ACL Email Rejection

gm4jjj · ‎30-07-2007

I wonder if this is the reason I have not been getting any mail from one of my lists that I subscribe to?

VileReynard · ‎01-09-2007

Quote from: Bob
Quote from: axisofevil
It's all going to go belly-up again

Got to admire your optimism!
Seriously though, don't speak too soon as I'm sure this really isn't going to have a lot of negative impact at all...

Famous last words...

"In The Beginning Was The Word, And The Word Was Aardvark."

TheChallenger · ‎05-10-2007

Quote from: Bob

" It does mean that in rare instances legitimate email the customer is used to receiving will also be rejected.
"
"In a nutshell I do not see this causing much upheaval at all."

Not much!!! I'm losing ALL my emails, since I use a third party anti-spam provider that doesn't allow rDNS to stop them being harvested etc. It is an awesome service that means I might just have to swap from PlusNET, I NEED MY EMAILS!
How can I fix this NOW (my antispam provider forwards all my mail to postbox@username.plus.com)?

MikeWhitehead · ‎19-08-2007

If you're having major problems and no-one can help resolve it right now (i.e. if it is solely down to the ACL) then just redirect it to a GMail (or similar) account instead of your PlusNet account. At least that way you'll get the mail.

TheChallenger · ‎05-10-2007

Thanks, I've just done that, unfortunatley there are 33 email addresses that were forwarding as re-directs, (because I couldn't re-direct the cathcall), Just took me 45 mins....

TheChallenger · ‎05-10-2007

Quote from: Bob
Quote from: axisofevil
It's all going to go belly-up again

Got to admire your optimism!
Seriously though, don't speak too soon as I'm sure this really isn't going to have a lot of negative impact at all.

No, Just means I haven't had any of my emails from Thursday - This is a Major Negative Impact!

ed · ‎15-08-2007

I see you give users a link to Zone Alarm so you might also concider giving them a link to AVG Free (anti-virus) too.

bobpullen · ‎04-04-2007

Quote from: TheChallenger
Quote from: Bob

" It does mean that in rare instances legitimate email the customer is used to receiving will also be rejected.
"
"In a nutshell I do not see this causing much upheaval at all."

Not much!!! I'm losing ALL my emails, since I use a third party anti-spam provider that doesn't allow rDNS to stop them being harvested etc. It is an awesome service that means I might just have to swap from PlusNET, I NEED MY EMAILS!

What provider is this? They don't set up rDNS on their mail servers?!?
That seems a little daft to me in the way that they are a spam prevention outfit who are doing things that are likely to get the email sent through them recognised as spam!
From page 10 of the RFC here. Note in particular the last sentence:

Quote
Adding a host.
To add a new host to your zone files:
Edit the appropriate zone file for the domain the host is in.
Add an entry for each address of the host.
Optionally add CNAME, HINFO, WKS, and MX records.
Add the reverse IN-ADDR entry for each host address in the
appropriate zone files for each network the host in on.

If I were you I'd be looking at a different 3rd party mail supplier as opposed to moving your mail away from us.
Whilst this is obviously not good at all from your perspective, it's the first example I've seen since the changes were made where somebody's had a problem, so I'm still of the opinion that this will not (and hasn't) had any major negative impact.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

VileReynard · ‎01-09-2007

http://en.wikipedia.org/wiki/Reverse_DNS_lookup is very readable on this rDNS issue.
It includes a comment to say that "While most rDNS entries only have one PTR record, it is perfectly legal to have many different PTR records. Although it is perfectly legal having multiple PTR records for the same IP address it is generally not recommended, unless you have a specific need..."
How do PlusNet deal with this situation? I mean do they look at all of these PTR records - or just the first one?

"In The Beginning Was The Word, And The Word Was Aardvark."

bobpullen · ‎04-04-2007

We just make sure there is one. Doesn't matter what it is, how many there are, or if the forward and reverse entries match at the moment. There was further checking when this was in place but that's not the case now.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

TheChallenger · ‎05-10-2007

Bob,
Appreciate your help on this one, as now I'm a little confused as to the possible problem.
Advascan are a major anti-spam / hosted email provider for a large number of UK ISP's and companies (they are MessageLabs' main competitor and thorn in their side)
What confuses me is on this thread you said:

Quote from: Bob
Quote from: TheChallenger
Quote from: Bob

" It does mean that in rare instances legitimate email the customer is used to receiving will also be rejected.
"
"In a nutshell I do not see this causing much upheaval at all."

