[HN Gopher] Spam blacklisting is out of control
___________________________________________________________________
Spam blacklisting is out of control
Author : derekzhouzhen
Score : 200 points
Date : 2022-02-05 16:33 UTC (6 hours ago)
(HTM) web link (blog.roastidio.us)
(TXT) w3m dump (blog.roastidio.us)
| thayne wrote:
| If I were to design a replacement messanging system to replace
| email, I would design it with deny by default, where messages
| that aren't signed by someone on your contact list are rejected.
| Maybe with a system to request that someone add you to their
| contact list (though with a limit on how much text can be in that
| request).
|
| Maybe something like that could be done with email, but without a
| culture around it, figuring out what addresses you need to add to
| your contact list when you add new services could be a pain.
| boudin wrote:
| UCEPROTECT is a scam. Blocking innocent people and asking them
| for money has nothing to do with security. The good thing is that
| most email servers do not use it because it's just bad. The bad
| thing is that Hotmail uses it (or at least was at until
| recently). It does mean that, as a Hotmail user, there's
| legitimate email that you won't receive.
|
| I do wonder if the guy behinf this scam is randomly blocking
| whole ip ranges to make a living, having enough people agreeing
| to the racket.
| pl0x wrote:
| The adblock lists are out of the control. Adblock Plus and Brave
| will block put your site on a block list to then sell ads against
| your site to companies like Verizon and Google.
|
| Brave loves Verizon so much they even listed them as a featured
| advertiser. https://brave.com/brave-ads/
| walrus01 wrote:
| note that there is a huge difference between corrupted for
| profit things like "adblock plus" and the community sourced,
| not for profit things like ublock origin.
| jijji wrote:
| this is the first time that I've ever heard of a email blacklist
| provider offering to remove an IP from their database if you pay
| a monthly fee... it sounds like extortion.
| cmroanirgo wrote:
| From the article:
|
| > _If my understanding of the law is correct, spamming is legal,
| albeit immoral_
|
| But the FTC takes a rather clear stance (at least in my eyes)
| [0]:
|
| > _Despite its name, the CAN-SPAM Act doesn't apply just to bulk
| email. It covers all commercial messages, which the law defines
| as "any electronic mail message the primary purpose of which is
| the commercial advertisement or promotion of a commercial product
| or service," including email that promotes content on commercial
| websites. The law makes no exception for business-to-business
| email. That means all email - for example, a message to former
| customers announcing a new product line - must comply with the
| law.
|
| > _Each separate email in violation of the CAN-SPAM Act is
| subject to penalties of up to $46,517, so non-compliance can be
| costly. But following the law isn't complicated*
|
| On top of that there's GDPR [1]:
|
| > _After the GDPR passed, some people said it would be "the end
| of email marketing" or "the end of spam." But it will be neither.
| Spam has always been outlawed or against the terms of use of most
| email providers. Those who send unsolicited or malicious mass
| emails will probably continue to send them. Did your spam folder
| dry up after May 25, 2018, when the GDPR took effect?_
|
| So, it seems the laws are in place, it's just that the jungle of
| unwanted & unsolicited email continues. It sucks when it's your
| server that get's blocked in a dragnet because you've a noisy
| neighbour. But like others have stated, move neighbourhoods.
|
| [0] https://www.ftc.gov/tips-advice/business-
| center/guidance/can...
|
| [1] https://gdpr.eu/email-encryption/
| spcebar wrote:
| I too have had issues with that particular blacklist, which, I
| believe, is gaining notoriety as a scam. In my case I was setting
| up outgoing email for a customer's WordPress website. In the end,
| rather than spending the time and money dealing with the
| blacklist, we routed their mail through Sendgrid. Not an
| especially happy ending, but their email works now.
| amar0c wrote:
| No one sane is using UCEPROTECT.. I would not even care. If
| someone is using them as blacklist(s) they have more problems
| than my mail not reaching them.
| Spamhaus/Spamcop/truncate.gbudb.net/Barracuda with some
| "premiums" like Abusix is all anyone should need
| nsajko wrote:
| The sad thing is that a solution for protection against spam has
| existed for about thirty years, yet it is almost unused. It is
| based on the same idea that later came to underpin Bitcoin: proof
| of work: https://news.ycombinator.com/item?id=30220979
| teekert wrote:
| Would be nice if ipv6 would fix this. This is also the reason I
| stopped self-hosting email, despite some nice benefits.
| NelsonMinar wrote:
| SMTP is a failed product.
| benjojo12 wrote:
| My personal experience with UCEPROTECT was that they had
| blacklisted 2 or 3 IPs in my /24 that were not routed to
| anything, nor had they _ever_ been routed to anything, a fresh
| new block from RIPE NCC too.
|
| Of course they offered to unblacklist them in exchange for
| payment, or wait.
|
| Waited 2 weeks and they dropped off. I've yet to hear about
| anyone using their DNSBL for anything serious in 2020/2021/2022
|
| I only knew about the listings because a monitoring service
| emailed me about it.
| zinekeller wrote:
| > a fresh new block from RIPE NCC too
|
| While I personally don't use UCE (and personally think that
| they're not good at what they're doing), unless you've get that
| IP range before 2012, I doubt it's a new one. Many spammers
| _do_ often exploit RIPE 's unallocated IPs for their spamming
| operations (either using BGP hijacking or just asking RIPE
| nicely for a range), which unfortunately is a perennial
| problem.
| adrium wrote:
| I have been running my own mail server for two years on my
| private ISP and have less problems than expected - even with the
| dynamic IP address (in practice, it changes once in 6-12 months)
| and no PTR. I also switched the ISP once. I have SPF, DKIM,
| DMARC.
|
| Edit: The nice thing about running the mail server personally and
| without a relay (like mailgun) is that mail is to-my-end
| encrypted. If the other party is running its own mail server, it
| could even be E2E encrypted. Considering the vast amount of
| personal information that going through email, this makes me feel
| good in terms of privacy.
|
| I have never heard of UCEPROTECT and fortunately, I never had to
| deal with it. The language on the webpage somehow reminds me of
| Kryptochef...
|
| A small inconvenience is that I had to unblock the IP on Spamhaus
| PBL every month. By now, it feels as if they know me, because I
| now only have to do this once if I get a new IP...
|
| Many mail servers are nice and provide the reason for the block
| even with hints how to unblock it. I successfully unblocked it on
| Abusix and Microsoft. Never had an issue with Google.
|
| GMX on the other hand will never accept my email because they
| require a proper PTR record. They are the only company I have
| come across and I find that scandalous.
| phishersfritz wrote:
| Your comment about no issues with no valid PTR surprised me.
|
| Spamhaus PBL is build based on your ISP telling Spamhaus which
| IPs are dynamic and which IPs should not send email. Your ISPs
| seemed to be nice enough to allow you delisting from it, which
| not all ISPs will allow.
|
| Abusix has a similar list, but its completely build based on
| dynamic looking or no PTRs. You can create an account and
| delist without any issues.
|
| Never the less there is way more services than GMX that block
| based on dynamic or no PTR. A lot of smaller solutions have
| this option checked by default. And it actually has been a best
| practice for decades to have a proper PTR.
|
| If you can, I'd set one and be done with it.
| PeterisP wrote:
| > I can complain to my hosting company and hope they evict the
| bad user from the network. But then why should my hosting company
| do so?
|
| The answer to this is the other option, leaving the hosting
| company. In this manner, every hosting company gets a choice -
| either they will kick out legal-but-immoral things like spammers,
| or they will not and rightly lose their above-board customers.
|
| This is essentially how the global e-mail community self-polices
| by establishing a norm that a host either has to work to exclude
| bad actors or will get boycotted/excluded for allowing them.
| cgriswald wrote:
| His whole defense of the hosting company's _hypothetical_
| failure to help is bizarre. He considers a lot of things that
| aren 't his concern or even really his business. A real
| analysis of whether to complain would only consider whether the
| hosting company will be responsive and whether they are
| competent to fix the problem.
|
| Why is he considering--with incomplete information--the hosting
| company's legal options and the severity of the spamming?
|
| Edited to add: He could also consider whether it is his hosting
| company with the problem or the orgs using UCEPROTECT; although
| as someone who needs their emails to go through "no matter
| what" that can be more difficult.
| indymike wrote:
| > The answer to this is the other option, leaving the hosting
| company. In this manner, every hosting company gets a choice -
| either they will kick out legal-but-immoral things like
| spammers, or they will not and rightly lose their above-board
| customers.
|
| This assumes that the RBL in question is a good actor. It is as
| bad as the spammers.
|
| > This is essentially how the global e-mail community self-
| polices by establishing a norm that a host either has to work
| to exclude bad actors or will get boycotted/excluded for
| allowing them.
|
| Most of us have ignored UCEPROTECTCTL lists for a long long
| time as it appears to be a money grab.
| indymike wrote:
| RBLs are useful, but there are a few that are not what they
| appear to be. The particular one in question, UCEPROTECT is
|
| a) not worth paying
|
| b) should never be used by a production mailserver to block
| messages.
|
| From the beginning there have been enterprising RBLs that are
| clearly overbroad, and offer to accept money. The money is not
| for getting off the list, it is always for something else so as
| to appear legitimate and a side effect is getting your domain off
| the list. This model is unethical at best, and is right up there
| with companies that snail mail over-priced domain renewal
| notices.
| sam_goody wrote:
| I agree with your plea, and view the current blacklists as Mafia
| style "protection" (that also conveniently helps the big players
| maintain their monopoly).
|
| Practically though, if you want to get your mail delivered, you
| should use Amazon SES or the like to send it - setup is really
| simple, and they have the clout to not be blacklisted EVEN THOUGH
| they are _definitely_ being used to send spam. At $1 per 1,000
| mails, it is unlikely you will even feel the cost.
