Re: [exim] Please help with getting out of RBL hell

Author: Matthew Byng-Maddick
Date:
To: exim-list
Subject: Re: [exim] Please help with getting out of RBL hell
On Sat, Dec 03, 2005 at 10:48:08AM -0800, Tony Godshall wrote:
> According to Matthew Byng-Maddick,
>> On Fri, Dec 02, 2005 at 11:25:08PM -0800, Tony Godshall wrote:
>>> According to Jason W.,
>>>> Welcome to the reality of life.. If you decide to live in a
>>>> neighborhood known for crime, don't be surprised if you're labeled a
>>>> criminal at some point...
>>> Sorry to say this, but you sound like one of those cops in
>>> the suburban white neighborhood who blocked, with shotguns,
>>> the refugees fleeing New Orleans ...
>> This isn't really a helpful statement. Once upon a time, it did happen like
>> that. The current situation is a response to the unbelievably high volumes
>> of crap emitted from these unsecured and un-virus-checked 24/7-connected
>> home PCs...
> I respectfully submit that a machine running *nix with
> proper DNS and SPF should not be lumped in with "unsecured
> and un-virus-checked". I don't get what IP-checking gets
> you that DNS/SPF-checking doesn't. Are you arguing that it
> takes a lot more CPU?


Where does SPF come into the equation? As has already been pointed out to
you in this thread, SPF is one of the first things that spammers set up
these days. If it has proper DNS, that to me means:
- it HELOs as something which looks up to its name
- looking up the reverse for its IP address yields an A/AAAA record which
looks up to that IP address.
(preferably the two things are the same, too...)

I don't care what the machine is running, I've seen plenty of Unix open
relays in my time...

If that machine has "dsl" "cable" or some variant of the least significant
parts of the IP address in its reverse lookup name, then I reserve the
right to tell it where it can go...

>> ... This is not racism, this is reality, more's the pity.
> Indeed I did not say it *was*, I just said the arguments are
> similar. In this case it might be called "corporatism"- that
> only large organizations with the resources to buy the "right
> kind" of connections may host domains.


So, me, the hobbyist, is weird for having "the resources to buy the right
kind of connection". I don't think that's true. This is a bogus argument.
These days, vhosts are cheap and reliable, co-los are not terribly much
more, and you'll get proper mailhosting on that.

>> This discussion has been had to death many times. I'm afraid that if you
>> want to host your domain on a residential cable/dsl line, then you have
>> to live with the consequences...
> Well, my machine is in my residence, but it's the extra-special
> "small business" plan that has the static IP address. Where do
> you draw the line?


When you show me that there's a proper audit trail from me reporting abuse
from your machine to your ISP taking appropriate actions, and where there's
a sufficiently small number of abuses that this is actually useful. Until
then, live with the consequences. No one suggested that small businesses were
any more able to manage a mail system.

>> If your IP is dynamic, forget it, as there's little to
>> no traceability that I have, ...
> My IP is not dynamic, but it may well be in the middle of a
> dynamic block. Those who block me on this basis are f**kin
> corporatists ;-P


I see. I would prefer to call them "sensible", actually, for the overspec
reasons that I've stated above. I'm sorry, but if it really matters to you
then you're going to have to set up a virtual machine with some provider
and host your mail there. When you connect, I'm not going to do p0f to find
out what you're running (actually, I may soon, but that's another story),
so to be honest, it doesn't really matter to me whether you're running
windows or a unix-like or even something completely crazy like VMS. You've
come from a cable/dsl block, and therefore you are >99% likely to be a
compromised windows machine spewing crap to me. Please explain why I should
spend the CPU resources to hold the mail conversation with you on that
basis?

>> if it's static, that's a bit better, but why should I trust
>> you any more than the compromised windows boxes on either side
>> of you by IP?
> Uh, because my DNS records point to it. I haven't seen any
> virus or worm that can do that.


You appear not to know very much about running large mail systems, but
you may find that like the split in any sensible size of DNS resolvers
and DNS authority servers, it is often sensible to split inbound MX and
outbound relays. What does your DNS pointing to your domain mean, not
a lot, unfortunately...

> Well, like you say, the discussion here doesn't matter much.
> The market will take its toll, both on ISPs that overblock
> and on ISPs that undersecure. Some people are learning that
> there are advantages to having your e-mail separate from
> your pipe, which makes it easier to switch and harder for
> ISPs to hold people by inertia.


Yes, indeed. The number of people using various webmail systems as their
primary mail makes that obvious. ISPs that overblock will lose customers
who think they know better. ISPs that undersecure will find themselves
unable to talk to most of the internet. I'm actually considering starting
to block by AS number, too, so any ISP that advertises itself as
"spam-friendly" based in china can't do anything.

Cheers

MBM

-- 
Matthew Byng-Maddick          <mbm@???>           http://colondot.net/
                      (Please use this address to reply)
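The "proper DNS" criteria listed in the message (HELO resolves to the connecting IP, the reverse name forward-confirms to that IP) and the "dsl"/"cable"/octets-in-the-name reverse-lookup heuristic, as an added example that is not part of the original post or of Exim. The resolver is injected, so the constructed zone data (hypothetical names, documentation-range IPv4 addresses) runs offline.

```python
import ipaddress
import re

# Constructed sample zone data (hypothetical names, documentation-range IPs);
# a real deployment would query the resolver instead of this dict.
FAKE_DNS = {
    ("mail.example.net", "A"): ["203.0.113.25"],
    ("25.113.0.203.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("17.113.0.203.in-addr.arpa", "PTR"): ["cpe-203-0-113-17.dsl.example-isp.net"],
    ("cpe-203-0-113-17.dsl.example-isp.net", "A"): ["203.0.113.17"],
    ("42.113.0.203.in-addr.arpa", "PTR"): ["spoof.example.org"],
    ("spoof.example.org", "A"): ["198.51.100.7"],
}

GENERIC_WORDS = re.compile(r"\b(dsl|cable|dyn|dhcp|pool)\b", re.I)

def lookup(name, rtype, dns=FAKE_DNS):
    """Resolve name/rtype against the injected zone data; [] if absent."""
    return dns.get((name, rtype), [])

def looks_generic(ptr_name, ip):
    """PTR name carries dsl/cable-style words or the host octets of ip (IPv4)."""
    if GENERIC_WORDS.search(ptr_name):
        return True
    # Least significant octets in order, separated by non-digits,
    # e.g. "113-17" in "cpe-203-0-113-17...": a generated pool name.
    tail = r"\D+".join(ip.split(".")[-2:])
    return re.search(r"(?<!\d)" + tail + r"(?!\d)", ptr_name) is not None

def check_sender(ip, helo, dns=FAKE_DNS):
    """Apply the 'proper DNS' criteria; returns (accept, list_of_reasons)."""
    reasons = []
    ptrs = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR", dns)
    if not ptrs:
        reasons.append("no reverse DNS")
    # Forward-confirmed reverse DNS: the PTR name must resolve back to ip.
    fcrdns = [p for p in ptrs if ip in lookup(p, "A", dns) + lookup(p, "AAAA", dns)]
    if ptrs and not fcrdns:
        reasons.append("reverse name does not resolve back to IP")
    # The HELO name must resolve to the connecting IP.
    if ip not in lookup(helo, "A", dns) + lookup(helo, "AAAA", dns):
        reasons.append("HELO does not resolve to IP")
    # Reverse names that look like an access-network pool are rejected too.
    for p in fcrdns or ptrs:
        if looks_generic(p, ip):
            reasons.append("generic reverse name " + p)
    return (not reasons, reasons)
```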