spf-discuss

Re: Extreme times call for extreme measures?

2004-10-06 18:47:14

On Wed, 6 Oct 2004, Jon Bertrand wrote:

> In the course of doing business with "Company X" we received a bounce
> saying they no longer accept mail from us.  Digging deeper brought this
> fairly extreme response:

> [quote]
> Company X has implemented a number of anti-spam measures that
> require adherence to standards and best practices with regards to the
> sending server and message content.
>
> One of the measures is to block direct-MX connections from DSL, cable
> and dial-up networks.  In your case, the reverse DNS entry for your
> server's IP address is "h-66-166-42-108.dnvtco56.covad.net".  We block
> all connections from ".covad.net".  This does not affect the normal
> Covad mail servers.

This is not unusual, and unfortunately every ISP that does PTR blocking
of dialup and dynamically assigned DSL IPs (and about 20% of ISPs do now,
and this is increasing) does it in their own way and often relies on
multiple regex expressions to decide what is a dialup and DSL PTR
designation. Obviously this has its misses, and particularly for DSL
it may not be clear if this is a residential-class dynamic DSL or
business static DSL IP.

The better solution is to have a standard that allows ISPs to specify which
of their IPs should and should not be used for outgoing email. The best
is to use SPF records for this purpose, adding them with a new "PTR" scope
to the name pointed to by the IP's PTR. The only way we can convince ISPs
to do it, however, is if we provide a standard for it and if they knew that
a number of mail providers are now checking these PTR records as part of
the UnifiedSPF system.

> There are a couple of easy solutions to this blocking.  The first is to
> relay through your ISP's server.  If your server is connected with a
> static IP address, your ISP may be willing to update the reverse DNS
> entry for that IP to specify that it is your mail server.  The second
> solution is ideal, but not always available.

Let's be clear - this depends on the AUP of your ISP. Your ISP may not actually
allow you to run a mail server on your residential DSL line, and if that is
so, you should respect their policies or you risk being found out and
having them terminate service entirely. If they do allow running a mail
server and you have static IPs, most ISPs will change the reverse DNS name
per your request to their tech support.

> If you have any other questions, please do not hesitate to contact an
> administrator via email at emailhelp(_at_)udlp(_dot_)com(_dot_)  That address
> is not subject to the blocking.
> [/quote]

> My initial reaction was
>
>   1) SPF + Reputation Based System beats "just shut off all DSL."
Email reputation technologies are right now at the very, very beginning of
the development stage. It may be some time before we agree on standards for
reputation that are acceptable to everybody.

>   2) Relay - no way, it just complicates things
Depends how large you are. If you run a personal mail server just for
yourself, this would probably be easier than anything else.

Remember the ISP is there to help you and to provide the service that
you're paying for, and relaying email from their customers is part of
such service (this is what they do for all other customers who do not run
their own mail server).

>   3) Change the DNS - wow, is this a common thing to do?
Yes.
 
> So, is this a common thing?  Is this idea gaining ground?
Yes.

> In a world with spf1 what's a good response to this?

The correct response is to bring ISPs into this picture and have ISPs, by
means of SPF records, designate which of their IPs are in fact used by
dialup and dynamic DSL clients that are not supposed to send email. If the ISP
does not work well with their customers, UnifiedSPF should provide a way to
override the PTR scope by means of other SPF scope records.

-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
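As an added illustration (not part of the thread, and not code from Company X or UnifiedSPF), a minimal PTR-name policy in Python of the kind the bounce and the reply describe: a whole-domain suffix block like Company X's, regex heuristics for dynamic pools, and an explicit designation list that overrides both, standing in locally for the ISP-published designation the reply proposes. The regex list and every hostname other than the one quoted from the bounce are constructed.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Regexes for PTR names that look like dynamically assigned dialup/cable/DSL
# pools. Constructed for this example; each receiving site tunes its own list,
# which is why results differ from one receiver to the next.
DYNAMIC_PTR_PATTERNS = [
    re.compile(r"^h-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\."),          # the bounce's h-66-... form
    re.compile(r"(^|[.-])(dsl|cable|dialup|dyn|dhcp|pool)[.-]"),  # pool keywords
    re.compile(r"^(ip|host|cust)?-?\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}[.-]"),
]

# Company X's blunt rule from the bounce: reject every PTR under the ISP domain.
BLOCKED_SUFFIXES = (".covad.net",)

@dataclass
class Verdict:
    action: str   # "accept" or "reject"
    reason: str

def classify_ptr(ptr: Optional[str],
                 designated: FrozenSet[str] = frozenset()) -> Verdict:
    """Accept/reject an SMTP client based only on its reverse DNS name.
    `designated` lists hostnames explicitly declared as outgoing mail hosts
    (a local stand-in for an ISP-published designation); it beats heuristics."""
    if not ptr:
        return Verdict("reject", "no PTR record")
    name = ptr.rstrip(".").lower()
    if name in designated:
        return Verdict("accept", "designated mail host")
    if name.endswith(BLOCKED_SUFFIXES):
        return Verdict("reject", "suffix blocked")
    for pat in DYNAMIC_PTR_PATTERNS:
        if pat.search(name):
            return Verdict("reject", f"dynamic-looking PTR ({pat.pattern})")
    return Verdict("accept", "no dynamic indicator")

if __name__ == "__main__":
    # The hostname from the bounce plus constructed ones. "dsl-static-17" shows
    # the miss described in the reply: a static business line rejected by a
    # keyword heuristic until it is designated; smtp.covad.net models the
    # exemption Company X keeps for the ISP's own mail servers.
    designated = frozenset({"dsl-static-17.example.net", "smtp.covad.net"})
    for host in ["h-66-166-42-108.dnvtco56.covad.net", "smtp.covad.net",
                 "dsl-static-17.example.net", "mail.example.com", None]:
        plain, overridden = classify_ptr(host), classify_ptr(host, designated)
        print(f"{str(host):40} {plain.action:7} -> {overridden.action:7} {plain.reason}")
```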