Avoiding spam blacklists

Avoiding spam blacklists

Alice Wonder
Virtual machine for a web application, it is still in testing.

reverse DNS is properly set up.
Postfix only listens on the local host.
Linux firewall drops anything not to port 80, 443, or a custom high
number port I use for SSH.

This postfix is not an open relay, or a relay for anything on the
Internet, it only exists so the web application can send e-mail.

SPF for the domain is correctly set up, DKIM for the host is correctly
set up, when it sends an e-mail and I inspect it - it passes the rDNS,
SPF, and DKIM checks.

So far it has only sent e-mails to addresses I control as the web
application is still in testing.

Yet yesterday the IP address ended up on Spamhaus blacklist.

I am 100% confident that no one else was sending e-mail from that IP
address, I'm a bit puzzled as to how the IP address got added to the
blacklist, but I was told that Spamhaus sometimes just adds an entire
subnet if more than one IP on the subnet was sending spam, and that's
probably what happened.

I think that is irresponsible of Spamhaus if that is what they are
doing, but is there something more I can do other than correct rDNS,
SPF, and DKIM to avoid getting on a blacklist?

Re: Avoiding spam blacklists

Dominic Raferd
Is your mailserver's external IP static or dynamic? I am afraid that
mail servers from dynamic IPs always get listed as spambots even when
using SPF, DKIM, correct rDNS etc. The solutions in this case are
either to get your ISP to allocate to you a static IP (not all ISPs
offer this however), set up another mail server at a new location with
static IP (e.g. VPS), or use a relayhost through which Postfix can
send your outgoing mails. Usually your ISP will provide a relayhost.
This relayhost won't be bothered that you are sending from a dynamic
IP and the servers onto which it sends your mails will be concerned
about the relayhost's IP (which will be static), not yours.

On 28 December 2016 at 07:32, Alice Wonder <[hidden email]> wrote:

> Virtual machine for a web application, it is still in testing.
>
> reverse DNS is properly set up.
> Postfix only listens on the local host.
> Linux firewall drops anything not to port 80, 443, or a custom high number
> port I use for SSH.
>
> This postfix is not an open relay, or a relay for anything on the Internet,
> it only exists so the web application can send e-mail.
>
> SPF for the domain is correctly set up, DKIM for the host is correctly set
> up, when it sends an e-mail and I inspect it - it passes the rDNS, SPF, and
> DKIM checks.
>
> So far it has only sent e-mails to addresses I control as the web
> application is still in testing.
>
> Yet yesterday the IP address ended up on Spamhaus blacklist.
>
> I am 100% confident that no one else was sending e-mail from that IP
> address, I'm a bit puzzled as to how the IP address got added to the
> blacklist, but I was told that Spamhaus sometimes just adds an entire subnet
> if more than one IP on the subnet was sending spam, and that's probably what
> happened.
>
> I think that is irresponsible of Spamhaus if that is what they are doing,
> but is there something more I can do other than correct rDNS, SPF, and DKIM
> to avoid getting on a blacklist?

Re: Avoiding spam blacklists

John Fawcett
In reply to this post by Alice Wonder
On 12/28/2016 08:32 AM, Alice Wonder wrote:

> Virtual machine for a web application, it is still in testing.
>
> reverse DNS is properly set up.
> Postfix only listens on the local host.
> Linux firewall drops anything not to port 80, 443, or a custom high
> number port I use for SSH.
>
> This postfix is not an open relay, or a relay for anything on the
> Internet, it only exists so the web application can send e-mail.
>
> SPF for the domain is correctly set up, DKIM for the host is correctly
> set up, when it sends an e-mail and I inspect it - it passes the rDNS,
> SPF, and DKIM checks.
>
> So far it has only sent e-mails to addresses I control as the web
> application is still in testing.
>
> Yet yesterday the IP address ended up on Spamhaus blacklist.
>
> I am 100% confident that no one else was sending e-mail from that IP
> address, I'm a bit puzzled as to how the IP address got added to the
> blacklist, but I was told that Spamhaus sometimes just adds an entire
> subnet if more than one IP on the subnet was sending spam, and that's
> probably what happened.
>
> I think that is irresponsible of Spamhaus if that is what they are
> doing, but is there something more I can do other than correct rDNS,
> SPF, and DKIM to avoid getting on a blacklist?

If you know which of the Spamhaus lists it was, you can check out its
policy. Each list has its own specific criteria. Also, if you were
recently assigned the IP, the listing may predate your activity.

John


Re: Avoiding spam blacklists

Alice Wonder
On 12/28/2016 12:28 AM, John Fawcett wrote:

> On 12/28/2016 08:32 AM, Alice Wonder wrote:
>> Virtual machine for a web application, it is still in testing.
>>
>> reverse DNS is properly set up.
>> Postfix only listens on the local host.
>> Linux firewall drops anything not to port 80, 443, or a custom high
>> number port I use for SSH.
>>
>> This postfix is not an open relay, or a relay for anything on the
>> Internet, it only exists so the web application can send e-mail.
>>
>> SPF for the domain is correctly set up, DKIM for the host is correctly
>> set up, when it sends an e-mail and I inspect it - it passes the rDNS,
>> SPF, and DKIM checks.
>>
>> So far it has only sent e-mails to addresses I control as the web
>> application is still in testing.
>>
>> Yet yesterday the IP address ended up on Spamhaus blacklist.
>>
>> I am 100% confident that no one else was sending e-mail from that IP
>> address, I'm a bit puzzled as to how the IP address got added to the
>> blacklist, but I was told that Spamhaus sometimes just adds an entire
>> subnet if more than one IP on the subnet was sending spam, and that's
>> probably what happened.
>>
>> I think that is irresponsible of Spamhaus if that is what they are
>> doing, but is there something more I can do other than correct rDNS,
>> SPF, and DKIM to avoid getting on a blacklist?
>
> if you know which of the spamhaus lists it was you can check out its
> policy. Each list has its own specific criteria. Also if you were
> recently assigned the ip the listing may predate your activity.
>
> John
>

The IP is relatively new to me, about two months, but it was not on the
list before as I use Spamhaus on my other mail servers and mail from it
was not being rejected until yesterday.

I did go through the manual removal process and that worked, but I'm
worried about it happening again.

Re: Avoiding spam blacklists

Alice Wonder
In reply to this post by Dominic Raferd
Static IP, Linode. Only the IPv6 was listed, the IPv4 was not, but it
seems that postfix usually chooses IPv6 when the receiving MX resolves
on IPv6. And that's probably the correct behavior.

On 12/28/2016 12:18 AM, Dominic Raferd wrote:

> Is your mailserver's external ip static or dynamic? I am afraid that
> mail servers from dynamic ips always get listed as spambots even when
> using SPF, DKIM, correct rDNS etc. The solutions in this case are
> either to get your isp to allocate to you a static ip (not all isps
> offer this however), set up another mail server at a new location with
> static ip (e.g. vps), or use a relayhost through which postfix can
> send your outgoing mails. Usually your isp will provide a relayhost.
> This relayhost won't be bothered that you are sending from a dynamic
> ip and the servers onto which it sends your mails will be concerned
> about the relayhost's ip (which will be static), not yours.
>
> On 28 December 2016 at 07:32, Alice Wonder <[hidden email]> wrote:
>> Virtual machine for a web application, it is still in testing.
>>
>> reverse DNS is properly set up.
>> Postfix only listens on the local host.
>> Linux firewall drops anything not to port 80, 443, or a custom high number
>> port I use for SSH.
>>
>> This postfix is not an open relay, or a relay for anything on the Internet,
>> it only exists so the web application can send e-mail.
>>
>> SPF for the domain is correctly set up, DKIM for the host is correctly set
>> up, when it sends an e-mail and I inspect it - it passes the rDNS, SPF, and
>> DKIM checks.
>>
>> So far it has only sent e-mails to addresses I control as the web
>> application is still in testing.
>>
>> Yet yesterday the IP address ended up on Spamhaus blacklist.
>>
>> I am 100% confident that no one else was sending e-mail from that IP
>> address, I'm a bit puzzled as to how the IP address got added to the
>> blacklist, but I was told that Spamhaus sometimes just adds an entire subnet
>> if more than one IP on the subnet was sending spam, and that's probably what
>> happened.
>>
>> I think that is irresponsible of Spamhaus if that is what they are doing,
>> but is there something more I can do other than correct rDNS, SPF, and DKIM
>> to avoid getting on a blacklist?


Re: Avoiding spam blacklists

lists@lazygranch.com
In reply to this post by Alice Wonder
I'm on Digital Ocean, which is basically similar to Linode. You can just get a new IP and maybe have better luck. That is employ the "V" in VPS.  For a brief period you will be charged for two VPS. Digital Ocean charges by the hour (like a seedy motel). Probably Linode is similar.

The reason I haven't done this myself is I need to do the DNS setup again for the new IP. I'm on a seldom used RBL called spamrl.com. Truly incompetent organization. I tell them that I'm clear on 90+ RBLs, but they don't care. Their system is perfect. ;-) But I can pay 20€ a month to be on a white list! Spamrl.com isn't even on the mxtool checker. 


  Original Message  
From: Alice Wonder
Sent: Tuesday, December 27, 2016 11:32 PM
To: Postfix users
Subject: Avoiding spam blacklists

Virtual machine for a web application, it is still in testing.

reverse DNS is properly set up.
Postfix only listens on the local host.
Linux firewall drops anything not to port 80, 443, or a custom high
number port I use for SSH.

This postfix is not an open relay, or a relay for anything on the
Internet, it only exists so the web application can send e-mail.

SPF for the domain is correctly set up, DKIM for the host is correctly
set up, when it sends an e-mail and I inspect it - it passes the rDNS,
SPF, and DKIM checks.

So far it has only sent e-mails to addresses I control as the web
application is still in testing.

Yet yesterday the IP address ended up on Spamhaus blacklist.

I am 100% confident that no one else was sending e-mail from that IP
address, I'm a bit puzzled as to how the IP address got added to the
blacklist, but I was told that Spamhaus sometimes just adds an entire
subnet if more than one IP on the subnet was sending spam, and that's
probably what happened.

I think that is irresponsible of Spamhaus if that is what they are
doing, but is there something more I can do other than correct rDNS,
SPF, and DKIM to avoid getting on a blacklist?

Re: Avoiding spam blacklists

Wietse Venema
In reply to this post by Alice Wonder
Alice Wonder:
> Static IP, Linode. Only the IPv6 was listed, the IPv4 was not, but it
> seems that postfix usually chooses IPv6 when the receiving MX resolves
> on IPv6. And that's probably the correct behavior.

smtp_address_preference (default: any)
        ...
       Postfix  SMTP  client  address preference has evolved. With Postfix 2.8
       the default is "ipv6"; earlier implementations are hard-coded to prefer
       IPv6 over IPv4.

The reason to use "any" is so that mail won't get stuck, as long as
at least one IP protocol (Postfix mission is to deliver mail, not
to enforce preferences for a specific protocol).

        Wietse

Re: Avoiding spam blacklists

John Fawcett
In reply to this post by Alice Wonder
On 12/28/2016 09:36 AM, Alice Wonder wrote:

> On 12/28/2016 12:28 AM, John Fawcett wrote:
>> On 12/28/2016 08:32 AM, Alice Wonder wrote:
>>> Virtual machine for a web application, it is still in testing.
>>>
>>> reverse DNS is properly set up.
>>> Postfix only listens on the local host.
>>> Linux firewall drops anything not to port 80, 443, or a custom high
>>> number port I use for SSH.
>>>
>>> This postfix is not an open relay, or a relay for anything on the
>>> Internet, it only exists so the web application can send e-mail.
>>>
>>> SPF for the domain is correctly set up, DKIM for the host is correctly
>>> set up, when it sends an e-mail and I inspect it - it passes the rDNS,
>>> SPF, and DKIM checks.
>>>
>>> So far it has only sent e-mails to addresses I control as the web
>>> application is still in testing.
>>>
>>> Yet yesterday the IP address ended up on Spamhaus blacklist.
>>>
>>> I am 100% confident that no one else was sending e-mail from that IP
>>> address, I'm a bit puzzled as to how the IP address got added to the
>>> blacklist, but I was told that Spamhaus sometimes just adds an entire
>>> subnet if more than one IP on the subnet was sending spam, and that's
>>> probably what happened.
>>>
>>> I think that is irresponsible of Spamhaus if that is what they are
>>> doing, but is there something more I can do other than correct rDNS,
>>> SPF, and DKIM to avoid getting on a blacklist?
>>
>> if you know which of the spamhaus lists it was you can check out its
>> policy. Each list has its own specific criteria. Also if you were
>> recently assigned the ip the listing may predate your activity.
>>
>> John
>>
>
> The IP is relatively new to me, about two months, but it was not on
> the list before as I use Spamhaus on my other mail servers and mail
> from it was not being rejected until yesterday.
>
> I did go through the manual removal process and that worked, but I'm
> worried about it happening again.

One thing that is worth noting is that blocking of IPv6 addresses is
going to be done generally not at the lowest level since that will
create a lot of entries. Spamhaus are listing at /64 range. That is
compliant with the IPv6 space that end users should get as a minimum
allocation. However, not all providers adhere to the minimum allocation.
For example one of my providers gives me a single IPv6 /128 address.
That means that anyone else in the /64 could get my IP blocked.

John



Re: Avoiding spam blacklists

Peter Ajamian
On 29/12/16 01:32, John Fawcett wrote:

>> The IP is relatively new to me, about two months, but it was not on
>> the list before as I use Spamhaus on my other mail servers and mail
>> from it was not being rejected until yesterday.
>>
>> I did go through the manual removal process and that worked, but I'm
>> worried about it happening again.
>
> One thing that is worth noting is that blocking of ipv6 addresses is
> going to be done generally not at the lowest level since that will
> create a lot of entries. Spamhaus are listing at /64 range. That is
> compliant with the ipv6 space that end users should get as a minimum
> allocation. However, not all providers adhere to the minimum allocation.
> For example one of my providers gives me a single ipv6 /128 address.
> That means that anyone else in the /64 could get my ip blocked.

This is likely what happened.  Linode assigns a single static IPv6 /128
by default, but you can request a /64 free of charge.  For an email
server I would recommend you do this or you will have problems.


Peter

Re: Avoiding spam blacklists

Istvan Prosinger
In reply to this post by Alice Wonder
On 2016-12-28 09:36, Alice Wonder wrote:

> On 12/28/2016 12:28 AM, John Fawcett wrote:
>> On 12/28/2016 08:32 AM, Alice Wonder wrote:
>>> Virtual machine for a web application, it is still in testing.
>>>
>>> reverse DNS is properly set up.
>>> Postfix only listens on the local host.
>>> Linux firewall drops anything not to port 80, 443, or a custom high
>>> number port I use for SSH.
>>>
>>> This postfix is not an open relay, or a relay for anything on the
>>> Internet, it only exists so the web application can send e-mail.
>>>
>>> SPF for the domain is correctly set up, DKIM for the host is
>>> correctly
>>> set up, when it sends an e-mail and I inspect it - it passes the
>>> rDNS,
>>> SPF, and DKIM checks.
>>>
>>> So far it has only sent e-mails to addresses I control as the web
>>> application is still in testing.
>>>
>>> Yet yesterday the IP address ended up on Spamhaus blacklist.
>>>
>>> I am 100% confident that no one else was sending e-mail from that IP
>>> address, I'm a bit puzzled as to how the IP address got added to the
>>> blacklist, but I was told that Spamhaus sometimes just adds an entire
>>> subnet if more than one IP on the subnet was sending spam, and that's
>>> probably what happened.
>>>
>>> I think that is irresponsible of Spamhaus if that is what they are
>>> doing, but is there something more I can do other than correct rDNS,
>>> SPF, and DKIM to avoid getting on a blacklist?
>>
>> if you know which of the spamhaus lists it was you can check out its
>> policy. Each list has its own specific criteria. Also if you were
>> recently assigned the ip the listing may predate your activity.
>>
>> John
>>
>
> The IP is relatively new to me, about two months, but it was not on
> the list before as I use Spamhaus on my other mail servers and mail
> from it was not being rejected until yesterday.
>
> I did go through the manual removal process and that worked, but I'm
> worried about it happening again.

So what did Spamhaus say? Why is your IP listed? Did you actually mass
mail?

Re: Avoiding spam blacklists

@lbutlr
In reply to this post by Peter Ajamian
On 29 Dec 2016, at 03:53, Peter <[hidden email]> wrote:
> Linode assigns a single static IPv6 /128

That seems like incorrect behavior. 2^64 is 1.8 10E19 addresses. There is absolutely no reason to mask to 128bits, it's absurd.

(1.8x10E19 is enough address space for every single person on the planet to have two and a half billion IPs to themselves).

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: Avoiding spam blacklists

Jan Ceuleers
On 09/01/17 16:58, @lbutlr wrote:
> (1.8x10E19 is enough address space for every single person on the planet to have two and a half billion IPs to themselves).
640K RAM ought to be enough for everybody.

Re: Avoiding spam blacklists

@lbutlr
On 09 Jan 2017, at 10:50, Jan Ceuleers <[hidden email]> wrote:
> On 09/01/17 16:58, @lbutlr wrote:
>> (1.8x10E19 is enough address space for every single person on the planet to have two and a half billion IPs to themselves).
> 640K RAM ought to be enough for everybody.

Not even similar. The address space for 128bit is in the general neighborhood of the number of atoms in the universe.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: Avoiding spam blacklists

@lbutlr

> On 09 Jan 2017, at 12:28, @lbutlr <[hidden email]> wrote:
>
> On 09 Jan 2017, at 10:50, Jan Ceuleers <[hidden email]> wrote:
>> On 09/01/17 16:58, @lbutlr wrote:
>>> (1.8x10E19 is enough address space for every single person on the planet to have two and a half billion IPs to themselves).
>> 640K RAM ought to be enough for everybody.
>
> Not even similar. The address space for 128bit is in the general neighborhood of the number of atoms in the universe.

Sorry, that's 256 bits. 128 bits is the number of stars in 100,000,000,000,000,000 universes.


--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: Avoiding spam blacklists

Jan Ceuleers
On 09/01/17 21:06, @lbutlr wrote:
> 640K RAM ought to be enough for everybody.
>> Not even similar. The address space for 128bit is in the general neighborhood of the number of atoms in the universe.
> Sorry, that's 256 bits. 128 bits is the number of stars in 100,000,000,000,000,000 universes.
All I'm saying is that "we" might merely not yet have thought of how end
users might be able to make use of a plethora of IP addresses.

And the uses that "we" do come up with might be wasteful (such as
determining certain fields of assigned IPv6 addresses by making them up
(i.e. using random bits)), such that the address space is being used
only (very) sparsely).

Anyway, probably off-topic.

Re: Avoiding spam blacklists

@lbutlr
On 2017-01-10 (09:16 MST), Jan Ceuleers <[hidden email]> wrote:
>
> On 09/01/17 21:06, @lbutlr wrote:
>> 640K RAM ought to be enough for everybody.
>>> Not even similar. The address space for 128bit is in the general neighborhood of the number of atoms in the universe.
>> Sorry, that's 256 bits. 128 bits is the number of stars in 100,000,000,000,000,000 universes.
> All I'm saying is that "we" might merely not yet have thought of how end
> users might be able to make use of a plethora of IP addresses.

That’s not relevant at all to Linode assigning a /128 IP to a machine.


--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: Avoiding spam blacklists

Larry Kuenning
Excuse my ignorance, but isn't this whole discussion of "/128" based on
the assumption that this notation means a block of 2^128 addresses?  And
isn't 2^128 the size of the entire IPv6 address space?  There would be
nothing left over after designating a block of that size.

Doesn't "/128" mean a block of 2^7 addresses, i.e. just 128?

On 1/11/2017 1:18 PM, @lbutlr wrote:

> On 2017-01-10 (09:16 MST), Jan Ceuleers <[hidden email]> wrote:
>>
>> On 09/01/17 21:06, @lbutlr wrote:
>>> 640K RAM ought to be enough for everybody.
>>>> Not even similar. The address space for 128bit is in the general neighborhood of the number of atoms in the universe.
>>> Sorry, that's 256 bits. 128 bits is the number of stars in 100,000,000,000,000,000 universes.
>> All I'm saying is that "we" might merely not yet have thought of how end
>> users might be able to make use of a plethora of IP addresses.
>
> That’s not relevant at all to Linode assigning a /128 IP to a machine.

--
Larry Kuenning
[hidden email]


Re: Avoiding spam blacklists

Petri Riihikallio

> Larry Kuenning <[hidden email]> kirjoitti 11.01.2017 kello 21:20:
>
> Excuse my ignorance, but isn't this whole discussion of "/128" based on the assumption that this notation means a block of 2^128 addresses?  And isn't 2^128 the size of the entire IPv6 address space?  There would be nothing left over after designating a block of that size.
>
> Doesn't "/128" mean a block of 2^7 addresses, i.e. just 128?

OT, but in short: /128 means the count of ones in the bitmask. For IPv6 /128 means a single address - like /32 means in IPv4.

The ones in the bitmask denote the bits belonging to the address provider upstream (e.g. ISP). /128 means all of the bits are out of your hands, you have only a single address. I have /64 which means I can subnet the last 64 bits as I see fit.

--
Cheers
Petri
GSM +358 400 505 939



Re: Avoiding spam blacklists

@lbutlr
In reply to this post by Larry Kuenning
On 2017-01-11 (12:20 MST), Larry Kuenning <[hidden email]> wrote:
>
> Excuse my ignorance, but isn't this whole discussion of "/128" based on the assumption that this notation means a block of 2^128 addresses?

No, a /128 is a single IP out of the 2^128 block space. Just like a single IPv4 is a /32, while a “class A” is /8.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
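
Added example, not part of any poster's message: a Python sketch of the two points the thread converges on, the per-/64 listing granularity John Fawcett describes and the prefix-length arithmetic Petri Riihikallio explains. It reports whether a delegated IPv6 prefix has its listing block to itself and builds the DNSBL query name for an address. The addresses are constructed from the 2001:db8::/32 documentation range, `dnsbl.example` is a placeholder zone, and the RFC 5782 query-name format is general DNSBL practice rather than something stated in the thread.

```python
import ipaddress

LISTING_PREFIX = 64  # granularity at which the thread says Spamhaus lists IPv6


def prefix_size(prefixlen, bits=128):
    """Addresses in a prefix: the mask has `prefixlen` ones, the rest is yours."""
    return 1 << (bits - prefixlen)


def listing_block(addr):
    """The /64 that a per-/64 blocklist entry covering `addr` would span."""
    return ipaddress.ip_network(f"{addr}/{LISTING_PREFIX}", strict=False)


def assess(assignment, neighbours=()):
    """Report whether hosts outside `assignment` can share its listing block.

    `assignment` is the address with the prefix length the provider delegated,
    e.g. "2001:db8:1:2::25/128". `neighbours` are other addresses to test.
    """
    iface = ipaddress.ip_interface(assignment)
    if iface.version != 6:
        raise ValueError("per-/64 listing applies to IPv6 assignments only")
    block = listing_block(iface.ip)
    sharing = []
    for n in neighbours:
        ip = ipaddress.ip_address(n)
        # Inside the same /64 but outside what was delegated to us.
        if ip in block and ip not in iface.network:
            sharing.append(str(ip))
    return {
        "listing_block": str(block),
        "own_addresses": prefix_size(iface.network.prefixlen),
        # A /64 or shorter prefix means nobody else sends from this block.
        "exclusive": iface.network.prefixlen <= LISTING_PREFIX,
        "sharing_neighbours": sharing,
    }


def dnsbl_qname(addr, zone):
    """DNSBL query name (RFC 5782): reversed nibbles or octets, then the zone."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        labels = reversed(ip.exploded.replace(":", ""))
    else:
        labels = reversed(str(ip).split("."))
    return ".".join(labels) + "." + zone


if __name__ == "__main__":
    # Constructed sample data from the 2001:db8::/32 documentation range.
    others = ["2001:db8:1:2::beef", "2001:db8:1:3::1"]
    for assignment in ("2001:db8:1:2::25/128", "2001:db8:1:2::25/64"):
        print(assignment, assess(assignment, others))
    # "dnsbl.example" is a placeholder zone, not a real blocklist.
    print(dnsbl_qname("2001:db8:1:2::25", "dnsbl.example"))
```

With the /128 assignment the report shows one usable address and a neighbour inside the same /64; with the /64 assignment the block is exclusive and no neighbour can share it.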