Monday, April 16, 2007
home servers blocked because of "generic" reverse DNS
My server refused Michael's email. He's running a server at home on a phone company DSL line with a static IP address. "What's this about? Can I not send you mail because I have SBC DSL?"
Not exactly. It's because he's sending directly from a residential SBC DSL line with a "generic" name in reverse DNS.
$ host -t ptr 68.124.123.45   # (not his real address)
45.123.124.68.in-addr.arpa domain name pointer adsl-68-124-123-45.dsl.pltn13.pacbell.net.
Legitimate email senders just about always have a pointer record in the in-addr.arpa domain. The name in it suggests it's actually supposed to be sending mail. Picking a couple at random out of this morning's email:
$ host 204.13.164.18
18.164.13.204.in-addr.arpa domain name pointer mx1.riseup.net.
$ host 66.159.220.136
136.220.159.66.in-addr.arpa domain name pointer amybiehl.greens.org.
Take a look at amybiehl's network neighbors.
$ whi -v 66.159.220 132 141
132.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-132.dslextreme.com.
133.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-133.dslextreme.com.
134.220.159.66.in-addr.arpa domain name pointer alexsoo.net.
135.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-135.dslextreme.com.
136.220.159.66.in-addr.arpa domain name pointer amybiehl.greens.org.
137.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-137.dslextreme.com.
138.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-138.dslextreme.com.
139.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-139.dslextreme.com.
140.220.159.66.in-addr.arpa domain name pointer netblock-66-159-220-140.dslextreme.com.
It's pretty easy to see which are the servers and which are just generic residential lines. Michael's email was refused because his server's pointer resource record name adsl-68-124-123-45.dsl.pltn13.pacbell.net matched the regular expression
/^(adsl|ppp)-.*.(dsl|dialup)\..*\.pacbell\.net$/
which stops an amazing amount of spam without any content analysis. SBC/Ameritech/Snet/AT&T/Pacbell generics are in the top twenty spam sources world wide. They claim to be "rolling out" port 25 blocking, but there are glaciers that move faster. I'll whitelist your PTR name, but I doubt many admins would bother. If you're gonna run a server in the middle of a block that's 99.99% Microsoft-DSL-residential spam zombies you're eventually gonna have to ask SBC for a non-generic name in rDNS. Or send through the SMTP relays SBC provides.
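As an added example (not code from the post or its author), here is the check the post describes in Python: look up the PTR name for a connecting address, honor a whitelist first, then reject names that match a generic-residential pattern. The Pacbell regex is the post's own; the dslextreme pattern, the whitelist contents and the FAKE_RDNS table are constructed from the page's examples so the check runs offline.

```python
import re
import socket

# Generic reverse-DNS patterns. The first is the post's own Pacbell rule,
# kept verbatim; the second is an assumption built from the
# netblock-66-159-220-NNN.dslextreme.com names shown on the page.
GENERIC_PTR_PATTERNS = [
    re.compile(r"^(adsl|ppp)-.*.(dsl|dialup)\..*\.pacbell\.net$"),
    re.compile(r"^netblock-\d+-\d+-\d+-\d+\.dslextreme\.com$"),
]

# PTR names an admin approved through the delist form (constructed sample;
# the post offers to whitelist Michael's name).
PTR_WHITELIST = {"adsl-68-124-123-45.dsl.pltn13.pacbell.net"}

# Constructed rDNS table standing in for live lookups, taken from the
# page's own host/whi output.
FAKE_RDNS = {
    "68.124.123.45": "adsl-68-124-123-45.dsl.pltn13.pacbell.net",
    "66.159.220.132": "netblock-66-159-220-132.dslextreme.com",
    "66.159.220.136": "amybiehl.greens.org",
    "204.13.164.18": "mx1.riseup.net",
}


def lookup_ptr(ip, table=None):
    """Return the PTR name for ip, or None when there is none.

    With table=None a real socket.gethostbyaddr() lookup is made; pass
    FAKE_RDNS to stay offline.
    """
    if table is not None:
        return table.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def is_generic_ptr(name):
    """True when the name matches one of the generic-residential patterns."""
    return any(p.search(name) for p in GENERIC_PTR_PATTERNS)


def smtp_policy(ip, table=None):
    """Return (action, reason) for a connection from ip.

    Order matters: no PTR at all is rejected, a whitelisted name is
    accepted even if it looks generic, then the generic patterns apply.
    """
    name = lookup_ptr(ip, table)
    if name is None:
        return "reject", "no reverse DNS for %s" % ip
    if name in PTR_WHITELIST:
        return "accept", "%s is whitelisted" % name
    if is_generic_ptr(name):
        return "reject", "%s is generic residential rDNS; see greens.org/delist" % name
    return "accept", "%s passes the rDNS check" % name
```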
Your MTA probably has a routing table where you can relay out to certain domains and send directly by default. I can show you how to do it in Qmail and Postfix. I've noticed about a dozen domains that block amybiehl, and I route to those through my server off of Speakeasy.
(Edit, July '08: I've moved from Speakeasy's T-1 to colocation at Got.net.)
You'll find this kind of preemptive blocking will only get more common. I'm kind of surprised you haven't hit it already. Some pretty large networks have been using this technique for years. DSL Extreme charged me $20 to install a custom PTR name. Sonic and Speakeasy did it for free.
The "see greens.org/delist" in my server's rejection message was supposed to lead you to my whitelist request form. Someone submits that form about once a month. (Not counting the crackers who shove junk into it every day. They're looking for leaky forms they can exploit to send spam.)