Mailing List Archive: NANOG: users

AT&T SMTP Admin contact?

Index | Next | Previous | View Threaded

brad at brad-x

Nov 24, 2009, 12:54 AM

Post #1 of 21 (1153 views)
Permalink

AT&T SMTP Admin contact?

Hi all,

Would I be able to get an AT&T mail administrator to contact me off-list? We've recently moved our mailservers to a new IP address range, and the standard CGI forms haven't produced any progress for us in over a week now. Unfortunately this affects dozens of hosted clients...

The CGI form at http://wn.att.net/cgi-bin/block_admin.cgi has also got a dead link at the bottom, which shakes my confidence in its level of maintenance a little.

Thanks in advance,

--
Regards,

Brad Laue
Systems Administrator, Inftek Hosting
1-888-44-SYNCD
http://www.getsyncd.com

(888) 44-SYNCD (888-447-9623) x702

eksffa at freebsdbrasil

Nov 24, 2009, 5:51 AM

Post #2 of 21 (1108 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

Brad Laue escreveu:
> Hi all,
>
> Would I be able to get an AT&T mail administrator to contact me off-list? We've recently moved our mailservers to a new IP address range, and the standard CGI forms haven't produced any progress for us in over a week now. Unfortunately this affects dozens of hosted clients...
>
> The CGI form at http://wn.att.net/cgi-bin/block_admin.cgi has also got a dead link at the bottom, which shakes my confidence in its level of maintenance a little.
>
> Thanks in advance,

Any success?

I have been trying to mail @bellsouth for a while now, and I am stuckd
into this RBL. Filling the CGI form or mailing abuse@, postmaster, or
this address:

http://worldnet.att.net/global-images/general-info/abuse_mail.gif

Never helped. My IP address, which has very good reputation on mail
delivery on many other public RBLs, btw, is still blocked reason-less.

--
Patrick Tracanelli

brad at brad-x

Nov 24, 2009, 8:50 AM

Post #3 of 21 (1102 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

Patrick Tracanelli wrote:
> Brad Laue escreveu:
>
>> Hi all,
>>
>> Would I be able to get an AT&T mail administrator to contact me off-list? We've recently moved our mailservers to a new IP address range, and the standard CGI forms haven't produced any progress for us in over a week now. Unfortunately this affects dozens of hosted clients...
>>
>> The CGI form at http://wn.att.net/cgi-bin/block_admin.cgi has also got a dead link at the bottom, which shakes my confidence in its level of maintenance a little.
>>
>> Thanks in advance,
>>
>
> Any success?
>
> I have been trying to mail @bellsouth for a while now, and I am stuckd
> into this RBL. Filling the CGI form or mailing abuse@, postmaster, or
> this address:
>
> http://worldnet.att.net/global-images/general-info/abuse_mail.gif
>
> Never helped. My IP address, which has very good reputation on mail
> delivery on many other public RBLs, btw, is still blocked reason-less.
>
>
No luck as yet. I've sent an e-mail to postmaster@ and abuse_rbl@,
hopefully I'll receive a reply from these.

Exclusionary blocklists are a great idea if they're constantly
maintained. I'm unclear as to why mail administrators don't work more
proactively with things like SenderID and SPF, as these seem to be far
more maintainable in the long-run than an ever-growing list of IP
address ranges.

Valdis.Kletnieks at vt

Nov 24, 2009, 10:10 AM

Post #4 of 21 (1101 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

On Tue, 24 Nov 2009 11:50:54 EST, Brad Laue said:
> maintained. I'm unclear as to why mail administrators don't work more
> proactively with things like SenderID and SPF, as these seem to be far
> more maintainable in the long-run than an ever-growing list of IP
> address ranges.

There's a difference between maintainable and usable. Yes, letting the remote
end maintain their SenderID and SPF is more scalable, and both do at least a
plausible job of answering "Is this mail claiming to be from foobar.com really
from foobar.com?". However, there's like 140M+ .coms now, and neither of them
actually tell you what you really want to know, which is "do I want e-mail from
foobar.com or not?". Especially when the spammer is often in cahoots with the
DNS admins...

