On Tue, 22 May 2007 11:22:20 GMT ***@harkless.org wrote:
| On May 21, 4:08 pm, Phil Howard wrote:
|>
|> I believe you will find that pretty much all DSL and cable providers
|> fall into the same category: they skimp on costs they should bear the
|> burden for, as I detailed, which passes those costs on to the victims
|> of the abuses from their network they fail to control.
|>
|> I share your concern about shared hosting. I wouldn't go that route.
|> But somehow you need to move up out of the rut you are in, and it is
|> very likely that no DSL/cable options will achieve that.
|>
|> How much of your traffic is outbound email?
|
| I don't have detailed stats at hand, but yeah, probably not that large
| a percentage. I don't monitor how much bandwidth my users (friends
| and family) use, though, and they may be using "email as a file
| transfer protocol" for large files. I would hate to have to restrict
| them.
|
|> Another option, if that
|> traffic level is smaller, is to get an ISDN or dialup service from a
|> different provider. Otherwise, finding a colocation or dedicated
|> hosting provider remains your big option.
|
| I like my email to go out as instantly as possible (another reason I
| don't like having to take an unnecessary hop through ISP mailservers),
| so dialup wouldn't be a good solution. ISDN from someone other than
| my phone company? I didn't realize that was possible. Tried to do
| some searching just now and I'm not seeing any such providers. AT&T
| requires you to call if you're ordering ISDN and doesn't list prices
| online, but last I knew, several years ago, ISDN was a lot more
| expensive than DSL (despite the much slower speeds). If that's still
| the case, co-lo or dedicated hosting would seem a better use of money.

The number of providers is dropping. But a great many still offer that
as a backup means. ISDN is just a switched network that happens to be
digitally interfaced. It's a circuit (64kbps) or two (128kbps) that is
directly feeding the underlying switched circuit for voice calls in the
traditional call switching networks.
These services can generally be operated nailed-up, too. Analog dialup
is essentially the same, but you get a slower speed (and the other end
has to have a modem, too, which may not exist for some ISPs).

|> I'm not expecting any lists that list big provider blocks to be cutting
|> any holes. If they do, they would have to for everyone else who makes
|> the same claims as you do, and there is a huge list of that. They would
|> end up having to expend a huge cost burden to carry out verifications of
|> such requests.
|
| The dynablock.njabl.org (recently deprecated in favor of:),
| pbl.spamhaus.org, dul.dnsbl.sorbs.net, and dhcp.tqmcube.com DNSBLs
| (and others, I believe) all list large ISP netblocks yet provide the
| ability for server owners to get their IPs excluded. It appears
| they've been able to successfully manage the potential costs of the
| verification (e.g. through automation).

I was thinking of starting a blacklist of my own that just lists the
whole internet :-) Then I'd punch out holes for whoever asks :-)

|> Charging to be exempted from such a listing would sure
|> be seen as a conflict of interest, and possibly illegal.
|
| I note that uceprotect.net charges to be removed, but that's only if
| you want to be removed immediately, and their system drops entries
| automatically after 7 days (assuming no more spam from an IP hitting
| the spamtraps).

Right. And I like that idea.

|> Otherwise it is just entirely impractical to do that.
|
| Apparently it's not -- see the DNSBLs I mentioned above (which do not
| charge for removal).

I'll check them out. I don't know if I'll ever be able to test their
hole drilling procedures, though.

|> What I am doing with my own lists (not publicly available right now)
|> is listing by domain NAME, rather than IP address. The effect of such
|> a list is that your correctly rDNS'd addresses would not be affected
|> unless and until your own domain somehow got listed. If those who have
|> the resources to operate a worldwide public DNSBL were convinced to run
|> a list that used names like that, maybe it would become more popular
|> to use instead of lists based on IP address. So maybe you might want
|> to take the position of supporting that concept.
|
| At first blush, that sounds like RHSBLs, which are indeed offered by a
| number of public providers. Of course the problem with them is that
| spammers can evade them by forging the envelope From domain and not
| all domains publish SPF (or similar) records to deal with the forging
| problem.

They cannot forge the verification of rDNS very easily. That's what my
idea would be based on.

| But since you mention rDNS, perhaps you're talking about a list that
| checks to see if the IP address of the sending SMTP server resolves to
| a domain that's listed? How do you deal with forged rDNS? Require
| reverse and forward lookup to match? How do you allow for virtual
| hosting on the same IP? And what about spammer servers that have no
| rDNS? Also, do you only support domain names, or full hostnames? If
| the former, I guess you have no way of listing one rogue server inside
| verizon.net without blocking the entire domain?

The end user would have to enable the rDNS check to make it work right.
That would be a good idea even if the list wasn't used. If rDNS does
not validate, the mail should be rejected unless a specific whitelist
over that is applicable (I do have a few sender email addresses listed
that can override rDNS failures).

|> | I dunno, other DNSBLs are able to make IP exceptions work. It's
|> | generally pretty automated.
|>
|> How do they verify that a request for exception is valid (e.g. does not
|> meet the criteria that the rest of the large enclosing subnet does meet)?
|
| I'm not sure -- not all of them publish exactly how it works (perhaps
| to help avoid abuse). Here's what the SORBS DUHL requires:
|
| We also operate a self-help exclusion interface that allows the
| owner of a system to quickly exclude a single IP address (or, in
| some cases, multiple IP addresses) from the DUHL. For this to
| be possible, the following criteria need to be met:
|
| * The MX record of a domain needs to contain a host name
| that maps to the IP address involved. The Time to Live of
| the MX record needs to be at least 43200 seconds.
| * The A record for the host name needs to have a TTL of at
| least 43200 seconds.
| * The reverse DNS PTR record for the IP address involved
| needs to map back to the name given in the MX record,
| and to have a TTL of at least 43200 seconds.
| * If there are multiple MX entries, these rules apply to them
| all.

Sounds like they might want to have the same effect as name-based.
This might work. Maybe for them and maybe not for APEWS.
So I'll think about what I might do to create a white-only list that
works that way.

| No doubt they also have stuff in place to block exclusion requests if
| the requester is found to be spamming.
|> Find a provider that fully understands APEWS (and SPEWS).
|
| Sounds easier said than done. Even if such providers are around, I
| probably won't usually be able to get access to the people on staff
| who have that understanding.

You might be surprised, especially at the smaller ISPs.

|> Talk with the
|> candidate providers about this and see what they say. Be sure to avoid
|> those who say things like "we can't control who lists us where" as that
|> can either be weaseling to avoid a commitment they know they cannot make,
|> or just plain ignorance about the whole issue. Ask for a contract that
|> states that during any time either your IP space, or any other space at
|> least /24 in size, is listed in APEWS (or any other list you itemize and
|> agree to in the contract), then your cost is reduced to some substantially
|> low percentage, and the contract cannot be terminated early by them during
|> that period (unless they can show you were the spammer, which we assume
|> is something they will never be able to do).
|
| It's an interesting thought, but I really doubt I'd have the leverage
| to get them to agree to that kind of risk ("What, some faceless entity
| that can't be contacted lists some IP space that includes us on some
| whim and you no longer have to pay us enough to cover our costs? I
| don't think so."), especially since I'd of necessity have to go with
| one of the lower-cost providers (and packages).

Then you will need to keep yourself agile, mobile.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2007-05-22-***@ipal.net |
|------------------------------------/-------------------------------------|
--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.
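As an added example, not code from this thread or from SORBS, here is an offline checker for the DUHL self-help exclusion criteria quoted above (MX host maps to the IP, PTR maps back to that MX name, all three records with TTL of at least 43200 seconds), which is also the forward-confirmed rDNS check Phil describes. The DNS data is a constructed in-memory zone and the `lookup` callback is an assumption standing in for a real resolver.

```python
from ipaddress import ip_address
from typing import Callable, List, Tuple

MIN_TTL = 43200  # seconds; the minimum stated in the quoted DUHL criteria

# A lookup takes (name, rtype) and returns [(rdata, ttl), ...], [] if none.
# Assumed interface: a real deployment would wrap a DNS library here.
Lookup = Callable[[str, str], List[Tuple[str, int]]]


def check_exclusion(domain: str, ip: str, lookup: Lookup) -> List[str]:
    """Apply the quoted criteria to (domain, ip). Returns failure messages;
    an empty list means the IP would qualify for self-help exclusion."""
    failures: List[str] = []
    mxs = lookup(domain, "MX")
    if not mxs:
        return [f"{domain}: no MX records"]
    hosts_for_ip = set()
    for mx_host, mx_ttl in mxs:  # the rules apply to every MX entry
        if mx_ttl < MIN_TTL:
            failures.append(f"MX {mx_host}: TTL {mx_ttl} < {MIN_TTL}")
        for addr, a_ttl in lookup(mx_host, "A"):
            if a_ttl < MIN_TTL:
                failures.append(f"A {mx_host}: TTL {a_ttl} < {MIN_TTL}")
            if addr == ip:
                hosts_for_ip.add(mx_host)
    if not hosts_for_ip:
        failures.append(f"no MX host of {domain} has an A record for {ip}")
    # PTR must point back to an MX host that maps to the IP (forward-confirmed)
    ptrs = lookup(ip_address(ip).reverse_pointer, "PTR")
    if not any(name in hosts_for_ip for name, _ in ptrs):
        failures.append(f"PTR for {ip} does not name a matching MX host")
    for name, ptr_ttl in ptrs:
        if ptr_ttl < MIN_TTL:
            failures.append(f"PTR {name}: TTL {ptr_ttl} < {MIN_TTL}")
    return failures


# Constructed zone data (documentation addresses): one compliant setup and
# one that looks like a dynamic-pool host with short TTLs and generic rDNS.
ZONE = {
    ("example.net", "MX"): [("mail.example.net", 86400)],
    ("mail.example.net", "A"): [("192.0.2.25", 86400)],
    ("25.2.0.192.in-addr.arpa", "PTR"): [("mail.example.net", 86400)],
    ("example.org", "MX"): [("mx.example.org", 3600)],
    ("mx.example.org", "A"): [("198.51.100.7", 3600)],
    ("7.100.51.198.in-addr.arpa", "PTR"): [("dhcp-7.isp.example", 86400)],
}


def zone_lookup(name: str, rtype: str) -> List[Tuple[str, int]]:
    """Offline stand-in for a resolver; names are compared case-insensitively."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])
```

Running `check_exclusion("example.org", "198.51.100.7", zone_lookup)` reports three failures (short MX and A TTLs, and a PTR that does not name the MX host), while the example.net host passes every criterion.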