SORBS Insanity

jlewis at lewis.org
Thu Apr 15 03:38:09 UTC 2004


On Wed, 14 Apr 2004, Jeremy Kister wrote:

> telling them they were mistaken.  Finding no documentation on how they
> deem networks "dynamic" or "static" I changed my rDNS scheme from
> ppp-64-115-x-x to 64-115-x-x Note to all: "ppp" in no way signifies
> dial-up; we run ppp over almost every circuit we have -- from dialup to
> OC12, to Ethernet and ATM.

I think you'll find it's pretty commonly assumed (not just by certain
DNSBLs) that "script generated" DNS is dynamic.  Prepending it with ppp-
makes the assumption seem to be even more of a slam dunk.  Just to pick an
example, dummy-smtpd assumes that any host that matches
/\d{1,3}.\d{1,3}.\d{1,3}/ is "dynamic host with script-generated rDNS
name".  I think the feeling is, "if you care enough about the system that
it should be a legitimate mail server, it ought to have 'unique' rDNS."
rDNS matching what it HELO's as is nice too.

> I also stated how all of our network was scanned twice a day for open-relay
> mail servers.  Being a biggish ISP, we are _huge_ on our abuse policies, and
> our abuse bucket [usually] has only memories of tumbleweed blowing by.

Irrelevant.  Unless you're doing full port scans, you're not going to find
the open proxies.  Open relays are old school for spamming.  Open and
stealth proxies are the current methods.  Are you looking for HTTP Connect
proxies on 65506, 6588, 48669, etc.?  How about the socks5 proxy on
64.115.63.248:35762, which BTW is
static-64-115-63-248.isp.broadviewnet.net.

>  2.  that to prevent further hysteria, I had changed the reverse dns from
>       ppp-64-115-x-x to static-64-115-x-x and dynamic-64-115-x-x,
>       respectively.

That's better than the original.  Would you really expect people in
today's spam overrun climate to accept email from a system identified as
ppp-64-115-x-x.isp.broadviewnet.net?  I don't know about you, but that
just screams dialup to me.  64-115-x-x.isp.broadviewnet.net isn't much
better.

>  3.  their blindness was very unprofessional, deeming SORBS a Worthless
>       Project run by Ignorant Half-Wits

Your thinking that won't change the minds of thousands of systems blocking
millions of spams with their list.

> As of this date I have not received a response from anyone at sorbs, and do
> not expect one.   Our support crew is overwhelmed with upset customers who
> can't send email to their associates.  Our only response to them is that we
> have tried to resolve the issue, but could not, and that the remote ISP
> should stop using sorbs.

Did it occur to you to set up reverse DNS to match forward DNS?  Are these
customers running DNS that says "our MX records are
64-115-x-x.isp.broadviewnet.net and 64-115-x-y.isp.broadviewnet.net"?  I
really doubt it.  Having them smarthost their mail through your server
(it's not 64-115-x-x.isp.broadviewnet.net too, is it?) would also be a
no-brainer immediate solution until you can work things out with SORBS.

----------------------------------------------------------------------
 Jon Lewis *jlewis at lewis.org*|  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
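The three checks argued over in this thread (script-generated rDNS as dummy-smtpd guesses it, reverse DNS that forward-confirms, and HELO agreeing with rDNS) are easy to put side by side in code. The block below is an added example written for this page, not code from Jon Lewis, SORBS, dummy-smtpd or Broadview; it runs offline against constructed PTR/A tables using TEST-NET addresses and example.net names, and the DYNAMIC_HINTS prefix list is an assumption, not a documented DNSBL rule.

```python
"""Assess a connecting SMTP client's reverse DNS with the heuristics from the
thread: script-generated name, forward-confirmed rDNS (PTR -> A -> same IP),
and HELO matching rDNS.  DNS data is constructed sample data so this runs
offline; swap lookup_ptr/lookup_a for real resolver calls in production."""
import re

# Pattern quoted in the post as dummy-smtpd's test.  The '.' is unescaped, as
# written there, so it matches any separator: 192.0.2.10 and 192-0-2-10 both
# count as "script-generated".
SCRIPT_GENERATED = re.compile(r"\d{1,3}.\d{1,3}.\d{1,3}")

# Assumed first-label prefixes that mail receivers read as dial-up/dynamic
# space (the thread discusses ppp- and dynamic-); this list is an assumption.
DYNAMIC_HINTS = ("ppp", "dynamic", "dyn", "dial")

# Constructed sample zone data (TEST-NET-1 addresses, example names).
PTR = {
    "192.0.2.10": "ppp-192-0-2-10.isp.example.net",      # dial-up style name
    "192.0.2.20": "static-192-0-2-20.isp.example.net",   # generic but "static"
    "192.0.2.30": "mail.customer.example.org",           # unique, matches forward
    "192.0.2.40": "mx1.other.example.org",               # forward points elsewhere
    "192.0.2.50": None,                                  # no PTR at all
}
A = {
    "ppp-192-0-2-10.isp.example.net": ["192.0.2.10"],
    "static-192-0-2-20.isp.example.net": ["192.0.2.20"],
    "mail.customer.example.org": ["192.0.2.30"],
    "mx1.other.example.org": ["192.0.2.41"],
}


def lookup_ptr(ip):
    """Stand-in for a PTR query; returns the hostname or None."""
    return PTR.get(ip)


def lookup_a(name):
    """Stand-in for an A query; returns the list of addresses."""
    return A.get(name.lower().rstrip("."), [])


def looks_script_generated(name):
    """True if the name matches the dummy-smtpd pattern quoted in the post."""
    return bool(SCRIPT_GENERATED.search(name))


def looks_dynamic(name):
    """True if the first label starts with one of the assumed dynamic hints."""
    first_label = name.split(".")[0].lower()
    return any(first_label.startswith(hint) for hint in DYNAMIC_HINTS)


def forward_confirmed(ip):
    """Forward-confirmed rDNS: the PTR name must resolve back to the IP."""
    name = lookup_ptr(ip)
    return bool(name) and ip in lookup_a(name)


def assess(ip, helo):
    """Return the rDNS facts about a client plus a list of findings.

    An empty findings list means unique, forward-confirmed rDNS that agrees
    with the HELO name, which is what the reply above asks the ISP to provide."""
    name = lookup_ptr(ip)
    if name is None:
        return {"ip": ip, "rdns": None, "fcrdns": False,
                "helo_matches": False, "findings": ["no PTR"]}
    findings = []
    fcrdns = forward_confirmed(ip)
    if not fcrdns:
        findings.append("PTR not forward-confirmed")
    if looks_script_generated(name):
        findings.append("script-generated rDNS")
    if looks_dynamic(name):
        findings.append("dynamic/dial-up style rDNS")
    helo_matches = helo.lower().rstrip(".") == name.lower().rstrip(".")
    if not helo_matches:
        findings.append("HELO does not match rDNS")
    return {"ip": ip, "rdns": name, "fcrdns": fcrdns,
            "helo_matches": helo_matches, "findings": findings}


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "ppp-192-0-2-10.isp.example.net"),
                     ("192.0.2.30", "mail.customer.example.org"),
                     ("192.0.2.40", "mx1.other.example.org"),
                     ("192.0.2.50", "whatever.example")]:
        print(ip, assess(ip, helo)["findings"])
```

Note that the static-192-0-2-20 name still trips the script-generated test even though it forward-confirms and matches HELO: the pattern keys on three runs of digits, not on the prefix, which is why renaming ppp- to static- only partly helps and a unique name like mail.customer.example.org is the clean fix.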