On the other hand, I can, by looking at my logs, develop a fairly good sense of
"do I have any real non-spam traffic from that address range?". Yes, it's more
work, but it's also more likely to actually answer the question that I wanted
answered.

joelja at bogus

Nov 24, 2009, 10:27 AM

Post #5 of 21 (1103 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

Valdis.Kletnieks [at] vt wrote:
> On Tue, 24 Nov 2009 11:50:54 EST, Brad Laue said:
>> maintained. I'm unclear as to why mail administrators don't work more
>> proactively with things like SenderID and SPF, as these seem to be far
>> more maintainable in the long-run than an ever-growing list of IP
>> address ranges.
>
> There's a difference between maintainable and usable. Yes, letting the remote
> end maintain their SenderID and SPF is more scalable, and both do at least a
> plausible job of answering "Is this mail claiming to be from foobar.com really
> from foobar.com?". However, there's like 140M+ .coms now, and neither of them
> actually tell you what you really want to know, which is "do I want e-mail from
> foobar.com or not?". Especially when the spammer is often in cahoots with the
> DNS admins...

identify framework with trust anchors and reputation management are not
things that spf or pra actually solve. spammers can publish spf and
senderid records and in fact arguably have more incentive to do so if it
can be demonstrated that your mail is more likely to be accepted on the
basis of their existence.

> On the other hand, I can, by looking at my logs, develop a fairly good sense of
> "do I have any real non-spam traffic from that address range?". Yes, it's more
> work, but it's also more likely to actually answer the question that I wanted
> answered.
>

brad at brad-x

Nov 24, 2009, 1:38 PM

Post #6 of 21 (1101 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

On 2009-11-24, at 1:27 PM, Joel Jaeggli wrote:

>
>
> Valdis.Kletnieks [at] vt wrote:
>> On Tue, 24 Nov 2009 11:50:54 EST, Brad Laue said:
>>> maintained. I'm unclear as to why mail administrators don't work more
>>> proactively with things like SenderID and SPF, as these seem to be far
>>> more maintainable in the long-run than an ever-growing list of IP
>>> address ranges.
>>
>> There's a difference between maintainable and usable. Yes, letting the remote
>> end maintain their SenderID and SPF is more scalable, and both do at least a
>> plausible job of answering "Is this mail claiming to be from foobar.com really
>> from foobar.com?". However, there's like 140M+ .coms now, and neither of them
>> actually tell you what you really want to know, which is "do I want e-mail from
>> foobar.com or not?". Especially when the spammer is often in cahoots with the
>> DNS admins...
>
> identify framework with trust anchors and reputation management are not
> things that spf or pra actually solve. spammers can publish spf and
> senderid records and in fact arguably have more incentive to do so if it
> can be demonstrated that your mail is more likely to be accepted on the
> basis of their existence.

True, but wouldn't a blacklist of SPF records for known spam issuing domains be a more maintainable list than an IP block whitelist?

(I'm no doubt missing something very obvious with this question)

Brad

michael at linuxmagic

Nov 24, 2009, 2:01 PM

Post #7 of 21 (1101 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

On November 24, 2009, Brad Laue wrote:
> True, but wouldn't a blacklist of SPF records for known spam issuing
> domains be a more maintainable list than an IP block whitelist?
>
> (I'm no doubt missing something very obvious with this question)
>
> Brad
>

Yes, I think you are :) First of all, domains are easier to throw away than
IP Addresses, IP Lookups are more efficient than DNS SPF records, and SPF is
not really meant to address Spam problems, although it can address some
forgeries.

SPF works best to identify forgeries of large well known domains, but I think
you do not really understand what SPF records do, or how they work. Don't
worry, many email operators don't either, and simply put in an SPF record that
says that every IP can send email for that domain ;)

And think how large the theoretical database size would be for every domain,
compared to the limited size of the IPv4 space.. But this is better taken off
list you want to discuss SPF's usage in combatting spam.

--
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors - President/CEO - LinuxMagic
Products, Services, Support and Development
Visit us at http://www.linuxmagic.com
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-589-0037 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.

Valdis.Kletnieks at vt

Nov 24, 2009, 3:15 PM

Post #8 of 21 (1102 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

On Tue, 24 Nov 2009 16:38:33 EST, Brad Laue said:

> True, but wouldn't a blacklist of SPF records for known spam issuing
> domains be a more maintainable list than an IP block whitelist?
>
> (I'm no doubt missing something very obvious with this question)

140M+ .com where a malicious DNS server in East Podunk can be authoritative for
a domain actually in Bratslavia and domains are cheap and throw-away.

16M /24's, where you (mostly(*)) need to be able to actually route the packets,
so if you have a /24 in Bratslavia, you need something resembling a router
in Bratslavia as well, and somebody willing to light up the other end of
the cable, and you need a way to make BGP announcements (legal or otherwise ;)
to be able to exploit it.

Choose wisely which you'd rather use for defense.

