
Dynamic IP Blocking

pwebb
Grafter
Posts: 65
Registered: ‎05-04-2007

Re: Dynamic IP Blocking

Hi everyone, it's my first posting (but not my first read!) on the Community site although anyone who also uses PUG will know who I am from there, for those who don't a quick introduction from me before I go into the Dynamic IP blocking issue.
I've been at PlusNet now for just over 18 months and took over responsibility for the whole team around 6 months ago. Prior to joining PlusNet I worked for BT and was responsible for the design of their Broadband network. I've been working with Broadband technologies since before the launch of ADSL in the UK in 2000, so I've seen most things!
Firstly, let me explain exactly what we've implemented so that everyone understands what we've done and why we've done it.
On Monday this week, we rolled a set of changes to a single machine in our secondary inbound e-mail cluster (MXLast), then on Tuesday we rolled it to the whole of the secondary cluster; finally it was rolled to the primary cluster (MXCore) on Thursday. These included a number of performance improvement changes as well as a change to the way we deal with dynamic IP addresses.
These changes mean that we now scrape the inbound e-mail logs for all messages and check to see if the forward and reverse DNS match and also that the IP address is not in a dynamic range. If the sending machine has a DNS issue or is on a dynamic range we add that range into a database and then blacklist mail coming from that IP or range of IPs.
We are not the first ISP nor do I think we will be the last who are being forced to implement this type of blacklisting due to the number of bots sending e-mails from infected machines.
As an example of the impact of these changes, we receive 1,600 connection requests per second per inbound e-mail server (there are 22 in total!). Prior to this change we were blocking around 50% of these connections via RBLs and existing checks. Once this rolled out, we were blocking 75% of these connections, of which a tiny proportion are legitimate.
It is the tiny proportion of legitimate ones that are causing the concern for us all at the moment and we are doing our best to make sure that these are sorted out as quickly as possible by whitelisting them on request.
This is one of the reasons that we chose to implement the blocking ourselves as it means that we have full control over whitelisting the addresses and these are being turned around within 24 hours. If you need to have an address whitelisted, it's simply a case of sending an e-mail to abuse@plus.net with either the e-mail headers or the server's IP address and it will be added.
The abuse mailbox is being monitored and requests are being dealt with over the weekend so there will not be a delay there.
I'm sorry that this has caused more inconvenience than we'd have liked, but I hope that you will agree this is a necessary piece of work to combat the spam problem that is growing bigger all of the time.
If anyone has any questions please feel free to post them and I'll make sure I do my best to answer them.
Phil
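
The checks described in the post above (forward and reverse DNS must match, the address must not look dynamic, and whitelisted addresses bypass both), as an added example that is not Plusnet's code. The thread does not say how Plusnet identifies dynamic ranges, so `looks_dynamic` is an assumed hostname heuristic; the DNS records, whitelist entry and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample DNS data (documentation ranges), standing in for live lookups.
PTR = {
    "192.0.2.25": "mail.example.org",
    "198.51.100.77": "host-198-51-100-77.dsl.example.net",
    "198.51.100.78": "host-198-51-100-78.dsl.example.net",
    "203.0.113.9": "mx.example.com",
}
A = {
    "mail.example.org": {"192.0.2.25"},
    "host-198-51-100-77.dsl.example.net": {"198.51.100.77"},
    "host-198-51-100-78.dsl.example.net": {"198.51.100.78"},
    "mx.example.com": {"203.0.113.200"},  # forward record points elsewhere
}
WHITELIST = [ipaddress.ip_network("198.51.100.77/32")]  # hypothetical on-request entry

# Assumed heuristic: keywords common in consumer access-line PTR names.
DYNAMIC_HINT = re.compile(
    r"(^|[.-])(dyn|dynamic|dsl|adsl|dhcp|pool|ppp|dialup|cable)([.-]|\d)", re.I)

def looks_dynamic(ip, hostname):
    """True if the PTR name embeds the IP's octets or a dynamic-pool keyword."""
    octets = ip.split(".")
    embedded = any(sep.join(order) in hostname
                   for sep in ("-", ".")
                   for order in (octets, octets[::-1]))
    return embedded or bool(DYNAMIC_HINT.search(hostname))

def classify(ip, ptr_lookup=PTR.get, a_lookup=A.get):
    """Return (verdict, reason) for a connecting IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in WHITELIST):
        return ("accept", "whitelisted")
    hostname = ptr_lookup(ip)
    if not hostname:
        return ("reject", "no reverse DNS")
    if ip not in (a_lookup(hostname) or set()):
        return ("reject", "forward and reverse DNS do not match")
    if looks_dynamic(ip, hostname):
        return ("reject", "reverse DNS looks like a dynamic range")
    return ("accept", "forward-confirmed reverse DNS")
```

A correctly configured server on a statically assigned address whose provider still uses generic PTR names fails the heuristic, which is the false-positive case the whitelist exists for.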
Peter_Vaughan
Grafter
Posts: 14,469
Registered: ‎30-07-2007

Re: Dynamic IP Blocking

Quote from: astarsolutions
Quote
I can't use a smarthost (BT) or any relay mail server

Why can't you?

Because BT will not allow me to use their mail servers for sending mail for domains they have no knowledge of and in the past it has taken weeks to convince BT to accept 1 domain for another client, let alone 20!
This is not an option for me.
zubel
Community Veteran
Posts: 3,793
Thanks: 4
Registered: ‎08-06-2007

Re: Dynamic IP Blocking

I reiterate that I do believe that Plusnet have taken a necessary step, however I feel that the method used to roll it out was flawed.
With community assistance, this could have been made much simpler.  Phil, your explanation is comprehensive but I personally would have appreciated some advance notice of it.
As has already been noted, both AOL and Hotmail already implemented this some time ago.  If all ISPs implemented this method then spam would reduce dramatically.
With email being a particular bone of contention at the moment, it would have been well advised to involve the community in some fashion.  Please, please, please take that under advisement.  It is difficult to be able to advocate your position and defend it when all the changes are very cloak and dagger.
That being said, I sincerely hope that this is the start of a more resilient and reliable email platform for Plusnet customers to enjoy.
B.
MrToast
Grafter
Posts: 550
Registered: ‎31-07-2007

Re: Dynamic IP Blocking

Setting a policy for accepting email which can be objectively defined seems like a great step forward. Only accepting connections from bona fide mail servers should exclude SPAM but for any attack on said servers or their otherwise legitimate users.
This has to be better than the vague and ever shifting content filtering.
The question remains though as to the quality of the implementation of any such policy.

Quote from: pwebb

These changes mean that we now scrape the inbound e-mail logs for all messages and check to see if the forward and reverse DNS match and also that the IP address is not in a dynamic range. If the sending machine has a DNS issue or is on a dynamic range we add that range into a database and then blacklist mail coming from that IP or range of IPs.

So:

  • How do you accurately determine which IP's are dynamic?
  • How do you keep up with all the changes? The internet has a lot of address ranges and their allocation and usage is being updated all the while.
  • Do you age blocked IP's when 'genuine' DNS problems are addressed?
  • Why do you think that your 'go it alone' approach will be more accurate than sharing the load with others such as the Spamhaus PBL?



By comparison the Spamhaus PBL is updated every 15 minutes and offers a self service IP removal tool for those who find their relay’s IP address is included.
Oh, and why didn't you make the changes clear before implementation?
pwebb
Grafter
Posts: 65
Registered: ‎05-04-2007

Re: Dynamic IP Blocking

Ok, to answer your questions.....

-How do you accurately determine which IP's are dynamic?
-- I will have a look at the Change Control and the code changes and tell you everything that we check as there are a number of things that we look at.
-How do you keep up with all the changes. The internet has a lot of address ranges and their allocation and usage is being updated all the while?
-- We are continually monitoring the logs to look for occurrences of valid e-mail being blacklisted. Also, it is not a common occurrence for a dynamic range to be changed to a static one.
- Do you age blocked IP's when 'genuine' DNS problems are addressed?
-- We will whitelist any IP address if an e-mail is sent to abuse@plus.net even if the IP is in a range found to be dynamic as it is possible that it really is a static and the set-up is not fully compliant. If someone is willing to take the time to e-mail us to be whitelisted, it's unlikely they are a spammer. If they do turn out to be a spammer, we have other safeguards in place to monitor volume of messages from IP addresses etc.
- Why do you think that your 'go it alone' approach will be more accurate than sharing the load with others such as the Spamhaus PBL?
-- For the reason I gave above, by doing it ourselves (which I believe most people do) we have total flexibility to whitelist even though Spamhaus may not as it does not conform to their policy.
- Oh, and why didn't you make the changes clear before implementation?
-- We did put some comms out http://community.plus.net/comms/2007/09/11/upcoming-email-platform-changes/ however on reflection these were far too vague and we should have been more explicit about the changes. This is definitely something I will make sure we do better next time. The reason that we were not more explicit in our comms is that the type of blocking we have implemented was already in place before although to a lesser extent and we did not expect the level of legitimate mail being caught due to dynamic addressing or DNS issues.
Phil
astarsolutions
Grafter
Posts: 393
Registered: ‎26-07-2007

Re: Dynamic IP Blocking

Quote
Because BT will not allow me to use their mail servers for sending mail for domains they have no knowledge of and in the past it has taken weeks to convince BT to accept 1 domain for another client, let alone 20!

Why don't you use Plusnet's relay server, that's what I use and I have never had a problem.
LiamM
Grafter
Posts: 5,636
Registered: ‎12-08-2007

Re: Dynamic IP Blocking

Because the box in question is on a BT Business Broadband line, and you need to be on a PlusNet connection to use relay (or RIN).
SteveA
Pro
Posts: 1,847
Thanks: 106
Fixes: 3
Registered: ‎17-06-2007

Re: Dynamic IP Blocking

Rejecting email from dynamic IPs will work for a while until the spammers realise that using basic email servers on each PC doesn't work as dynamic IPs are blocked and simply decide to use the ISPs email server as a conduit.
I run 5 domains from one server here pushing out through the plusnet email servers... works fine for me.
Incoming comes via JTN (which at the moment doesn't reject dynamic IPs) and forwards to my plusnet email box (which I have on SMTP forward - which is great because if a cat shuts my server down then my mail pools up on the plusnet servers and I can then just kick it when I get back on line)
mikeb
Rising Star
Posts: 463
Thanks: 15
Registered: ‎10-06-2007

Re: Dynamic IP Blocking

Quote from: astarsolutions
This work was announced, at least as far back as a week

Erhm, sort of ... but the work that was actually announced was for IMPROVEMENTS to existing processes and not the widening of the scope of mandatory filtering on receipt to include these new processes.  The associated blog entry contains the comment "We currently reject mail from senders with no reverse DNS ..." (and goes on to discuss the improvements being made) which is the first time I have seen any reference to such a process - although I do accept that I may have missed an announcement or whatever.  However, requests for further details and an approximate date for when the processes were first introduced into service have not received any response to date. 
In fact reports of a number of strange issues over recent days/weeks/months that are perhaps most likely to be down to these new processes have received comments implying no changes whatsoever have been made and the issue is almost certainly nothing whatsoever to do with PN.  In addition, the spam data which I have been collecting and analysing over the last several months shows many strange and unexplained deviations from what could reasonably be expected and most (if not all of them) correspond to mail system maintenance and/or periods of complaints of missing mail from other users.  PN repeatedly decline to make sensible comment or answer questions.  Why the need for 'mushroom' treatment from an 'open and honest' service provider if all is above board and there is nothing to hide or no seemingly incessant and largely unannounced tweaking going on behind the scenes?


B T Plusnet, a bit kinda like P T Barnum ...

... but quite often appears to feature more clowns :P
bobpullen
Community Gaffer
Posts: 16,869
Thanks: 4,950
Fixes: 315
Registered: ‎04-04-2007

Re: Dynamic IP Blocking

Mike,
I've seen similar requests for information across numerous threads. Exactly what information are you after and I'll do my best to get it?
You probably haven't seen an announcement because mx blocking is something we've been doing for years.
Perhaps it's because we're now so 'open and honest' that the conversation is coming to fruition?

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: Dynamic IP Blocking

Whilst this AOL style blocking is not a problem for me (as a new customer my PlusNet address does not get much usage).
If I were to setup my own SMTP mail server (with a static ip address) and finger it every now and then would this solve the issue of PlusNet blocking email from those not on the approved list? Would I need to purchase a domain?
This would presumably increase the load on the email servers?
Since most PC's are on just a few major ISP's, won't the botnets simply try sending via a shortlist of smart hosts?
Result - user greatly annoyed; Spammer slightly irritated for a short while.

"In The Beginning Was The Word, And The Word Was Aardvark."

Peter_Vaughan
Grafter
Posts: 14,469
Registered: ‎30-07-2007

Re: Dynamic IP Blocking

If you setup your mail server to relay mail via relay.plus.net there will be no problem.
Even if you did set it up to use DNS to lookup the destination mail server, PNs webserver would not block your email because PN have added their own IP ranges to the whitelist.
pwebb
Grafter
Posts: 65
Registered: ‎05-04-2007

Re: Dynamic IP Blocking

Quote from: axisofevil
If I were to setup my own SMTP mail server (with a static ip address) and finger it every now and then would this solve the issue of PlusNet blocking email from those not on the approved list? Would I need to purchase a domain?
This would presumably increase the load on the email servers?
Since most PC's are on just a few major ISP's, won't the botnets simply try sending via a shortlist of smart hosts?
Result - user greatly annoyed; Spammer slightly irritated for a short while.

If you set-up your own e-mail server and still used your @username.plus.com it would still go via our servers and be subject to the filtering that we do. If you registered a domain you could point the MX records to your server and be in full control of what filtering is done. If you register a domain and point it towards your server we will not see any of your mail and it will therefore put no load on our servers.
If spammers start to modify their bots to use smarthosts and ISP relays, these will quickly become blacklisted on the RBLs and it will again be the responsibility of the ISP to implement spam protection on their relays.
We are in fact already working towards plans for this, and currently have daily reports produced of top senders through our relays. When we identify these we work with the affected customer to ensure that they do not have a bot or incorrectly configured mail server. Since we've been doing this, we've reduced the load on our outbound relays significantly.
The next thing that ISPs are going to have to do on their outbound relays is likely to implement spam detection rules similar to the inbound ones on un-authenticated SMTP connections. On authenticated ones we could pass these through un-altered. This has the benefit that with authentication, a spammer needs to have a username and password to be able to relay and continue to spam.
We are under no doubt that this is going to be an ongoing war and what we do today to help with the problem of spam will need to change and evolve as the spammers do.
Sitting back and doing nothing to tackle spam is not an option for any ISP these days!
Phil
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: Dynamic IP Blocking

But us civilians get caught in the cross-fire.
If an ISP is no longer just a service provider but becomes a content provider they will face the prospect of legal challenges on any content (emails).  They cannot say that the emails are simply passed on without examination in the manner of a telephone system.
Beware of what you wish for!

"In The Beginning Was The Word, And The Word Was Aardvark."

MikeWhitehead
Grafter
Posts: 748
Registered: ‎19-08-2007

Re: Dynamic IP Blocking

Quote from: axisofevil
They cannot say that the emails are simply passed on without examination in the manner of a telephone system.

Well, it's automated examination. You can have a bar on your telephone line so that outgoing calls can't be made to certain numbers, so outbound email control is a similar situation (if you want to use the telephone example). They are not filtering specific contents of an e-mail, but rather if the e-mail should be allowed to be sent or not.
War has casualties sadly :P Although hopefully these will be kept to an absolute minimum! :)