ACL Email Rejection
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Help with my Plusnet services
- :
- Broadband
- :
- Re: ACL Email Rejection
- « Previous
- Next »
Re: ACL Email Rejection
07-10-2007 1:45 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: Bob
Did this start happening when we made the ACL changes?
Bob, That's exactly the time I started 'losing' the mail, I contacted support at Advascan, and this morning I received my usual 200 emails, including those since Thursday.
Doing the same Reverse DNS search on www.dnsstuff.com, reveals that they appear to have switched the IP to 217.72.243.40 (although 217.72.243.41 still works)
So it is definitely related to the ACL changes, and being able to do an rDNS obviously is not enough....
All appears OK at present, this could easily be affecting others though that don't have as responsive a provider.
I'm just hoping I won't get a similar problem with other planned 'enhancements'
Re: ACL Email Rejection
08-10-2007 12:39 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
[217.72.243.40] --> "uk.advascan.com" --> [217.72.243.40] which is OK
but
[217.72.243.41] --> "uk.advascan.com" --> [217.72.243.40] which isn't OK
and is just one of many reasons why this kind of check is right old PITA in reality even if it might be technically wrong to have 'dodgy' looking DNS entries like that.
Having 'dodgy' looking DNS does not indicate a spammer it merely indicates either incompetence or a deliberate attempt to refer any attempted incoming connections elsewhere, such as to a website as this appear to be. I have seen way more than a few e-mail sender IPs that resolve to a website or some other more appropriate system which I believe was one reason why I had a fair old number of problems with lost mail when the double rDNS checks were active.
... wanders off to get a Lou Ferrigno haircut (but then again, maybe a wig would be more appropriate !), find a tin of green paint and muttering "don't make me angry, you wouldn't like me when I'm angry"
B T Plusnet, a bit kinda like P T Barnum ...
... but quite often appears to feature more clowns
Re: ACL Email Rejection
08-10-2007 8:27 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: mikeb Hmmmmm, I sure hope that doesn't mean PN have gone back to playing around with the bl**dy silly (IMHO) double rDNS checks again because the only oddity appears to be:
[217.72.243.40] --> "uk.advascan.com" --> [217.72.243.40] which is OK
but
[217.72.243.41] --> "uk.advascan.com" --> [217.72.243.40] which isn't OK
No Mike we haven't. As I've mentioned earlier in this thread the only thing we are doing is checking for the existence of an rDNS record. TheChallenger is reporting that they are now receiving all of their email. The reason it stopped is due to Advascan changing the IP of their mail server and neglecting to set rDNS up correctly (which they have now done if I'm reading things correctly). We're not checking that the reverse matches the forward at the moment.
Edit: It's worth me mentioning that we are deferring the stuff without rDNS with a 4xx server error. What this means is that the sending MTA should try and attempt delivery again. TheChallenger, this also means that you should see some of the email since Thursday start filtering in assuming Advascan's servers are set up to do this.
Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Re: ACL Email Rejection
08-10-2007 9:24 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: Bob
The reason it stopped is due to Advascan changing the IP of their mail server and neglecting to set rDNS up correctly (which they have now done if I'm reading things correctly). We're not checking that the reverse matches the forward at the moment.
Edit: It's worth me mentioning that we are deferring the stuff without rDNS with a 4xx server error. What this means is that the sending MTA should try and attempt delivery again. TheChallenger, this also means that you should see some of the email since Thursday start filtering in assuming Advascan's servers are set up to do this.
Bob, earlier on you said that:
Quote The server above should be fine. Whilst the forward and reverse DNS entries don't match, it does have rDNS configured:
So how come all the mail only started arriving when they changed the ip to [217.72.243.40] so that rDNS and and forwrad DNS match, and that is the only change. How was it set up incorrectly before? What was stopping it then that makes it OK now since new emails sent through Advascan are now hardly delayed at all?
Re: ACL Email Rejection
08-10-2007 1:24 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: TheChallenger So how come all the mail only started arriving when they changed the ip to [217.72.243.40] so that rDNS and and forwrad DNS match, and that is the only change. How was it set up incorrectly before? What was stopping it then that makes it OK now since new emails sent through Advascan are now hardly delayed at all?