(*) Mostly - though the BGP hack demonstrated at last year's DefCon
did qualify as an Epic Win for kewl presentations. ;)

brad at brad-x

Nov 24, 2009, 4:06 PM

Post #9 of 21 (1100 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

On 2009-11-24, at 6:15 PM, Valdis.Kletnieks [at] vt wrote:

> On Tue, 24 Nov 2009 16:38:33 EST, Brad Laue said:
>
>> True, but wouldn't a blacklist of SPF records for known spam issuing
>> domains be a more maintainable list than an IP block whitelist?
>>
>> (I'm no doubt missing something very obvious with this question)
>
> 140M+ .com where a malicious DNS server in East Podunk can be authoritative for
> a domain actually in Bratslavia and domains are cheap and throw-away.
>
> 16M /24's, where you (mostly(*)) need to be able to actually route the packets,
> so if you have a /24 in Bratslavia, you need something resembling a router
> in Bratslavia as well, and somebody willing to light up the other end of
> the cable, and you need a way to make BGP announcements (legal or otherwise ;)
> to be able to exploit it.
>
> Choose wisely which you'd rather use for defense.
>
> (*) Mostly - though the BGP hack demonstrated at last year's DefCon
> did qualify as an Epic Win for kewl presentations. ;)

Ah, very true. Still really hoping to get in touch with someone from AT&T. :-)

Thanks for the info.

justin at justinshore

Nov 24, 2009, 4:16 PM

Post #10 of 21 (1101 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

Brad Laue wrote:
> Ah, very true. Still really hoping to get in touch with someone from AT&T. :-)

Good luck. You might be a better response from posting a video
complaint on Youtube. "AT&T Breaks Guitars" perhaps. :-)

Justin

rsk at gsp

Dec 2, 2009, 10:31 AM

Post #11 of 21 (1010 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

On Tue, Nov 24, 2009 at 11:50:54AM -0500, Brad Laue wrote:
> Exclusionary blocklists are a great idea if they're constantly
> maintained. I'm unclear as to why mail administrators don't work more
> proactively with things like SenderID and SPF, as these seem to be far
> more maintainable in the long-run than an ever-growing list of IP
> address ranges.

Because SenderID and SPF have no anti-spam value, and almost no
anti-forgery value. Not that this stops a *lot* of people who've drunk
the kool-aid from trying to use them anyway, but blacklists are still --
by a huge margin -- the most effective anti-abuse tool available.

That said, blacklists (like all such resources) should be maintained,
and those using them should provide working contact methods that
enable resolution of the inevitable mistakes. The problem thus isn't
so much the choice of/use of blacklist(s), it's incompetent mail system
administration.

---Rsk

owenc at hubris

Dec 2, 2009, 10:38 AM

Post #12 of 21 (1006 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

On Dec 2, 2009, at 12:31 PM, Rich Kulawiec wrote:

> Because SenderID and SPF have no anti-spam value, and almost no
> anti-forgery value. Not that this stops a *lot* of people who've drunk
> the kool-aid from trying to use them anyway,

OK, I'll bite--How exactly do you go about forging email from my domain name if the host receiving it is checking SPF?

Chris

-------------------------------------------------------------------------
Chris Owen - Garden City (620) 275-1900 - Lottery (noun):
President - Wichita (316) 858-3000 - A stupidity tax
Hubris Communications Inc www.hubris.net
-------------------------------------------------------------------------

Valdis.Kletnieks at vt

Dec 2, 2009, 7:52 PM

Post #13 of 21 (1007 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

On Wed, 02 Dec 2009 12:38:54 CST, Chris Owen said:
> On Dec 2, 2009, at 12:31 PM, Rich Kulawiec wrote:
>
> > Because SenderID and SPF have no anti-spam value, and almost no
> > anti-forgery value. Not that this stops a *lot* of people who've drunk
> > the kool-aid from trying to use them anyway,
>
> OK, I'll bite--How exactly do you go about forging email from my domain
> name if the host receiving it is checking SPF?

It only stops forgery if the SPF record has a -all in it (as hubris.net does).
However, a lot of domains (mine included) have a ~all instead.

(And before anybody asks, yes ~all is what we want, and no you can't ask us
to try -all instead, unless we're allowed to send you all the helpdesk calls
about misconfigured migratory laptops".. ;)

owenc at hubris

Dec 2, 2009, 10:25 PM

Post #14 of 21 (1005 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

On Dec 2, 2009, at 9:52 PM, Valdis.Kletnieks [at] vt wrote:

> It only stops forgery if the SPF record has a -all in it (as hubris.net does).
> However, a lot of domains (mine included) have a ~all instead.

I guess I've never really seen the point of publishing a SPF record if it ends in ~all. What are people supposed to do with that info?

