dynamically assigned DSL IPs (and about 20% of ISPs do now
and this is increasing) does it in their own way and often relies on
multiple regex expressions to decide what is a dialup and DSL PTR
designation; obviously this has its misses, and particularly for DSL
it may not be clear if this is a residential-class dynamic DSL or
business static DSL IP.
The better solution is to have a standard that allows ISPs to specify which
of their IPs should and should not be used for outgoing email. The best
is to use SPF records for this purpose, adding them with the new "PTR" scope
to the name pointed to by the IP's PTR. The only way we can convince ISPs to do it,
however, is if we provide a standard for it and if they knew that a
number of mail providers are now checking these PTR records as part of the
UnifiedSPF system.
> There are a couple easy solutions to this blocking. The first is to
> relay through your ISP's server. If your server is connected with a
> Static IP address, your ISP may be willing to update the reverse DNS
> entry for that IP to specify that it is your mail server. The second
> solution is ideal, but not always available.
Let's be clear - this depends on the AUP of your ISP. Your ISP may not actually
allow you to run a mail server on your residential DSL line and if that is
so - you should respect their policies or you risk being found out and
that they will terminate service entirely. If they do allow running a mail
server and you have static IPs, most ISPs will change the reverse DNS name
per your request to their tech support.
> If you have any other questions, please do not hesitate to contact an
> administrator via email at emailhelp(_at_)udlp(_dot_)com(_dot_) That address
> is not subject to the blocking.
> [/quote]
> My initial reaction was
> 1) SPF + Reputation Based System beats "just shut off all DSL."
Email reputation technologies are right now at the very, very beginning of
the development stage. It may be some time before we agree on standards for
reputation that are acceptable to everybody.
> 2) Relay - no way, it just complicates things
Depends how large you are. If you run a personal mail server just for
yourself, this would probably be easier than anything else.
Remember the ISP is there to help you and to provide the service that
you're paying for, and relaying email from their customers is part of
such service (this is what they do for all other customers who do not run
their own mail server).
> 3) Change the DNS - wow, is this a common thing to do?
Yes.
> So, is this a common thing? Is this idea gaining ground?
Yes.
> In a world with spf1 what's a good response to this?
The correct response is to bring ISPs into this picture and have ISPs, by
means of SPF records, designate which of their IPs are in fact used by
dialup and dynamic DSL clients that are not supposed to send email. If the ISP
does not work well with their customers, UnifiedSPF should provide a way to
override the PTR scope by means of other SPF scope records.
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
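Added example (not from the thread or from either poster): a small Python model of the PTR-based filtering Company X describes, showing why the reply calls such regex heuristics a source of misses. The PTR table is constructed so it runs offline (the covad.net hostname is the one quoted above; the other names, the regex patterns and the function names are assumptions), and the "dsl-static" entry is a business static DSL host that the heuristic wrongly lumps in with dynamic ones.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed stand-in for reverse DNS lookups so the example runs offline.
# The covad.net name is the one quoted in the thread; the rest are made up.
PTR_TABLE = {
    "66.166.42.108": "h-66-166-42-108.dnvtco56.covad.net",
    "198.51.100.7": "dsl-static-7.example-isp.net",   # business static DSL (constructed)
    "203.0.113.9": "mail.example.com",                # dedicated mail host (constructed)
    "192.0.2.44": "dyn-44.cable.example-isp.net",     # dynamic cable line (constructed)
}

# Assumed heuristics of the kind a PTR-blocking ISP relies on. Each is a
# guess about naming conventions, which is why such filters have misses.
DYNAMIC_PATTERNS = [
    # generic access-type labels: dsl, cable, dialup, ppp, dyn, dynamic
    re.compile(r"(^|[.-])(dsl|cable|dialup|dial|ppp|dyn|dynamic)([.-]|$)", re.I),
    # address-derived labels such as h-66-166-42-108
    re.compile(r"(^|[.-])h?-?\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}([.-]|$)", re.I),
]

# Blanket suffix block, as Company X described for ".covad.net".
BLOCKED_SUFFIXES = (".covad.net",)


def reverse_name(ip: str) -> Optional[str]:
    """Return the PTR name for ip from the constructed table (None if absent)."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return PTR_TABLE.get(ip)


def classify(ip: str) -> Tuple[str, str]:
    """Classify a connecting IP the way a PTR-blocking MX might.

    Returns (verdict, ptr_name) with verdict one of
    no-ptr / blocked-suffix / looks-dynamic / ok.
    """
    name = reverse_name(ip)
    if name is None:
        return ("no-ptr", "")
    lowered = name.lower()
    if lowered.endswith(BLOCKED_SUFFIXES):
        return ("blocked-suffix", name)
    if any(p.search(lowered) for p in DYNAMIC_PATTERNS):
        return ("looks-dynamic", name)
    return ("ok", name)


if __name__ == "__main__":
    for addr in PTR_TABLE:
        print(addr, *classify(addr))
```

Run stand-alone it prints one verdict per constructed entry; the static DSL host is flagged alongside the dynamic ones, which is the false positive the reply warns about.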