Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Question re ASPEWS 44

3 views
Skip to first unread message

Grant

unread,
Aug 28, 2008, 8:15:16 AM8/28/08
to
We had a problem with spam. Per earlier thread we have gotten the
offenders out of here.

http://www.aspews.org/?p=44

Restoration Media was canceled.

The listings that are there do not indicate IP's but if there were a way
for me to lookup those listed offenses, I would be able to comment on
those and verify if they have been dealt with or kicked off or whatever.

Assistance in this would sure be appreciated

Grant T.
og...@yahoo.com
972-805-0579

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.

phil-new...@ipal.net

unread,
Aug 28, 2008, 11:21:08 AM8/28/08
to
On Thu, 28 Aug 2008 12:15:16 GMT Grant <og...@yahoo.com> wrote:

| We had a problem with spam. Per earlier thread we have gotten the
| offenders out of here.
|
| http://www.aspews.org/?p=44
|
| Restoration Media was canceled.
|
| The listings that are there do not indicate IP's but if there were a way
| for me to lookup those listed offenses, I would be able to comment on
| those and verify if they have been dealt with or kicked off or whatever.
|
| Assistance in this would sure be appreciated

How many addresses in your network are operated by customers (e.g they decide
what runs on the computer) but have your own domain name in the reverse DNS?

BTW, a lot of the reverse DNS in your address spaces have domain names that
very strongly suggest (because of the radical marketing aspect) these are
being operated by spammers. They may not be sending the spam from your
network, but instead may be hosting the spamvertized website there. Do take
note that this kind of spammer support can get you in many lists, too.

--
|WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
| by the abuse department, bellsouth.net is blocked. If you post to |
| Usenet from these places, find another Usenet provider ASAP. |
| Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |

Grant

unread,
Aug 28, 2008, 12:32:17 PM8/28/08
to
phil-new...@ipal.net wrote:
> How many addresses in your network are operated by customers (e.g they decide
> what runs on the computer) but have your own domain name in the reverse DNS?

Very few. If any. Typically a customer requests or sets their own PTR
(since we delegate rDNS on blocks larger than /28)

> BTW, a lot of the reverse DNS in your address spaces have domain names that
> very strongly suggest (because of the radical marketing aspect) these are
> being operated by spammers. They may not be sending the spam from your
> network, but instead may be hosting the spamvertized website there. Do take
> note that this kind of spammer support can get you in many lists, too.

duly noted. I recognize that things may appear one way to one person,
and differently to another. I'm not justifying or asking for
justification. I'd just like to do what I can to get off the aspews
list. Especially since 2 of us here have worked very hard to make sure
that the bad guys are cleaned out and we're being as vigilant as possible.

I also know that aspews operates under their own unique parameters, and
they guarantee nothing. I get that they are aggressive in their
approach. Maybe its a once-housed-a-spammer, always-houses-spammer
proposition with them. If so, then I guess we are screwed. :( But if
that's not the rule there, then maybe I can work to get delisted. And
if we re-offend, we get listed again. That would seem to me logical,
but aspews ain't my shop to run or call to make.

Grant T.
og...@yahoo.com
972-805-0579

phil-new...@ipal.net

unread,
Aug 28, 2008, 1:59:50 PM8/28/08
to
On Thu, 28 Aug 2008 16:32:17 GMT Grant <og...@yahoo.com> wrote:
| phil-new...@ipal.net wrote:
|> How many addresses in your network are operated by customers (e.g they decide
|> what runs on the computer) but have your own domain name in the reverse DNS?
|
| Very few. If any. Typically a customer requests or sets their own PTR
| (since we delegate rDNS on blocks larger than /28)
|
|> BTW, a lot of the reverse DNS in your address spaces have domain names that
|> very strongly suggest (because of the radical marketing aspect) these are
|> being operated by spammers. They may not be sending the spam from your
|> network, but instead may be hosting the spamvertized website there. Do take
|> note that this kind of spammer support can get you in many lists, too.
|
| duly noted. I recognize that things may appear one way to one person,
| and differently to another. I'm not justifying or asking for
| justification. I'd just like to do what I can to get off the aspews
| list. Especially since 2 of us here have worked very hard to make sure
| that the bad guys are cleaned out and we're being as vigilant as possible.

