Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

UCEPROTECT: Listing Policy Questions

4 views
Skip to first unread message

Thomas Krieger

unread,
Aug 24, 2008, 7:02:46 AM8/24/08
to
Hello,

I have a few questions about listing policy on uceprotect.

The following happend:

One of our mailsever users sent 4 mails to an non existing account of a
german institution using uceprotect. We therefore get blacklisted after the
first mail. I can not decide if the mail address was misspelled or
completely wrong but I think that does not matter anywhere. Mails to
misspelled or not existing email addresses are not spam in my opinion. And
blacklisting for that is never justified unless there is a huge number of
mails sent to not existing accounts from the same server.

After getting listed I want to complain about the listing at the postmaster
account of the institution. But the account does not exist resulting in
another blacklisting (in fact I was listed not 7 days but 10). According to
the RFCs a postmaster account must exist. Therefore I think its very
strange to get blacklisted for that.

My questions:
How to deal with this situation? The postmaster of the institution is not
reachable by mail because the postmaster account does not exist and mails
to other accounts are blocked because of the blacklisting. Ok you can
advice to use phone, facsimile or snail mail. But that make the situation
not even better.

What about the listing policy of uceprotect dealing with accounts not
existing? Especially when the postmaster account does not exist.

Is there anyone at uceprotect who checks the listings? Becoming listed due
to mails to a not existing postmaster account is never justified in my
opinion! Also no mailserver admin can take care about misspelled email
addresses or invalid email addresses.

How to deal with unjustified listings at uceprotect? As I wrote before,
getting listed for such minor facts is never justified in my opinion. And
its not worth to wait 7 days until delisting takes place automatically. If
another mailserver user sends a mail with a wrong or misspelled email
address to the institution the blacklisting will, as far as I can see,
never run out.

Kind regards

Thomas

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.

h.z...@uceprotect.net

unread,
Aug 24, 2008, 12:56:27 PM8/24/08
to
On 24 Aug., 13:02, Thomas Krieger <t...@tom-krieger.de> wrote:
> Hello,
>
> I have a few questions about listing policy on uceprotect.
>
> The following happend:
>
> One of our mailsever users sent 4 mails to an non existing account of a
> german institution using uceprotect. We therefore get blacklisted after the
> first mail. I can not decide if the mail address was misspelled or
> completely wrong but I think that does not matter anywhere. Mails to
> misspelled or not existing email addresses are not spam in my opinion. And
> blacklisting for that is never justified unless there is a huge number of
> mails sent to not existing accounts from the same server.

As long as your PTR is set and consistent and you are not operating
your system on a DSL-Line, it is impossible to get listed for hitting
an invalid address only.
If that address is defined as spamtrap, then there is a chance to end
up in the list if you get reported from multiple systems only.
You will have to provide your IP, otherwise I can't investigate what
really caused your listing.

> After getting listed I want to complain about the listing at the postmaster
> account of the institution. But the account does not exist resulting in
> another blacklisting (in fact I was listed not 7 days but 10). According to
> the RFCs a postmaster account must exist. Therefore I think its very
> strange to get blacklisted for that.

If they are not accepting mails to postmaster, I would nominate them
at rfc-ignorant.org.

Heidi Zink
UCEPROTECT-Network
Blacklistmaster of the day

Christoph Weber-Fahr

unread,
Aug 27, 2008, 2:43:47 PM8/27/08
to
h.z...@uceprotect.net wrote:

> As long as your PTR is set and consistent and you are not operating
> your system on a DSL-Line, it is impossible to get listed for hitting
> an invalid address only.

Hmm. Does that mean you are classifying completely legitimate traffic
from DSL lines as spam just because they operate an MTA and deliver
directly?

I understand that blocking such traffic is considered acceptable
as a heuristic measure - but blocking something and classifying it
as spam for the purpose of maintaining blacklists (and thus
blacklisting potentially, whole networks or ISPs) is a completely
different ballgame.

Regards

Christoph Weber-Fahr

E-Mail Sent to this address will be added to the BlackLists

unread,
Aug 27, 2008, 10:52:16 PM8/27/08
to
Christoph Weber-Fahr wrote:
> h.z...@uceprotect.net wrote:
>
>> As long as your PTR is set and consistent and you are not
>> operating your system on a DSL-Line, it is impossible to
>> get listed for hitting an invalid address only.
> -------------------------------

>
> Hmm. Does that mean you are classifying completely
> legitimate traffic from DSL lines as spam just because
> they operate an MTA and deliver directly?

That does not appear to be what they said.


> I understand that blocking such traffic is considered
> acceptable as a heuristic measure - but blocking something
> and classifying it as spam for the purpose of maintaining
> blacklists (and thus blacklisting potentially, whole
> networks or ISPs) is a completely different ballgame.

In the example above, they would have to have a
inconsistent PTR, or look like a "DSL-Line"
(whatever that is defined as by UCEPROTECT)
and be hitting invalid addresses?

Why would anyones mail server be hitting invalid addresses
at domains running UCEPROTECT appliances very often?

Why would doing so not look like a dictionary attack?


I think what you chopped out also matters.

>> If that address is defined as spamtrap, then there is a
>> chance to end up in the list if you get reported from
>> multiple systems only.


