Author: Tony Godshall
Date:
To: Matthew Byng-Maddick
CC: exim-list
Subject: Re: [exim] Please help with getting out of RBL hell
Hi, everyone.
I'd like to apologize to Daevid Vincent for hijacking his
thread. I meant to just chime in with my experiences that
appeared to me to be related to his issues, but it looks
like the conversation has veered considerably.
According to Matthew Byng-Maddick,
> On Sat, Dec 03, 2005 at 10:48:08AM -0800, Tony Godshall wrote:
> > According to Matthew Byng-Maddick,
> >> On Fri, Dec 02, 2005 at 11:25:08PM -0800, Tony Godshall wrote:
> >>> According to Jason W.,
> >>>> Welcome to the reality of life.. If you decide to live in a
> >>>> neighborhood known for crime, don't be surprised if you're labeled a
> >>>> criminal at some point...
> >>> Sorry to say this, but you sound like one of those cops in
> >>> the suburban white neighborhood who blocked, with shotguns,
> >>> the refugees fleeing New Orleans ...
> >> This isn't really a helpful statement. Once upon a time, it did happen like
> >> that. The current situation is a response to the unbelievably high volumes
> >> of crap emitted from these unsecured and un-virus-checked 24/7-connected
> >> home PCs...
> > I respectfully submit that a machine running *nix with
> > proper DNS and SPF should not be lumped in with "unsecured
> > and un-virus-checked". I don't get what IP-checking gets
> > you that DNS/SPF-checking doesn't. Are you arguing that it
> > takes a lot more CPU?
>
> Where does SPF come into the equation? As has already been pointed out to
> you in this thread, SPF is one of the first things that spammers set up
> these days. If it has proper DNS, that to me means:
> - it HELOs as something which looks up to its name
> - looking up the reverse for its IP address yields an A/AAAA record which
> looks up to that IP address.
> (preferably the two things are the same, too...)
Really? DNS and SPF set up for infected zombies? That's
new to me. But I'm no long-time mail admin...
> I don't care what the machine is running, I've seen plenty of Unix open
> relays in my time...
Indeed. But that's generally a misconfig issue, not a "unsecured
and un-virus-checked 24/7-connected home PCs..." issue.
> If that machine has "dsl" "cable" or some variant of the least significant
> parts of the IP address in its reverse lookup name, then I reserve the
> right to tell it where it can go...
Yeah, that's fine I guess- market forces will have their way.
> >> ... This is not racism, this is reality, more's the pity.
> > Indeed I did not say it *was*, I just said the arguments are
> > similar. In this case it might be called "corporatism"- that
> > only large organizations with the resources to buy the "right
> > kind" of connections may host domains.
> So, me, the hobbyist, is weird for having "the resources to buy the right
> kind of connection". I don't think that's true. This is a bogus argument.
> These days, vhosts are cheap and reliable, co-los are not terribly much
> more, and you'll get proper mailhosting on that.
It's also nice to have my machine under my, the hobbyist's,
direct control.
> >> This discussion has been had to death many times. I'm afraid that if you
> >> want to host your domain on a residential cable/dsl line, then you have
> >> to live with the consequences...
> > Well, my machine is in my residence, but it's the extra-special
> > "small business" plan that has the static IP address. Where do
> > you draw the line?
> When you show me that there's a proper audit trail from me reporting abuse
> from your machine to your ISP taking appropriate actions, and where there's
> a sufficiently small number of abuses that this is actually useful. Until
> then, live with the consequences. No one suggested that small businesses were
> any more able to manage a mail system.
There's nothing inherent that makes a small business more
or less able to manage a domain than a large telco. Some
admins are there by competence and can do their jobs, and
some are constrained by insane administrative policy, and
some are there by seniority or buttkissing ability.
> >> If your IP is dynamic, forget it, as there's little to
> >> no traceability that I have, ...
> > My IP is not dynamic, but it may well be in the middle of a
> > dynamic block. Those who block me on this basis are f**kin
> > corporatists ;-P
>
> I see. I would prefer to call them "sensible", actually, for the overspec
> reasons that I've stated above. I'm sorry, but if it really matters to you
> then you're going to have to set up a virtual machine with some provider
> and host your mail there. When you connect, I'm not going to do p0f to find
> out what you're running (actually, I may soon, but that's another story),
> so to be honest, it doesn't really matter to me whether you're running
> windows or a unix-like or even something completely crazy like VMS. You've
> come from a cable/dsl block, and therefore you are >99% likely to be a
> compromised windows machine spewing crap to me. Please explain why I should
> spend the CPU resources to hold the mail conversation with you on that
> basis?
Yes, you've made that argument. I guess my smiley failed.
> >> if it's static, that's a bit better, but why should I trust
> >> you any more than the compromised windows boxes on either side
> >> of you by IP?
> > Uh, because my DNS records point to it. I haven't seen any
> > virus or worm that can do that.
>
> You appear not to know very much about running large mail systems, but
> you may find that like the split in any sensible size of DNS resolvers
> and DNS authority servers, it is often sensible to split inbound MX and
> outbound relays. What does your DNS pointing to your domain mean, not
> a lot, unfortunately...
Indeed, that's why I'm here. To learn. I think the compromised
windows boxes you are worrying about on the cable/dsl blocks
are generally *not* in DNS, but you seem to be contradicting
that above.
> > Well, like you say, the discussion here doesn't matter much.
> > The market will take its toll, both on ISPs that overblock
> > and on ISPs that undersecure. Some people are learning that
> > there are advantages to having your e-mail separate from
> > your pipe, which makes it easier to switch and harder for
> > ISPs to hold people by inertia.
>
> Yes, indeed. The number of people using various webmail systems as their
> primary mail makes that obvious. ISPs that overblock will lose customers
> who think they know better. ISPs that undersecure will find themselves
> unable to talk to most of the internet.
Wow. We agree on something.
> I'm actually considering starting
> to block by AS number, too, so any ISP that advertises itself as
> "spam-friendly" based in china can't do anything.
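The "proper DNS" test Matthew describes in this thread (the HELO name resolves to the connecting address; the address's PTR name resolves back to that address; preferably both names agree; and a PTR name of the "dsl"/"cable"-plus-IP-octets kind is grounds for refusal) can be written down as a small classifier. The code below is an added example, not code from the thread or from Exim; it uses an in-memory table of constructed PTR and A records (RFC 5737 documentation addresses, and host names chosen here) in place of a real resolver, so it runs offline, and the "generic residential name" test is a heuristic of my own choosing, not a rule from the thread.

```python
import re

# Constructed DNS data for this example (RFC 5737 documentation addresses; not real hosts).
# PTR maps IP -> reverse name; A maps name -> set of forward addresses.
PTR = {
    "192.0.2.10": "mail.example.org",                        # properly set up box
    "198.51.100.77": "adsl-198-51-100-77.dsl.example.net",   # ISP-generated residential name
    "203.0.113.5": "host5.example.com",                      # PTR exists, but forward disagrees
}
A = {
    "mail.example.org": {"192.0.2.10"},
    "adsl-198-51-100-77.dsl.example.net": {"198.51.100.77"},
    "host5.example.com": {"203.0.113.99"},
    "mail.example.net": {"192.0.2.10"},
}

# Substrings commonly seen in ISP-generated reverse names (assumed list; tune per ISP).
GENERIC_MARKERS = ("dsl", "cable", "dyn", "dhcp", "pool", "ppp")


def forward_confirmed(ip, ptr=PTR, a=A):
    """Return the PTR name for ip if that name resolves back to ip, else None."""
    name = ptr.get(ip)
    if name is None or ip not in a.get(name, set()):
        return None
    return name


def helo_verified(ip, helo, a=A):
    """True if the HELO name has a forward record pointing at the connecting ip."""
    return ip in a.get(helo.lower(), set())


def looks_generic(name, ip):
    """Heuristic: a residential/dynamic marker in the name plus at least two of the
    IP's own octets embedded in it, e.g. adsl-198-51-100-77.dsl.example.net."""
    lower = name.lower()
    if not any(marker in lower for marker in GENERIC_MARKERS):
        return False
    tokens = set(re.split(r"[.-]", lower))
    octets = ip.split(".")
    return sum(octet in tokens for octet in octets) >= 2


def classify(ip, helo, ptr=PTR, a=A):
    """Apply the checks from the thread; returns (verdict, reasons).

    A 'note:' reason is advisory (HELO and PTR name differ) and does not reject."""
    reasons = []
    name = forward_confirmed(ip, ptr, a)
    if name is None:
        reasons.append("no forward-confirmed reverse DNS")
    elif looks_generic(name, ip):
        reasons.append(f"generic residential PTR name: {name}")
    if not helo_verified(ip, helo, a):
        reasons.append(f"HELO {helo} does not resolve to {ip}")
    elif name is not None and helo.lower() != name.lower():
        reasons.append(f"note: HELO {helo} differs from PTR name {name}")
    hard = [r for r in reasons if not r.startswith("note:")]
    return ("reject" if hard else "accept", reasons)


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.org"),
                     ("192.0.2.10", "mail.example.net"),
                     ("198.51.100.77", "mail.example.net"),
                     ("203.0.113.5", "host5.example.com")]:
        print(ip, helo, classify(ip, helo))
```

In an Exim ACL the first two checks are the built-in `verify = reverse_host_lookup` and `verify = helo` conditions; the generic-name heuristic is the part that needs a site-specific pattern, and it is the one most likely to catch a hobbyist's static address sitting inside a residential block, which is exactly the situation argued over above.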