|
| (I commented on this a few weeks ago at
| https://news.ycombinator.com/item?id=29713030.)
| bendbro wrote:
| What is "blicklisting"? A misspelling?
| berkut wrote:
| Very likely...
|
| Unless they're South African :)
| jspaetzel wrote:
| Any shared hosting provider is extremely susceptible to this type
| of issue and this type of list just doesn't work. It's a scam.
| There are lots of good blocklists, but there are also lots of bad
| ones like this.
|
| When I worked with a company who ran email systems like this we'd
| always steer customers away from lists like this, in cases where
| we couldn't deliver mail because of it we blamed the other
| provider. This actually worked a lot of the time and the customer
| would wind up contacting the sender another way to let them know
| they had a problem, and fairly often they'd change lists.
|
| Our standard messaging was something like, "Google and Microsoft
| are receiving our emails just fine, something is wrong with the
| receiving service"
| jeffbee wrote:
| This post meanders between complaining about RBLs and vaguely
| whining about the big email hosts, but I don't see the
| connection. There is zero useful information contained in the
| RBLs and the big hosts don't use them.
| derekzhouzhen wrote:
| I believe that outlook.com starts using UCEPROTECTL2/3. However
| I have no proof so I have to be vague about it.
|
| It is in the interest of big email hosts to shut out small,
| independent senders to strengthen their position of monopoly.
| Again, I have no proof.
| sylware wrote:
| I run my own email server, and I have _really_ a pb with smtp
| servers using spamhaus block lists. Ofc, to "whitelist" your IP
| with spamhaus (some shady andoran/swiss mafia), you must use a
| javascript only web engine based web browsers (I don't and I
| shoud not have to) in order to contact spamhaus. If this is a
| "chat" with their ppl, where is their IRC server? If I have to
| pay something out of this, this will be a lawyer to deal with the
| admins of such smtp servers.
| bhauer wrote:
| This has become bad enough that operators of personal mail
| servers are put into no-win situations and generally give up.
|
| Either we can concede defeat and relay personal correspondence
| email through a commercial service or we can just accept that
| some recipients will not receive our emails.
|
| I've adopted the latter stance because I don't operate a business
| that uses my personal mail server and therefore have the luxury
| of not caring a whole lot. My stance is that if a recipient is
| using an email service that blocks me for no good reason, they
| don't want to receive my email. They can complain to their
| service provider if they choose to. In a few cases, I've asked
| them to complain to their service provider and have seen _some_
| minor corrective action. But that 's pretty rare.
| gorgoiler wrote:
| Can anyone here (the author?) recommend a one-stop-shop script
| for checking ones IP address / prefixes against these blacklists,
| ordered by severity?
| lucb1e wrote:
| What would be nice is if there could be whitelists as well, or a
| blacklist that additionally keeps count of positive interactions.
|
| I've had an IP for about a decade that never once sent spam, but
| has ended up on blacklists from time to time (hosting EICAR on a
| web server apparently gets your mail server banned, 15-year-old
| me found out). SPF nicely says that this IP is supposed to be
| sending email for this domain. I don't think I'm on blacklists
| anymore, but email still ends up in spam folders nine out of ten
| times. People are giving off signals that my messages aren't spam
| all the time (it's my personal email server).
|
| Years of non-spam emails count for nothing whereas a single spam
| mail from an adjacent IP can get you on such a list. Somehow it's
| a bit imbalanced.
| Ansil849 wrote:
| > Other customers within this range did not care about their
| security and got hacked, started spamming, or were even attacking
| others, while your provider has possibly not even noticed that
| there is a serious problem. We are sorry for you, but you have
| chosen a provider not acting fast enough on abusers.
|
| What a ridiculously hostile message. Just because a website or
| mail server or whatever they are talking about got compromised
| does not mean that the owner "did not care about their security".
| This sounds like a case of a blocklist operator on a power trip,
| talking down to people.
| mjrpes wrote:
| I fought the battle to keep my SMTP server IP off blacklists, and
| lost.
|
| You can do everything possible, have a perfectly clean IP, have a
| good amount of outbound email traffic, only send transactional
| email, etc. Still, there will be edge cases where email does not
| go through. AT&T email servers would constantly blacklist me and
| not respond to requests to remove me, gmail/yahoo/outlook would
| silently put emails in the spam folder, and companies using email
| firewall products would blacklist me, with an IT Dept too inept
| to fix it.
|
| The solution was to pay a small fee and proxy all outbound email
| through a transactional SMTP sender, like Postmark or Mailgun.
| It's easy to do, with one line of code in Postfix. You can be
| selective, and only proxy emails sent to certain troublesome
| domains. If you try an email provider and it's not working out,
| it's one line of code to change to another provider.
|
| This allows me to still manage nearly all aspects of hosting my
| email server and control my email data, while not dealing with
| deliverability issues. I use Postmark and I have not dealt with a
| deliverability issue in two years.
| Silhouette wrote:
| While I am happy for you that you have found a solution, the
| solution you found is symptomatic of a very dangerous
| situation: it is increasingly impossible for individuals or
| SMEs to use essential online facilities like sending messages
| or transferring money reliably unless they use a broker service
| as an intermediary. We are allowing small numbers of tech firms
| to take control of vital functionality that should be using
| open, standardised protocols in a decentralised way. This
| leaves everyone who isn't big enough to run their own
| implementation that others can't afford to ignore beholden to
| those brokers and subject to arbitrary charges and/or denial of
| service.
| kbenson wrote:
| This is just the internet moving to match the real world. In
| the real world, reputation matters and some people don't want
| to talk to you unless someone can vouch for you. For areas
| where the general public needs to interact, third party
| intermediary services spring up to fill this need.
|
| This is why for any store over the size of a mom and pop
| operation in a neighborhood, you can't just tell the owner
| who you know by name to put it on your account, and instead
| for credit purchases you use a credit card company which acts
| as an intermediary and smooths problems over on both sides,
| and refuses to work with stores and people that are
| untrustworthy.
|
| This is why there are mailing list (mass email) services and
| why mail servers allow them. They keep their customers
| working within the accepted bounds (they ensure removal works
| and fire clients that abuse), and this allows mass email for
| accepted reasons while still being able to come down hard in
| random exploited servers/accounts.
|
| This is why big email services are very selective about what
| servers they talk to. I work at an ISP where our main
| outbound mail servers are on IPs that we try not to change
| because they've got decades of reputation attached. Even so,
| we recently brought up two new servers for email forwards,
| and shifted a small percentage of our mail queue traffic to
| them and ramped it up over a couple weeks, and that seemed to
| work "warming them up" to the likes of Gmail and yahoo, etc.
| It used to be there were lists of mail operators you could be
| part of and you could use reputation within that to get them
| to be lenient with you when you started. These days it's all
| so centralized in a few very large players that they really
| likely just talk to each other.
| Silhouette wrote:
| _In the real world, reputation matters and some people don
| 't want to talk to you unless someone can vouch for you._
|
| This has absolutely nothing to do with someone not wanting
| to talk to someone else. It has everything to do with some
| third party having the power to decide whether the other
| two may communicate.
|
| _These days it 's all so centralized in a few very large
| players that they really likely just talk to each other._
|
| And thus the single most important method of remote
| communication in the world today, the method that is
| frequently akin to root access to our online lives, became
| subject to arbitrary monitoring and interference by huge,
| powerful organisations with their own interests and
| negligible regulatory oversight, legal safeguards or
| accountability to anyone but their shareholders.
|
| Do you really not see why this is a problem? You talk about
| the internet matching the real world, but in the real world
| we've had laws against monitoring and interference with
| things like postal mail and telephone calls for a very long
| time almost everywhere.
| lytefm wrote:
| > and that seemed to work "warming them up" to the likes of
| Gmail and yahoo, etc
|
| Yes, warming up a "fresh" IP definely works. If you
| suddenly send thousands of mails from a new server - sure,
| you'll be labeled as Spam. If you slowly increase the
| volume over time, have a good domain and recipients that
| interact with the email, things should be fine. GMail has
| quite helpful guidelines [1].
|
| 1: https://support.google.com/mail/answer/81126?hl=en
| YPCrumble wrote:
| I agree completely with this, but the one problem is that you
| haven't addressed how we control spam without these "trusted"
| intermediaries. "Trusted" here meaning that they aren't
| spammers.
| Silhouette wrote:
| Spam has largely been a solved problem for _decades_ IME.
| You don 't need some big-data-crunching mega-mail-host to
| block it successfully. For my personal mail, I use a small
| provider that isn't configured to block anything
| automatically and the built-in tools in my mail software.
| For my businesses, we have a pretty standard SpamAssassin-
| style setup. Either way, I see hardly any spam in my inbox
| despite receiving mail to multiple published contact
| addresses for those businesses, and I also can't remember
| the last time a false positive resulted in missing a
| legitimate mail.
|
| Meanwhile I've seen people miss events because
| $BIG_MAIL_PROVIDER decided the invitation was spam, I've
| seen recruitment go wrong because a CV from an excellent
| candidate was blocked on its way to the designated email
| address for applications, and countless other examples
| where bad spam blocking was throwing baby out with
| bathwater.
| Karrot_Kream wrote:
| Sure for you, but all of these other mailservers still
| obviously find value in applying spam filters or they
| wouldn't keep filtering.
|
| The problem is that it's much easier to send email than
| it is to receive it. This puts the onus of spam filtering
| on the recipient. I'm sad that HashCash or some other PoW
| scheme was never adopted as a way to force rate limiting
| of mailers.
| netr0ute wrote:
| The solution is to eliminate spam filters because that is
| the only good choice.
| uoaei wrote:
| No one is free until we are all free to send spam.
| SturgeonsLaw wrote:
| This is the real value of cryptocurrencies. Yes, I know HN
| doesn't like them, yes there's a bunch of get-rich-quick bros
| and scammers out there, please try and separate the grift
| from the tech and consider how vital it is that people are
| able to control their finances without a third party having
| the ultimate say as to whether a transaction takes place or
| not.
| walrus01 wrote:
| cryptocurrencies and not screwing up global implementation
| of SMTP are _completely different things_.
|
| cryptocurrencies are not in any way going to solve the
| problem of people centralizing their MX all onto office365
| and gsuite.
| dtech wrote:
| The only currently realistic way to acquire cryptocurrency
| or for non-tech people to use it is through a 3rd party
| broker. It's about as difficult as running your own SMTP
| server I'd say.
|
| _edit_ see this current front-page submission about how
| Bitcoin fails to provide this despite being centralized in
| exactly the same way as the decentralized SMTP:
| https://news.ycombinator.com/item?id=30224637
| dane-pgp wrote:
| > for non-tech people to use it
|
| Then it should be only the SMTP server operators who have
| to handle the crypocurrency side of things, so email
| users never have to worry about it.
|
| As you say, acquiring and using the cryptocurrency would
| be about as technically difficult as what the SMTP server
| operators are already doing, and there are a variety of
| 3rd party brokers they can choose if they want to
| simplify things and not run a node themselves.
|
| The system I'm imagining is one where each newly
| registered domain has to put up a cryptocurrency bond if
| the registrant wants to send email from it. Existing
| domains would be grandfathered in (having already built
| up their reputation) and new domains would have their
| bonds burned if some N-of-M stakeholders agreed that they
| were sending (DKIM-signed) spam.
|
| Choosing those stakeholders would be controversial, but
| hopefully no less controversial than the system we have
| today where Google can use the threat of a Gmail
| blacklist to make every SMTP server in the world follow
| its wishes. Ideally some of the stakeholders would be
| non-profits like the ISRG and Mozilla Foundation.
| js2 wrote:
| How do you know whether your mail is going through? I can
| understand for messages that bounce, but how about mails that
| are silently dropped or end up in spam folders?
| noduerme wrote:
| In our case it's quickly obvious since our server sends
| verification codes when people sign up for online accounts or
| change their passwords. We'll see a pattern of customer
| complaints from certain mail services within a day of being
| on any major blacklist.
| johnklos wrote:
| Honestly, we usually find out after communication has failed
| and some other form of communication is used.
|
| It's usually worthwhile to remind businesses that when they
| use "free" services like privacy-paid outlook.com and Gmail,
| they'll get what they pay for, and if their communications
| really matter, they should find proper email providers.
| mjrpes wrote:
| I can never know for sure if email is avoiding the spam
| folder, but everything tells me if it does happen, it's quite
| rare now.
|
| First, I will send emails to test accounts I have set up with
| major email providers (gmail, yahoo, outlook, etc). I used to
| do this often, but they have all been going to the inbox on
| my last few tests, so I haven't done this recently.
|
| Second, is feedback I get from recipients. When I send an
| email and ask for a reply, I'll get a reply. I also used to
| hear a few times a month, "sorry for the delay. I found your
| email in my spam folder!". This has gone away.
| AviationAtom wrote:
| TedDoesntTalk wrote:
| I did not even know services like Postfix and Mailgun solved
| this problem. Thank you!
| suzzer99 wrote:
| My Dad still sends all emails to my main address and my gmail
| address, due to the occasional spat between netzero and godaddy
| that would block emails to my main address.
| [deleted]
| noduerme wrote:
| I manage an outbound mail server for a mid-sized company. I
| happen to also use it for my own personal mail.
|
| We have had on and off deliverability issues for years (AT&T
| and Comcast being the worst).
|
| As head of IT it fell to me to post whitelisting requests and
| try to get mail delivering again. I decided after awhile that
| this really isn't my job, and made a suggestion to the CEO
| which he took to heart:
|
| There is another solution besides changing IPs, using a paid
| sender, or filling out whitelist requests into the void: Get
| your legal department involved. We have repeatedly been taken
| off various public and private blacklists by having lawyers do
| their job. Once we went this path, it was like magic. Same day
| responses from those companies, and we haven't been on any
| blacklists for a couple of years.
| walrus01 wrote:
| Not everyone can spend $500 on lawyer billable hours per SMTP
| destination multiplied by N number of destinations.
|
| I also think that the likelihood of success in sending legal
| threats to somebody that demand they accept your SMTP traffic
| will not stand up in court, if you ever escalated it that
| far.
|
| As somebody who runs postfix MX on the receiving side of
| things, I can guarantee you that the day I receive a legal
| threat from some unknown third party with which I don't have
| a pre-existing business/contract relationship, demanding that
| I accept their email, is the day that I blacklist their
| entire organization and tell them "okay, I'll await service
| of your statement of claim".
|
| You actually think that the best answer to a _network
| engineering_ problem is to make legal threats at third party
| ISPs? Companies with which you don 't have a signed service
| order contract and/or master services agreement?
|
| You say you're a mid sized company. I think you're running a
| huge legal risk of angering a Comcast or AT&T size entity
| that has much deeper pockets and legal resources than you.
| The day that one of those giants calls you out on your bluff
| is going to be very expensive.
|
| On an ISP-to-ISP relationship level, this is not how you
| solve SMTP flow traffic problems. I can tell you that if I
| went to a NANOG conference representing my AS and proudly
| told other people "oh yeah, we've started sending threats
| from our lawyers to $OTHERISP1 and $OTHERISP2 because they
| won't take our mail traffic", that I would quickly be treated
| as a pariah.
| Brian_K_White wrote:
| The rationale for involving legal is to place some
| accountability and consequences where they belong.
|
| Currently, countless people essentially commit countless
| abuses for free because the actor is hidden behind a
| machine or a process. But somewhere it's a humans decision
| to institute an abusive protocol, and it seems pretty fair
| fo me to make that human accountable for their action. Not
| just email but all kinds of things.
|
| You are probably merely a dick but still a legal dick if
| you wantonly block email for yourself. But the second you
| are responsible for even one other person's correspondence
| reaching them, I say you should be legally culpable for any
| failure to deliver.
| walrus01 wrote:
| I'm a dick?
|
| I question whether you or what other percentage of the
| commenters in this thread represent any specific ASN with
| its own IP space that it cares about keeping clean, and
| have bgp relationships with other ISPs.
|
| Or whether they're actually end users only.
|
| Have you actually encountered this problem as a service
| provider in the past and implemented solutions to it, or
| are you just sharing your opinion as a possibly-
| frustrated end user of email?
| mhh__ wrote:
| Could you get a lawyer to draft you one template that looks
| scary while also not leading to much follow up unless you
| really want to be whitelisted by that particular entity?
| viraptor wrote:
| > Not everyone can spend $500 on lawyer billable hours per
| SMTP destination multiplied by N number of destinations.
|
| You likely wouldn't do that - just get a template version
| that gets reused, just like you pay once for a contract /
| t&c you reuse with multiple parties.
| superasn wrote:
| So what's the advice for an avg Joe for getting a reply
| from ATT, Comcast, etc when they unjustly blacklist you and
| ignore all correspondence?
| walrus01 wrote:
| 1. Host your mx somewhere that isn't on any blacklists.
| This means a small to medium sized isp, where you can
| directly contact the people who run the core network
| operations there, and who truly do care about kicking off
| abusive other customers very quickly. Ideally I would go
| with an ISP in your own region and home business area.
| Best chances of success if it's a hosting ISP where
| random customers _cannot_ sign up online with just a name
| and a credit card, but it 's more of a "contact us for a
| custom price quotation for your colocation needs" type of
| hosting operation.
|
| 2. Possibly run all your outbound smtp through a trusted
| third party service that you pay for such relay. Leaves a
| bad taste in my mouth but that's where we are at in 2022.
|
| 3. Be absolutely certain that your own smtp, spf, dkim,
| dmarc configuration is flawless and you've never been a
| source of spam.
| CPLX wrote:
| He didn't say threaten them.
|
| It's pretty easy to envision a situation where a lawyer
| sends a quite friendly and factual email to a company, that
| is literally identical to the one the IT head would have
| sent, but _because it's coming from a lawyer the recipient
| uses completely different internal routing_ to process the
| request. So someone actually takes the request seriously.
|
| Seems both plausible and a reasonable thing to do for a
| company large enough to have a legal department.
|
| People pay attention to lawyer letters. You've pretty much
| confirmed as much by noting that letters from a lawyer are
| so concerning to you that the mere mention of one makes you
| assume it's a threat.
|
| If you got a letter from an attorney asking for something
| nicely, and _it was a reasonable request_ you would
| automatically reply "SUE ME" just on principle? What's the
| principle?
| walrus01 wrote:
| In the American legal system, if somebody spends the
| money to take the time to have their lawyer hand craft
| and send me a letter about something such as this, I'm
| going to take it as a threat whether or not it
| specifically contains one.
|
| The implication is that if you do not do whatever is
| demanded in the letter, the next step will be the client
| of said lawyer escalating the situation to paying their
| lawyer to actually sue you.
| bo1024 wrote:
| Do you know what the lawyers said beyond "I'm a lawyer and
| would like you to edit the blacklist" ? Are these companies
| doing something illegal by blacklisting you unfairly, or do
| you have grounds for some sort of civil suit (if so, what
| grounds)?
| tyingq wrote:
| I would think "Tortious interference" is the most likely
| legal basis to complain about it.
