Server/mail/naming setup theory
Jason Stephenson
jason at sigio.com
Mon Apr 19 17:54:01 EDT 2004
Dan Jenkins wrote:
>> I've also configured my mail server at work to block incoming mail
>> from adsl, cable, and dial-up IPs and host names. This is because all
>> of the mail that we receive from those domains is spam.
>
>
> ;-) Including mine? And Derek's? (Of course, ours goes through the list
> before getting to you.)
Well, this is at my day job. I have my own mail server at home where I
get mail from GNHLUG. At work I block incoming connections from a list
of domains. I maintain this list manually. I use exim, so it's a file
using a wildcardlsearch. It matches on partial names, i.e.
*.client2.attbi.com. I also have a separate, smaller list of IP numbers.
Something only gets added to these lists after it has been used to send
us spam. It drops the connection at HELO with a message of 550 Access
Denied.
As I mentioned, I haven't found the time to set up anti-spam measures at
home.
>
>> When a machine connects to send us mail, our mail server does a
>> reverse DNS look up on their IP. It ignores what is sent in the HELO,
>> unless the other machine is sending our own IP or host name in the
>> HELO, in which case the connection is rejected.
>
>
> Do you just verify that there is a reverse DNS? Or do you verify that
> the reverse matches the forward? I'm curious.
It does a reverse lookup on the sending IP, and not what they give us in
HELO. It also does a sender verify. Seems my rules aren't so stringent
that machines with no host name get dropped. I've checked and mail gets
through even if a reverse lookup fails.
>
> When I started trying to block spam that way a few years ago, I had to
> remove that as being too aggressive. I found that most reverse DNS
> didn't map to their forward hostname. I also found that, at that time,
> many mail servers had hostnames which didn't resolve, or had no reverse
> DNS. This was from companies like Kollsman Instrument, Fidelity
> Investments, PSNH, etc. Out of the 15 members of the board of directors
> of a non-profit whom I ran the mail server for, 11 of them were unable
> to send email after blocking spam that way. (Whether this is a comment
> on the actual content of the board is another matter. ;-) I had to drop
> that level of spam blocking for the board to communicate with the
> non-profit's CEO. It is always a trade-off between blocking spam or
> losing a potential sale or important email. Most of my clients are more
> concerned about the latter than the former - of course, while still
> complaining about spam. (I had a client who almost lost a $50,000 deal
> due to a single missed email.)
>
When I first switched us to exim from sendmail, I forgot just how
pedantic exim can be. We weren't getting mail from one of our vendors
because their mail server had an illegal character in its name. Seems
Microsoft allows one to configure host names that are illegal according
to published standards for Internet naming conventions. I had to allow
this character specifically in HELO in order for us to get their mail.
Ironically, it's a company that does most of our networking, and their
mail admin fails to see that it's a problem that their mail server has
an invalid host name.
I've noticed that a lot of the UBE software is very poorly written. Our
mail server refuses a lot of connections on the simple basis of the
client not following SMTP.
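As an added illustration, not code from this thread or from exim, here is a small Python model of the connection-time policy Jason describes: reject a HELO that names our own host or IP, reject a syntactically invalid HELO name (with a per-site exception for one tolerated character, as he had to grant for the vendor), consult a hand-maintained wildcard host list and an IP list, and do a reverse lookup on the connecting IP that feeds the host list but is not enforced when it fails. It also records whether the reverse name is forward-confirmed, the distinction Dan asks about, without acting on it. Every DNS record, address and block-list entry below is constructed for the example; the resolver is a lookup into those tables so the code runs offline, and the wildcard matching is a simplified reading of exim's lookup, not its exact semantics.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed sample DNS data (assumption: a stand-in for a real resolver).
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mail.example.net",                # reverse and forward agree
    "192.0.2.20": "c-192-0-2-20.client2.attbi.com",  # falls under a blocked pattern
    "192.0.2.40": "host.example.com",                # forward does not point back
}
A_RECORDS: Dict[str, str] = {
    "mail.example.net": "192.0.2.10",
    "host.example.com": "192.0.2.41",
}

# Our own identity (constructed): a HELO claiming to be us is rejected outright.
OUR_IP = "203.0.113.5"
OUR_HOSTNAME = "mx.example.org"

# Hand-maintained lists, as in the post. "*.domain" matches any host under that
# domain (simplified reading of exim's wildcard lookup, not its exact semantics).
BLOCKED_HOST_PATTERNS: List[str] = ["*.client2.attbi.com", "*.dialup.example-isp.net"]
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def wildcard_match(hostname: str, pattern: str) -> bool:
    """True if hostname falls under a '*.domain' pattern or equals a plain entry."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower()
    if pat.startswith("*."):
        return host.endswith(pat[1:])  # keeps the leading dot, so 'evilclient2.attbi.com' is not matched
    return host == pat


def is_valid_hostname(name: str, extra_chars: str = "") -> bool:
    """RFC 1123-style hostname syntax check. extra_chars grants a site-specific
    exception for one otherwise-illegal character, as the post describes having to do."""
    name = name.rstrip(".")
    if not 1 <= len(name) <= 253:
        return False
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789-") | set(extra_chars.lower())
    for label in name.split("."):
        if not 1 <= len(label) <= 63 or label[0] == "-" or label[-1] == "-":
            return False
        if any(c not in allowed for c in label.lower()):
            return False
    return True


def is_address_literal(helo: str) -> bool:
    """RFC 5321 permits 'HELO [192.0.2.1]'; treat that form as syntactically valid."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.ip_address(helo[1:-1])
            return True
        except ValueError:
            return False
    return False


def check_connection(client_ip: str, helo: str,
                     ptr_lookup: Callable[[str], Optional[str]] = PTR_RECORDS.get,
                     a_lookup: Callable[[str], Optional[str]] = A_RECORDS.get,
                     helo_extra_chars: str = "") -> dict:
    """Decide accept/reject for one inbound SMTP connection at HELO time."""
    result = {"ip": client_ip, "helo": helo, "ptr": None, "fcrdns": False}

    def reject(reason: str) -> dict:
        result.update(action="reject", code=550, reason=reason)
        return result

    # 1. A client announcing itself as our own host or IP is lying; drop it.
    if helo.lower().rstrip(".") == OUR_HOSTNAME or helo.strip("[]") == OUR_IP:
        return reject("HELO claims our own identity")
    # 2. HELO must be a legal hostname (or an address literal), modulo the site exception.
    if not (is_address_literal(helo) or is_valid_hostname(helo, helo_extra_chars)):
        return reject("HELO is not a valid hostname")
    # 3. Hand-maintained IP block list.
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in BLOCKED_NETWORKS):
        return reject("client IP is on the block list")
    # 4. Reverse lookup on the connecting IP, ignoring whatever HELO said.
    ptr = ptr_lookup(client_ip)
    result["ptr"] = ptr
    if ptr is not None:
        if any(wildcard_match(ptr, p) for p in BLOCKED_HOST_PATTERNS):
            return reject("reverse DNS name is on the block list")
        # Forward-confirmed reverse DNS is recorded for logging only: as the post
        # says, a missing or unconfirmed reverse name is not grounds for rejection.
        result["fcrdns"] = a_lookup(ptr) == client_ip
    result.update(action="accept", code=250, reason="ok")
    return result


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.net"),
                     ("192.0.2.20", "friendly.example.com"),
                     ("192.0.2.30", "bad_host.vendor.example")]:
        print(check_connection(ip, helo))
```

The checks are ordered so that the cheapest, most decisive tests run before any DNS query; a real deployment would swap the table-backed `ptr_lookup`/`a_lookup` for resolver calls and feed the two lists from the files the post describes.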