Spamassassin assigns it a score of 0.6 but that is low enough it really doesn't have much since it doesn't assign any negative points for SPF_PASS.

> (And before anybody asks, yes ~all is what we want, and no you can't ask us
> to try -all instead, unless we're allowed to send you all the helpdesk calls
> about misconfigured migratory laptops".. ;)

I certainly understand that you may not be able to lock down your domain. We don't even try for customers for instance. However, if you can't, I guess I don't really see what good publishing a SPF record is if you tell people not to enforce it.

Chris

-------------------------------------------------------------------------
Chris Owen - Garden City (620) 275-1900 - Lottery (noun):
President - Wichita (316) 858-3000 - A stupidity tax
Hubris Communications Inc www.hubris.net
-------------------------------------------------------------------------

ops.lists at gmail

Dec 2, 2009, 10:41 PM

Post #15 of 21 (1006 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

On Thu, Dec 3, 2009 at 12:08 AM, Chris Owen <owenc [at] hubris> wrote:
> On Dec 2, 2009, at 12:31 PM, Rich Kulawiec wrote:
>
>> Because SenderID and SPF have no anti-spam value, and almost no
>> anti-forgery value. Not that this stops a *lot* of people who've drunk
>> the kool-aid from trying to use them anyway,
>
> OK, I'll bite--How exactly do you go about forging email from my domain name if the host receiving it is checking SPF?

Dont let me stop you playing russian roulette with your users' email.

johnl at iecc

Dec 2, 2009, 10:42 PM

Post #16 of 21 (1006 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

>I guess I've never really seen the point of publishing a SPF record if
>it ends in ~all. What are people supposed to do with that info?

Get your mail delivered to Hotmail, the last significant outpost of
SPF/Sender-ID. Other than that, I agree it's useless.

I also agree that any domain with live users (as opposed to mail
cannons sending ads or transaction confirmations) is likely to
experience pain with -all from all the overenthusiastic little MTAs
whose managers imagine that "stopping forgery" will lessen their spam
load rather than losing mail from roaming users.

R's,
John

sethm at rollernet

Dec 2, 2009, 10:51 PM

Post #17 of 21 (1006 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

John Levine wrote:
>> I guess I've never really seen the point of publishing a SPF record if
>> it ends in ~all. What are people supposed to do with that info?
>
> Get your mail delivered to Hotmail, the last significant outpost of
> SPF/Sender-ID. Other than that, I agree it's useless.
>
> I also agree that any domain with live users (as opposed to mail
> cannons sending ads or transaction confirmations) is likely to
> experience pain with -all from all the overenthusiastic little MTAs
> whose managers imagine that "stopping forgery" will lessen their spam
> load rather than losing mail from roaming users.
>

In all fairness, the roaming users problem isn't a problem when one uses
smtp auth and a constant submission point.

~Seth

owenc at hubris

Dec 2, 2009, 10:53 PM

Post #18 of 21 (1006 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

On Dec 3, 2009, at 12:42 AM, John Levine wrote:

> I also agree that any domain with live users (as opposed to mail
> cannons sending ads or transaction confirmations) is likely to
> experience pain with -all from all the overenthusiastic little MTAs
> whose managers imagine that "stopping forgery" will lessen their spam
> load rather than losing mail from roaming users.

Again I guess I don't understand. How are these MTA managers being "overenthusiastic"?

Publishing a SPF (with -all) is essentially me requesting that they reject any mail from my domain not coming from one of the approved hosts. I'm the one making the decision to ask them to bounce such mail. Seems to me they are only being responsible in actually enforcing a policy that I set for the domain.

Chris

-------------------------------------------------------------------------
Chris Owen - Garden City (620) 275-1900 - Lottery (noun):
President - Wichita (316) 858-3000 - A stupidity tax
Hubris Communications Inc www.hubris.net
-------------------------------------------------------------------------

sean at donelan

Dec 3, 2009, 2:11 AM

Post #19 of 21 (1005 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

On Wed, 2 Dec 2009, Valdis.Kletnieks [at] vt wrote:
> (And before anybody asks, yes ~all is what we want, and no you can't ask us
> to try -all instead, unless we're allowed to send you all the helpdesk calls
> about misconfigured migratory laptops".. ;)

While I'll remain neutral about the specifics of SPF (and all the other
solutions), the legacy problem comes up trying to secure any thing. If
it (and I deliberately leave "it" undefined) had never worked, no one
would complain. Of course, there will always be someone who goes too one
extreme or the other extreme. People were dropping heavily spoofed
domains before SPF anyway.

