It was recently pointed out that we are on APEWS, and I am trying to find out why so I can figure out how to get us off. The record given to me is E-320750. The details (to save you a lookup) are:
CASE: C-1403
Dynamic IP space, generic DNS/rDNS, no PTR
Direct connections to MX not permitted, you need to use your ISP servers or smarthost
---------------------------------------------------------------------------
Special Reason:
Dynamic IP, generic DNS, missing rDNS/PTR not permitted for direct email connection. You must use correctly configured [with registered working abuse contact] static IP / ISP mail servers / smarthost service
My first problem is trying to decode all of this. The FAQ didn't really explain what "Dynamic IP space" or "generic DNS/rDNS" is [as far as a problem] (let alone the rest). Is this all one problem or several? I can take reasonable guesses, and I can test my own systems, but can anyone shed light as to what the specific problem might be in different terms? If I thought it was one single problem, I'd guess it was an abuse@ contact problem, but the ARIN info and info for our major domains (at last check) all seems to be working fine...
My second problem has to do with our network. "Our" entire 134.197.0.0/16 block is listed - of which we are only a small part - that block is shared by one university, 3 community colleges, several system offices, and a research institute - and all sub-groups within those. While I work for a system office and am tasked with trying to determine the source of this listing, our network is decentralized and I don't really have an easy way to find out what caused the listing so I can fix it. The history in the record seems to indicate no escalation (e.g. it was an immediate block of a class B network) OR doesn't offer escalation details.
We're willing to fix any problems, but I don't want to guess or do an extensive analysis without exhausting input from this group first. Thank you for any input you can give!
Ian
-- Comments posted to news.admin.net-abuse.blocklisting are solely the responsibility of their author. Please read the news.admin.net-abuse.blocklisting FAQ at http://www.blocklisting.com/faq.html before posting.
> It was recently pointed out that we are on APEWS, and I am trying to
> find out why so I can figure out how to get us off. The record given
> to me is E-320750.
1) Well, you didn't share the IP that you first noticed the listing on, so we can't see if it has "dynamic-looking" DNS. Many admins use filters that reject IPs that look dynamic since they are more likely to be trojanned boxes trying to send spam directly to the victim. This isn't just an APEWS problem.
2) APEWS admins might read this group, but you won't get a direct reply. It's not their nature.
3) Do you have actual email rejected by a recipient that mentions APEWS as the reason? Can you share the headers of that email? Lots of folks find themselves or their ISP listed, but far fewer ever come up with proof that the APEWS listing was the reason. You may be able to reason with the admin of that recipient's system to get them to quit using APEWS if it's too aggressive, or whitelist your IP space assuming you're good guys.
4) ARIN doesn't know you're decentralized, and the only email listing for a tech contact is "d...@unr.edu". No abuse address listed at the highest level, so you should get that fixed so there's a single point of contact for the netblock.
5) Gmail and other anonymous email addresses get a bit (actually a lot) less credibility than an address from the IP range in question. You might want to rethink that, so we (whoever "we" are) know you're speaking with authority instead of (as sometimes happens) an end-user talking for the upper level provider with no ability to get stuff done.
--
Bill "the Roadie" Carton
On Mon, 7 Jul 2008 15:56:08 GMT "Bill Carton - (The Roadie)" <wcar...@flash.net> wrote:
| 1) Well, you didn't share the IP that you first noticed the listing on, so
| we can't see if it has "dynamic-looking" DNS. Many admins use filters that
| reject IPs that look dynamic since they are more likely to be trojanned
| boxes trying to send spam directly to the victim. This isn't just an APEWS
| problem.
[mostly for the OP]
Take note that many people do something similar to this test for "dynamic" looking names, but instead, categorize it as "generic". The set "generic" is a broader set than "dynamic", and includes the "dynamic" set. The term "dynamic" means, or at least implies to mean, the set of internet access addresses which are dynamically assigned when the user logs in to the provider to gain access. These dynamic "leases" may last for minutes or months, but are considered dynamic because of the nature of how they are accessed. By contrast, the term "generic" means (at least my meaning when I first started using it many years ago) all addresses which reach a computer system which is under the control of a different entity than the one that "owns" the registered domain name associated with it. The idea behind designating an address as "generic" is that when obtaining a host name from the address (and one that passes forward verification), it does NOT identify the actual owner/operator of the host itself, but only that of the provider. Broadly interpreted, this can also include office desk computers _operated_ by individual staff of a company who are not the IT staff ordinarily charged with acting on the company's behalf. The difference is that "generic" includes statically assigned addresses, whereas the term "dynamic" does not (despite the fact that a test for "looks dynamic" would likely flag such an address as looking dynamic).
Generic addresses and dynamic addresses are indistinguishable for the most part, just from the reverse DNS ("in-addr.arpa" PTR records) name. The big difference is that calling a hostname "dynamic" when it really is static is technically a "false positive error" whereas calling it "generic" is not unless the owner of the domain actually runs the machine involved (this does happen a lot).
Identification of both generic and dynamic are basically the same. Some difference might exist based on the intended classification. Once identified, the addresses may be conveyed in other forms. An address may be identified as dynamic or generic by the appearance of its name (too many digits or a specific subdomain, for example) and conveyed by its IP address (the most common way).
When an address _looks_ dynamic but is not, the owner might try to assert that an exception should be made and try to provide a statement or some evidence to show it is not dynamic. However, in most of these cases, it still fits the definition of generic in which case, for the classification of generic, no exception would rightly be made. When a host is indeed not generic or dynamic, but otherwise appears to be so, then it is the host owner that should change the reverse DNS name to reflect the truth.
Still, in the case of conveying dynamic or generic host lists by IP address, it is much easier to classify whole ranges, such as a whole /24 by means of a 3-component address, or a zone in a DNS server.
In any case, anyone wanting to get their address removed from a list should, at the very least, change the reverse DNS name to ones that indicate actual usage in some way, or the delegation to others. Additionally, any generic addresses that are not in dispute as generic should be given a name that has a specific subdomain with no other addresses besides generic. The latter suggestion is so that those intending to quarantine or block generic addresses can simply do so by the parent DNS zone name. When non-generic addresses are not in a generic (looking) parent zone, then it is easier to avoid errors of a false positive nature.
Cases of claims by a customer that their ISP will not cooperate in changing reverse DNS names will be responded to by the suggestion to switch to another ISP.
| 5) Gmail and other anonymous email addresses get a bit (actually a lot)
| less credibility than an address from the IP range in question. You might
| want to rethink that, so we (whoever "we" are) know you're speaking with
| authority instead of (as sometimes happens) an end-user talking for the
| upper level provider with no ability to get stuff done.
It is possible to use both addresses. Someone can provide the in-domain email address (that works) for verification, and request communications via the email associated with the free mail service such as Gmail or Yahoo.
It's also possible to show authority over an IP address by doing something the world can see that only the one with authority over that IP address could do, such as adding a TXT record to the reverse DNS (in-addr.arpa) name that acknowledges the posting by its message ID.
--
|WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
| by the abuse department, bellsouth.net is blocked. If you post to          |
| Usenet from these places, find another Usenet provider ASAP.               |
| Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |
> > CASE: C-1403
> > Dynamic IP space, generic DNS/rDNS, no PTR Direct
> > connections to MX not permitted, you need to use your
> > ISP servers or smarthost
> > --------------------------------------------------------
> > Special Reason:
> > Dynamic IP, generic DNS, missing rDNS/PTR not permitted
> > for direct email connection. You must use correctly configured
> > [with registered working abuse contact] static IP
> > / ISP mail servers / smarthost service
> > My first problem is trying to decode all of this.
> > The FAQ didn't really explain what "Dynamic IP space"
> > or "generic DNS/rDNS" is [as far as a problem]
> > (let alone the rest). ...
> > My second problem has to do with our network. "Our" entire
> > 134.197.0.0/16 block is listed - of which we are only a small part -
...
APEWS is unlikely to further clarify their record, and even less likely to post a reply here.
My guess would be that perhaps their SpamTraps are seeing Spam from IPs that have no rDNS PTR &/or IPs with generic rDNS PTRs. e.g.
134.197.11.127 -> ppp-11-127.scsr.nevada.edu ,
134.197.19.127 -> host-134-197-019-127.wnc.edu ,
134.197.21.191 -> dhcp-191-21-197-134.scsr.nevada.edu , ...
They perhaps expect the _owner_ of 134.197.0.0/16 (unr.edu) {AS3851} to block port 25 for all IPs that are not authorized mail servers, and to make certain all authorized mail servers have a non-generic rDNS PTR.
FYI: _very_ recently (NoPTR [134.197.228.200]) was emitting Pharma Spam (see also: CBL PSBL UCEPROTECT SpamCop SORBS UnSubScore)
_very_ recently {helo=mail-n.dri.edu} (mail-nx.dri.edu [134.197.100.207]) was emitting 419 Spam. (See also: DCC SORBS)
very recently {helo=134.197.228.93} (NoPTR [134.197.228.93]) was emitting Pharma Spam (see also: CBL PSBL UCEPROTECT SpamCop UnSubScore)
not long ago {helo=134.197.228.152} (NoPTR [134.197.228.152]) was emitting a variety of Spams (see also: DCC PSBL WPBL ProjectHoneyPot)
not long ago {helo=_srvr-Border-Ck.duckvalley.org} (duckvalley.org [134.197.202.211]) was emitting a variety of Spams (see also: ProjectHoneyPot)
not long ago {helo=spamfilter.scsr.nevada.edu} (spamfilter.scsr.nevada.edu [134.197.201.160]) was bouncing spam to forged From:(s).
If you are the owner of the 134.197.0.0/16 ARIN Direct Allocation, and you don't already know about all these issues, and have prevented them from happening again, APEWS is likely the least of your problems.
-- E-Mail Sent to this address <BlackL...@Griffin-Technologies.net> will be added to the BlackLists.
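Added example (not code from any poster in this thread): a small offline audit in the spirit of Phil Howard's generic/dynamic classification above and the PTR sweep plus DNSbl check BlackLists describes. The PTR and forward records are constructed sample data embedded inline (three of the names are the ones BlackLists quoted; the other names, the 192.0.2.10 address and the DNSbl zone are placeholders), so nothing is actually queried.

```python
import ipaddress
import re

# Constructed sample data (not real lookups): IP -> PTR name, None = no PTR.
# The first three names are the ones quoted in the thread; the rest are placeholders.
SAMPLE_PTRS = {
    "134.197.11.127": "ppp-11-127.scsr.nevada.edu",
    "134.197.19.127": "host-134-197-019-127.wnc.edu",
    "134.197.21.191": "dhcp-191-21-197-134.scsr.nevada.edu",
    "134.197.100.207": "mail-nx.dri.edu",
    "134.197.228.200": None,
    "134.197.1.1": "mx.placeholder.example",  # constructed FCrDNS failure below
}
# Constructed forward (A) records used to check forward-confirmed rDNS offline.
SAMPLE_FORWARD = {
    "ppp-11-127.scsr.nevada.edu": {"134.197.11.127"},
    "host-134-197-019-127.wnc.edu": {"134.197.19.127"},
    "dhcp-191-21-197-134.scsr.nevada.edu": {"134.197.21.191"},
    "mail-nx.dri.edu": {"134.197.100.207"},
    "mx.placeholder.example": {"192.0.2.10"},  # points elsewhere: mismatch
}

# Leading labels that usually name an access pool rather than an operator-run host.
GENERIC_LABEL = re.compile(r"^(ppp|dhcp|dyn|dynamic|dsl|cable|pool|host|ip)[-.\d]", re.I)

def octets_in_name(ip: str, name: str) -> int:
    """Count the address's octets that reappear as digit groups in the name
    (zero-padded groups such as 019 are normalised before comparing)."""
    groups = {str(int(g)) for g in re.findall(r"\d+", name)}
    return sum(1 for octet in ip.split(".") if octet in groups)

def looks_generic(ip: str, name: str) -> bool:
    """Heuristic 'looks dynamic/generic' test: pool-style first label, or the
    address itself embedded in the name. A static host with such a name is
    still flagged, which is why the thread advises renaming such hosts."""
    first = name.split(".")[0]
    return bool(GENERIC_LABEL.match(first)) or octets_in_name(ip, name) >= 2

def classify(ip: str, ptr, forward: dict) -> str:
    """Verdicts in order of severity: no-ptr, fcrdns-mismatch, generic, ok."""
    if ptr is None:
        return "no-ptr"
    if ip not in forward.get(ptr.lower(), set()):
        return "fcrdns-mismatch"  # the PTR name does not resolve back to the IP
    if looks_generic(ip, ptr):
        return "generic"
    return "ok"

def audit(ptrs: dict, forward: dict) -> dict:
    """Classify every address; the non-'ok' entries are what an operator fixes first."""
    return {ip: classify(ip, name, forward) for ip, name in ptrs.items()}

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSbl lookup queries (an A answer = listed)."""
    reversed_octets = str(ipaddress.IPv4Address(ip)).split(".")[::-1]
    return ".".join(reversed_octets + [zone])

if __name__ == "__main__":
    for ip, verdict in audit(SAMPLE_PTRS, SAMPLE_FORWARD).items():
        print(f"{ip:16} {verdict:16} {SAMPLE_PTRS[ip] or '(no PTR)'}")
```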
Thanks, Bill for your input... Sorry for the late response, I went on vacation for 10 days... comments below:
> 1) Well, you didn't share the IP that you first noticed the listing on, so
> we can't see if it has "dynamic-looking" DNS.
Maybe I don't understand you, but the IP I first noticed the listing on was 134.197/16 - the ENTIRE block. And according to their own history, that's how it started. Having read more posts from other people, I now understand the APEWS report a little better, and understand those are "separate" problems. I understand the reasoning behind dynamic IPs even though I don't agree with it - we use dynamic IPs for end users that are largely assigned after gardenwalling (although I understand others don't) and we have NO mail servers on any campus that aren't statically configured and named. There may be issues (I'll address in another reply to another respondent) though.
> 2) APEWS admins might read this group, but you won't get a direct reply.
> It's not their nature.
Yeah, I get the impression that they're not well received by most of the internet at large either, and that being on their list might not be such a big impact. No, to answer your other question - we have no actual rejected email - just a campus admin who "noticed we are on that list."
> 4) ARIN doesn't know you're decentralized, and the only email listing for a
> tech contact is "d...@unr.edu". No abuse address listed at the highest
> level, so you should get that fixed so there's a single point of contact
> for the netblock.
The address listed by ARIN _is_ working and is a central contact (unr passes it on to us mainly), as is abuse@ all our major mail servers/ domains. So all that is working as far as I know!
> 5) Gmail and other anonymous email addresses get a bit (actually a lot)
> less credibility than an address from the IP range in question. You might
> want to rethink that, so we (whoever "we" are) know you're speaking with
> authority instead of (as sometimes happens) an end-user talking for the
> upper level provider with no ability to get stuff done.
Advice noted. I wanted to use an "expendable public account" for reasons I won't get into, but understand your point.
Thanks for your response - I have been on vacation and not able to reply...
> My guess, would be that perhaps their SpamTraps as seeing
> Spam from IPs that have no rDNS PTR &/or IPs with generic
> rDNS PTRs. e.g. 134.197.11.127 -> ppp-11-127.scsr.nevada.edu ,
> 134.197.19.127 -> host-134-197-019-127.wnc.edu ,
> 134.197.21.191 -> dhcp-191-21-197-134.scsr.nevada.edu , ...
Noted and suspected that's perhaps what their issues might be. Unfortunately, both the generics thing and the blocking of some of those subblocks are out of my control. Maybe it would light a fire under the politicos' butts who prevent us from doing certain things (my hands are somewhat tied by upper management and the political environment here)... but I still wish APEWS didn't feel the need to block the entire class B (I understand the theory but not the application). We'll see what I can come up with short term and long term as a workaround...
> FYI:
> _very_ recently (NoPTR [134.197.228.200])
> was emitting Pharma Spam
> (see also: CBL PSBL UCEPROTECT SpamCop SORBS UnSubScore)
> ........
> not long ago {helo=spamfilter.scsr.nevada.edu}
> (spamfilter.scsr.nevada.edu [134.197.201.160])
> was bouncing spam to forged From:(s).
> If you are the owner of the 134.197.0.0/16 ARIN Direct Allocation,
> and you don't already know about all these issues,
> and have prevented them from happening again,
> APEWS is likely the least of your problems.
We are aware of them and are resolving in one form or another (and unfortunately sometimes we must ask the sub-institution to resolve it first before we do), but I am curious how you pulled all that information so quickly. Can you recommend a tool or script that helped you in this process?
thanks!
zfpubli...@gmail.com wrote:
> We are aware of them and are resolving in one form or
> another (and unfortunately sometimes we must ask the
> sub-institution to resolve it first before we do),
> but I am curious how you pulled all that information
> so quickly. Can you recommend a tool or script that
> helped you in this process?
For the rDNS, I just queried the PTRs for 134.197.0.0/16, and briefly glanced at the first couple dozen pages of returns.
I have spamtraps at several different ISPs / IP networks / domains (all over the world).
I also checked 134.197.0.0/16 against the DNSbls I mentioned, as well as a few others (mostly for current listings of IPs I noticed hitting my spamtraps).
I also likely checked against news.admin.net-abuse.sightings, and some other spam corpus, and likely didn't see anything there that got my attention (or I would likely have mentioned it).
You should be able to find plenty of scripts to do what you want, or at least give you some examples, in e.g. CPAN and many other places. I'm not certain without looking, but you might start by checking out http://spamlinks.net/
-- E-Mail Sent to this address <BlackL...@Anitech-Systems.com> will be added to the BlackLists.
BlackLists wrote:
> 134.197.0.0/16 IPs I noticed hitting my spamtraps).
FWIW, if IPs you are responsible for are hitting my spamtraps, they are likely hitting thousands of others, some of those will be DNSbls and some will be ISPs.
Several large ISPs and some DNSbls have feedback loops; are you getting these?
-- E-Mail Sent to this address <BlackL...@Griffin-Technologies.net> will be added to the BlackLists.
I reserve the right to publicly post or ridicule any abusive E-mail. Reply to domain Patriot dot net user shmuel+news to contact me. Do not reply to spamt...@library.lspace.org