|
| _" Tortious interference is a common law tort allowing a
| claim for damages against a defendant who wrongfully
| interferes with the plaintiff's contractual or business
| relationships"_
| phishersfritz wrote:
| Safe your 500 bucks per hour. A lawyer will not do
| anything.
|
| A blacklist is not directly interfering with your
| business. They just provide a list that contains IPs,
| your IP, and say we have seen spam traffic from it in the
| last x hours. The mail receiver, who trusts and uses the
| list might be interfering, but it is his right to pick
| and choose who he is accepting email from. Same right you
| have to pick and choose who you let into your bar,
| apartment, club, house, ... what so ever.
| jgerrish wrote:
| Safe your 500 bucks per hour. A lawyer will not do
| anything
|
| Sigh, I think I understand this statement. A warning to
| patent holders or a call to let it all burn down. A
| clever appeal to class divisions. I can't work through
| all the implications.
|
| But I do know the "enemy" of my "enemy" is not
| necessarily my "friend".
|
| I've seen the nightmare of the next Internet. Whether
| it's micropayments for digital stamps, or slowly
| refilling quotas, or hard hierarchical controls, it's
| more power to central authority.
|
| I know I'll never win this argument.
|
| The Internet will keep fracturing and normal citizens
| will get more frustrated. There will be a change. But
| just like the hatred of social media, lurking underneath
| it is an insatiable thirst for power.
| jasode wrote:
| _> Get your legal department involved. We have repeatedly
| been taken off various public and private blacklists by
| having lawyers do their job. _
|
| What's the particular law that makes those curators of
| blacklists pay attention to your company's lawyers? Do you
| have example text of those legal requests?
| karmicthreat wrote:
| I think many RBLs started out with good intentions. But it does
| feel like like many of them have shifted to pure grift. Pay for
| "priority" review definitely has negatively impacted this.
| UCEPROTECTL3 especially feels like an extortion attempt similar
| to the threatening domain renewal scams. But I've never notice
| any outgoing email from my services being blocked by it. So it
| just goes in the crank file.
|
| Really we probably need some sort of anti-RBL system. To keep
| good actors honest and force bad actors out of business.
| csnover wrote:
| Fortunately for the author, I haven't noticed any email servers
| that use the UCEPROTECTL3 RBLs to reject mail--which is to say,
| I've noticed some servers I administer end up on UCEPROTECTL3
| incidentally and it has never caused a delivery problem.
|
| On the other hand, some VPS providers are still allocating
| multiple customers to the same IPv6 /64 using SLAAC by default,
| and this _will_ make it impossible to deliver mail on IPv6 since
| reputable RBLs always blacklist the whole /64.
|
| As far as the argument about spamming being immoral but not
| illegal, I've never seen a reputable ISP that didn't prohibit
| unsolicited bulk email in their terms of use, so the grounds for
| reporting it is that a customer is violating the terms that they
| agreed to follow when they signed up.
|
| And to answer the question of whether or not RBLs are useful: in
| my experience, yes, they are quite useful. The biggest problem
| I've noticed with them is not typically false positives on small
| providers, but false negatives on giant companies like Google who
| cannot ever end up on an RBL because they process so much mail
| but don't do a good enough job of preventing their servers from
| being used to send spam.
| vsviridov wrote:
| Outlook properties seemingly use uceprotect lists. Outlook
| support even has a page for getting off their block list, but I
| could never get a reply.
|
| And my hosting provider basically said "we're warning against
| using our servers for outbound email", which amounts to "we're
| not gonna do anything about your bad neighbors that landed you
| on the uceprotect lvl2&3 lists"
|
| Been running my own email for 18 years, and outlook is the only
| place that i have problems delivering to.
| kazinator wrote:
| > _My hosting company is competitively priced, is fast, and has
| served me well for many years._
|
| ... attributes which they achieve by (1) selling services to
| anyone and anyone and (2) not dedicating any resources to
| fighting spam.
|
| So you got what you pay for.
| derekzhouzhen wrote:
| I don't want my hosting company to dictate what I can do and
| what I can't do. I don't spam, but I won't hold my moral
| standard to everyone else.
| istillwritecode wrote:
| If you start a new mail server in 2022 (or migrate from a
| previous address), you have to apply to be whitelisted by
| outlook.com and the many domains owned by Microsoft. They no
| longer accept mail from servers they haven't seen before.
| Companies such as google, microsoft, and facebook would rather
| that email died, and are actively working to destroy it through
| neglect, so that people will shift their messaging to proprietary
| networks they happen to own. Email has problems - spam being one
| of them, but it's as potentially important as IP routing itself,
| and we should work to preserve it.
| thaumaturgy wrote:
| > _They no longer accept mail from servers they haven 't seen
| before._
|
| Interesting. This tracks with my experiences too, but is there
| a good source for this that I can reference in the future?
|
| I got out of hosting email last year entirely because of
| intractable deliverability problems with the big three: Google,
| Microsoft, and Comcast. Comcast's issues mostly appeared
| intermittent and the result of incompetence. Google and
| Microsoft have clearly been competing to see who can kill small
| email service providers the fastest.
| lytefm wrote:
| I contacted Microsoft, actually received an answer from them
| and got an IP unblocked.
|
| Google can be tough though. If their Algorithms don't like
| you, good look.
|
| I was responsible for a new IP/Email setup and while all
| other relevant providers liked our mail and Google Postmaster
| tools didn't show anything bad, all our mail went to Spam in
| GMail. I found out why when even mails from completely
| different senders would usually go to Inbox but hit Spam once
| our Website or email was included:
|
| Despite showing it as "high reputation", GMail must have
| considered it as utter trash. Changed to a different, older
| domain and all has been fine since.
| causality0 wrote:
| _I signed up for random stuff quite liberally_
|
| Wait, what? That's like off-handedly mentioning you eat a pine
| cone for breakfast every day and glossing over it like we're not
| going to wonder if you're crazy.
| upofadown wrote:
| Blacklists are fine. If someone wants to make a list based on
| some criteria then OK, there is no real way to prevent them from
| doing that.
|
| The people doing the actual blocking based on the list have the
| responsibility for their actions. If, say, one of the largest
| email providers in the world is found to be giving preferential
| treatment to the email of other large email providers then they
| can't use some list as an excuse. Their actions are still
| anticompetitive and generally harmful.
|
| We shouldn't forget to go after the entity that runs the email
| server that is blocking email from our servers. You don't have to
| care that there is a list. Blame the right people and involve
| governments if required.
| yosamino wrote:
| This is a complaint about "UCEPROTECT Blacklist Policy LEVEL 3"
| [0]
|
| It's description is not subtle:
|
| > This blacklist has been created for HARDLINERS. It can, and
| probably will cause collateral damage to innocent users when used
| to block email.
|
| So if the mailsystem you are trying to reach employs it, is
| either experiencing spam levels that justify it's use - OR they
| made a mistake in using it, if this is the sole reason you are
| being banned.
|
| The first order of business is _of course_ to complain to your
| hosting provider. Nobody wants spammers on their networks - but
| if they do: then this is kind of exactly the reason for this
| list. The policy describes in detail what made it possible for
| this netblock to end up on the list, that should be enough for
| them to take action either pre-emptively or by notifying their
| offending customer, and if neccessary kicking them off the
| network.
|
| The _next_ thing you can do, instead of paying for whitelisting,
| ist to contact the mailserver-admin at system you are trying to
| deliver mail to. This can be a bit of a hassle - seeing that your
| mailserver just got blocked - but it usually works. The same way
| systems don 't want to receive SPAM they also don't want to
| overblock, after all they want their users to _receive_ emails as
| well. If you are the mail admin of a sending system and you 're
| reaching out to the receiving system this is usually a pretty
| good indicator that you don't want to spam them.
|
| I have had success doing this even at some larger ISPs, where you
| would expect this to be more difficult.
|
| I very much _enjoy_ these blocklists - simple, transparent. Loads
| better than the kafkaesk black holes that are the major mail
| providers who barely care, and who do not give you easy recourse
| if you are mistakenly blocked.
|
| [0] https://www.uceprotect.net/en/index.php?m=3&s=5
| cure wrote:
| > The next thing you can do, instead of paying for
| whitelisting, ist to contact the mailserver-admin at system you
| are trying to deliver mail to. This can be a bit of a hassle -
| seeing that your mailserver just got blocked - but it usually
| works. The same way systems don't want to receive SPAM they
| also don't want to overblock, after all they want their users
| to receive emails as well. If you are the mail admin of a
| sending system and you're reaching out to the receiving system
| this is usually a pretty good indicator that you don't want to
| spam them.
|
| That's nice in theory. In practice, UCEPROTECT level 3 is used
| by, for example, all Microsoft properties (including hotmail,
| etc). And UCEPROTECT level 3 lists a _lot_ of netblocks.
|
| So, if you want to send e-mail from, say, Digital Ocean, to any
| Microsoft managed e-mail domain, you can just forget about it.
| DO doesn't care, Microsoft very much doesn't care. Good luck
| trying to contact a postmaster there!
| neilv wrote:
| The US federal government should tackle huge email account
| providers that effectively (by accident or design) use anti-spam
| as a pretext to sabotage self-hosted email.
| scarface74 wrote:
| Yes because the government involved in technology always makes
| things better as I click on "allow cookies" on every damn
| website.
| gog wrote:
| Punishing anti-competitive measures doesn't have to be always
| complicated.
|
| "Allow cookies" modals are horrible but GDPR gives people in
| the EU rights to be forgotten and not contacted in the
| future. Reminding companies about GDPR regulations works very
| well.
| scarface74 wrote:
| just wait for the new law to outlaw spam filters so anyone
| can host email.
|
| As soon as they do, email might as well be dead.