--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

Seth

unread,
Aug 28, 2008, 7:33:52 AM8/28/08
to
In article <48b5876f$0$1065$9b4e...@newsspool3.arcor-online.net>,

Christoph Weber-Fahr <we...@gmx.de> wrote:
>h.z...@uceprotect.net wrote:
>
>> As long as your PTR is set and consistent and you are not operating
>> your system on a DSL-Line, it is impossible to get listed for hitting
>> an invalid address only.
>
>Hmm. Does that mean you are classifying completely legitimate traffic
>from DSL lines as spam just because they operate an MTA and deliver
>directly?

They also have to hit one of the spamtrap addresses. "Completely
legitimate traffic" wouldn't do that.

Seth

phil-new...@ipal.net

unread,
Aug 28, 2008, 7:36:08 AM8/28/08
to
On Wed, 27 Aug 2008 18:43:47 GMT Christoph Weber-Fahr <we...@gmx.de> wrote:
| h.z...@uceprotect.net wrote:
|
|> As long as your PTR is set and consistent and you are not operating
|> your system on a DSL-Line, it is impossible to get listed for hitting
|> an invalid address only.
|
| Hmm. Does that mean you are classifying completely legitimate traffic
| from DSL lines as spam just because they operate an MTA and deliver
| directly?

A very large number of networks blocks such traffic without the need for
UCEPROTECT to have listed it. There are many reasons why this is done and
they are not all the same. The purpose for which I block them is that the
domain name associated with the IP address does not reflect the operator
of the computer involved. I have referred to these as "generic". It has
nothing to do with the IP layer access technology. It doesn't matter if
it is dialup, DSL, ethernet or OC-192. What matters to me is whether the
hostname is that of the customer who runs the machine, or the ISP that
does not.

FYI, I do such blocking on a "parent zone" basis. That is, the part of the
hostname just beyond the obvious delineation between many addresses is what
I use. ISPs that put all their generic addresses in a SUBdomain will find
that SUBdomain is blocked. Those that leave their registered domain as the
parent zone for their generic addresses will have THAT name blocked. They
always have the choice at any time to fix it (a few have done so once the
reasoning is explained to them).

My point: even if your talk UCEPROTECT into not including these in their
list (which I doubt you will achieve), you've really gained very little.

The world wants to accept email ONLY from addresses that can distinguish
themselves above the riff-raff.


| I understand that blocking such traffic is considered acceptable
| as a heuristic measure - but blocking something and classifying it
| as spam for the purpose of maintaining blacklists (and thus
| blacklisting potentially, whole networks or ISPs) is a completely
| different ballgame.

Blacklists consists of IP addresses, network addresses, host names, or domain
names. These entities are not themselves spam. What they may be classified
as are _sources_ of spam. This is just a pedantic point of semantics. But
it important to understand that what is being blocked (or quarantined as the
case may be) is not spam per se, but the well known sources of spam. Generic
addresses are well known to be a huge source of spam that does not appear to
be mitigated in any way by virtually all ISPs.

Get a real server. There are a lot of options.

--
|WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
| by the abuse department, bellsouth.net is blocked. If you post to |
| Usenet from these places, find another Usenet provider ASAP. |
| Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |

Thomas Krieger

unread,
Aug 28, 2008, 10:48:16 AM8/28/08
to
E-Mail Sent to this address will be added to the BlackLists wrote:

> Christoph Weber-Fahr wrote:
>> h.z...@uceprotect.net wrote:
>>
>>> As long as your PTR is set and consistent and you are not
>>> operating your system on a DSL-Line, it is impossible to
>>> get listed for hitting an invalid address only.
>> -------------------------------
>>
>> Hmm. Does that mean you are classifying completely
>> legitimate traffic from DSL lines as spam just because
>> they operate an MTA and deliver directly?
>
> That does not appear to be what they said.
>
>
>> I understand that blocking such traffic is considered
>> acceptable as a heuristic measure - but blocking something
>> and classifying it as spam for the purpose of maintaining
>> blacklists (and thus blacklisting potentially, whole
>> networks or ISPs) is a completely different ballgame.
>
> In the example above, they would have to have a
> inconsistent PTR, or look like a "DSL-Line"
> (whatever that is defined as by UCEPROTECT)
> and be hitting invalid addresses?

The case I posted PTR is consistent and its our own class c network not
looking like a dsl line.

> Why would anyones mail server be hitting invalid addresses
> at domains running UCEPROTECT appliances very often?

A few reasons to be continued ...

1. the user has got an invalid address and is not experienced in
reading bounces (in my case that is the reason for hitting four or
five times the same address)

2. the user is writing to a former existing email address not knowing
about that the employee has left the company (and the mail address is a
spam trap now)

3. writing an email to a postmaster account which does not exist
(was a reason in my case to prolong listing)

> Why would doing so not look like a dictionary attack?

A dictionary attack will try many diffrent email addresses not always the
same address.

Thomas

h.z...@uceprotect.net

unread,
Aug 28, 2008, 11:20:09 AM8/28/08
to
On 27 Aug., 20:43, Christoph Weber-Fahr <we...@gmx.de> wrote:
> h.z...@uceprotect.net wrote:
> > As long as your PTR is set and consistent and you are not operating
> > your system on a DSL-Line, it is impossible to get listed for hitting
> > an invalid address only.
>
> Hmm. Does that mean you are classifying completely legitimate traffic
> from DSL lines as spam just because they operate an MTA and deliver
> directly?

That is not correct. Dialups just have a significantly lower listing
threshold.
See here: http://www.uceprotect.net/en/index.php?m=3&s=3

Heidi Zink
UCEPROTECT-Network
Blacklistmaster of the day

--

0 new messages