
Hi guys,

I've been receiving complaints lately from my users about messages not getting to them and, on investigating, I have found that a number of local ISPs have blacklisted mail servers. Is it just me, or is it common among admins on the list? I have configured my mail server to reject messages relayed by mail servers blacklisted by SpamCop, Spamhaus and Barracuda, and to respond with a message explaining that action. Now this has got me wondering whether I have made my security settings too tight or what...

Is that too drastic a security measure that I have taken?

Me.

On Thu, Apr 29, 2010 at 12:38 PM, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
Hi guys,
I've been receiving complaints lately from my users about messages not getting to them and on investigating, I have found that a number of local ISPs have blacklisted mail servers. Is it just me or is it common among admins on the list? I have configured my mail server to reject messages relayed by mailservers blacklisted by spamcop, spamhaus and barracuda and respond with a message explaining that action. Now this has got me wondering whether I have made my security settings too tight or what...
Is that too drastic a security measure that I have taken?
I used to do the same when I was a sysadmin, with one exception: I'd find out ALL the subnets used by ISPs in KE and exempt those from the filtering. I'd still monitor and look at my stats for culprits and contact them to address the issues, and yes, I was very much willing to cooperate with them towards addressing the issues.

I have a friend who is using Onecom's mail servers for outbound, and quite often the servers are blacklisted. One mail I shot to Onecom's support about three weeks ago still remains unanswered to date! Demographics have changed, I believe.

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube
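The rejection rule Simon describes and the local-range exemption Odhiambo adds, as an added example that is not code from the thread or from MDaemon: a connection-time DNSBL policy. It builds the reversed-octet query name for each of the three zones named above, treats only an answer in 127.0.0.0/24 as a listing (Spamhaus documents 127.255.255.x answers as query errors, such as a query sent through an open resolver, and those must never cause a rejection), skips the lookup entirely for exempted ranges, and returns the SMTP reply that explains the rejection. The zone names are real; the exempt ranges (RFC 5737 documentation prefixes), the stub resolver and its answers are constructed for the example, and the IPv6 nibble-reversal branch goes beyond what the thread discusses.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple

# The three DNSBL zones named in the thread (SpamCop, Spamhaus, Barracuda).
DNSBL_ZONES = ("bl.spamcop.net", "zen.spamhaus.org", "b.barracudacentral.org")

# Ranges exempted from DNSBL rejection (the "local ISP subnets" idea).
# RFC 5737 documentation prefixes, constructed for this example only.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# A DNSBL lists an address by answering with something in 127.0.0.0/24.
# Spamhaus documents 127.255.255.0/24 answers as query errors (open resolver,
# excessive volume, mistyped zone); those are not listings.
LISTED_NET = ipaddress.ip_network("127.0.0.0/24")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

# resolve(name) -> A-record addresses for name, [] when it does not exist.
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: reversed octets for IPv4, reversed hex nibbles
    for IPv6, followed by the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """True only for a genuine listing answer; error codes and NXDOMAIN are not."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        a = ipaddress.ip_address(answer)
        if a in ERROR_NET:
            continue
        if a in LISTED_NET:
            return True
    return False


def connection_policy(client_ip: str, resolve: Resolver,
                      zones: Iterable[str] = DNSBL_ZONES,
                      exempt=LOCAL_NETS) -> Tuple[str, str]:
    """Decide at connect time whether to accept a client: exempt local ranges
    first, then reject on any listing with a reply that says which list."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in exempt):
        return "accept", "local ISP range, DNSBL check skipped"
    hits = [z for z in zones if is_listed(client_ip, z, resolve)]
    if hits:
        return "reject", (f"554 5.7.1 Service unavailable; client {client_ip} "
                          f"is listed in {', '.join(hits)}")
    return "accept", "not listed"


def system_resolver(name: str) -> List[str]:
    """Real lookup through the host resolver, for use outside the offline demo."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def stub_resolver(name: str) -> List[str]:
    """Constructed answers so the example runs offline. 127.0.0.2 is the
    address DNSBLs conventionally keep listed for testing."""
    table = {
        "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
        "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
        "2.0.0.127.b.barracudacentral.org": ["127.0.0.2"],
        # A refused query (sent via an open resolver), which is not a listing.
        "5.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
    }
    return table.get(name, [])


if __name__ == "__main__":
    for ip in ("127.0.0.2", "198.51.100.7", "192.0.2.5"):
        print(ip, connection_policy(ip, stub_resolver))
```

Swap stub_resolver for system_resolver to query the real lists; looking up 127.0.0.2 first confirms the lookups work before the policy sits in front of real traffic. The exemption list deserves its own check: an exempted local relay that is listed still delivers whatever got it listed, so log those connections and, as Odhiambo suggests, chase the ISP rather than silently whitelisting.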

It's quite puzzling that major ISPs would have blacklisted mail servers and let their clients use them anyway. I told some IT dude at one organisation with which we do much business that their emails are not being received by my users because they were using AK's mail servers to relay their mail to their MX server [as per their DNS MX records], which is in the US. This morning I noticed yet another server for AK which is blacklisted in more than ten lists. I also found another one for Orange Kenya, also blacklisted in more than ten lists, and that got me wondering if my security settings on my mail server are too tight.

Finding local ISPs' subnets is too much work - or rather I feel too lazy to do that. I have allowed messages from blacklisted servers to come in, but tightened AV scan settings. Anti-spam settings are tight already. I use MDaemon by the way, but I've integrated it with ClamWin, so I have two antivirus engines scanning my mail.

On 29 April 2010 16:28, Odhiambo Washington <odhiambo@gmail.com> wrote:
On Thu, Apr 29, 2010 at 12:38 PM, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
Hi guys,
I've been receiving complaints lately from my users about messages not getting to them and on investigating, I have found that a number of local ISPs have blacklisted mail servers. Is it just me or is it common among admins on the list? I have configured my mail server to reject messages relayed by mailservers blacklisted by spamcop, spamhaus and barracuda and respond with a message explaining that action. Now this has got me wondering whether I have made my security settings too tight or what...
Is that too drastic a security measure that I have taken?
I used to do the same when I was a sysadmin, with one exception: I'd find out ALL the subnets used by ISPs in KE and exempt those from the filtering. I'd still monitor and look at my stats for culprits and contact them to address the issues, and yes, I was very much willing to cooperate with them towards addressing the issues.
I have a friend who is using Onecom's mail servers for outbound, and quite often the servers are blacklisted. One mail I shot to onecom's support about three weeks ago still remains unanswered to date! Demographics have changed, I believe.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube
_______________________________________________
Skunkworks mailing list
Skunkworks@lists.my.co.ke
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------
Skunkworks Server donations spreadsheet
http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1f...
------------
Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke

On Thu, Apr 29, 2010 at 5:37 PM, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
It's quite puzzling that major ISPs would have blacklisted mail servers and let their clients use them anyway. I told some IT dude at one organisation with which we do much business that their emails are not being received by my users because they were using AK's mail servers to relay their mail to their MX server [as per their DNS MX records], which is in the US. This morning I noticed yet another server for AK which is blacklisted in more than ten lists. I also found another one for Orange Kenya, also blacklisted in more than ten lists, and that got me wondering if my security settings on my mail server are too tight.
AK have Barracuda, no? How can their servers be blacklisted?
Finding local ISPs' subnets is too much work - or rather I feel too lazy to do that.
Someone from KIXP can avail those to you, I believe, since they all peer there.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube

Have you forwarded this to the tech teams of the providers? On a separate note, it would be prudent to send all these blacklisted IPs and a list of the RBLs that have blacklisted them, in the spirit of Skunkworks.

On Thu, Apr 29, 2010 at 6:00 PM, Odhiambo Washington <odhiambo@gmail.com> wrote:
On Thu, Apr 29, 2010 at 5:37 PM, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
It's quite puzzling that major ISPs would have blacklisted mail servers and let their clients use them anyway. I told some IT dude at one organisation with which we do much business that their emails are not being received by my users because they were using AK's mail servers to relay their mail to their MX server [as per their DNS MX records], which is in the US. This morning I noticed yet another server for AK which is blacklisted in more than ten lists. I also found another one for Orange Kenya, also blacklisted in more than ten lists, and that got me wondering if my security settings on my mail server are too tight.
AK have Barracuda, no? How can their servers be blacklisted?
Finding local ISPs' subnets is too much work - or rather I feel too lazy to do that.
Someone from KIXP can avail those to you, I believe, since they all peer there.
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube
-- Sam Oduor

For an ISP who offers email relay services, it's a tricky business avoiding blacklisting. This is because you have all types of users behind your network using your servers, and a good number of them could have their machines infected with trojans that send out spam. Options are available, such as using port 587 for mail submission instead of 25, but the support involved with that would be a nightmare, or having relay servers as anti-spam gateways, but this also comes at the risk of false positives.

I also have a problem with companies with internal servers using smart relay to the ISP's relay server. Someone needs to educate me why this is a necessary step if all other necessary measures like rDNS and security have been taken care of.

NB: You can always check if your ISP is blacklisted, and in which blacklist, here http://www.mxtoolbox.com/blacklists.aspx to avoid myths. Some blacklists like SORBS and Spamhaus are more popular and would worry any sysadmin more than others.

-----Original Message-----
From: Odhiambo Washington <odhiambo@gmail.com>
Reply-to: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
To: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
Subject: Re: [Skunkworks] Blacklisted mail servers
Date: Thu, 29 Apr 2010 16:28:18 +0300

On Thu, Apr 29, 2010 at 12:38 PM, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
Hi guys,
I've been receiving complaints lately from my users about messages not getting to them and, on investigating, I have found that a number of local ISPs have blacklisted mail servers. Is it just me, or is it common among admins on the list? I have configured my mail server to reject messages relayed by mail servers blacklisted by SpamCop, Spamhaus and Barracuda, and to respond with a message explaining that action. Now this has got me wondering whether I have made my security settings too tight or what...
Is that too drastic a security measure that I have taken?

I used to do the same when I was a sysadmin, with one exception: I'd find out ALL the subnets used by ISPs in KE and exempt those from the filtering. I'd still monitor and look at my stats for culprits and contact them to address the issues, and yes, I was very much willing to cooperate with them towards addressing the issues.

I have a friend who is using Onecom's mail servers for outbound, and quite often the servers are blacklisted. One mail I shot to Onecom's support about three weeks ago still remains unanswered to date! Demographics have changed, I believe.

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube

2010/4/30 Alex Kamiru <nderitualex@gmail.com>
For an ISP who offers email relay services, it's a tricky business avoiding blacklisting. This is because you have all types of users behind your network using your servers, and a good number of them could have their machines infected with trojans that send out spam. Options are available, such as using port 587 for mail submission instead of 25, but the support involved with that would be a nightmare, or having relay servers as anti-spam gateways, but this also comes at the risk of false positives.
The ISP should help them set up their mail servers to ensure they adhere to certain standards in their server configurations. That is "service". As a matter of fact, they can also enforce the use of port 587 for mail submission, which will lock out most (if not all) spam emanating from compromised hosts on their LAN.
I also have a problem with companies with internal servers using smart relay to ISP relay server. Someone needs to educate me why this is necessary step if all other necessary measures like rDNS and security have been taken care of.
In this age where bandwidth is available, there is no need for them to use smart hosts.

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube

The ISP should help them set up their mail servers to ensure they adhere to certain standards in their server configurations. That is "service". As a matter of fact, they can also enforce the use of port 587 for mail submission, which will lock out most (if not all) spam emanating from compromised hosts on their LAN.

How would a company like Safaricom, Orange or Zain enforce this for all their broadband, 3G or EDGE clients who have no mail servers, since they are 'home users' and only use Outlook to send emails, and they have no technical knowledge so to speak?

-----Original Message-----
From: Odhiambo Washington <odhiambo@gmail.com>
Reply-to: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
To: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
Subject: Re: [Skunkworks] Blacklisted mail servers
Date: Fri, 30 Apr 2010 09:07:07 +0300

The ISP should help them set up their mail servers to ensure they adhere to certain standards in their server configurations. That is "service". As a matter of fact, they can also enforce the use of port 587 for mail submission, which will lock out most (if not all) spam emanating from compromised hosts on their LAN.

2010/4/30 Alex Kamiru <nderitualex@gmail.com>
*The ISP should help them set up their mail servers to ensure they adhere to certain standards in their server configurations. That is "service". As a matter of fact, they can also enforce the use of port 587 for mail submission, which will lock out most (if not all) spam emanating from compromised hosts on their LAN.*
How would a company like Safaricom, Orange or Zain enforce this for all their broadband, 3G or EDGE clients who have no mail servers, since they are 'home users' and only use Outlook to send emails, and they have no technical knowledge so to speak?

Dynamic hosts should never be allowed to "behave" as mail servers. I hope you understand what I mean. It's so simple. Any host without proper rDNS (HELO name must match rDNS) should not be allowed to submit mail as a server (I mean in bulk).

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube

Dynamic hosts should never be allowed to "behave" as mail servers.

These hosts are not servers; they are just users with Outlook configured with their providers' relay servers as outgoing mail servers, such as mail.gprs.safaricom.com for Safaricom 3G users, which is the case now, I believe.

-----Original Message-----
From: Odhiambo Washington <odhiambo@gmail.com>
Reply-to: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
To: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
Subject: Re: [Skunkworks] Blacklisted mail servers
Date: Fri, 30 Apr 2010 09:21:59 +0300

2010/4/30 Alex Kamiru <nderitualex@gmail.com>
The ISP should help them set up their mail servers to ensure they adhere to certain standards in their server configurations. That is "service". As a matter of fact, they can also enforce the use of port 587 for mail submission, which will lock out most (if not all) spam emanating from compromised hosts on their LAN.
How would a company like Safaricom, Orange or Zain enforce this for all their broadband, 3G or EDGE clients who have no mail servers, since they are 'home users' and only use Outlook to send emails, and they have no technical knowledge so to speak?

Dynamic hosts should never be allowed to "behave" as mail servers. I hope you understand what I mean. It's so simple. Any host without proper rDNS (HELO name must match rDNS) should not be allowed to submit mail as a server (I mean in bulk).

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube

2010/4/30 Alex Kamiru <nderitualex@gmail.com>
*Dynamic hosts should never be allowed to "behave" as mail servers.* These hosts are not servers, they are just users with outlook configured with outgoing mail servers as the relay servers of their providers such as mail.gprs.safaricom.com for Safaricom 3G users, which is the case now I believe.
So mail.gprs.safaricom.com is just like another server on some "LAN" and should also enforce submission via 587. Should take care of worms that bypass Outlook configuration, I believe. In fact they should use some other non-standard ports :)

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube
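The two rules Odhiambo states above (proper rDNS with a matching HELO name for anything acting as a server on port 25; authenticated submission on 587 for everything else, including the Outlook users Alex describes), as an added example that is not code from the thread or from any ISP's setup. It implements forward-confirmed rDNS (the PTR name's A record must point back at the client), compares the HELO name against the confirmed rDNS name, flags PTR names that look like dynamic pools, and keeps the 587 path separate so that home users are identified by login rather than by rDNS. One caveat a practitioner would want: RFC 5321 section 4.1.4 says a server MUST NOT refuse mail solely because the HELO name fails to verify, so the example rejects on a bare HELO mismatch only when strict_helo is set and otherwise leaves it to the content filter's scoring. The DNS tables, the DYNAMIC_HINTS word list, and the example addresses and domains are constructed assumptions.

```python
import re
from typing import Callable, List, Tuple

# ptr(ip) -> PTR names for the address; a(name) -> A-record addresses for the name.
PtrResolver = Callable[[str], List[str]]
AResolver = Callable[[str], List[str]]

# Words that commonly appear in PTR names of consumer/dynamic pools.
# A heuristic assumed for this example, not an authoritative list.
DYNAMIC_HINTS = re.compile(r"(dynamic|dyn|dsl|ppp|pool|dhcp|cable|gprs|3g)", re.IGNORECASE)


def fcrdns_names(ip: str, ptr: PtrResolver, a: AResolver) -> List[str]:
    """Forward-confirmed rDNS: keep only PTR names whose A record points back at ip."""
    return [name.rstrip(".") for name in ptr(ip) if ip in a(name)]


def mta_checks(ip: str, helo: str, ptr: PtrResolver, a: AResolver) -> List[str]:
    """Checks for an unauthenticated port-25 client that presents itself as a
    mail server. Returns the names of the checks that failed."""
    failed = []
    names = fcrdns_names(ip, ptr, a)
    if not names:
        failed.append("no_fcrdns")
        return failed  # the remaining checks need a confirmed name
    if helo.lower().rstrip(".") not in {n.lower() for n in names}:
        failed.append("helo_mismatch")
    if any(DYNAMIC_HINTS.search(n) for n in names):
        failed.append("dynamic_ptr")
    return failed


def policy(port: int, ip: str, helo: str, authenticated: bool,
           ptr: PtrResolver, a: AResolver, strict_helo: bool = False) -> Tuple[str, str]:
    """587: identity comes from authentication, rDNS checks do not apply.
    25: MTA-to-MTA, apply mta_checks. HELO mismatch alone rejects only when
    strict_helo is set (RFC 5321 section 4.1.4)."""
    if port == 587:
        if authenticated:
            return "accept", "authenticated submission"
        return "reject", "530 5.7.0 Authentication required"
    if port != 25:
        return "reject", f"unexpected port {port}"
    failed = mta_checks(ip, helo, ptr, a)
    if "no_fcrdns" in failed:
        return "reject", f"550 5.7.1 Client {ip} has no forward-confirmed rDNS"
    if "dynamic_ptr" in failed:
        return "reject", (f"550 5.7.1 Client {ip} is in dynamic address space; "
                          "use your ISP's submission server on port 587")
    if "helo_mismatch" in failed and strict_helo:
        return "reject", f"550 5.7.1 HELO {helo} does not match rDNS of {ip}"
    if failed:
        return "accept", "ok, HELO mismatch noted for scoring"
    return "accept", "ok"


# Constructed DNS data (RFC 5737 addresses, example domains) so this runs offline.
PTR_TABLE = {
    "203.0.113.10": ["mx1.example.net."],
    "198.51.100.77": ["77-100-51-198.dynamic.example-isp.net."],
    "203.0.113.20": ["mail.example.org."],   # PTR exists but A does not point back
}
A_TABLE = {
    "mx1.example.net.": ["203.0.113.10"],
    "77-100-51-198.dynamic.example-isp.net.": ["198.51.100.77"],
    "mail.example.org.": ["203.0.113.99"],
}


def stub_ptr(ip: str) -> List[str]:
    return PTR_TABLE.get(ip, [])


def stub_a(name: str) -> List[str]:
    return A_TABLE.get(name, [])


if __name__ == "__main__":
    print(policy(25, "203.0.113.10", "mx1.example.net", False, stub_ptr, stub_a))
    print(policy(25, "198.51.100.77", "PC-OF-BOB", False, stub_ptr, stub_a))
    print(policy(587, "198.51.100.77", "PC-OF-BOB", True, stub_ptr, stub_a))
```

The order of the checks matters: missing forward-confirmed rDNS and a dynamic-pool PTR are each a strong enough signal on their own to refuse a port-25 client, while the HELO comparison is the weakest and is the one most likely to hit legitimate but sloppily configured servers, which is why it is the only check gated behind a flag.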

I agree fully; it's only the enforcement part and support that would be a nightmare.

-----Original Message-----
From: Odhiambo Washington <odhiambo@gmail.com>
Reply-to: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
To: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
Subject: Re: [Skunkworks] Blacklisted mail servers
Date: Fri, 30 Apr 2010 09:44:10 +0300

2010/4/30 Alex Kamiru <nderitualex@gmail.com>
Dynamic hosts should never be allowed to "behave" as mail servers.
These hosts are not servers; they are just users with Outlook configured with their providers' relay servers as outgoing mail servers, such as mail.gprs.safaricom.com for Safaricom 3G users, which is the case now, I believe.

So mail.gprs.safaricom.com is just like another server on some "LAN" and should also enforce submission via 587. Should take care of worms that bypass Outlook configuration, I believe. In fact they should use some other non-standard ports :)

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube

@Sam I haven't done it yet. Actually, I would do it - I informed one of our business partners' IT guy about it for him to follow up with his ISP, coz it's easier that way - saves me the time needed to find a contact person at their ISP. I also believe [or is it assume?] that we have at least one techie from almost every ISP on the list, so they would be aware.

So let me list the IP addresses of local ISPs that I've come across in my log files as blacklisted below:

http://www.robtex.com/ip/41.220.126.234.html <- AK
http://www.robtex.com/ip/41.215.65.34.html <- AK
http://www.robtex.com/ip/212.49.88.34.html <- Orange
http://www.robtex.com/ip/196.201.218.215.html <- Safcom
http://www.robtex.com/ip/212.49.92.74.html <- Jambonet/TKL/Orange

These are just a few.

I'm not so sure about Postfix/Exim etc., but I can and have configured my mail server (MDaemon) to forward messages to the MX server of the recipient, rather than use relay servers. What I'm asking here is, why would someone use a relay server? Why not just forward the message straight to the recipient's mail server as per the recipient's domain's MX record on DNS?

Something else: apparently all blacklisted relay servers handling clean mail are local. If it's hard for relay servers not to get blacklisted, why am I only seeing local servers blacklisted?

Me.

On 30 April 2010 09:21, Odhiambo Washington <odhiambo@gmail.com> wrote:
2010/4/30 Alex Kamiru <nderitualex@gmail.com>
*The ISP should help them set up their mail servers to ensure they adhere to certain standards in their server configurations. That is "service". As a matter of fact, they can also enforce the use of port 587 for mail submission, which will lock out most (if not all) spam emanating from compromised hosts on their LAN.*
How would a company like Safaricom, Orange or Zain enforce this for all their broadband, 3G or EDGE clients who have no mail servers, since they are 'home users' and only use Outlook to send emails, and they have no technical knowledge so to speak?
Dynamic hosts should never be allowed to "behave" as mail servers. I hope you understand what I mean. It's so simple. Any host without proper rDNS (HELO name must match rDNS) should not be allowed to submit mail as a server (I mean in bulk).
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ "If you have nothing good to say about someone, just shut up!." -- Lucky Dube
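Simon's question above about delivering straight to the recipient's MX rather than through an ISP relay, as an added example that is not code from the thread or from MDaemon: the routing decision an MTA makes for each recipient domain. delivery_targets does what direct delivery requires per RFC 5321 section 5.1 (order the MX hosts by preference, fall back to the domain's own A record when there is no MX, bounce on a missing domain or on a null MX per RFC 7505); route shows that a configured smarthost bypasses all of it, which is exactly why the relay's IP reputation, not the sender's, ends up deciding whether the mail is accepted. The DNS tables and domain names are constructed; a real deployment would feed mx from a DNS library such as dnspython's dns.resolver.resolve(domain, "MX").

```python
from typing import Callable, List, Optional, Tuple

# mx(domain) -> list of (preference, host), [] when there is no MX record,
# None when the domain does not exist; a(name) -> A-record addresses.
MxResolver = Callable[[str], Optional[List[Tuple[int, str]]]]
AResolver = Callable[[str], List[str]]


def delivery_targets(domain: str, mx: MxResolver, a: AResolver) -> Tuple[str, object]:
    """Hosts a direct-delivering MTA tries for domain, in order.
    Returns ("deliver", [hosts]) or ("bounce", "<enhanced status> reason")."""
    records = mx(domain)
    if records is None:
        return "bounce", "5.1.2 domain does not exist"
    if not records:
        # Implicit MX: no MX record, so the domain's own A record is the target.
        if a(domain):
            return "deliver", [domain]
        return "bounce", "5.1.2 no MX or A record for domain"
    if len(records) == 1 and records[0][1].rstrip(".") == "":
        # Null MX (RFC 7505): the domain declares that it accepts no mail.
        return "bounce", "5.1.10 domain does not accept mail (null MX)"
    ordered = sorted(records, key=lambda rec: rec[0])  # lowest preference first
    return "deliver", [host.rstrip(".") for _, host in ordered]


def route(domain: str, smarthost: Optional[str],
          mx: MxResolver, a: AResolver) -> Tuple[str, object]:
    """A smarthost replaces the MX lookup entirely: every message goes to the
    relay, whatever the recipient's DNS says. None means direct delivery."""
    if smarthost:
        return "deliver", [smarthost]
    return delivery_targets(domain, mx, a)


# Constructed DNS data so the example runs offline.
MX_TABLE = {
    "example.com": [(20, "mx2.example.com."), (10, "mx1.example.com.")],
    "nomail.example": [(0, ".")],
    "only-a.example": [],
}
A_TABLE = {"only-a.example": ["203.0.113.5"]}


def stub_mx(domain: str) -> Optional[List[Tuple[int, str]]]:
    return MX_TABLE.get(domain)


def stub_a(name: str) -> List[str]:
    return A_TABLE.get(name, [])


if __name__ == "__main__":
    for d in ("example.com", "only-a.example", "nomail.example", "missing.example"):
        print(d, delivery_targets(d, stub_mx, stub_a))
    print("via smarthost:", route("example.com", "smtp.isp.example", stub_mx, stub_a))
```

The practical consequence for the thread: a server that delivers directly is itself the connecting client at every recipient, so it must pass the recipient's rDNS, HELO and DNSBL checks on its own address, whereas a server behind a smarthost inherits the relay's standing, good or bad.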
participants (4)
- Alex Kamiru
- Odhiambo Washington
- Sam Oduor
- Simon Mbuthia