|
| The GDPR already caused some sites just to block access to
| EU countries.
| vmception wrote:
| Extortion rackets
| lytefm wrote:
| > On the other hand, if a legitimate email from a future friend
| or a potential business associate were accidentally blocked, the
| lost opportunity cost is several magnitudes higher.
|
| To some extent, this also applies to legitimate business mails
| going to Spam. That was a big reason for me to switch away from
| Outlook to a provider where I could configure the spam filter to
| the equivalent of "Viagra scams etc".
| kazinator wrote:
| > _I run my own email server, and don't use any blacklist. Yes, I
| got some amount of SPAMs. However, the vast majority of trashy
| emails I receive each day are advertisements (I signed up for
| random stuff quite liberally)._
|
| You don't run a mail server for other people who are not so
| careful with their e-mail addresses, let alone for a large
| organization. You don't run a mail server which hosts public
| mailing lists.
| prepend wrote:
| I guess another option is to sue the blacklist operator for
| inappropriately including him. Or sending some legal sounding
| letter threatening suit.
|
| I found some old lawsuits [0] that got injunctions and even
| damages awarded from being included in black lists.
|
| I hate how the big tech customer nonsupport is bleeding into
| small firms attitude. "Sorry, you did nothing wrong but might one
| day so get fucked." is really not something that should happen
| very much.
|
| [0] https://www.techdirt.com/articles/20051228/1349229.shtml
| huhtenberg wrote:
| > _Or I can leave the current hosting company_
|
| Yep, that's the one.
|
| If your hoster doesn't care about spam spreading from their IP
| space, you should take your mail server elsewhere. There's
| literally nothing to think about.
|
| And if they _do_ care about this issue, they are likely to be
| taking steps to remove any of their IP space from the blacklists,
| without being nudged.
|
| PS.
|
| I've been running a mail server for close to 20 years now and I
| do blacklist by /24 netblock on the second offense. This doesn't
| bounce emails though, just tags them as spam. So I had a quick
| look in the logs and Hetzner, Digital Ocean, OVH and LeaseWeb are
| all spamming a lot. LayerHost, Colo Crossing, Liquid Web, Host
| Winds and Servion are also close to the top. Anecdotal data,
| obviously, so caveat emptor and all that.
| adrium wrote:
| I have a similar experience: Some hosting providers / AS host
| shady stuff and I understand that VPS ranges end up on block
| lists quite easily.
|
| I only block AS 4134 and AS 4837, some AS that host services
| like shodan, and aggressive crawlers like semrush.
|
| Anything that sends packets to my server get ratelimited
| quickly. Still barely noticeable for occasional human
| interaction. I also started with /24, but I am now up to /12.
|
| PS. By the way, has anyone ever seen spameri@tiscali.it in the
| logs? It shows up almost on a weekly basis as RCPT TO address
| from literally all over the world.
| reaperducer wrote:
| When I first started monitoring spam connections years ago, it
| was almost always home cable+internet providers. They seem to
| have gotten the message and cleaned up thier acts.
|
| As of last night, the number one source of spam for both the
| personal and company servers I maintain is Digital Ocean.
|
| Which is a shame, because otherwise I'm a happy Digital Ocean
| customer. But because of this, I would never move any of my
| commercial projects there.
| pixl97 wrote:
| I'm not sure that home IPs have cleaned up their act, I think
| it is that no large email host accepts their email any longer
| so spammers have stopped sending from there.
| walrus01 wrote:
| Any hosting company where some random person can buy a VM for
| $5 on a credit card has this problem. Mostly I feel sorry for
| the support and staff at the hosting companies who _do not_
| have the time /manpower/resources to deal with it properly, and
| this is an intentional business decision by the people who own
| and run the companies.
|
| It's a race to scraping the bottom of the barrel on per
| customer profit margin and pricing.
| syshum wrote:
| >/24 netblock on the second offense.
|
| That seems excessive and abusive, I am not aware of any
| commercial ISP that is giving out /24 anymore. /29 is most
| common, I had to practically beg to get a /28 so what is the
| justification for banning an /24???
| huhtenberg wrote:
| > That seems excessive and abusive
|
| Good thing it's my own mail server then, isn't it?
|
| The practical reason is that virtually all Whois lookups of
| offending IPs return blocks of /24 or larger, so that's a
| reasonable default. Besides, as I said, this doesn't result
| in a "ban", just tags emails as spam and passes them through.
| At my scale an occasional false positive is not a big deal.
| marcosdumay wrote:
| Block registers don't deal with "justification".
|
| If they did, what would be Google's justification for
| blocking senders that send too few emails?
| pteraspidomorph wrote:
| I wish I knew. I have a user google keeps blocking for spam
| (not even marking, outright blocking) while at the same
| time their reporting tool say the user doesn't send enough
| e-mail to google for any data to be displayed (the user's
| domain generates less than ten e-mails per day, many/most
| of which not to google).
| quags wrote:
| I have run my own mail server about as long, run an RBL, and a
| transactional mail service too. This is a hard line approach
| and blacklisting a /24 on a second offense that never expires
| just doesn't work long term but at least you are not completely
| blocking it and accepting it but as spam.
|
| Lets be real there is spam coming from gmail and
| hotmail/outlook as well and places like abuseix specifically
| state they don't block these ranges. So the large providers get
| excused for clean up because they are too big. Sure blocking
| colo crossing probably won't get any one to complain, but
| Digital Ocean is probably going to get some collateral damage.
| For your own mail server fine, don't accept it, send to spam -
| but there is a reason real RBL lists are very careful to skip
| the big providers or make sure they expire. Spamcop always had
| the best method - expire when the spam stops. Does it keep
| getting listing? Keep it longer. Rspamd also has a good method
| where an RBL increases the score. The hard line approach gives
| gmail and microsoft a large share of the email market and hurts
| smaller providers when they are not held to the same standards
| as everyone else. If gmail emails start bouncing when they have
| a heavy spam hit, then maybe gmail users will change isps and
| help gmail clean up. These are two trillion dollar companies
| that also have spam problems.
|
| As far as UCEprotect. Their level1 is actually reasonable,
| especially for spam traps. The timestamps easily allow for you
| to find exactly what the spam is from with the smtp response
| and time frame. Their scanning methods are less so. Dos
| prevention measures can get you listed there and are not valid.
| The level2/3 lists are utter shit.
| lodovic wrote:
| Email has basically been taken over by Microsoft and Google. They
| set the rules and decides who can is blacklisted. Although to me,
| email has become increasingly less relevant, to a point where I
| only check it once a week or so.
| annoyingnoob wrote:
| Blame your ISP, or hosting provider. As an email admin, I deal
| every-single-day with phishing and malware that comes through
| email. There is not a single hosting company that does anything
| more than pass complaints onto the spammer - thus verifying that
| I'm a good target and causing even more of a problem.
|
| While I do not use any blacklists, I do make my own. I've found
| that blocking individual IPs is useless, there is always another
| one. However, if I block the entire IP range I have much more
| success.
|
| This is your hosting company's fault for allowing spamming and
| doing nothing about it.
| 51Cards wrote:
| We just recently switched from a self hosted email server to one
| of the services (smtp.com, smtp2go, etc.) We gave up the fight.
| pandemicsoul wrote:
| Spam blocklists are run by an unaccountable cowboy cult that
| somehow has managed to consolidate a ton of power simply for the
| fact that most people who run email inbox services didn't want to
| deal with the problem of spam, so they were more than willing to
| just hand over anti-spam "enforcement" to anyone who was
| allegedly doing "what was best for the internet." There's no
| check on these people who run these blacklists, and the system
| they've built is entirely a black box, antithetical to the
| principles of the open internet. And if you're not a huge
| corporation that can afford professional management of your email
| deliverability, good luck - the individuals and small
| organizations are just out of luck. It's a miserable racket and
| for what?
|
| If you want to know why there's a new thread each week on HN
| about why it's impossible to host your own email service, this is
| why.
| Godel_unicode wrote:
| > antithetical to the principles of the open internet.
|
| No. These blocklists are employed by the actor receiving the
| email. They have a perfect right, even on "the open internet",
| to decide that they want to limit who can send them messages.
|
| There are tons of checks on the people who provide those
| blacklists, in the form of their users complaining about lack
| of mail delivery and ultimately not using their list anymore.
| We vote with our wallets, and as a group we have decided that
| these blocklists are useful.
|
| > and for what?
|
| To make email usable. Full stop.
| Underphil wrote:
| Absolutely agree. This doesn't fall under the principles of
| the open internet nor anything in the 'net neutrality' arena.
| You have no right to expect anyone to receive traffic from
| your server if they choose not to. It's a major pitfall of
| running your own relay, but it's not unethical.
| istillwritecode wrote:
| Let's not classify all spam blacklists as the same. UCEPROTECT
| is in a special class of extortionist cowboy, because it's
| basically just an inaccurate protection racket throwing a wide
| net across cloud providers who won't play their game. Some
| other blacklists are updated regularly and only contain IP
| addresses that have actually sent spam. By contrast,
| UCEPROTECT3 just lumps ISPs into the list even though an
| address has never sent spam.
|
| I run a mail server on AWS, and we use some blacklists to drop
| mail. It's quite effective and that's why people keep using
| them. A properly curated blacklist is a powerful tool, and more
| accurate than the machine learning mush that people have come
| to rely upon.
| yosamino wrote:
| > CEPROTECT3 just lumps ISPs into the list even though an
| address has never sent spam.
|
| But this is by _design_ [0]
|
| > This blacklist has been created for HARDLINERS. It can, and
| probably will cause collateral damage to innocent users when
| used to block email.