I read that they had changed the IP of their mail server and neglected to set up rDNS in a timely fashion. Looks like I was mistaken
Are you saying that the two IP addresses (both 217.72.243.40 & 217.72.243.41) have always had rDNS entries? (or at least since Wednesday of last week?).
Edit: OK been doing some more digging today and it looks like we may have an issue. This is likely to be why the Advascan emails were getting rejected.
We have a fix but in the mean time we've rolled back the ACL changes to prevent any further email from getting delayed.
I'll update Service Status shortly and will continue to keep you posted.
Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Re: ACL Email Rejection
08-10-2007 10:02 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: Bob Are you saying that the two IP addresses (both 217.72.243.40 & 217.72.243.41) have always had rDNS entries? (or at least since Wednesday of last week?).
Yep, that's right,
Bob, thanks for doing the digging, I have always trusted Advascan, they have a very good group of techies there (even wrote own antivirus stuff) keep digging, if you need a spade we'll lend you one
Re: ACL Email Rejection
09-10-2007 2:17 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Having said that, it appears there is some confirmed PN problem with the latest checks and it's all been taken out again. Just out of morbid curiosity, what was the problem BTW ?
... wanders off singing "You put your DNS checks in. You take your DNS checks out. In, out, in, out, shake it all about"
B T Plusnet, a bit kinda like P T Barnum ...
... but quite often appears to feature more clowns
Re: ACL Email Rejection
09-10-2007 3:20 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: mikeb Just out of morbid curiosity, what was the problem BTW ?
The problem was I stopped receiving all my email (it is all filtered by Advascan first) I forward (redirect) it out of PN and Adva forward it back in to different mailbox e.g username_scanned.
The challenge of IP's and rDNS is all documented above rDNS did respond, a forward DNS on the hostname gave a different IP (which is perfectly legitimate response ) a lot of ISP's do this, typically the forward DNS takes you to a website see above.
It's sorted for now.....
Re: ACL Email Rejection
09-10-2007 9:58 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: Bob
Quote from: MrToast How much traffic is due to mail addressed to non-existent mailboxes?
About 1\5 of the email that hits the platform:
Thanks for including the pie chart.... but isn't that 1/5 BlackHole traffic?
Any estimates for random addresses landing in default 'catch-all' boxes?
Re: ACL Email Rejection
09-10-2007 10:31 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: TheChallenger
Quote from: mikeb Just out of morbid curiosity, what was the problem BTW ?
The problem was ...
That question was aimed in the PN direction rather yours, I should have made it a bit clearer so my apologies for that.
I was just wondering what the actual problem with the PN ACL was because simply testing for sender IP rDNS and accepting the transfer if found but rejecting it if missing doesn't sound like it should have caused any strange issues at all. Any more info available Bob ? Unless someone had a bit of 'ooops' moment and there is consequently a *very* embarrassed softy trying to hide under a desk somewhere in which case a simple will suffice !
B T Plusnet, a bit kinda like P T Barnum ...
... but quite often appears to feature more clowns
Re: ACL Email Rejection
10-10-2007 12:40 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Basically we looked at Exim just limiting the ACL checks to the rDNS checks. This was done on the back of the problem I raised following our discussions over on PUG.
A solution was suggested but it still did the forward and reverse matching. We reviewed this again and made some changes to the implementation that we believed stopped this from happening.
To cut a long story short, even with the changes in place, Exim still wanted to do the forward and reverse thing. The solution that was rolled out this morning doesn't rely entirely on Exim (we don't think this is possible now) and instead calls on an external process to do the host lookup.
Hopefully we've cracked it but please let us know if you spot anything awry. The new implementation passed a number of test conditions in the staging environment so hopefully all should be well.
Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Re: ACL Email Rejection
10-10-2007 2:10 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: Bob
Hopefully we've cracked it but please let us know if you spot anything awry. The new implementation passed a number of test conditions in the staging environment so hopefully all should be well.
Wouldn't it be a good idea to simply take an internal log of emails which would be potentially rejected by this process so that a back-end comparison could be made with the spam-checker?
Or perhaps the subject line could be marked in some way so that people would see which emails would be potentially rejected - for a week or two?
Email is PlusNet's bête noire - just an alpha test is probably insufficient.
Hope all goes well...
"In The Beginning Was The Word, And The Word Was Aardvark."
- « Previous
- Next »
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page