At what point do we consider legacy support not worth it? It took 10+
years, but now almost no SMTP servers allow open relay by default. Will
it take another 10+ years to stop supporting misconfigured migratory
laptops by default?

andre.engel at fhe3

Dec 3, 2009, 10:32 AM

Post #20 of 21 (986 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

> -----Urspr�ngliche Nachricht-----
> Von: Chris Owen [mailto:owenc [at] hubris]
> Gesendet: Donnerstag, 3. Dezember 2009 07:25
> An: NANOG list
> Betreff: Re: AT&T SMTP Admin contact?
>
> On Dec 2, 2009, at 9:52 PM, Valdis.Kletnieks [at] vt wrote:
>
> > It only stops forgery if the SPF record has a -all in it (as
> hubris.net does).
> > However, a lot of domains (mine included) have a ~all instead.
>
> I guess I've never really seen the point of publishing a SPF record if
> it ends in ~all. What are people supposed to do with that info?

For instance some ISPs or Freemail providers give their customers the
possibility to use SPF as a value added service to decide if "senders
domain" should be dropped in theirs suspicious-folders or not .

I also learned that SPF is qualified for senders reputation :
http://www.ceas.cc/2006/19.pdf

> Spamassassin assigns it a score of 0.6 but that is low enough it really
> doesn't have much since it doesn't assign any negative points for
> SPF_PASS.
> > (And before anybody asks, yes ~all is what we want, and no you can't
> ask us
> > to try -all instead, unless we're allowed to send you all the
> helpdesk calls
> > about misconfigured migratory laptops".. ;)
> I certainly understand that you may not be able to lock down your
> domain. We don't even try for customers for instance. However, if
> you can't, I guess I don't really see what good publishing a SPF record
> is if you tell people not to enforce it.

MAAWG published a document around : Trust in Email begins with
Authentication

http://www.maawg.org/about/publishedDocuments/MAAWG_Email_Authentication_Pap
er_2008-07.pdf

> Chris
>
> -----------------------------------------------------------------------
> --
> Chris Owen - Garden City (620) 275-1900 - Lottery (noun):
> President - Wichita (316) 858-3000 - A stupidity tax
> Hubris Communications Inc www.hubris.net
> -----------------------------------------------------------------------
> --
>

Cheers

Andre

--
Andre Engel

Consulting Program Director,
Email and Cyber Intelligence Services "..no ghost just a shell"

FHE3 GmbH P: +49 721 869 5907
Scheffelstr. 17a M: +49 160 962 44476
76135 Karlsruhe

andre.engel [at] fhe3
http://www.fhe3.com/

Amtsgericht Mannheim, HRB 702495
Umsatzsteuer-Ident: DE254677931
Gesch�ftsf�hrer: Peter Eisenhauer, Michael Feger, Dimitrij Hilt

This message (including any attachments) is the property of FHE3 and may
contain confidential or privileged information. Unauthorized use of this
communication is strictly prohibited and may be unlawful. If you have
received this communication in error, please immediately notify the sender
by reply e-mail and destroy all copies of the communication and any
attachments.

herrin-nanog at dirtside

Dec 3, 2009, 11:58 AM

Post #21 of 21 (985 views)
Permalink

Re: AT&T SMTP Admin contact? [In reply to]

On Thu, Dec 3, 2009 at 1:25 AM, Chris Owen <owenc [at] hubris> wrote:
> On Dec 2, 2009, at 9:52 PM, Valdis.Kletnieks [at] vt wrote:
>
>> It only stops forgery if the SPF record has a -all in it (as hubris.net does).
>> However, a lot of domains (mine included) have a ~all instead.
>
> I guess I've never really seen the point of publishing a SPF record if it
>ends in ~all. �What are people supposed to do with that info?
>
> Spamassassin assigns it a score of 0.6 but that is low enough it
>really doesn't have much since it doesn't assign any negative
>points for SPF_PASS.

Chris,

In addition to pushing the spam assassin score a little more towards
tagging it as a spam, I use SPF to suppress backscatter from my
confirmation system. When I receive a message whose spam probability
is ambiguous (spamassassin score between 3 and 8), I generate a
confirmation request to the sender. This allows the sender to put the
message in front of me anyway if it turns out to have been a false
positive, as it occasionally does.

If you publish SPF records (even with ~all) and the source doesn't
match, I won't generate that request. You've given me sufficient
forward knowledge to detect the forgery so that I can silently drop
the spam and still comply with RFC 2821's "must."

Regards,
Bill Herrin

--
William D. Herrin ................ herrin [at] dirtside bill [at] herrin
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads