Sites that block dynamic/dialups

Discussion in 'Linux Networking' started by Jem Berkes, Nov 17, 2003.

  1. Jem Berkes

    Jem Berkes Guest

    People who run small sites such as my own may notice that some commercial
    sites are now blocking SMTP connections from dynamic IP addresses. It is
    for this reason that I am publishing a list of domains that require mail
    delivery through ISPs. These sites have decided that they will only
    accept mail from commercial IP addresses and not from 'consumer-class'
    addresses. That's their decision to make, though I think it's a misguided
    one that will further divide the Internet among commercial lines.

    The following domains do not accept mail transactions from dynamic IPs:
    http://www.pc9.org/antidyn

    You can use this list with postfix to generate an /etc/postfix/transport
    file. This will allow you to continue direct mail delivery to all
    domains, except for the ones indicated. For those domains mail can be
    relayed through your ISP's server - smtp.example.com

    In main.cf:
    -----------
    transport_maps = hash:/etc/postfix/transport

    Load list:
    ----------
    cat antidyn | sed 's/$/\t\tsmtp:[smtp.example.com]/' > transport
    postmap /etc/postfix/transport

    Enable:
    -------
    postfix reload


    Feel free to send me more domains if you know that they refuse mail from
    dynamic IPs. I'm sure I'll get lots of replies telling me "I should use
    my ISP's mail server for all mail". This is more convenient (faster, more
    reliable, efficient) so I will deliver mail myself thank you.

    Others will point out that dynamic IPs are blocked because of spam/worms.
    While it's true that much spam comes from dynamic IPs, there are even
    better ways to block such abuse. If your goal is to block dynamic IPs,
    then you use a dynamic blocklist. If your goal is to block spam/viruses,
    use a DNSBL designed for that. They're in no short supply:

    + blackholes.easynet.nl
    + psbl.surriel.com
    + cbl.abuseat.org
    + relays.ordb.org
    + list.dsbl.org
    + sbl.spamhaus.org
     
    Jem Berkes, Nov 17, 2003
    #1
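
The "Load list" step from post #1, written defensively. This is an added example, not code from the original post: it assumes the antidyn list holds one domain per line (the page does not show the file's format), the names `make_transport`, `sample_list` and `demo` are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: build Postfix transport(5) entries from a domain list.
# Assumption: one domain per line; '#' comments, blank lines, CRLF line
# endings, mixed case and duplicates may occur in the downloaded file.

# Usage: make_transport RELAYHOST < domain-list > transport-entries
make_transport() {
    relay=$1
    # Refuse a relay name that could smuggle extra table syntax.
    case $relay in
        ''|*[!A-Za-z0-9.-]*) echo "bad relay host: $relay" >&2; return 1 ;;
    esac
    tr -d '\r' | tr '[:upper:]' '[:lower:]' |
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    # Keep only syntactically valid, dotted domain names.
    grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' |
    sort -u |
    while IFS= read -r domain; do
        # The [host] form tells Postfix to skip the MX lookup for the relay.
        printf '%s\tsmtp:[%s]\n' "$domain" "$relay"
    done
}

# Constructed sample input (not the real antidyn list).
sample_list() {
    printf '%s\r\n' '# domains refusing dynamic IPs' 'AOL.com' '' \
        'example.net   # trailing comment' 'aol.com' 'bad domain!' 'localhost'
}

# Entries generated for the constructed sample.
demo() {
    sample_list | make_transport smtp.example.com
}

demo
```

Redirect the function's output to /etc/postfix/transport, then run `postmap` and `postfix reload` as in the post.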

  2. Jem Berkes

    Alan Connor Guest

    Good of you to do this, Jem.

    But why do you have a problem with it? Won't this cut down on the
    spam?
     
    Alan Connor, Nov 17, 2003
    #2

  3. Jem Berkes

    Simon Dean Guest

    How does it know if it's dynamic or not? What about small sites on static
    IPs? Just that...
    aol.com?

    Just that... I've not noticed a problem sending mail to aol.com before.
    And I last sent something a couple days ago.

    Cya
    Simon
     
    Simon Dean, Nov 17, 2003
    #3
  4. Not by much and it will cause much inconvenience to those who prefer to run
    their own dial-ups.

    Or put it another way, one idiot spammer using my ISP's smart mailer causes
    that mailer to get blocked for a short time by various trigger-happy RBL
    sites and poorly configured sites that rely on them which causes large
    numbers of people to be inconvenienced by one spammer. I run my own smtp
    client and I take great pains to keep it free of mail relay problems and so
    I can bypass these outages by just sending mail direct. I also know that
    it's arrived whereas the ISP smarthost isn't always prompt.

    Dave
     
    Dave {Reply Address in.sig}, Nov 17, 2003
    #4
  5. Jem Berkes

    Alan Connor Guest

    What's a "smart mailer/host" ?

    What's an "RBL site" ?
     
    Alan Connor, Nov 18, 2003
    #5
  6. Some misguided individual or group actually has a block list that includes
    any IPs that they think reverse resolve to dsl or cable as "dialup
    equivalent", without any verification from the ISP. This could
    inadvertently block small businesses on dsl even if they have static IPs,
    but nothing to squelch the flood of spam from nameless IPs.

    The fact that my ISP (Ameritech end of SBC Yahoo) blocks "direct" mail
    from their own dynamic users, prompted me to learn how to have sendmail
    or postfix work as SMTP AUTH clients. But I use mailertable or transport
    to only relay if the destination requires it.
     
    David Efflandt, Nov 18, 2003
    #6
  7. [rant deleted]
    Please grow up. Spam/worms usually originate from individual users,
    either directly or through infected machines. If a mail server is
    blocked, it is normally the ISPs server, not the dynamic ip user! If you
    ever should be responsible for an ISPs mailserver, you would know :)
     
    Trygve Selmer, Nov 18, 2003
    #7
  8. Jem Berkes

    Jem Berkes Guest

    Please grow up. Spam/worms usually originate from individual users,
    Have you seen the new spam/worms? There is one that even pops up a dialog
    box and asks the user to enter their ISP's mail server address. And people
    do it. Now the virus is coming through mail.isp.com.

    Do you also realize how much spam comes from commercial connections? Take a
    look at SPEWS.ORG and SPAMHAUS.ORG. These sites list huge commercial
    netblocks that are known sources of spam.

    Dynamic IP != spammer

    You're going to find out very soon that the new strain of viruses are
    coming through the ISP's 'legit' mail server. I keep getting swen worms
    that are coming through ISPs' SMTP servers.
     
    Jem Berkes, Nov 18, 2003
    #8
  9. Jem Berkes

    Jem Berkes Guest

    The fact that my ISP (Ameritech end of SBC Yahoo) blocks "direct" mail
    What's the domain involved? I can add it to my list.
     
    Jem Berkes, Nov 18, 2003
    #9
  10. Ameritech.net MX blocks direct mail from ameritech.net dynamic IPs (to
    stop worms from spreading from within I guess), but they do not
    necessarily block non-ameritech dynamic IPs (as evidenced by volume of my
    Bulk mail folder). Not sure if that is just an ameritech thing or if it
    is SBC wide.
     
    David Efflandt, Nov 18, 2003
    #10
  11. Jem Berkes

    Jem Berkes Guest

    Ameritech.net MX blocks direct mail from ameritech.net dynamic IPs (to
    That's really interesting. I actually observed the same thing with my ISP.
    They blocked customers from sending to their MX host, but only their
    customers. I had no idea until now why they did this.

    Thinking back a few months I figured out why they have done this. It was
    either swen or one before that had a novel technique to find out what the
    ISP's customer outgoing mail server was. It did a reverse lookup on the
    infected host's IP address, then stripped the hostname of all but the
    domain name. It then did an MX lookup on this domain. It is very likely
    that the resulting MX host is also a mail server that accepts customer
    mail. The worm would try to send through this, bypassing other ISPs'
    dynamic-blocking measures.

    Note that the next worm will probably try something else, like simply a
    hardcoded list: smtp.isp, mail.isp, pop.isp, etc. :(
     
    Jem Berkes, Nov 18, 2003
    #11
  12. Jem Berkes

    Alan Connor Guest

    I'm thinking I don't need postfix or sendmail to do that. Just another
    netcat script and the RFC you referred me to. Don't need anything but
    netcat and the shell for any of the other protocols.

    AC
     
    Alan Connor, Nov 18, 2003
    #12
  13. Many mail programs can only deliver to a single place. A smart mailer is
    terminology to describe a mail program (which may or may not have a user
    interface, usually not) that can send mail anywhere. Sendmail is a smart
    mailer, programs like Evolution and KNode are not.
    Realtime Blackhole List. One of those places where you can do a lookup of a
    site and it'll tell you if it thinks the site is a spammer. Most are of
    dubious value because many sysadmins seem to be clueless about how to use
    them properly.

    Dave
     
    Dave {Reply Address in.sig}, Nov 18, 2003
    #13
  14. Jem Berkes

    Alan Connor Guest

    Thank you, Dave. That helps.

    AC
     
    Alan Connor, Nov 18, 2003
    #14
  15. The latest spammer trick seems to be sending email directly from hacked
    machines to remote mail servers. Blocking dynamic IP address may have
    significant impact on this type of spam. Currently these guys aren't running
    a mail server on the compromised machines, so trying to connect back to
    port 25 is a better way to check this for now.
     
    Bruno Wolff III, Nov 18, 2003
    #15
  16. Jem Berkes

    Jem Berkes Guest

    The latest spammer trick seems to be sending email directly from
    Actually, the latest spammer trick (as of Sept. 2004) is determining the
    proper outgoing SMTP server for the given ISP and using it for relaying.
    Spam/viruses are thus sent out through the ISP's primary mail server. Ever
    wonder why SWEN is such a menace? Blocklists can't start listing major ISPs
    because of the huge collateral damage this would cause.

    I tend to think that blocking dynamic IPs causes more problems than it
    solves. It fundamentally segregates the Internet based on connection class.
    The spam/virus defense has some merit, but certainly not in the long term.
     
    Jem Berkes, Nov 19, 2003
    #16
  17. The trouble is that some widely-used lists DO block major ISPs within a
    short period after a spam event, giving the ISP no time to respond to
    complaints. What often happens is that the ISP has a cluster of machines
    and one or two of the set of possible IP addresses gets blocked, causing
    the situation where mail may or may not get through depending on which
    machine picks up the job.


    Dave
     
    Dave {Reply Address in.sig}, Nov 19, 2003
    #17
  18. Jem Berkes

    D. Stussy Guest

    You're just noticing this NOW? That started THREE years ago with some of the
    smaller sites and about 1.3 years ago, the major ISPs picked it up too (except
    that ISPs obviously cannot block their own customers - but for the dial-up
    service, may direct those customers to relay via their outbound mail service).
    This is not news. This is the current status quo.
    No, it's not (misguided). Why?

    1) It requires the dial-up user to "validate" himself against his ISP's
    service. It also places responsibility on the ISP by putting their server(s) in
    the spam or virus trace path.

    2) It attempts to solve the problem of misconfigured servers by the average
    person, infected systems, and spam. Much of this comes from dial-up accounts
    and lately, CABLE and DSL served machines (i.e. "always on" internet access).
    Not accepting direct connections from these "lowers the noise."
     
    D. Stussy, Nov 19, 2003
    #18
  19. Jem Berkes

    D. Stussy Guest

    That only proves that there's no shortage of either stupidity and/or naivete on
    the Internet. (Some people don't know any better; some can figure it out but
    just don't care.)
    SPEWS also includes the non-spammers in the same netblock. They are NOT a
    spammer list. They are an ISP list. Spamhaus IS a spammer list.
    I will agree that dynamic ip !-> spammer, but much spam and virus problems do
    come from dynamic IPs; enough so that it is a concern. Earlier this year, there
    was a big spam relay problem from dynamic IPs in Brazil. There are just too
    many misconfigured systems out there to justify allowing them anymore.

    I have denied dynamic IP addresses from connecting to my mail server for more
    than a full year now. Even so, I still get about 200-300 attempts to spam or
    infect from dial-ups per day per recipient user (per the mail server logs).
    It's also been about a year since I saw any legitimate messages attempt to come
    directly from a dial-up address i.e. NOT relayed via the ISP's outbound server.
    If one disallows connections from dynamic IP addresses, then of course - because
    that will be the ONLY allowed source of mail. Duh! That says nothing of the
    fact that large ISPs usually do employ antispam and antivirus systems on their
    mail systems (some on BOTH the OUTBOUND and inbound mail servers). Usually,
    there's also some recourse - in that they will listen and [attempt to] quash the
    problem (not always in a timely manner, but some try).
     
    D. Stussy, Nov 19, 2003
    #19
  20. Jem Berkes

    James Knott Guest

    Wow, that is so recent, it hasn't happened yet!!! ;-)

    --

    Fundamentalism is fundamentally wrong.

    To reply to this message, replace everything to the left of "@" with
    james.knott.
     
    James Knott, Nov 19, 2003
    #20