
what do you do when....


Mike Scott
Mar 16, 2013, 5:57:14 AM
<rant>

.... your ISP has recently set up its mail server to drop non-delivery
reports on outgoing mail (so you never know you've typed a recipient
address wrongly); blocks port 25 except to their own server (so you
can't send directly); and doesn't put in a reverse DNS entry (so other
mail servers won't allow access)?

All in the name of security! (And they won't listen to reason.)

And just where do they go to hire suitably incompetent support staff?

</rant>

Grrrr. And they used to be there with good service.


--
Mike Scott (unet2 <at> [deletethis] scottsonline.org.uk)
Harlow Essex England

Thor Kottelin
Mar 16, 2013, 6:52:13 AM
"Mike Scott" <usen...@scottsonline.org.uk.invalid> wrote in message
news:ki1fih$l79$1...@dont-email.me...

> .... your ISP has recently set up its mail server to drop non-delivery
> reports on outgoing mail (so you never know you've typed a recipient
> address wrongly); blocks port 25 except to their own server (so you
> can't send directly); and doesn't put in a reverse DNS entry (so other
> mail servers won't allow access)?
>
> All in the name of security! (And they won't listen to reason.)

Blocking port 25 for consumers has everything to do with security. It is
one of the most effective ways of stopping zombie spam. ISPs typically
offer business subscriptions that are intended for customers that run
their own mail servers.

--
Thor Kottelin
http://www.anta.net/

Mike Scott
Mar 16, 2013, 7:01:35 AM
It's not the blocking of port 25 so much - that's been there for years.
But they claim the lack of NDRs is for "security" too (they /claim/ it's
always been like this, but that's rubbish - I know full well I used to
get proper bounce messages). And they make it impossible to use an
obvious alternative server, while telling me to do just that. The result
is a singularly unreliable mail service.

But to answer my own question, I guess it's time to move on.... but I
need to avoid the flames while leaping from this particular frying pan.
This particular broadband business is currently moving to less desirable
owners anyway.

Thor Kottelin
Mar 16, 2013, 7:11:23 AM
"Mike Scott" <usen...@scottsonline.org.uk.invalid> wrote in message
news:ki1jb5$61p$1...@dont-email.me...
> On 16/03/13 10:52, Thor Kottelin wrote:

>> Blocking port 25 for consumers has everything to do with security. It
>> is
>> one of the most effective ways of stopping zombie spam.

> they make it it impossible to use an obvious alternative server, while
> telling me to do just that.

Your alternative MSA should listen on port 587. Please see RFC 6409, an
Internet standard.

Frank Slootweg
Mar 16, 2013, 4:35:02 PM
While far from ideal, Gmail could be such a MSA/MSP. Gmail will stamp
your mail with a "Sender: <you>@gmail.com>" header, which can and will
confuse some mailers (MUAs), but it might give you (the OP) some time to
look for better alternatives. FYI, I use Gmail as my SMTP server when
roaming (i.e. when not on my ISP's network).

Spam Guy
Mar 17, 2013, 10:46:10 AM
Mike Scott wrote:

> .... your ISP has recently set up its mail server to drop non-
> delivery reports on outgoing mail (so you never know you've
> typed a recipient address wrongly);

No excuse for that, unless they don't want their server to be tricked
into sending spam outside their customer-base in the form of
non-delivery reports.

Is the server open-access (to the ISP's own customers that is) or does
it use authentication?

> blocks port 25 except to their own server (so you can't send
> directly);

If this block is in place for IP's assigned to residential customers,
then that's a good policy. If the block is also in place for commercial
customers (who also have or are paying extra for static IP assignment)
then that is not a good policy.

> and doesn't put in a reverse DNS entry (so other mail servers won't
> allow access)?

Ahh-

Just remember that the out-bound machine that you connect to to send
mail is not necessarily the same machine (same IP) that is facing the
outside world (the one that connects to external recipients).

> All in the name of security! (And they won't listen to reason.)

In my case, here at $dayjob, we have a single static IP on an aDSL
service (6mbps/800kbps) which is identical to a residential-type service
(in terms of speed) but we have static IP and we can make port-25
connections to the outside world - but if you do an rDNS on our IP
you'll just get a generic result that includes the domain of our ISP
(not our actual corporate domain).

But you still need to find out if the world-facing out-bound SMTP server
for your ISP has a resolvable rDNS.

Heck, as an anti-spam measure, I don't even have an MX record for our
domain(!). According to RFC, when an mx lookup fails, you're supposed
to resort to the A-record and see if you can connect to that machine to
deliver mail. In our case, since we have only a single IP, that method
works just fine. It used to be that spam zombies weren't sophisticated
enough to fall back to the A record, so they aborted the attempt when
the MX lookup failed.

We encounter very few destination servers that refuse our mail, even
though (a) we have a generic rDNS, and (b) we have no MX record for our
domain.

And in the spirit of improving usenet message-composition, I've fixed
your subject line.
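The "no MX record, fall back to the A record" delivery rule the post above relies on, as an added example (not code from the thread): it applies the RFC 5321 section 5.1 routing order over a constructed in-memory DNS table (all names and addresses below are made up), including the preference sort, the shuffle of equal preferences, and the implicit-MX fallback that a less complete client omits.

```python
import random
from typing import Dict, List, Tuple

# Constructed zone data standing in for real DNS: name -> {"MX": [(pref, host)], "A": [ip]}.
FAKE_DNS: Dict[str, Dict[str, list]] = {
    "example.org": {"MX": [(20, "mx2.example.org"), (10, "mx1.example.org"),
                           (20, "mx3.example.org")], "A": []},
    "mx1.example.org": {"MX": [], "A": ["192.0.2.10"]},
    "mx2.example.org": {"MX": [], "A": ["192.0.2.20"]},
    "mx3.example.org": {"MX": [], "A": ["192.0.2.30"]},
    # Like the poster's $dayjob: no MX record at all, just an A record.
    "nomx.example.net": {"MX": [], "A": ["198.51.100.5"]},
    # Neither record: delivery must fail rather than guess.
    "dead.example.com": {"MX": [], "A": []},
}

def lookup(name: str, rtype: str) -> list:
    """Stand-in for a DNS query, answered from the constructed table."""
    return list(FAKE_DNS.get(name, {}).get(rtype, []))

def delivery_targets(domain: str, seed: int = 0) -> List[Tuple[str, str]]:
    """Hosts and addresses in the order an SMTP client should try them (RFC 5321 5.1):
    MX hosts by ascending preference, equal preferences in random order, and an
    implicit MX of preference 0 naming the domain itself when there is no MX at all."""
    rng = random.Random(seed)
    mx = lookup(domain, "MX") or [(0, domain)]
    by_pref: Dict[int, List[str]] = {}
    for pref, host in mx:
        by_pref.setdefault(pref, []).append(host)
    targets: List[Tuple[str, str]] = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref]
        rng.shuffle(hosts)
        for host in hosts:
            targets.extend((host, ip) for ip in lookup(host, "A"))
    return targets

def mx_only_targets(domain: str) -> List[Tuple[str, str]]:
    """What a client without the fallback does: no MX record means it gives up."""
    return [(host, ip) for _, host in sorted(lookup(domain, "MX"))
            for ip in lookup(host, "A")]
```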

Ivan Shmakov
Mar 17, 2013, 3:16:16 PM
>>>>> Mike Scott <usen...@scottsonline.org.uk.invalid> writes:

> <rant>

> .... your ISP has recently set up its mail server to drop
> non-delivery reports on outgoing mail (so you never know you've typed
> a recipient address wrongly); blocks port 25 except to their own
> server (so you can't send directly); and doesn't put in a reverse DNS
> entry (so other mail servers won't allow access)?

... Other than renting a "virtual" server (BKA "VPS") to put
your own MX on? As was already pointed out in this thread, this
MX should also listen on 587/tcp (AKA "submission"; STD 72.)

Please also consider supporting ESMTPS there, and, obviously,
some authentication mechanism. (Otherwise, the chances are that
it will quickly be used as a relay by a whole lot of abusers.)

PS. These days, they offer VPS hosting for as little as 3 USD per
month, with both IPv4 and IPv6 connectivity provided. (Checking
it out... well, they /claim/ to provide IPv6 connectivity, but
it doesn't work for me right now. Problem report filed.)

[...]

--
FSF associate member #7257

Ivan Shmakov
Mar 17, 2013, 3:17:59 PM
>>>>> Frank Slootweg <th...@ddress.is.invalid> writes:
>>>>> Thor Kottelin <th...@anta.net> wrote:
>>>>> "Mike Scott" <usen...@scottsonline.org.uk.invalid> wrote...

[...]

>>> they make it it impossible to use an obvious alternative server,
>>> while telling me to do just that.

>> Your alternative MSA should listen on port 587. Please see RFC
>> 6409, an Internet standard.

> While far from ideal, Gmail could be such a MSA/MSP. Gmail will stamp
> your mail with a "Sender: <you>@gmail.com>" header, which can and
> will confuse some mailers (MUAs),

Huh? From what I know, it's a standard behavior. Why, I've
spent some time to ensure that my MUA adds a proper Sender:.

> but it might give you (the OP) some time to look for better
> alternatives. FYI, I use Gmail as my SMTP server when roaming
> (i. e. when not on my ISP's network).

FWIW, I use Google Mail whenever the receiving party for some
reason declines to accept mail delivered via my own MX'es.
Which, luckily, tends to happen only occasionally.

Mike Scott
Mar 18, 2013, 5:57:46 AM
On 16/03/13 20:35, Frank Slootweg wrote:
> Thor Kottelin <th...@anta.net> wrote:
>> "Mike Scott" <usen...@scottsonline.org.uk.invalid> wrote in message
>> news:ki1jb5$61p$1...@dont-email.me...
>>> On 16/03/13 10:52, Thor Kottelin wrote:
>>
>>>> Blocking port 25 for consumers has everything to do with security. It
>>>> is
>>>> one of the most effective ways of stopping zombie spam.
>>
>>> they make it it impossible to use an obvious alternative server, while
>>> telling me to do just that.
>>
>> Your alternative MSA should listen on port 587. Please see RFC 6409, an
>> Internet standard.

The obvious alternative is the unofficial server run by this ISP's user
group - indeed, they /told/ me to use this instead. But because they
now don't have rDNS entries, I can't.

>
> While far from ideal, Gmail could be such a MSA/MSP. Gmail will stamp
> your mail with a "Sender: <you>@gmail.com>" header, which can and will
> confuse some mailers (MUAs), but it might give you (the OP) some time to
> look for better alternatives. FYI, I use Gmail as my SMTP server when
> roaming (i.e. when not on my ISP's network).
>

And who wants their email potentially tampered with, analyzed by and
stored by the likes of gmail. No thanks.

Incidentally, bethere (and I assume it affects the whole of O2) still
seem to think black-holing mail is a good plan if it can't be delivered.
They don't seem to get the message. Mad!

Mike Scott
Mar 18, 2013, 6:07:51 AM
On 17/03/13 14:46, Spam Guy wrote:
> Mike Scott wrote:
>
>> .... your ISP has recently set up its mail server to drop non-
>> delivery reports on outgoing mail (so you never know you've
>> typed a recipient address wrongly);
>
> No excuse for that, unless they don't want their server to be tricked
> into sending spam outside their customer-base in the form of
> non-delivery reports.
>
> Is the server open-access (to the ISP's own customers that is) or does
> it use authentication?

open access. Has been for the several years I've been with them. But it
shouldn't be a problem, because it will only relay mail outbound from
their own customers - were some clown to use a fake sender address and
cause many NDR's, they'd pretty soon be found out.

>
>> blocks port 25 except to their own server (so you can't send
>> directly);
>
> If this block is in place for IP's assigned to residential customers,
> then that's a good policy. If the block is also in place for commercial
> customers (who also have or are paying extra for static IP assignment)
> then that is not a good policy.

It's there for all dynamic IPs (read - residential lines). I'm not too
fussed - it's no big deal to have an extra hop by having to use their
own server. But it does need to obey correct protocols.

>
>> and doesn't put in a reverse DNS entry (so other mail servers won't
>> allow access)?
>
> Ahh-
>
> Just remember that the out-bound machine that you connect to to send
> mail is not necessarily the same machine (same IP) that is facing the
> outside world (the one that connects to external recipients).

I meant rDNS for my own dynamic line. They used to; but with recent
network improvements (!!!) they've dropped this. So their usergroup
unofficial server (which they told me to use instead of their own
server) won't accept mail.

>
>> All in the name of security! (And they won't listen to reason.)
>
> In my case, here at $dayjob, we have a single static IP on an aDSL
> service (6mbps/800kbps) which is identical to a residential-type service
> (in terms of speed) but we have static IP and we can make port-25
> connections to the outside world - but if you do an rDNS on our IP
> you'll just get a generic result that includes the domain of our ISP
> (not our actual corporate domain).

That's pretty well what my situation used to be. But they've not entered
rDNS for the new address ranges I've been shoved onto recently. And at
the same time (I think) they've messed up the mail server. Bad
decisions when taken together.

...
> And in the spirit of improving usenet message-composition, I've fixed
> your subject line.
>
Yeh, thanks; good idea. I was feeling singularly frustrated when I
penned the original item. Still am - I've got the CEO's email address:
it's tempting to use it - I'll bet he doesn't know the details of this
change and how they've screwed things up.

Mike Scott
Mar 18, 2013, 6:10:14 AM
On 17/03/13 19:16, Ivan Shmakov wrote:
....
> PS. These days, they offer VPS hosting for as little as 3 USD per
> month, with both IPv4 and IPv6 connectivity provided. (Checking

Hmmm. That's an order of magnitude cheaper than I remember seeing
anywhere - who offers that pricing???

> it out... well, they /claim/ to provide IPv6 connectivity, but
> it doesn't work for me right now. Problem report filed.)
>
> [...]
>

Ivan Shmakov
Mar 18, 2013, 9:38:31 AM
>>>>> Mike Scott <usen...@scottsonline.org.uk.invalid> writes:
>>>>> On 16/03/13 20:35, Frank Slootweg wrote:

[Cross-posting to news:comp.security.misc.]

[...]

>> While far from ideal, Gmail could be such a MSA/MSP. Gmail will
>> stamp your mail with a "Sender: <you>@gmail.com>" header, which can
>> and will confuse some mailers (MUAs), but it might give you (the OP)
>> some time to look for better alternatives. FYI, I use Gmail as my
>> SMTP server when roaming (i. e. when not on my ISP's network).

> And who wants their email potentially tampered with, analyzed by and
> stored by the likes of gmail. No thanks.

Those who do /not/ want for their Internet traffic (including,
but not limited to, Web, email, and netnews access) to be
potentially tampered with, analyzed and stored by third parties,
use GNUnet, Freenet, and other similar technologies. Or,
perhaps, OpenPGP or S/MIME, as long as only email is considered.

(Well, preferential use of TLS- and SSL-based services may help.
Sadly, even HTTPS is not as common as it should've been, and
properly set up ESMTPS is more of an exception than a rule.
Then, there also is DNSSEC, and that reclusive DANE, which I'm
yet to see deployed in some production environment...)

[...]

Frank Slootweg
Mar 18, 2013, 4:28:39 PM
Ivan Shmakov <onei...@gmail.com> wrote:
> >>>>> Frank Slootweg <th...@ddress.is.invalid> writes:
> >>>>> Thor Kottelin <th...@anta.net> wrote:
> >>>>> "Mike Scott" <usen...@scottsonline.org.uk.invalid> wrote...
>
> [...]
>
> >>> they make it it impossible to use an obvious alternative server,
> >>> while telling me to do just that.
>
> >> Your alternative MSA should listen on port 587. Please see RFC
> >> 6409, an Internet standard.
>
> > While far from ideal, Gmail could be such a MSA/MSP. Gmail will stamp
> > your mail with a "Sender: <you>@gmail.com>" header, which can and
> > will confuse some mailers (MUAs),
>
> Huh? From what I know, it's a standard behavior. Why, I've
> spent some time to ensure that my MUA adds a proper Sender:.

It's not a problem [1] that Gmail adds the "Sender: <you>@gmail.com>",
but that some MUAs' replies go to that address.

So mail "From: <you>@<normal_MSP>" has "Sender: <you>@gmail.com>", but
broken_MUA replies "To: <you>@gmail.com>" instead of
"To: <you>@<normal_MSP>".

[...]

[1] "not a problem" with the disclaimer that you may not want to
advertize your Gmail address.

Ivan Shmakov
Mar 18, 2013, 4:41:36 PM
>>>>> Frank Slootweg <th...@ddress.is.invalid> writes:
>>>>> Ivan Shmakov <onei...@gmail.com> wrote:
>>>>> Frank Slootweg <th...@ddress.is.invalid> writes:

[Cross-posting to news:comp.internet.services.google.]

[...]

>>> Gmail will stamp your mail with a "Sender: <you>@gmail.com>"
>>> header, which can and will confuse some mailers (MUAs),

>> Huh? From what I know, it's a standard behavior. Why, I've spent
>> some time to ensure that my MUA adds a proper Sender:.

> It's not a problem [1] that Gmail adds the "Sender:
> <you>@gmail.com>", but that some MUAs' replies go to that addresss.

Any specific examples, please?

(So that I could set up a procmail rule to ring a bell should a
message with a matching User-Agent: be delivered to my,
otherwise rarely read, Sender: mailbox.)

[...]

> [1] "not a problem" with the disclaimer that you may not want to
> advertize your Gmail address.

Fair enough. But then, this makes it impossible to completely
hide one's email while using Gmail, which also makes sense.
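The Sender:/From: confusion Frank describes above, and Ivan's idea of watching the rarely read Sender: mailbox for culprit User-Agent: values, as one added example (not code from either poster): the RFC 5322 reply rule beside the misbehaviour, and a Python stand-in for the procmail rule. The messages and addresses are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Optional

# Constructed outgoing message: From: is the normal mailbox, Gmail stamped Sender:.
OUTGOING = """\
From: Frank <frank@normal-msp.example>
Sender: frank.roaming@gmail.com
To: someone@example.org
Subject: roaming test

Hello
"""

def reply_address(raw: str) -> str:
    """RFC 5322 rule: reply to Reply-To: if present, else From:. Sender: is never used."""
    msg = message_from_string(raw)
    for header in ("Reply-To", "From"):
        if msg.get(header):
            return parseaddr(msg[header])[1]
    raise ValueError("message has neither Reply-To: nor From:")

def broken_reply_address(raw: str) -> str:
    """The misbehaviour from the thread: the MUA answers Sender: whenever it is present."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("Sender") or msg.get("From", ""))[1]

def misdirected(raw: str) -> bool:
    """True when the broken MUA would send its reply to the wrong mailbox."""
    return reply_address(raw) != broken_reply_address(raw)

# Constructed reply as produced by such an MUA: it went to the Sender: mailbox.
MISDIRECTED_REPLY = """\
From: Someone <someone@example.org>
To: frank.roaming@gmail.com
Subject: Re: roaming test
User-Agent: BrokenMUA/0.9

Got it
"""

def culprit_user_agent(raw: str, sender_mailbox: str) -> Optional[str]:
    """Stand-in for the procmail rule: if a message is addressed to the Sender:
    mailbox, return its User-Agent: so the offending MUA can be identified."""
    msg = message_from_string(raw)
    recipients = {addr for _, addr in getaddresses(msg.get_all("To", []))}
    if sender_mailbox in recipients:
        return msg.get("User-Agent", "(no User-Agent header)")
    return None
```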

Jorgen Grahn
Mar 18, 2013, 4:55:15 PM
On Mon, 2013-03-18, Mike Scott wrote:
> On 17/03/13 14:46, Spam Guy wrote:
>> Mike Scott wrote:
...
>>> blocks port 25 except to their own server (so you can't send
>>> directly);
>>
>> If this block is in place for IP's assigned to residential customers,
>> then that's a good policy. If the block is also in place for commercial
>> customers (who also have or are paying extra for static IP assignment)
>> then that is not a good policy.

And as I understand it, random servers out in the world are likely
anyway to drop mail delivered to them if it appears to come from a home
server -- using checks against address ranges believed to be dynamic.

> It's there for all dynamic IPs (read - residential lines). I'm not too
> fussed - it's no big deal to haver an extra hop by having to use their
> own server.

It's a central point for supervision and logging, but apart from that
it's not a big problem. I've run my mail that way for a decade now
(but have problems switching ISPs -- the one I want to move to blocks
port 25 and supports pop-before-SMTP only, unless I can convince them
to make an exception for me.)

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

Frank Slootweg
Mar 19, 2013, 9:06:12 AM
Ivan Shmakov <onei...@gmail.com> wrote:
> >>>>> Frank Slootweg <th...@ddress.is.invalid> writes:
> >>>>> Ivan Shmakov <onei...@gmail.com> wrote:
> >>>>> Frank Slootweg <th...@ddress.is.invalid> writes:
>
> [Cross-posting to news:comp.internet.services.google.]
>
> [...]
>
> >>> Gmail will stamp your mail with a "Sender: <you>@gmail.com>"
> >>> header, which can and will confuse some mailers (MUAs),
>
> >> Huh? From what I know, it's a standard behavior. Why, I've spent
> >> some time to ensure that my MUA adds a proper Sender:.
>
> > It's not a problem [1] that Gmail adds the "Sender:
> > <you>@gmail.com>", but that some MUAs' replies go to that addresss.
>
> Any specific examples, please?

Sorry, I don't remember. I *think* that Gmail itself was one of the
culprits, because two people in our families who use Gmail, replied to
the "Sender:" address. One (computer-savvy) only needed one
'correction', the other one was and is clue-resistant, so to be sure, I
POP my Gmail mailbox as well! :-)

Anonymous
Mar 23, 2013, 8:37:21 AM
>> .... your ISP has recently set up its mail server to drop
>> non-delivery reports on outgoing mail (so you never know you've
>> typed a recipient address wrongly); blocks port 25 except to their
>> own server (so you can't send directly);

Get a new ISP, clearly. Forcing you to use *their* server such that
your unencrypted mail loses the benefit of TLS - thus damaging your
privacy further - is not something that you should sponsor
financially. Vote with your feet.

If you're in a region that has no broadband competition, then get a
VPN. Your nanny ISP cannot inspect your packets or scrutinize what
ports you want to use if you tunnel.

Think of your current lousy ISP as a "connectivity provider", not an
"ISP". But more importantly, don't give them your business if you
don't have to.

>Blocking port 25 for consumers has everything to do with security.

Security related, yes, but in a detrimental way. /Availability/ is
one of the three most significant objectives to security, if not the
single most. Blocking port 25 *damages* availability.

> It is one of the most effective ways of stopping zombie spam.

It's the cheapest, sloppiest approach. Like most anti-spam practices,
the methods that are the most defensive against spam also cause the
most collateral damage.

It's reckless, irresponsible, and stupid to block port 25. It also
goes directly against EFF principles.

Corporations save a buck by not addressing the problem more
appropriately. Everyone loses when unwise consumers support it.

> ISPs typically offer business subscriptions that are intended for
> customers that run their own mail servers.

Yes, one can decide to give even more money to unethical ISPs, if
they have an apathetic sense of ethics that allows for it.
