Server/mail/naming setup theory

Jason Stephenson jason at sigio.com
Mon Apr 19 17:54:01 EDT 2004


Dan Jenkins wrote:
>> I've also configured my mail server at work to block incoming mail 
>> from adsl, cable, and dial-up IPs and host names. This is because all 
>> of the mail that we receive from those domains is spam. 
> 
> 
> ;-) Including mine? And Derek's? (Of course, ours goes through the list 
> before getting to you.)

Well, this is at my day job. I have my own mail server at home where I 
get mail from GNHLUG. At work I block incoming connections from a list 
of domains. I maintain this list manually. I use exim, so it's a file 
using a wildcardlsearch. It matches on partial names, i.e. 
*.client2.attbi.com. I also have a separate, smaller list of IP numbers. 
Something only gets added to these lists after it has been used to send 
us spam. It drops the connection at HELO with a message of 550 Access 
Denied.

As I mentioned, I haven't found the time to set up anti-spam measures at 
home.

> 
>> When a machine connects to send us mail, our mail server does a 
>> reverse DNS look up on their IP. It ignores what is sent in the HELO, 
>> unless the other machine is sending our own IP or host name in the 
>> HELO, in which case the connection is rejected.
> 
> 
> Do you just verify that there is a reverse DNS? Or do you verify that 
> the reverse matches the forward? I'm curious.

It does a reverse lookup on the sending IP, and not what they give us in 
HELO. It also does a sender verify. Seems my rules aren't so stringent 
that machines with no host name get dropped. I've checked and mail gets 
through even if a reverse lookup fails.

> 
> When I started trying to block spam that way a few years ago, I had to 
> remove that as being too aggressive. I found that most reverse DNS 
> didn't map to their forward hostname. I also found that, at that time, 
> many mail servers had hostnames which didn't resolve, or had no reverse 
> DNS. This was from companies like Kollsman Instrument, Fidelity 
> Investments, PSNH, etc. Out of the 15 members of the board of directors 
> of a non-profit whom I ran the mail server for, 11 of them were unable 
> to send email after blocking spam that way. (Whether this is a comment 
> on the actual content of the board is another matter. ;-) I had to drop 
> that level of spam blocking for the board to communicate with the 
> non-profit's CEO. It is always a trade-off between blocking spam or 
> losing a potential sale or important email. Most of my clients are more 
> concerned about the latter than the former - of course, while still 
> complaining about spam. (I had a client who almost lost a $50,000 deal 
> due to a single missed email.)
> 

When I first switched us to exim from sendmail, I forgot just how 
pedantic exim can be. We weren't getting mail from one of our vendors 
because their mail server had an illegal character in its name. Seems 
Microsoft allows one to configure host names that are illegal according 
to published standards for Internet naming conventions. I had to allow 
this character specifically in HELO in order for us to get their mail. 
Ironically, it's a company that does most of our networking, and their 
mail admin. fails to see that it's a problem that their mail server has 
an invalid host name.

I've noticed that a lot of the UBE software is very poorly written. Our 
mail server refuses a lot of connections on the simple basis of the 
client not following SMTP.
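For reference, here is an Exim 4 main-section and ACL fragment that implements the checks the message above describes: manually maintained host-name and IP blocklists consulted at HELO (550 and drop the connection), rejection of a HELO that names this server, reverse DNS checked on the connecting IP rather than on the HELO argument, sender verification, and the helo_allow_chars exception for a peer with a non-standard character in its host name. This is an added illustration, not Jason's actual configuration or anything from the Exim distribution; the file paths, list names, the 192.0.2.0/24 relay network, example.com, and the choice of underscore as the permitted character are all assumptions.

```exim
# Added example: Exim 4 main-section and ACL fragment modelled on the
# checks described in the message above. Paths, list names, the relay
# network and the permitted HELO character are assumptions, not the
# author's real configuration.

domainlist local_domains    = example.com
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24   # assumed LAN

# Manually maintained blocklists, one entry per line. The host-name file
# holds wildcard patterns such as "*.client2.attbi.com" and is consulted
# with a wildlsearch lookup against the name obtained by reverse lookup of
# the connecting IP, never against the HELO argument. The address file
# holds plain IPs or CIDR ranges; a leading "/" makes Exim read the list
# items from the file.
hostlist   blocked_names = wildlsearch;/etc/exim/blocked_hostnames
hostlist   blocked_ips   = /etc/exim/blocked_ips

# One peer uses a non-standard character in its HELO name (assumed here to
# be an underscore). Exim rejects such names with a syntax error before any
# ACL runs, so the exception must be a main-section option, not an ACL rule.
helo_allow_chars = _

acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_helo:
  # Known spam sources: return 550 (Exim's default code for a refusal) and
  # close the connection, i.e. "550 Access Denied" at HELO.
  drop    hosts   = +blocked_names : +blocked_ips
          message = Access Denied

  # A remote host claiming our own host name or IP address in HELO is lying.
  deny    condition = ${if or{ \
                          {eq{$sender_helo_name}{$primary_hostname}} \
                          {eq{$sender_helo_name}{$interface_address}} \
                          {eq{$sender_helo_name}{[$interface_address]}} }}
          message   = HELO name belongs to this server

  accept

acl_check_rcpt:
  # Local submission and our own network skip the checks below.
  accept  hosts = : +relay_from_hosts

  # A failing or mismatched reverse lookup is only logged, not refused,
  # matching the observation that such mail still gets through.
  warn    !verify     = reverse_host_lookup
          log_message = reverse DNS lookup failed for $sender_host_address

  # Sender verification: the envelope sender must be routable.
  deny    !verify = sender
          message = sender address could not be verified

  accept  domains = +local_domains
  deny    message = relay not permitted
```

Two points worth noting for anyone adapting this: the `warn` verb for reverse_host_lookup is what keeps the policy at the level described above (log, do not reject); changing it to `deny` reproduces the over-aggressive setup Dan describes losing board members' mail to. And because `drop` closes the connection after the 550, a sender that retries will not get a chance to deliver through a later ACL, so only add a pattern to the blocklist files after it has actually sent spam, as the message says.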