Not much!!! I'm losing ALL my emails, since I use a third party anti-spam provider that doesn't allow rDNS to stop them being harvested etc. It is an awesome service that means I might just have to swap from PlusNET, I NEED MY EMAILS!

What provider is this? They don't set up rDNS on their mail servers?!?
That seems a little daft to me in the way that they are a spam prevention outfit who are doing things that are likely to get the email sent through them recognised as spam!
From page 10 of the RFC here. Note in particular the last sentence:
Quote
Adding a host.
To add a new host to your zone files:
Edit the appropriate zone file for the domain the host is in.
Add an entry for each address of the host.
Optionally add CNAME, HINFO, WKS, and MX records.
Add the reverse IN-ADDR entry for each host address in the
appropriate zone files for each network the host in on.

If I were you I'd be looking at a different 3rd party mail supplier as opposed to moving your mail away from us.
Whilst this is obviously not good at all from your perspective, it's the first example I've seen since the changes were made where somebody's had a problem, so I'm still of the opinion that this will not (and hasn't) had any major negative impact.

And a few minutes later on another thread, you said:

Quote from: Bob
Quote from: TheChallenger
I may have it wrong, can you check them then for me please , here is a header from an email earlier this week:
Received: from [217.72.243.41] (helo=uk.advascan.com)
by pih-sunmxcore09.plus.net with esmtp (PlusNet MXCore v2.00) id 1Icorv-00027s-Is
for postbox@username.plus.com; Tue, 02 Oct 2007 22:01:28 +0100

The server above should be fine. Whilst the forward and reverse DNS entries don't match, it does have rDNS configured:
C:\Users\Bobby>nslookup 217.72.243.41
Server:  pth-cdns01.plus.net
Address:  212.159.13.49:53
Name:    uk.advascan.com
Address:  217.72.243.41

So somethings somewhere isn't configured right, it seems to match your criteria has rDNS,

Quote
We just make sure there is one. Doesn't matter what it is, how many there are, or if the forward and reverse entries match at the moment.

So if its' not the rDNS then what's the problem???
I'm confused, you're insight is appreciated

MrToast · ‎31-07-2007

Well, I'm glad that you are taking the cautious route of only introducing one change at a time.
However, what happens if the rDNS lookup fails due to failure of the DNS server? Do you try again? Do you return a 5XX permanent error or a temporary one?

MrToast · ‎31-07-2007

Quote from: Bob
... we believe this is necessary to avoid more serious issues occurring over the coming days.

How much traffic is due to mail addressed to non-existent mailboxes?
At the moment no mail addressed to anyrandomaddress@account.plus.com generates a 5XX failure. At least not on my account. So presumably the message gets into the system and is processed up to some point.
Wouldn't making PN email RFC compliant in this area by returning errors for mail that won’t be delivered also reduce traffic / server load to some useful degree?

bobpullen · ‎04-04-2007

Quote from: MrToast
How much traffic is due to mail addressed to non-existent mailboxes?

About 1\5 of the email that hits the platform:

Quote
At the moment no mail addressed to anyrandomaddress@account.plus.com generates a 5XX failure. At least not on my account. So presumably the message gets into the system and is processed up to some point.

It is black holed.

Quote
Wouldn't making PN email RFC compliant in this area by returning errors for mail that won’t be delivered also reduce traffic / server load to some useful degree?

I don't think it would although I'd have to double check on that.

Quote from: TheChallenger
So if its' not the rDNS then what's the problem???
I'm confused, you're insight is appreciated

Did this start happening when we made the ACL changes?
You can PM me details of some of the email that hasn't arrived. The address sent from, the address sent to, what relay server they were sent through and at roughly what time and I can see if I can get one of our Net-Ops guys to check the logs at our side.
Basically though, the sending host in the examples you have provided has an rDNS entry so shouldn't be rejected based on the ACL configuration changes.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

SteveA · ‎17-06-2007

Quote from: Bob

About 1\5 of the email that hits the platform:

That doesn't suprise me. Spammers seem to be creating strange email addresses to send spam to and if you are unlucky enough for them to choose your domain as the reply address then its 99.9% certain that the reply address will be a made up address in your domain, so any delivery failures get bounced to those non-existent addresses.
Of course this is made worse by idiotic companies who insist on configuring their spam blockers to send email bounces saying "Your email was spam".