|
| And it makes for a perfectly usable blocklist. If you use
| postfix, the postscreen_dnsbl_threshold and
| postscreen_dnsbl_sites parameters let you create a simple
| scoring system: postscreen_dnsbl_threshold
| = 10 postscreen_dnsbl_sites =
| zen.spamhaus.org*5, bl.spameatingmonkey.net*5,
| dnsbl.sorbs.net*4, bl.spamcop.net*4,
| dnsbl-3.uceprotect.net*3
|
| I made up the numbers, because you will need to monitor your
| system for a while to see if they make sense, but the
| principle holds. Also make sure that the dnsbl you are using
| are working for you.
|
| But it isn't really a problem with uceprotect, it's about how
| DNSBLs are used.
|
| [0] https://www.uceprotect.net/en/index.php?m=3&s=5 [1] http:
| //www.postfix.org/postconf.5.html#postscreen_dnsbl_site...
| garbagecoder wrote:
| Still better than the alternative
| convolvatron wrote:
| no. its because of spam. just because these people are doing a
| less than perfect job of keeping the screaming hordes out of my
| inbox doesn't remove any of the blame from the hordes.
| pixl97 wrote:
| It's been years since I last hosted my own mail server, and
| even then the HAM to SPAM ratio was well over 1:100. The
| torrent of absolute crap faced at port 25 is unbelievable.
| multjoy wrote:
| So what's the alternative? SBLs work, clearly, and almost every
| mail host, in the absence of distributed list, would work up
| their own lists in short order.
| jasonhansel wrote:
| > If my understanding of the law is correct, spamming is legal,
| albeit immoral.
|
| It's illegal in the US: https://www.ftc.gov/tips-advice/business-
| center/guidance/can...
| Wronnay wrote:
| https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
|
| That blacklist is listed as "Suspect RBL provider". That says
| enough about it...
| newbie789 wrote:
| jrochkind1 wrote:
| That you can pay them to get off the blacklist does sound rather
| like a protection racket. Am I missing anything?
| johnklos wrote:
| The author has some oversimplifications which would be worth
| addressing.
|
| First, there actually does exist a strata of spam which is
| plainly illegal. All the phishing spam and all the messages that
| claim to be from networks and/or addresses that they are not, for
| example, are illegal. The problem is that it's not enforceable.
|
| Second, sending unsolicited messages when you do not have the
| permission of the sender is unambiguously wrong. Large sources of
| spam get around this by mixing bad messages in with good ones.
| This is why we get tons and tons of spam from Gmail, from
| Outlook.com, from Sendgrid, and so on, even though they really
| should know better.
|
| The point is that your "bad neighborhood" doesn't just have
| regular spammers - it's almost certain there are illegal and
| egregious spammers that your ISP is doing nothing about. How do
| we know this to be the case? Because many of the blocklists also
| run honeypot email addresses. If email addresses get harvested
| and someone sends spam to these addresses, you can be 100%
| certain that no permission was ever given, so the behavior that
| leads to this is definitely wrong.
|
| ISPs make too much money to punish anyone but the worst of their
| clients, and that's definitely a factor that contributes to the
| affordability of the author's ISP.
|
| However, the author left out one big, simple, obvious option: pay
| significantly less money than the cost of the blocklist extortion
| to smarthost through an ISP that has good email reputation. You
| get what you pay for, so when you save on your ISP, don't be
| surprised if you have to pay a little more to make up for their
| shortcomings.
| rsync wrote:
| I'm dealing with this right now.
|
| Both my personal domain and rsync.net are on a distinct subnet,
| but that subnet is _smaller than a /24_ and someone on a
| different subnet has, apparently, behaved badly.
|
| Enter "abusix" ...
|
| One of my engineers had an enlightening webchat with one of their
| engineers where we were shown the "offending" IP and it was
| explained that they have no ability to distinguish subnets (and
| no interest in doing so). So if you're not wasting an entire /24
| (we only need ~10 IPs at this location) you're in danger of this
| misclassification.
|
| We were also informed that our normal, business communications
| with paying customers should have unsubscribe notices appended to
| them. Which is to say, you're a paying customer of a service and
| we send you some kind of alert or critical announcement ... and
| it should have an unsubscribe link.
|
| Unbelievable.
| thaumaturgy wrote:
| FWIW, Mailgun has worked pretty well for me in the past as an
| alternative to handling delivery myself.
|
| You might not be able to go this route if your customers have
| some expectations about how your email is handled, in which
| case this recommendation is here for anyone else that might
| read this and need another thing to try.
| zamadatix wrote:
| The inability to generate IP reputation smaller than a /24 is
| inherent to the way internet routing works. Nothing smaller
| than a /24 can be publicly assigned or advertised to prevent
| the route table from becoming too bloated. On IPv6 the smallest
| advertise able block is a /48 for the same reason. Privately
| managed assignments in shared or further split subnets aren't
| publicly visible, verifiable, or accountable to anything but
| the organization owning and advertising the /24 (or larger).
|
| As such the reputation score of a subnet is the reputation of
| the entity advertising itself as publicly controlling and
| maintaining that network, not the reputation of individual sub
| entities inside that subnet (which is known only to the
| controlling entity). If that entity is constantly allowing bad
| actors onto their block then that block is considered poor
| reputation.
| vorpalhex wrote:
| > We were also informed that our normal, business
| communications with paying customers should have unsubscribe
| notices appended to them.
|
| You should have an unsubscribe link. You should also have your
| business address and identify yourself.
|
| Even if it's not required by the letter of the law, you should
| add it.
|
| As an example: Amazon automatically opted me into an "alert"
| when a wishlist I viewed had a new viewer. Since it's an
| "alert" and a "business communication" it has no unsubscribe.
| This is spam - this is an ad hidden as a notification.
| rsync wrote:
| "You should have an unsubscribe link. You should also have
| your business address and identify yourself."
|
| What would that even look like ?
|
| You're a paying customer of a service - they charge you every
| month - and you use that service ~daily ... and then you
| unsubscribe to emails ...
|
| So then what ?
|
| We just keep taking your money and when the service fails or
| there is an outage or critical notification we ... just don't
| send it ?
| zamadatix wrote:
| Yes, just because I use your service doesn't mean I want to
| see every outage notification status update as an email.
| Preferably email subscription status would be granular so I
| can select what I want to get not what some idealized
| average user would want to get.
| cbm-vic-20 wrote:
| I've been a paying customer of rsync's service for more
| than a decade. The only mail I get is the monthly
| invoice, and roughly once-per-year notice of
| infrastructure changes that may temporarily affect
| availability.
| zamadatix wrote:
| Oh I have no doubts whatsoever the volume is low and the
| messages sent intended to be genuinely important to the
| vast majority of customers, rsync seems very reputable
| based on what I've heard over the years on HN.
|
| It's still nice to have granular subscription though even
| for rare things you think 95% of users may like to hear
| about e.g. I've been using a similar service since 2015
| and I have 0 interest in receiving their downtime or
| scheduled maintenance notifications as I don't care
| enough to take a special action for a failed sync or two
| in the first place so... I don't opt to receive them and
| I appreciate that option. I don't get the invoices
| emailed so I haven't had to think about it one way or the
| other there.
| scarface74 wrote:
| Yes. I explicitly told you I didn't want any emails from
| you.
| spookthesunset wrote:
| That is gonna lead to all kinds of misunderstandings and
| complaints.
| scarface74 wrote:
| If I unsubscribed that already told you I didn't want you
| sending me emails. Your attitude is the very reason I use
| "Hide My Email".
| kazinator wrote:
| Though that may be a nice opinion, your ISP has no business
| dictating that to you.
| Godel_unicode wrote:
| Abusix isn't their ISP, they're an email blocklist
| provider. Telling people what they need to do to not get
| blocked for being abusive is literally their job.
| thaumaturgy wrote:
| ~rsync runs a storage service for offsite backups. You think
| they should add a one-click "unsubscribe" link to service
| alerts?
| boopmaster wrote:
| if the service is managed: customers should be able to
| manage notification preferences tailored to the severity of
| the issue, methinks.
| thaumaturgy wrote:
| That's not how unsubscribe links are supposed to work.
|
| Once the unsubscribe is activated -- and it's supposed to
| be very easy to activate -- then it's permanent. There's
| no "un-unsubscribe", "oops I clicked it again", "some
| other service glitched and clicked it for me".
|
| Further, there's a distinction made between "commercial"
| and "transactional" messages in both law and etiquette.
| The unsubscribe link is expected in commercial messages,
| not transactional ones.
|
| Abusix didn't know what they were talking about.
| wl wrote:
| > Further, there's a distinction made between
| "commercial" and "transactional" messages in both law and
| etiquette. The unsubscribe link is expected in commercial
| messages, not transactional ones.
|
| Most of the junk that gets through my spam filter are
| transactional or other "mandatory" messages intended for
| someone who fat fingered their email address. If those
| senders don't want to be marked as spam, they need to
| provide a way for me to make the messages stop.
| thaumaturgy wrote:
| Email confirmations should be standard but that's not
| what we're talking about here (and I'd expect that ~rsync
| is handling that properly).
|
| Unsubscribing from transactional emails eventually causes
| the following support conversation: "Hi, uhh, rsync?
| Yeah, so, I'm having trouble logging in to my account and
| we really really need our backups, our intern just nuked
| a database. Yeah, it's uhh... cto@company.com. What do
| you mean my account's not active? ... ... Why didn't you
| just tell me my card expired? Well yeah, of course I
| unsubscribed, but I still wanted to know my account was
| being shut down!"
|
| There's a scale of headaches happening here. At one end
| of the scale we have "nuisance", as in, "I'm getting too
| much email, or I have a stupid email address, or I don't
| know how to filter messages from reputable senders", and
| at the other end we have "job-ending cockup", as in, "I'm
| just now finding out that a critical part of our disaster
| recovery plan hasn't been working for a long time because
| somebody somewhere was inconvenienced by a notification,
| and I'm finding this out now because today happens to be
| the day we really need that disaster recovery plan".
|
| Pushing the needle away from the nuisance end moves it
| closer to the disaster end.
| vorpalhex wrote:
| The service is not meant to cater to the lowest common
| denominator. If you unsubscribe from critical
| notifications and get screwed over.. that is on you.
|
| It is not fair to the rest of us to be inundated with
| endless spam just so some screwup can be kept from doing
| something stupid.
| girvo wrote:
| Transactional email from a backup service you
| deliberately signed up to isn't spam, so congratulations
| you've got what you're after.
|
| Now someone will likely reply shifting the definition of
| what "spam" is to include Rsync's critical service
| emails, and now the term spam is so wide as to be
| meaningless.
|
| At that point it's on you to manage your own spam filter
| if you truly feel "your critical backup service is down"
| is spam. I haven't been inundated with endless spam for
| about a decade.
|
| Abusix don't know what they are talking about, and
| basically all services that let you manage your email
| notifications still send through critical "your service
| is about to be turned off because your card details
| failed" emails regardless of how many checkboxes you
| disable -- and for good reason.
| wl wrote:
| > Transactional email from a backup service you
| deliberately signed up to isn't spam
|
| The example was transactional email from a service I
| specifically didn't sign up for. That's spam.
| vorpalhex wrote:
| You can always login and re-enable an email on the
| service. The service is allowed to request information
| needed to process the unsubscribe.
|
| I get emails for some dude's Chevy when it needs
| servicing. I can't unsubscribe. I am stuck getting emails
| about a car I have never owned from some dealer in
| Pittsburg. I need an opt out that lets me communocate
| "hey, some dumbass fatfingered his email, stop spamming
| me."
| thaumaturgy wrote:
| Genuine question: your comment and a bunch of others make
| me wonder why people seem unable to filter email by
| sender. That used to be a pretty standard part of having
| an inbox. Are you using a mail client or service that
| doesn't have filtering built in? Do you find it difficult
| to set up a filter rule? Are you unfamiliar with filter
| rules? Do you use filters but just ideologically object
| to any unwanted email?
|
| I'm honestly curious.
| ohyeshedid wrote:
| The conversations about spam are usually incredibly
| nebulous, as there's different perceptions and
| perspectives.
|
| I think what you're picking up on, is that some folks
| don't differentiate between commercial email filtering
| services, and personal spam filters.
|
| There's conflation of email 'I don't care about and don't
| want', bulk UCE, shifty list operators with shifty 40
| page terms, etc.
| Shared404 wrote:
| For rsync however, it seems more likely that it's instead
| things like disc quota or expiring service.
|
| At least based on my understanding of rsync-the-company and
| rsync-the-hn-commenter.
| dredmorbius wrote:
| Those unsubscribe links _should_ be there, for several reasons.
|
| - The service-based economy means that entities (individuals
| and businesses) have _numerous_ relationships. For the typical
| _individual_ the number of password-based accounts crossed the
| 100 threshold _years_ ago, at a doubling rate of every 2--3
| years.
|
| - Responsibilities can be transferred. The person who signed up
| for your service 5 years ago may no longer be at the company.
|
| - List purging is a Real Thing. A few years back I'd worked for
| an organisation that had ... numerous relationships ... with
| individuals and corporations. These received regular email
| messages. Nominally, requested. Included amongst these was a
| major Wall Street financial firm whose implosion years earlier
| hit lead news and headlines worldwide. Despite not existing for
| years, there remained hundreds if not thousands of addresses
| being sent email on a regular ongoing basis.
|
| - Mail can be forwarded. It's quite possible that you're
| sending mail to one address that is is being forwarded,
| manually or automatically, to others. This raises issues in
| unsubscribe requests, but might at the least be an opportunity
| to reach out to your customer to clarify the situation.
|
| - I don't know if revisiting email contact approval on a
| regular basis (say once every year or two) is yet a recommended
| practice, but I'd strongly suggest that it be so.
|
| Your hat may be less blisteringly white than you presume.
| rsync wrote:
| Everything you've said makes perfect sense - for a contact
| management function.
|
| We have that. You can change contact info, set
| owner/technical/emergency contacts, alert thresholds, etc.
|
| But unsubscribe means something totally different:
|
| When _I_ click on unsubscribe I want it to be the end of all
| communications. Period.
|
| In this case, that makes no sense. Ceasing communications for
| all purposes implies service cancellation and, in our case,
| service cancellation implies a human interaction confirming
| data destruction.
|
| How would we confirm data destruction for your implied
| cancellation if no further contact is permitted ?
|
| You, and the blacklist operators, have become so jaded by the
| abuse you've suffered that you've forgotten that legitimate,
| paid services exist. I'm sorry.
| dredmorbius wrote:
| You may have missed that bit in my earlier comment about
| working for a paid service provider.
| seszett wrote:
| An unsubscribe link doesn't have to immediately cancel all
| service and communication. It can simply lead to account
| settings or even to a page explaining how to cancel the
| account.
| newaccount74 wrote:
| I strongly disagree. There is absolutely no need to put an
| unsubscribe link into a transactional email.
|
| All emails should of course contain enough information to
| make it clear who the message is from, why the message is
| being sent, and who it was sent to.
|
| But there is no point in adding unsubscribe links to messages
| and notifications that are essential to the service.
|
| I mean, what are you going to do if the user accidentally
| clicks "unsubscribe", and then a payment doesn't go through?
| Should you just cancel their account without informing them?
| That's absurd.
|
| I'd be really pissed if eg. my backups were deleted because I
| accidentally unsubscribed from emails from a cloud service
| provider.
| berdon wrote:
| What about situations where your email somehow (mistype)
| gets set up for someone else's account? I have 2-3 people
| with similar emails to my previous email address that would
| mistype and I'd receive their emails. These weren't spam
| but the companies wouldn't offer _any_ way to fix this.
|
| My recourse is to just flag them as spam in gmail.
| newaccount74 wrote:
| That's why I said the email should contain info about the
| sender -- there should of course be a way to contact
| them. Ideally you should just be able to reply to the
| message and tell them about the error. If there's no way
| to contact a company, that's a whole different problem,
| and not really one that would be fixed with unsubscribe
| links in important email messages.
| jsnell wrote:
| > That's why I said the email should contain info about
| the sender -- there should of course be a way to contact
| them.
|
| That implies a level of manual effort on the part of the
| recipient that's unreasonable. I have no relationship
| with these companies. They did not verify the email
| address before starting to send a stream of supposedly
| transactional messages to it. They should be happy that
| I'm willing to click unsubscribe when available, because
| the alternative is to set up a mark-as-spam filtering
| rule that'll hopefully tank their sender reputation.
|
| Writing them via a contact form begging to be removed is
| not an option.
| berdon wrote:
| In 99% of the cases - there is no recourse. In one
| instance, I tried replying and they asked me to prove my
| identity as the customer to cancel the emails.
| Spooky23 wrote:
| I have a few hundred dollars worth of gift cards for an
| Australian store received as gifts over several years.
|
| The company won't talk to me, and the sender sends a
| lovely message, but no contact information.
| pishpash wrote:
| This, I've had people receiving _bank_ alerts for an
| account they don 't own and they can't be stopped. What
| these companies lack are customer-centric processes that
| they've thought through.
|
| Wtf is wrong with putting contact information in the
| unsubscribe link, or reach out productively on request?
| Why would you presume somebody clicks it by accident vs.
| the much more likely case of it being a legitimate
| request? Are you afraid they really want to cancel your
| service? Or are you afraid you can't send spam under the
| guise of transactional messages? Or worse, listen to
| customers about how best to alert them? Truly ridiculous!
| elondaits wrote:
| You can create a Gmail filter to delete or archive them
| automatically and avoid poisoning the spam filter.
| berdon wrote:
| But...it is spam? If they don't give the tools necessary
| to stop the spam (unsubscribe or a link to "received this
| by mistake") then it's spam - intentional or not.
| pishpash wrote:
| It's not on me to do their job for them. It costs time
| and hence money.
| nkrisc wrote:
| If I get continuously get emails sent to me that I did
| not request and I can't unsubscribe to, then it's spam.
| Maybe companies should make sure they're not sending
| emails to the wrong person, because I'm just going to
| keep marking it as spam when it comes my way.
| incongruity wrote:
| Emails should be confirmed before being used for ongoing
| communication. Simple as that. It's easier to get right
| up front than it is to clutter and confuse in the cases
| already illustrated.
| berdon wrote:
| Sure - but these companies aren't doing that. They're
| sending emails without any means of preventing it, e.g.
| spam.
| zargon wrote:
| You're expecting that a company incompetent enough to
| attach unverified email addresses to an account to
| "correctly" deal with unsubscribing from transactional
| email? This seems entirely futile to me. (Correctly in
| scare quotes because I can't fathom what a correct
| automated unsubscribe would look like in this situation.)
| oblib wrote:
| Yeah, I run my own email server and have the same issues
| with the same services as the person who wrote the piece
| this links to.
|
| In my case users are sending estimates and invoices and
| monthly statements to their clients and while fake invoices
| may be a spammer thing those clients know who's sending
| them an invoice, and why and what for, so an 'Unsubscribe"
| link would be completely out of context because they are
| not subscribed to any email list.
|
| I've had the same domain name for over 20 years now and
| none of my users have ever used my apps to send spam. And
| as spam and email volume go my server isn't even close to
| sending out a lot of email.
