
Re: NEVER USE SORBS



On Thu, Jul 27, 2006 at 12:09:24PM +0300, Juha-Matti Tapio wrote:
> I think this TTL issue is relatively trivial and I would like to not see too
> long threads about it here, so after this message, I can talk to people
> privately about it but I prefer not to flood this list about this specific
> issue for now. So I would appreciate replies about this to be off-list.

It may be convenient for you to be able to regard other people's
problems with being listed by SORBS as trivial, but the TTL criterion
is in my opinion both arbitrary and not something that most users of
the DNSBL are aware of.

> On Wed, Jul 26, 2006 at 09:50:25PM +0000, Andy Smith wrote:
> > On Thu, Jul 27, 2006 at 12:13:57AM +0300, Juha-Matti Tapio wrote:
> > > And if TTL is not a listing criterion, it therefore is
> > > probably never the sole delisting criterion.
> > http://strugglers.net/~andy/tmp/sorbs-demands-high-ttl-for-delisting.txt
> > This IP space, and many others, are not delisted solely because of
> > their DNS PTR record's TTL.  SORBS has no place enforcing arbitrary
> > rules on DNS TTL, and that is why I no longer use it to outright
> > reject email.
> 
> I think the message you link to gives pretty well specified options where
> TTL check is not the sole criterion nor even necessary.

You don't appear to have read the part where I said that everything
had already been done apart from the TTL change.  The SORBS response
is essentially a canned one in response to me asking why it was
still listed after the RDNS had been changed and the ISP in question
had stated it was static.

> [Quoting from it:]
> : (2) Have your DNS data modified so that the listed IP address has a
> : clearly non-dynamic rDNS. We suggest that you include the keyword
> : "static" on this name, to avoid future listings. Also, insure that the
> : TTL is set to no less than 43200 seconds (we recommend 86400).
> [...]
> 
> Sorbs claimed that your address was listed because the reverse looked like a
> dynamic one. This delisting option number 2 requires that both the reverse
> has to be changed to a non-dynamic one _and_ that the TTL must be high
> enough to look convincing. Therefore in this scenario TTL is not the _sole_
> delisting criterion, but it is only there to make the primary delisting
> criterion more trustworthy.

Yes, I am aware.  BTW, this is not my IP address.  It was one trying
to communicate with my servers when I used to use SORBS DUHL.

What you seem to keep ignoring though is that after the ISP jumps
through the RDNS hoops, there is still the TTL hoop, and if they
won't jump through that one then they don't get delisted.

> : (3) Ask your ISP to get in touch with SORBS with the list of dynamic
> : and static IP allocations within its network, so that our DUHL list
> : can be updated. Note that many large ISPs do this periodically to
> : reduce the inconvenience to its users. In this case, the communication
> : must come from a RIR contact for the affected IP space.
> 
> And since Sorbs promises to give this option number three, did your ISP use
> it? Did the RIR contact do this? Because this option does not seem to demand
> high TTL at all. I assume this is intentional from Sorbs part and not just
> an accidental omission. The word of a RIR-contact does mean a lot. So again
> the TTL criterion is not the _sole_ delisting criterion.

I'm afraid it is.  Everything had been done apart from the TTL
change.  The ISP in question gave up at this point.

> > My users get false positives and then I have to tell them that the
> > ISP of the person sending the mail applied a TTL that is too low in
> > the opinion of SORBS, then I need to explain what DNS TTL is about.
> > And after all that when they ask "Okay so why is that bad?" there
> > really isn't a good answer other than some paranoid stance regarding
> > people changing their RDNS while SORBS looks and then changing it
> > back later (WTF???)  I cannot advocate a position I find ridiculous,
> > much less spend a lot of time doing so.
> 
> I do have kind of a hard time understanding why anyone would refuse to raise
> the TTL while they have anyway decided to choose option number two and
> change their reverse name to something real. For the admin the biggest
> hurdle is to just open up the DNS zone and start editing it, not the
> individual changes.

Who are SORBS to make arbitrary demands over the TTL of a DNS
record?  I can perfectly understand why ISPs would decline to pander
to this; it makes no sense.

> Just to sidestep a bit since you mentioned users. I assume you are talking
> about the host that got listed. How many mail users do you host on an ADSL
> line and what kind of experiences have you had with it?
> 
> ADSL does have kind of bad reputation for servers (at least mine has almost
> daily network problems) and I would probably not be brave enough to use it
> for such purpose, but I would be interested to know about your environment.
> 
> Don't you get too many blocked outbound messages for having 'adsl' in your
> reverse name?

I don't do that and do not recommend that anyone send mail from
servers at the end of DSL, even business DSL, since blocking of it
is too prevalent.

However my customers still expect to receive mails and when they are
sent by:

- a business
- at the end of business SDSL
- with static-looking reverse DNS

and it gets blocked because SORBS has the IP range listed and won't
delist due to the TTL of PTR records being too low, that is when I
can't justify using it in that mode any longer.  Neither can I
maintain a whitelist due to the numbers of such listings and the
inability to easily tell which ones are listed only because of TTL.

Cheers,
Andy

-- 
http://strugglers.net/wiki/Xen_hosting -- A Xen VPS hosting hobby
Encrypted mail welcome - keyid 0x604DE5DB

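Added example, not part of the original thread or of anything SORBS publishes: the quoted delisting option (2) amounts to two mechanical tests on a sender's PTR record, a non-dynamic-looking name (SORBS suggests the keyword "static") and a TTL of at least 43200 seconds. The code below applies both tests to the answer section of `dig +noall +answer -x <ip>` so that an admin going through a pile of rejected senders can separate the ones that would fail only on TTL from the ones whose reverse name itself looks dynamic. The keyword list used to decide what "looks dynamic" is this example's own assumption (SORBS' real heuristics are not given in the thread), the `dig` output format is the standard `owner TTL IN PTR target` line, and the sample records are constructed in the 192.0.2.0/24 documentation range. It does not query the DUHL itself, so it tells you what SORBS' stated rule would object to, not whether an address is actually listed.

```python
"""
Triage PTR records against the two tests in SORBS' quoted delisting option (2):
a non-dynamic-looking reverse name and a TTL of at least 43200 seconds.

Added example; assumptions are marked below. Input is the output of
    dig +noall +answer -x <ip>
i.e. lines of the form "<owner> <ttl> IN PTR <target>".
"""
import re
from dataclasses import dataclass

# Thresholds quoted verbatim from the SORBS text in the thread.
SORBS_MIN_TTL = 43200          # "no less than 43200 seconds"
SORBS_RECOMMENDED_TTL = 86400  # "(we recommend 86400)"

# Assumption: name tokens that make a reverse name look like a dynamic pool.
# Matched as token prefixes, so "dsl-..." and "adsl-..." hit but "sdsl-..." does not.
DYNAMIC_HINTS = ("dyn", "dhcp", "pool", "ppp", "dialup", "adsl", "dsl", "cable")
STATIC_HINT = "static"         # SORBS' own suggested keyword

PTR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+PTR\s+(?P<target>\S+)\s*$"
)


@dataclass
class PtrCheck:
    ip: str
    ptr: str
    ttl: int
    looks_dynamic: bool
    ttl_too_low: bool

    @property
    def ttl_only(self) -> bool:
        """True when the TTL is the only thing option (2) would object to."""
        return self.ttl_too_low and not self.looks_dynamic


def owner_to_ip(owner: str) -> str:
    """Turn '10.2.0.192.in-addr.arpa.' back into '192.0.2.10'."""
    labels = owner.rstrip(".").lower().removesuffix(".in-addr.arpa").split(".")
    if len(labels) != 4 or not all(label.isdigit() for label in labels):
        raise ValueError(f"not an IPv4 in-addr.arpa owner: {owner!r}")
    return ".".join(reversed(labels))


def looks_dynamic(name: str) -> bool:
    """Heuristic (assumption): 'static' anywhere wins; otherwise any dynamic hint flags it."""
    lowered = name.lower()
    if STATIC_HINT in lowered:
        return False
    tokens = re.split(r"[.\-_]", lowered)
    return any(tok.startswith(hint) for tok in tokens for hint in DYNAMIC_HINTS)


def check_ptr_line(line: str) -> PtrCheck:
    """Parse one dig answer line and apply both tests."""
    m = PTR_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a PTR answer line: {line!r}")
    ttl = int(m["ttl"])
    target = m["target"].rstrip(".")
    return PtrCheck(
        ip=owner_to_ip(m["owner"]),
        ptr=target,
        ttl=ttl,
        looks_dynamic=looks_dynamic(target),
        ttl_too_low=ttl < SORBS_MIN_TTL,
    )


def triage(dig_output: str) -> dict[str, list[str]]:
    """Bucket every answer line into 'ok', 'ttl_only' or 'dynamic_name'."""
    buckets: dict[str, list[str]] = {"ok": [], "ttl_only": [], "dynamic_name": []}
    for line in dig_output.splitlines():
        if not line.strip():
            continue
        c = check_ptr_line(line)
        if c.looks_dynamic:
            buckets["dynamic_name"].append(c.ip)
        elif c.ttl_too_low:
            buckets["ttl_only"].append(c.ip)
        else:
            buckets["ok"].append(c.ip)
    return buckets


# Constructed sample (not real data): what `dig +noall +answer -x` would print
# for four addresses in the 192.0.2.0/24 documentation range.
SAMPLE_DIG_OUTPUT = """\
10.2.0.192.in-addr.arpa. 3600  IN PTR mail.example-business.net.
11.2.0.192.in-addr.arpa. 86400 IN PTR static-192-0-2-11.example-isp.net.
12.2.0.192.in-addr.arpa. 3600  IN PTR dsl-192-0-2-12.pool.example-isp.net.
13.2.0.192.in-addr.arpa. 43200 IN PTR biz-static-gw.example.org.
"""

if __name__ == "__main__":
    for bucket, ips in triage(SAMPLE_DIG_OUTPUT).items():
        print(f"{bucket:13s} {', '.join(ips) or '-'}")
```

Run against the sample, 192.0.2.10 lands in the `ttl_only` bucket: a static-looking business mail host whose only offence under the quoted rule is a 3600-second PTR TTL, which is exactly the class of sender the message above says it could not pick out by hand. 192.0.2.13 passes because 43200 is "no less than 43200".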