Did you know you were on the UCEPROTECT list a few months ago? Was that a
customer that was kicked out?

2008-04-29.08:**:** vega postfix/smtpd[29612]: NOQUEUE: reject: RCPT from unknown[208.77.144.103]: 554 Service unavailable; Client host [208.77.144.103] blocked using dnsbl-1.uceprotect.net; IP 208.77.144.103 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=208.77.144.103; from=<***REDACTED***> to=<***REDACTED***> proto=SMTP helo=<mx4.zerogravityco.com>

Did that customer tell you their domain name was "zerogravityco.com"?

Note that the above redacted destination address a class B spamtrap. Those
are spamtraps that get blocked. Class A spamtraps don't get blocked. That
spamtrap address _never_ belonged to any user and _never_ verified that it
wanted any bulk email.

That address had no reverse DNS. There are other attempts to deliver email
that came from your network, many of which had no reverse DNS. What's up
with that? Having many such addresses that try to send email is a pattern
than can land you in many private blacklists. I'm considering start just
such a private list here, too.

Private lists are generally not published, provide no means for removal,
and often are permanent (none of this automatic removal after 7 years).


| I also know that aspews operates under their own unique parameters, and
| they guarantee nothing. I get that they are aggressive in their
| approach. Maybe its a once-housed-a-spammer, always-houses-spammer
| proposition with them. If so, then I guess we are screwed. :( But if
| that's not the rule there, then maybe I can work to get delisted. And
| if we re-offend, we get listed again. That would seem to me logical,
| but aspews ain't my shop to run or call to make.

It is likely they don't list until some threshhold is reached. It's more a
case of "spam-a-lot" leads to "spam-some-more". The more spam from a network,
the longer it takes to get a removal.

So who was spamming from 208.77.149.209 just a few days ago? That's yet
another address with no reverse DNS.

It seems spammers find your service attractive for some reason. Unless you
are in the business of specifically serving spammers, you should change things
so that spammers don't find your service attractive anymore. For example,
you can block outgoing connections to port 25 unless the customer provides a
valid hostname within _their_ domain name, and is a domain name in which the
public whois data matches the information they give to start the account, AND
you send by snailmail to that address a verification letter where they must
email back to you the authorization code in that letter for services to go on
beyond a 2 week period, or for services to allow large amounts of email, etc.

--
|WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
| by the abuse department, bellsouth.net is blocked. If you post to |
| Usenet from these places, find another Usenet provider ASAP. |
| Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |

--

phil-new...@ipal.net

unread,
Aug 28, 2008, 3:38:02 PM8/28/08
to
On Thu, 28 Aug 2008 16:32:17 GMT Grant <og...@yahoo.com> wrote:

| phil-new...@ipal.net wrote:
|> How many addresses in your network are operated by customers (e.g they decide
|> what runs on the computer) but have your own domain name in the reverse DNS?
|
| Very few. If any. Typically a customer requests or sets their own PTR
| (since we delegate rDNS on blocks larger than /28)

Look at 208.77.149.209. It's not delegated anywhere beyond your DNS server.
And your DNS server is not even answering authoritative for this. It's just
caching what it gets from the ARIN servers.

You need to get your reverse DNS working for ALL of your IP ranges, and have
either a customer delegation, or a customer data record, or your own data
record, or a dummy data record, or a valid NXDOMAIN response, set up for each
one.

--
|WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
| by the abuse department, bellsouth.net is blocked. If you post to |
| Usenet from these places, find another Usenet provider ASAP. |
| Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |

--

Grant

unread,
Aug 28, 2008, 7:28:07 PM8/28/08
to
phil-new...@ipal.net wrote:
> Did you know you were on the UCEPROTECT list a few months ago? Was that a
> customer that was kicked out?
>
> 2008-04-29.08:**:** vega postfix/smtpd[29612]: NOQUEUE: reject: RCPT from unknown[208.77.144.103]: 554 Service unavailable; Client host [208.77.144.103] blocked using dnsbl-1.uceprotect.net; IP 208.77.144.103 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=208.77.144.103; from=<***REDACTED***> to=<***REDACTED***> proto=SMTP helo=<mx4.zerogravityco.com>

Yes, this was a customer on 208.77.144.96/27. And yes their service
has been cancelled.

> Did that customer tell you their domain name was "zerogravityco.com"?

No.

> That address had no reverse DNS. There are other attempts to deliver email
> that came from your network, many of which had no reverse DNS. What's up
> with that?

Generally speaking, there are not PTR's on an IP unless [A] in the case
of a /28 or smaller, a customer has issued a request or [B] in the case
of a /27 or larger the customer has set up their own PTR.

Are you saying that every IP, regardless of status (ie: used / unused)
should return a PTR, and that would help with delisting or preventing a
listing from ASPEWS?

> So who was spamming from 208.77.149.209 just a few days ago? That's yet
> another address with no reverse DNS.

# whois 208.77.149.209
[Querying whois.arin.net]
[whois.arin.net]
VIRTBIZ Internet Services VIRTBIZ-DFW4 (NET-208-77-144-0-1)
208.77.144.0 - 208.77.151.255
DFW Broadband, LLC DFW-BB1 (NET-208-77-149-0-1)
208.77.149.0 - 208.77.149.255

A provider of DIA to businesses.

> It seems spammers find your service attractive for some reason. Unless you
> are in the business of specifically serving spammers, you should change things
> so that spammers don't find your service attractive anymore.

Maybe we are too inexpensive. LOL.
Seriously though, we acquired another company that had 208.77.144.0/21
and those customers. Then those blocks became our blocks. And their
problems became our problems. We have been addressing them as promptly
as possible while integrating them into our network.

> you send by snailmail to that address a verification letter where they must
> email back to you the authorization code in that letter for services to go on
> beyond a 2 week period, or for services to allow large amounts of email, etc.

That is interesting. I have never heard of such a thing from any other
provider. Are you aware of other companies instituting such a policy?

Grant T.
og...@yahoo.com
972-805-0579

Grant

unread,
Aug 29, 2008, 5:54:39 AM8/29/08
to
phil-new...@ipal.net wrote:
> On Thu, 28 Aug 2008 16:32:17 GMT Grant <og...@yahoo.com> wrote:
>
> | phil-new...@ipal.net wrote:
> |> How many addresses in your network are operated by customers (e.g they decide
> |> what runs on the computer) but have your own domain name in the reverse DNS?
> |
> | Very few. If any. Typically a customer requests or sets their own PTR
> | (since we delegate rDNS on blocks larger than /28)
>
> Look at 208.77.149.209. It's not delegated anywhere beyond your DNS server.
> And your DNS server is not even answering authoritative for this. It's just
> caching what it gets from the ARIN servers.

# whois 208.77.149.209


[Querying whois.arin.net]
[whois.arin.net]
VIRTBIZ Internet Services VIRTBIZ-DFW4 (NET-208-77-144-0-1)
208.77.144.0 - 208.77.151.255
DFW Broadband, LLC DFW-BB1 (NET-208-77-149-0-1)
208.77.149.0 - 208.77.149.255

> You need to get your reverse DNS working for ALL of your IP ranges, and have
> either a customer delegation, or a customer data record, or your own data
> record, or a dummy data record, or a valid NXDOMAIN response, set up for each
> one.

This customer has the /24. We leave it up to them to do the reverse if
they so choose. In this particular case, they're providing DIA to
end-users. I can run generic PTR's up the flagpole and see if that flys!

Grant T.
og...@yahoo.com
972-805-0579

Atro Tossavainen

unread,
Aug 29, 2008, 8:46:03 AM8/29/08
to
Grant <og...@yahoo.com> writes:

> We had a problem with spam.

Who are you?

--
Atro Tossavainen (Mr.) / The Institute of Biotechnology at
Systems Analyst, Techno-Amish & / the University of Helsinki, Finland,
+358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own.
< URL : http : / / www . helsinki . fi / %7E atossava / > NO FILE ATTACHMENTS

Steve Baker

unread,
Aug 29, 2008, 8:45:57 AM8/29/08
to
On Fri, 29 Aug 2008 09:54:39 GMT, Grant <og...@yahoo.com> wrote:

>> Look at 208.77.149.209. It's not delegated anywhere beyond your DNS server.
>> And your DNS server is not even answering authoritative for this. It's just
>> caching what it gets from the ARIN servers.
>
># whois 208.77.149.209
>[Querying whois.arin.net]
>[whois.arin.net]
>VIRTBIZ Internet Services VIRTBIZ-DFW4 (NET-208-77-144-0-1)
> 208.77.144.0 - 208.77.151.255
>DFW Broadband, LLC DFW-BB1 (NET-208-77-149-0-1)
> 208.77.149.0 - 208.77.149.255
>
>
>> You need to get your reverse DNS working for ALL of your IP ranges, and have
>> either a customer delegation, or a customer data record, or your own data
>> record, or a dummy data record, or a valid NXDOMAIN response, set up for each
>> one.
>
>This customer has the /24. We leave it up to them to do the reverse if
>they so choose. In this particular case, they're providing DIA to
>end-users. I can run generic PTR's up the flagpole and see if that flys!

DIA = Dynamic Internet Addresses? I'm no expert, and I'm not sure
it's relevant, but it seems like you guys are doing things in a *very*
odd way. You give referrals to NS records obtained from the parent
servers for PTR lookups. EG:

dig @NS1.VIRTBIZ.COM -x 209.77.149.209
..
;; QUESTION SECTION:
;209.149.77.209.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
77.209.in-addr.arpa. 26046 IN NS ns2.pbi.net.
77.209.in-addr.arpa. 26046 IN NS ns1.pbi.net.

;; ADDITIONAL SECTION:
ns1.pbi.net. 85455 IN A 206.13.28.11
ns2.pbi.net. 76316 IN A 206.13.29.11

You do the same thing for 208.77.149.209 (note 208 vs 209 in the
first octet), referring queries to your own nameservers. Which don't
answer authoritatively and don't offer up any PTR records, which
causes an endless loop of lookups.

dig @NS1.VIRTBIZ.COM -x 208.77.149.209
..
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;209.149.77.208.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
149.77.208.in-addr.arpa. 64471 IN NS NS2.VIRTBIZ.COM.
149.77.208.in-addr.arpa. 64471 IN NS NS1.VIRTBIZ.COM.

;; ADDITIONAL SECTION:
NS1.VIRTBIZ.COM. 86400 IN A 208.77.220.11
NS2.VIRTBIZ.COM. 86400 IN A 208.77.216.60

--
Steve Baker

phil-new...@ipal.net

unread,
Aug 29, 2008, 8:45:10 AM8/29/08
to
On Thu, 28 Aug 2008 23:28:07 GMT Grant <og...@yahoo.com> wrote:

| phil-new...@ipal.net wrote:

|> That address had no reverse DNS. There are other attempts to deliver email
|> that came from your network, many of which had no reverse DNS. What's up
|> with that?
|
| Generally speaking, there are not PTR's on an IP unless [A] in the case
| of a /28 or smaller, a customer has issued a request or [B] in the case
| of a /27 or larger the customer has set up their own PTR.
|
| Are you saying that every IP, regardless of status (ie: used / unused)
| should return a PTR, and that would help with delisting or preventing a
| listing from ASPEWS?

No. What I am saying is that every IP that exchanges mail via the SMTP
port (25) to MX hosts, should have a valid PTR record naming a hostname
that in a forward lookup yields A (or AAAA for IPv6) records where one
of them has that IP address ... AND the domain name of that hostname must
identify the customer, not the ISP.

Deviations from this, such as making SMTP connections from IPs without
a completely valid hostname, give that ISP the _appearance_ of hosting
spammers. This is because of a very high correlation between networks
that host spammers or spamvertised web sites, and bad DNS consistency.

My recommendation is:

1. Block connections to port 25 by default.
2. Host the PTR records for your customers by default.
3. If the customer specifically asks for reverse delegation for their
statically allocated addresses, provide that.
4. If the customer specifically asks for the port 25 block to be lifted,
or otherwise indicates they are running an outgoing mail server, then
ask them for the hostname for the PTR record, or if they delegate,
make sure they will provide a hostname. This is a good time to remind
them of your anti-spam AUP, and their obligation to ensure that their
network and computers are 100% secure from infiltrations and infections.
5. Check the PTR records of all IP addresses not SMTP blocked to be sure
the reverse DNS is valid (that the A records given when looking up the
hostname from the PTR record includes this IP). Run this check by an
automated script every week, and have it send you an email report that
lists all IP address which fail (after a few retries to be sure).


|> So who was spamming from 208.77.149.209 just a few days ago? That's yet
|> another address with no reverse DNS.
|
| # whois 208.77.149.209
| [Querying whois.arin.net]
| [whois.arin.net]
| VIRTBIZ Internet Services VIRTBIZ-DFW4 (NET-208-77-144-0-1)
| 208.77.144.0 - 208.77.151.255
| DFW Broadband, LLC DFW-BB1 (NET-208-77-149-0-1)
| 208.77.149.0 - 208.77.149.255
|
| A provider of DIA to businesses.

See my recommendations above. If an ISP is one of your customers, insist
they carry out the same recommendations.


|> It seems spammers find your service attractive for some reason. Unless you
|> are in the business of specifically serving spammers, you should change things
|> so that spammers don't find your service attractive anymore.
|
| Maybe we are too inexpensive. LOL.

Maybe. Everyone likes to use a less expensive provider. I do. I'm sure you
would. Spammers do, too (they get to keep a greater portion of ill-gotten
profits).


| Seriously though, we acquired another company that had 208.77.144.0/21
| and those customers. Then those blocks became our blocks. And their
| problems became our problems. We have been addressing them as promptly
| as possible while integrating them into our network.

See my recommendations above. But give them a few days warning time before
doing step #1, so they can notify you if they are running a mail server.


|> you send by snailmail to that address a verification letter where they must
|> email back to you the authorization code in that letter for services to go on
|> beyond a 2 week period, or for services to allow large amounts of email, etc.
|
| That is interesting. I have never heard of such a thing from any other
| provider. Are you aware of other companies instituting such a policy?

I am aware of a lot of companies that _need_ to do this. This step can be
skipped when your sales people visit the customer premise to make the sales
pitch or close the deal. The point is that you need to know, with absolute
100% confidence, exactly who your customers are. If you ever need to shut
out a customer, you don't want them sneaking back in under a false name.

Since you have been "easy for spammers" in the past, apparently, it might
take efforts like this to clean up your customer base.

--
|WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
| by the abuse department, bellsouth.net is blocked. If you post to |
| Usenet from these places, find another Usenet provider ASAP. |
| Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |

--

E-Mail Sent to this address will be added to the BlackLists

unread,
Aug 29, 2008, 10:22:34 AM8/29/08
to
Grant wrote:
> Are you saying that every IP, regardless of status
> (ie: used / unused) should return a PTR, and that would
> help with delisting or preventing a listing from ASPEWS?

Who knows exactly what criteria they are applying.


It might help some blacklists see the progression of the
IPs use, however I suspect most would not continually
check the rDNS, rather only as the IPs / CIDR got their
attention again.

e.g. rDNS goes from spammer.tld to ip4r.unassigned.ISP.tld
to ip4r.cust.ISP.tld to host.cust.tld
(hopefully with matching IP whois SWIP info).

Although it seems likely the same with no rDNS while
unused should be just about as useful

e.g. rDNS goes from spammer.tld to no rDNS to host.cust.tld
(hopefully with matching IP whois SWIP info).

However, if the outside sees IPs without rDNS emitting
spam; it seems they would be more likely to treat
all IPs from that ISP, that don't have any rDNS as
potential problem IPs.


If a _ISP_ _authorized_ SMTP server, is on a specific IP,
what _good_ reason would there be for it to not have
valid rDNS?

In general, it seems IPs with missing or inconsistent PTRs
are often BlackListed / Blocked at a much lower threshold.
(where it doesn't resolve IP -> smtp.domain.tld -> IP )


--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

phil-new...@ipal.net

unread,
Aug 30, 2008, 8:58:29 AM8/30/08
to

Unless your own network size is /16 (and you get a 2nd level delegation from
ARIN instead of the 3rd level any smaller subnet of /17 or longer gets), then
you CANNOT directly subdelegate the whole /24 all at once to a customer since
the delegation to you is in units of /24 already. You can only delegate a
new _label_ to another name server. Maybe an attempt to double delegate was
the cause of the problem I saw earlier.

If you need to delegate a /24 to a customer (that's a substantial customer if
they get a whole /24) then either do it like you would do a /25 or use one of
the CNAME tricks (google "cname delegate subnet").

I see that there is now a hosted PTR record for that address. At least it
works now.

209.149.77.208.in-addr.arpa. 3600 IN PTR 209-149-77-208.virtbiz.com.

I recommend using a SUBDOMAIN name for all your generic addresses (those that
might be dynamically allocated by whatever means, where it is not practical
to keep track of who is using it in DNS). Some networks block address by the
PARENT ZONE of any generic address (especially if it spammed them), and in
this case the parent zone is "virtbiz.com" (so they would end up blocking
your whole domain).

Examples of subdomains (you can pick your own names):

209-149-77-208.customer.virtbiz.com.
209-149-77-208.dyn.virtbiz.com.
209-149-77-208.dial.virtbiz.com.
209-149-77-208.unassigned.virtbiz.com.

I recommend a TTL of 1 to 3 full days (86400 to 259200). You have a TTL of
just one hour. Short TTLs "look spammy" because spammers have used that as
a means to juggle things around in real time to hide their origins. A short
TTL implies the semantics of "we may be changing this real soon now". The
only time you should have a short TTL is when a scheduled change is in fact
pending.

I suspect a short TTL will lower the threshold of getting on a list.

--
|WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
| by the abuse department, bellsouth.net is blocked. If you post to |
| Usenet from these places, find another Usenet provider ASAP. |
| Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |

--

Grant

unread,
Aug 30, 2008, 6:14:21 PM8/30/08
to
phil-new...@ipal.net wrote:
> I recommend using a SUBDOMAIN name for all your generic addresses (those that
> might be dynamically allocated by whatever means, where it is not practical
> to keep track of who is using it in DNS). Some networks block address by the
> PARENT ZONE of any generic address (especially if it spammed them), and in
> this case the parent zone is "virtbiz.com" (so they would end up blocking
> your whole domain).

That's an excellent recommendation. I see no reason NOT to implement
that right away. Thanks.

> I recommend a TTL of 1 to 3 full days (86400 to 259200). You have a TTL of
> just one hour. Short TTLs "look spammy" because spammers have used that as
> a means to juggle things around in real time to hide their origins. A short
> TTL implies the semantics of "we may be changing this real soon now". The
> only time you should have a short TTL is when a scheduled change is in fact
> pending.
>
> I suspect a short TTL will lower the threshold of getting on a list.

Yeah - Agreed. That could be done, as well, you are correct.

Thanks, Phil.

Grant T.
og...@yahoo.com
972-805-0579

0 new messages