
My ISP isn't using reverse DNS for its DSL servers


amenex


My own emails started ending up in my Held Mail folder the other day, and so I started investigating. It turns out that there were three reasons that the dynamic IP address of my DSL server is listed on the dnsbl.sorbs.net blocklist: (1) Sending emails to a spamtrap address; (2) Open socks proxy; and (3) Using dynamic IP addresses without reverse DNS. They charge extra for static IP addresses ... but that's blackmail, as all I need for my server's IP address not to cause my emails to get blocked by users of the dnsbl.sorbs.net blocklist is for the canonical name of that server to be obtainable by WhoIs (if I understand this link: http://www.dnsstuff.com/info/revdns.htm).

However, when I look up my current IP address in Domain Dossier I get this result:

> canonical name h-74-0-115-202.phlapafg.dynamic.covad.net

But when I do a TraceRoute, here is what results:

> traceroute to 74.0.115.202 (74.0.115.202), 64 hops max, 44 byte packets

... snippage ...

> 11 phlapa4lrs1-covad-2-1.wcg.net (65.77.115.86) 10.216 ms 10.241 ms 10.888 ms

> 12 * * *

Looking in Domain Dossier for phlapa4lrs1-covad-2-1.wcg.net results in:

> lookup failed phlapa4lrs1-covad-2-1.wcg.net Could not find an IP address for this domain name.

But doing the reverse on 65.77.115.86 works just fine.

Is the point of the third reason for my ISP's listing in dnsbl.sorbs.net that TraceRoute doesn't complete ?

How is it that Domain Dossier can find the canonical name from the IP address but not the IP address from the canonical name ... isn't that the opposite problem ? Is it a great deal of trouble for an ISP to set up reverse DNS service ?

amenex


The term "DSL Server" doesn't seem to make much sense.

Are you running your own mailserver on a DSL line? If that is the case, you will almost certainly need to have static IP addresses, otherwise you will have problems sending to servers that check PTR Records.

Or are you referring to the ISP's SMTP mail server that you use for outgoing email?


Nothing here offering up a Tutorial, instructions, etc. Thus this is not seen as a "How to use ..." entry on this Forum.

However, due to the multitude of issues raised and asked about, it doesn't fit any of the other specific SpamCop.net tool sections either. Therefore, this is being moved to the Lounge area.


I'm actually of the thought that there's some confusion in the mix here, starting with why is "my IP address" being the item under research?

What needs to be seen is the "header lines" of the e-mail in question, specifically the 'disposition' line (though others may then be important) .....

This all may be an e-mail account configuration issue (white/black-listing perhaps) .. but 'we' need to see the right data to even guess at that ...


> The term "DSL Server" doesn't seem to make much sense.
>
> Are you running your own mailserver on a DSL line? If that is the case, you will almost certainly need to have static IP addresses, otherwise you will have problems sending to servers that check PTR Records.
>
> Or are you referring to the ISP's SMTP mail server that you use for outgoing email?

I'm just a DSL customer trying to run a small business ... and it's not cool to be showing up on a blocklist. No, I am not running a server. I'm using a SmoothWall.org hardware firewall, so it's unlikely that there's a server chugging away secretly in the background. And my LinkSYS router (also a firewall) isn't blinking unless I ask for stuff to come in or choose to upload stuff. Yes, it's the outgoing mail that's getting flagged, whether I send it through Webmail Service A ... or another webmail service B ... or SpamCop.net's webmail service C. However I send the email, it still all goes through the DSL server.


> I'm actually of the thought that there's some confusion in the mix here, starting with why is "my IP address" being the item under research?
>
> What needs to be seen is the "header lines" of the e-mail in question, specifically the 'disposition' line (though others may then be important) .....
>
> This all may be an e-mail account configuration issue (white/black-listing perhaps) .. but 'we' need to see the right data to even guess at that ...

Here are three sets of recent pertinent header lines:

X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 207.103.0.40 207.103.0.35 207.103.0.35 207.103.0.35 207.103.0.141 67.100.131.74

X-SpamCop-Disposition: Blocked dnsbl.sorbs.net

(67.100.131.74 is an "Open SOCKS Proxy Server" as well as "Dynamic IP Space")

X-SpamCop-Checked: 192.168.1.103 207.69.195.98 207.69.195.26 209.86.89.63

X-SpamCop-Disposition: Blocked dnsbl.sorbs.net

(209.86.89.63 is in a database of "servers sending to spamtrap addresses")

X-SpamCop-Checked: 192.168.1.103 207.69.195.98 207.69.195.29 216.154.195.36 192.168.1.20 74.0.115.202

X-SpamCop-Whitelisted: amenex

(74.0.115.202 is "Dynamic IP Space")

As Earthlink/Covad have about 1000 servers between them, if I persuade them to install (is that the right term ?) reverse DNS service, I'll go from having zero chance of getting an untainted server to a finite chance, given that "Open SOCKS Proxy Server" and "server sending to spamtrap addresses" probably don't apply to 100% of the IP addresses in their net ranges.


As it appears you simply skipped over my previous posts ... I'll try again. I agree with Telerin, your terminology isn't working. I will repeat, looking at "your own IP address", using a trace-route and looking up the immediate upstream connection simply doesn't apply to why your incoming e-mail has issues.

The game playing of "service A" and "service B" and stuff from somewhere else isn't helping anyone in trying to do any research for you.

Edit .. OK see that a response was provided while I was typing this up .... Thanks.


> ... snippage ... your own IP address, using a trace-route and looking up the immediate upstream connection simply doesn't apply to why your incoming e-mail has issues. ... snippage ... Edit .. OK see that a response was provided while I was typing this up .... Thanks.

There seems to be a diode in the lookup process. Domain Dossier has no trouble associating a canonical name with the IP address of one of Covad's servers ... but TraceRoute can't find that name, because Covad hasn't set up reverse DNS. There seems to be a step missing ... and Domain Dossier uses that step. If Domain Dossier has access to that key step, can't Earthlink/Covad access it, too ?

Here's what happens when I use the canonical name of that server:

traceroute to h-74-0-115-202.phlapafg.dynamic.covad.net (74.0.115.202), 64 hops max, 44 byte packets

... snippage ...

11 phlapa4lrs1-covad-2-1.wcg.net (65.77.115.86) 11.073 ms 10.666 ms 10.697 ms

12 * * *

13 * * *

... snippage ...

So TraceRoute gets just as far whether I ask for the route to the server by its IP address or by the canonical name. And if I try to access that server myself, using venkman's JavaScript Debugger, I get nothing. If I do the same thing with my website server's canonical name, I get an index file saying that there's no website configured at that address (because mine is one of about a thousand on that server). You might guess that my website's server isn't on the dnsbl.sorbs.net blocklist !


You should look into other options.

We block all dynamic IPs on our servers as most ISPs do now. Also, not setting up your equipment properly and leaving an open proxy to be abused is not a good business decision. If you want to run a mail server then you should do it properly. This looks very reckless.

HTH HAND


telnet 74.0.115.202 25 .. took ages, but finally responded with "cannot open a connection" ?????

09/22/06 17:52:01 Slow traceroute 74.0.115.202

Trace 74.0.115.202 ...

64.200.89.122 RTT: 40ms TTL:192 (hrndva1wcx3-pos4-0-oc192.wcg.net bogus rDNS: host not found [authoritative])

64.200.240.46 RTT: 41ms TTL:192 (phlapa1wcx1-pos9-0.wcg.net bogus rDNS: host not found [authoritative])

65.77.115.86 RTT: 41ms TTL:192 (phlapa4lrs1-covad-2-1.wcg.net bogus rDNS: host not found [authoritative])

* * * failed

74.0.115.202 RTT: 69ms TTL:241 (h-74-0-115-202.phlapafg.dynamic.covad.net ok)

different tools, different results ....

I'm not sure what you're trying to show with the three different 'disposition' items ...

67.100.131.74 - Covad

209.86.89.63 - Earthlink

74.0.115.202 - Covad (you .. but still undefined as how your IP address is tagged as an e-mail source)

Just noting that the first two IP addresses were blocked by a SORBS listing .... beginning to appear as if the situation might be resolved by changing your filtering selections .. as it appears you have somehow managed to get associated with multiple 'bad' e-mail servers/providers ....
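Added example, not part of any post in this thread: the "ok" versus "bogus rDNS" labels in the traceroute output above can be read as a forward-confirmed reverse DNS check, in which an address passes only if its PTR name resolves back to the same address. The DNS data below is constructed from the lookups quoted in the thread, the meaning of "bogus rDNS" is an assumption, and `looks_generic` with its `DYNAMIC_LABELS` is a hypothetical heuristic, not SORBS's actual method.

```python
import ipaddress
import re

# Constructed DNS data mirroring the lookups quoted in this thread.
# PTR maps a reverse (in-addr.arpa) name to a host name; A maps a host
# name to its addresses. The wcg.net router has a PTR record but no A record.
PTR = {
    "202.115.0.74.in-addr.arpa": "h-74-0-115-202.phlapafg.dynamic.covad.net",
    "86.115.77.65.in-addr.arpa": "phlapa4lrs1-covad-2-1.wcg.net",
}
A = {
    "h-74-0-115-202.phlapafg.dynamic.covad.net": ["74.0.115.202"],
}

# Hypothetical labels that suggest a pool address; not any blocklist's rule set.
DYNAMIC_LABELS = {"dynamic", "dyn", "dhcp", "dsl", "pool"}


def check_rdns(ip, ptr_lookup=PTR.get, a_lookup=A.get):
    """Return (status, name); 'ok' only if PTR and A agree in both directions."""
    name = ptr_lookup(ipaddress.ip_address(ip).reverse_pointer)
    if name is None:
        return ("no rDNS", None)
    if ip in (a_lookup(name) or []):
        return ("ok", name)
    return ("bogus rDNS", name)


def looks_generic(name, ip):
    """Heuristic: the name embeds the IP's octets or carries a pool-style label."""
    numbers = re.findall(r"\d+", name)
    embeds_ip = all(octet in numbers for octet in ip.split("."))
    labels = set(name.lower().split("."))
    return embeds_ip or bool(labels & DYNAMIC_LABELS)


def assess(ip):
    """Combine both checks into the verdict a strict mail receiver might reach."""
    status, name = check_rdns(ip)
    if status != "ok":
        return status
    return "ok but generic/dynamic name" if looks_generic(name, ip) else "ok"


if __name__ == "__main__":
    for addr in ("74.0.115.202", "65.77.115.86", "203.0.113.9"):
        print(addr, "->", assess(addr))
```

The DSL address passes the forward-confirmed check yet still reads as dynamic, which is consistent with SORBS listing it as "Dynamic IP Space" even though reverse DNS exists for it.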


I'm using the DSL service provided by Earthlink. Earthlink webmail came along as part of the deal.

My actual connection is served by Covad (owned in turn by Earthlink). When I send an email through the Earthlink webmail, that server gets flagged as already described. When I send an email through my Voicenet webmail account, the Covad server is part of the chain and so that email gets flagged because of the tainted Covad server. If I switch off my DSL modem, wait a while, and switch back on, I get another server in a different netblock, and that server causes the email to get flagged. All because I use the dnsbl.sorbs.net blocklist to block spam in my SpamCop.net webmail. That's not what's bothering me. It's that my emails are getting flagged (and possibly blocked) by my customers' spam filters, at least the ones also using the dnsbl.sorbs.net blocklist. For my cc's to myself to end up in my Inbox, I have to whitelist all my email addresses; otherwise, they end up in SpamCop's Held Mail.

I agree that Earthlink/Covad aren't running their email servers responsibly. Cluelessly seems to be more to the point.

I am not running these webmail servers - I am just a customer sending emails one at a time, with as many as three cc's to other parties, and I'm trying to find a knowledgeable person at my ISP. The reason for my questions to SpamCop is that I want to know what is possible (reverse DNS ?). If reverse DNS is a no sweat process for Domain Dossier, then why can't Earthlink/Covad do the same ? As far as I can tell, they only have 1000 of these dynamic servers between them (Covad: 67.100.130.0-67.100.131.255; Earthlink: 74.0.114.0-74.0.115.255). Those are the netblocks to which I find my DSL connection made most of the time. If I do not shut off my DSL modem, then the IP address stays the same for the entire time I'm connected.


From the top; How do you get "rDNS is the problem" while showing the examples of;

(67.100.131.74 is an "Open SOCKS Proxy Server" as well as "Dynamic IP Space")

(209.86.89.63 is in a database of "servers sending to spamtrap addresses")

(74.0.115.202 is "Dynamic IP Space")

It appears that what you really want is the data found at http://www.us.sorbs.net/faq/dul.shtml ...

I believe that most here seem to be as baffled as I in trying to determine why "your IP address" is involved .. but without seeing headers of one (or more) of your outgoing e-mails, this is going to remain a mystery.


The "webmail servers" aren't in dynamic space...they should be stable servers that virtually never change their IP addresses, and which have reverse DNS and all the other features of properly-configured email systems. The IP that your own DSL connection happens to grab is in dynamic space, and you're not likely to get those IPs configured to look like stable email servers.

But, the solution is indeed fairly simple.....change your SpamCop email blacklist settings, eliminating the use of dnsbl.sorbs.net. I did that a long time ago and it hasn't negatively affected my filtering. As a test, I just logged into SpamCop webmail and sent a message to another of my addresses. I then ran that message through the SC spam parsing form, and instead of identifying the SpamCop server as being the "message source," the parser decided that it was my current broadband IP, which is indeed listed in SORBS.

However, when I logged into the webmail on my own VPS-hosted domain and then did the same thing, the parser decided that the web server was actually the message source, and therefore not listed in SORBS.

So, let's try another...a free Yahoo mail account...running the message through the parser yields my own broadband IP as the source, so once again, I'd have a "SORBS problem" if I were using that blacklist in my preferences. (BTW, this is yet another bit of proof that Yahoo is properly formatting mail sent from its system...see the mega-topics in the Blocklist Help forum) I just checked my SC email whitelist, and out of the many addresses I use, I've only got an AOL address on there. I've not had to whitelist any of the domains I own/manage, my SpamCop address, or even my Yahoo address.

It's *very unlikely* that other people to whom you send mail will be using the SORBS list in this manner to reject your messages. The simple solution is for *you* to stop using SORBS and don't worry about it (I think).

(on edit) From the SORBS home page...they have "more recently made the move to pre-emptively list all dynamically allocated IP address space," which I suppose is OK if you are never going to get a message on which SpamCop decides that the "message source" is from that space....which I demonstrated above, I believe.

DT


> The "webmail servers" aren't in dynamic space...they should be stable servers that virtually never change their IP addresses, and which have reverse DNS and all the other features of properly-configured email systems. The IP that your own DSL connection happens to grab is in dynamic space, and you're not likely to get those IPs configured to look like stable email servers.
>
> ... snippage ...
>
> However, when I logged into the webmail on my own VPS-hosted domain and then did the same thing, the parser decided that the web server was actually the message source, and therefore not listed in SORBS.
>
> ... more snippage ...
>
> DT

DT has hit it on the nose - I sent myself a test email from my ISP's webmail service (Earthlink) and that sailed through without getting flagged. Here are the pertinent header lines:

> X-Originating-IP: 209.86.224.45

> X-SpamCop-Checked: 192.168.1.103 209.86.89.61 209.86.224.45 74.0.115.202

74.0.115.202 is my DSL server's address - what my PC's connected to.

209.86.224.45 is Earthlink's email server (elwamui-polski.atl.sa.earthlink.net).

Quoting SORBS (regarding 74.0.115.202):

Additional Information: [Covad Supplied list] Dynamic/Generic IP/rDNS address, use your ISPs mail server or get rDNS set to indicate static assignment.

The first time I tried sending a test email through the Earthlink webmail interface, it got flagged by the dnsbl.sorbs.net blocklist, not for being dynamic, but for another reason (open SOCKS proxy) while my DSL modem was connected to a different netrange (67.100.131.74). That sort of problem can be fixed by reconnecting the DSL modem; when I tried looking up 67.100.131.73 instead of 67.100.131.74 the open SOCKS proxy flag did not come up. Therefore, even though I had used Earthlink's webmail interface (209.86.224.45) the email got flagged anyway because the routing went through that tainted DSL server (67.100.131.74).

I can live with an occasional bad day at Earthlink (such as that open SOCKS proxy) as it can be fixed by reconnecting the DSL modem. I was just reluctant to use the earthlink webmail interface as it had some quirky behavior early on. I'll give it another try now.

Thanks for your help.

amenex


> I was just reluctant to use the earthlink webmail interface as it had some quirky behavior early on. I'll give it another try now.

IIRC (from earlier in this topic), you're a SpamCop Email customer, right? If so, you can use the SpamCop webmail interface to send mail "From" as many identities as you care to define. However, from my previous message, you'll see that seems to result in your dynamic DSL IP being processed as the "message source" instead of the SpamCop server....at least that's what happened when I parsed a message I sent out from SpamCop webmail.

DT


> However, from my previous message, you'll see that seems to result in your dynamic DSL IP being processed as the "message source" instead of the SpamCop server....at least that's what happened when I parsed a message I sent out from SpamCop webmail.

This is true of a message being parsed for reporting, but remember that most bl configurations only look at the connecting server (the only information it has until it retrieves the body of the message). The spamcop email system looks at all the IPs to see if any are listed, but it also does not reject any email.
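Added example, not part of any post in this thread: the difference between checking only the connecting server and checking every hop, run over two of the `X-SpamCop-Checked` header lines quoted earlier. The `LISTED` table is a constructed stand-in for DNS answers from dnsbl.sorbs.net built from the listings the posters report, and treating the first public address in the header as the connecting server is an assumption about the header's ordering.

```python
import ipaddress

ZONE = "dnsbl.sorbs.net"

# Constructed stand-in for the blocklist's answers, keyed by query name.
# A live check is a DNS A lookup of that name: an answer in 127.0.0.0/8
# means "listed", NXDOMAIN means "not listed".
LISTED = {
    "74.131.100.67.dnsbl.sorbs.net": "open SOCKS proxy, dynamic IP space",
    "63.89.86.209.dnsbl.sorbs.net": "sending to spamtrap addresses",
    "202.115.0.74.dnsbl.sorbs.net": "dynamic IP space",
}

# Header lines quoted in the thread; both carried "Blocked dnsbl.sorbs.net".
HEADER_1 = ("X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 "
            "207.103.0.40 207.103.0.35 207.103.0.35 207.103.0.35 "
            "207.103.0.141 67.100.131.74")
HEADER_2 = "X-SpamCop-Checked: 192.168.1.103 207.69.195.98 207.69.195.26 209.86.89.63"


def dnsbl_query_name(ip, zone=ZONE):
    """IPv4 only: reverse the octets and append the blocklist zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def public_hops(header):
    """Addresses from the header value, minus private (e.g. 192.168.x.x) ones."""
    value = header.split(":", 1)[1]
    return [ip for ip in value.split()
            if not ipaddress.ip_address(ip).is_private]


def listed_hops(ips, lookup=LISTED.get):
    """Return (ip, reason) for every address the blocklist has an answer for."""
    hits = []
    for ip in ips:
        reason = lookup(dnsbl_query_name(ip))
        if reason:
            hits.append((ip, reason))
    return hits


def evaluate(header, policy):
    """policy 'connecting': first public hop only (assumed to be the delivering
    server); policy 'all': every public hop, as the SpamCop filter is described."""
    hops = public_hops(header)
    scope = hops[:1] if policy == "connecting" else hops
    hits = listed_hops(scope)
    return ("blocked" if hits else "accepted", hits)


if __name__ == "__main__":
    for header in (HEADER_1, HEADER_2):
        for policy in ("connecting", "all"):
            print(policy, evaluate(header, policy))
```

Under the "all" policy both messages are blocked because of a listed address further back in the chain, while the "connecting" policy accepts them.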


> This is true of a message being parsed for reporting, but remember that most bl configurations only look at the connecting server (the only information it has until it retrieves the body of the message). The spamcop email system looks at all the IPs to see if any are listed, but it also does not reject any email.

Excellent point...back to "spam school" for me. I suppose that I haven't been thinking of things from the POV of the receiving server.

However, are you sure that once a given server has "seen" the entire incoming message, including all of the "Received" lines (assuming that the connection is *not* directly from a single PC), that it *only* cares about the IP of the server that's delivering the message to it when it checks the info against BLs (whether cached or in real time)? When the SC email server receives messages for me, if the SA rating isn't past my threshold, then it checks *all* of the IPs against the BLs which I have selected in my options. I realize that most other systems aren't as thorough, or don't give the end user as much control, but are you sure that they don't "care" where the delivering server might have relayed the message from?

DT


I'm still stuck on wanting to see an actual set of headers to explain why the "user's PC" is identified as the source of the e-mail .. and somehow tying that back into a SpamCopDNSBL listing .....

Some things I haven't done ...

looked up to see just what "Domain Dossier" is ...

decided what the Title of this thing really ought to be ....

figured out just what the "DSL server" might be that keeps coming up ....

understood whether or not there is a "real" blockage issue with the outgoing e-mail .... being "on a BL" is listed as a concern, use of the SORBS list on the SpamCop.net e-mail account has led to some 'action' .... but how does that factor in to the actual outgoing e-mail and the receipt thereof at other places???

I moved this thing out of the How to use .... section as it was not an instructional post. I chose the Lounge because of the range of the query. At one time, it looked like a move back into the SpamCop E-Mail Account forum section would be appropriate .... yet I'm back to not quite grokking the whole thing .... is there more than just the SpamCop.net e-mail account filtering/handling being asked about ?????

Edit: OK, Domain Dossier is a web-site / tool-set found at http://centralops.net/co/DomainDossier.aspx

never used, but not impressed at the first glance ... lists my IP address, but identifies it as (anonymous) ...???? (as compared to DNSstuff that even lists my city / location??) No idea why the need is there to login/register .... found elsewhere;

> I use your utilities all the time but sometimes run into the usage limit. How can I get more usage?
>
> Currently we limit anonymous usage to 40 hits per hour per utility. To get more usage than that, you can get an account.

backing up a page, http://centralops.net/co/ more net tools are available ....


> I'm still stuck on wanting to see an actual set of headers to explain why the "user's PC" is identified as the source of the e-mail

I'll send you some privately, in which my IP is identified as the "message source" as far as the parser is concerned.

> .. and somehow tying that back into a SpamCopDNSBL listing .....

The OP said that their IP was listed on dnsbl.sorbs.net, which in turn was one of the BLs being used in the SpamCop Email account settings to redirect messages into their Held Mail folder. I don't think that the SCBL was involved...or did I miss something above?

DT


> I'll send you some privately, in which my IP is identified as the "message source" as far as the parser is concerned.

Yes, I understand the theory .. and going with your additional samples, I'm still going with that this Topic is basically about the filtering / configuration of a SpamCop.net e-mail account. SORBS is invoked .. and I have to assume that the IP addresses listed in Linear Post #6 deal with the various attempted e-mails from/to the same user, suggesting that perhaps more whitelisting would be in order to circumvent the SORBS data ..????

> The OP said that their IP was listed on dnsbl.sorbs.net, which in turn was one of the BLs being used in the SpamCop Email account settings to redirect messages into their Held Mail folder. I don't think that the SCBL was involved...or did I miss something above?

Probably me .... I do recall keying on the word 'spamtrap' .... but yes, this was a SORBS spamtrap identified .... probably another one of those "have my head in too many places at once" things ....


Archived

This topic is now archived and is closed to further replies.