|
| When I set up a new email server last year, with a new IP
| address, I had to go through the process of getting white
| listed. All the big email service providers have ways to do
| that. Google made it very easy. They gave you a unique
| string to add it to your DNS records and that's it.
| Microsoft is so convoluted I've still not gotten anywhere
| with them. Comcast and others had a few hoops and ladders
| but nothing that got me stuck.
|
| Personally, while it's a bit of a PITA to setup and manage
| an email server, it's been worth it.
|
| I used "Mail-in-a-Box". It's pretty easy to set one up with
| that. It has a built-in DNS server and that's a really
| great thing to have for managing several domain names and
| as many email addresses as you want. I've setup email
| accounts for family and friends as well as throwaways for
| my wife, who signs up for everything she sees on the
| internet.
|
| I can move the IP address of my email server to the top of
| the list in my Mac's System Preferences for DNS and start
| testing new domain names and changes to the DNS
| immediately. I don't have to wait for those to propagate to
| whatever my access provider is using.
|
| So I have 3 servers. An Email/DNS server, a database
| server, and a website/webapp server running on
| DigitalOcean's "Droplets". It's a bit of work for a small
| shop but it's much easier to manage once it's setup and I
| don't have to worry about any 3rd party service selling out
| or going under or changing their API to something entirely
| different. All of which has happened to me in the past.
| mgkimsal wrote:
| > There is absolutely no need to put an unsubscribe link
| into a transactional email.
|
| Agreed. rsync alluded to it below as well.
|
| 'unsubscribe'... from what? If I just bought something from
| service ABC, and I get an email from ABC saying "you just
| bought foo from us"... what would an 'unsubscribe' even
| mean? "Do not ever email me about this purchase again?" "Do
| not ever email me about future purchases?"
| thesimon wrote:
| > Do not ever email me about this purchase again
|
| Please send me the order, just don't send me the PDF
| invoice :)
| Silhouette wrote:
| _Those unsubscribe links should be there, for several
| reasons._
|
| In some jurisdictions there is information that businesses
| are _legally required_ to provide to their customers in a
| permanent form and email is the conventional (and potentially
| the only) way of satisfying that requirement.
|
| IMHO, it is not helpful for anyone to have a system where
| recipients may not understand this and may treat that mail as
| spam, yet businesses are compelled to send it anyway.
| contravariant wrote:
| I've also had email from the wrong person delivered to me
| some times. One company in particular kept sending updates
| for a service I had no way of using. An unsubscribe link
| would have been handy, though confirming email addresses
| before linking them to an account would also be a good idea,
| probably.
| wl wrote:
| > We were also informed that our normal, business
| communications with paying customers should have unsubscribe
| notices appended to them. Which is to say, you're a paying
| customer of a service and we send you some kind of alert or
| critical announcement ... and it should have an unsubscribe
| link.
|
| You absolutely should. The amount of junk I get because someone
| else signed up for something and fat fingered their email
| address is ridiculous. "Mandatory communication" with a company
| I've never dealt with gets flagged as spam.
| ratww wrote:
| Yep. I had to file a GDPR complaint to get an airline to stop
| sending me "letters from the CEO" and other COVID-related
| reports that never mattered to me.
|
| I never flew with them but somehow they still sent ads
| disguised as reassuring messages every other week.
|
| Support constantly denied help, since I was never a customer.
| Only a GDPR complaint solved it.
| derefr wrote:
| That's a (very legitimate and important) reason to do _double
| opt-in_ unilaterally for all email communications. Companies
| should make 100% sure that the person who signed up, and the
| person receiving the email, are the same person, before they
| associate the email with the account. Otherwise, malicious
| people can sign up arbitrary third parties for tons of random
| crap.
|
| But it's not a good reason for adding unsubscribe links
| unilaterally to all email communications.
|
| Remember, unsub links are machine-automatable; Gmail at least
| offers to follow any embedded unsubscribe links for you if
| you mark a message as spam. (Which, with hotkeys enabled, is
| one accidental keypress away.)
|
| So consider the extreme case: what if the user _fat-fingers
| an unsubscribe_ (without realizing) to their local electric
| company 's e-invoices, which is what they've been relying on
| to prod them to log onto the site and pay the bill?
|
| If it's clear that "bills you need to react to or your power
| will be shut off" shouldn't have an unsubscribe link, then
| clearly there's some sort of line that must be drawn
| _somewhere_.
|
| (Note, I'm not arguing against the use of "Manage your Mail
| Preferences" links in these cases -- the kind that act as
| magic sign-in links and take you directly to a page on which
| you can un-check a "mail me about X" checkbox. It makes sense
| to include _those_. I 'm just arguing specifically against
| unilaterally including "Unsubscribe" links -- the kind where
| following the link unsubscribes you with no further
| confirmation needed.)
| scarface74 wrote:
| For my power to be cut off, I would have to...
|
| 1. Forget I had a monthly power bill for a couple of
| months.
|
| 2. Ignore the e-bill that gets sent to my bank bill payment
| service - ebills have been a thing for almost two decades.
| I worked on some of the early implementations.
|
| 3. Ignore the physical snail mail warnings for a couple of
| months.
| [deleted]
| gfody wrote:
| the email w/unsub link could be forwarded also, it's often
| a portal to change notification settings w/o auth and leaks
| personal preference info - and when there is auth it's
| impossible to unsub when if were signed up maliciously.
|
| it happened to me - someone charged a bunch of stuff to my
| cc and then registered my email at thousands of sites to
| bury the email receipts (it didn't work since I have simple
| filters for that sort of thing) but it has been impossible
| to unsubscribe from all the junk. livemail's bulk optout
| was roughly 50% effective. the dark patterns around optout
| are outrageous and it's worse when you have to use google
| translate just to find it.
| ratww wrote:
| Ugh that sucks.
|
| But in the cases where there is authentication, isn't it
| enough (in most cases) to reset the password and change
| the email to something disposable?
|
| Of course that's not really practical for the case where
| you get subscribe-bombed, but maybe for the general case
| it is, no?
| ratww wrote:
| _> So consider the extreme case: what if the user fat-
| fingers an unsubscribe (without realizing) to their local
| electric company 's e-invoices, which is what they've been
| relying on to prod them to log onto the site and pay the
| bill?_
|
| I actually unsubscribed from my provider's invoices. That's
| because I have activated direct debit from my bank account
| so they're always paid, and I can view my past invoices on
| the website.
|
| However you make a good point. I'd say the one thing where
| it doesn't make sense to have an "unsubscribe" at all is on
| "bill unpaid" emails.
| wl wrote:
| > So consider the extreme case: what if the user fat-
| fingers an unsubscribe (without realizing) to their local
| electric company's e-invoices, which is what been relying
| on to prod them to log onto the site and pay the bill?
|
| To name a specific example of this problem, I want Gulf
| Power of Florida to stop sending exactly the kind of email
| you speak of. Bills. Nastygrams when the person falls
| behind on the bills. Unwanted power saving tips. Calling
| the company and sending them postal mail has not helped. It
| all gets marked as spam these days. If they had an
| unsubscribe button, it wouldn't.
|
| If the email is so damn important, they can go back to
| sending postal mail to the service address when someone
| unsubscribes.
| bo1024 wrote:
| I think you're trying to use two wrongs to make a right.
| If we're talking about things Gulf Power of Florida
| should do differently, then rather than add unsubscribe
| buttons to bills which is a bad idea, they should confirm
| people's email addresses before sending them email.
| wl wrote:
| What's wrong with giving the user the ability to remove
| themselves from any automated emails? The alternative is
| being hit with the spam button.
|
| They should have confirmed their user controlled the
| email address, too, but why not go with both?
|
| And this is hardly confined to Gulf Power. Verizon,
| Spectrum, countless banks...
| bo1024 wrote:
| That's a different problem. They should have first sent a
| confirmation email, then paused all communications until it
| was confirmed.
|
| But once the email is confirmed, I think it's totally fair
| for a company like rsync to say 'if you're a paying customer
| of this service, then we need to send you certain information
| to fulfill our obligations in the contract, if you truly
| don't like it cancel your account and take your business
| elsewhere.'
| girvo wrote:
| That UCEPROTECT racket is extortion, frankly. What a mess.
| LinuxBender wrote:
| There is a typo in their title. If intentional please instead
| consider words like _block reject and deny_ for the people that
| do not speak English as a first language.
|
| I've dealt with real time blocklists as long as they have
| existed. They are not going away any time soon. I agree that the
| paid exception lists are a bit shady but I also see the validity
| of their methods of temporarily punishing everyone on a hosts
| network to put pressure on the ISP/platform provider to police
| it's own network and remove spammers. The best one can do today
| aside from securing ones own server is to research an ISP's IP
| space ahead of time to see how dirty they are. There are plenty
| of providers that cleaned up their act some time ago. Linode is a
| great example of change. New accounts can't even send email
| unless they open a ticket and prove they made some effort to
| comply with can-spam. More providers need to follow that example
| so that we don't run into this problem of dirty networks that
| real time block-lists like UceProtect have listed. It's an
| imperfect solution to an old ugly problem.
| IshKebab wrote:
| It's "blacklist" in most languages though so the non-standard
| "block list" would be probably more confusing to non-native
| speakers. Anyway they clearly meant blacklist.
| r_hoods_ghost wrote:
| Yeah except we've had this recently with Linode's IP range
| landing on that exact blacklist and being blocked by Microsoft
| and other major mail providers, knocking out our ability to
| send to huge chunks of our customers. I've had to get the mail
| server moved off Linode to another hosting company as paying
| the ransom fee did nothing. UceProtect does seem at least as
| morally dubious if not more so that the spammers it alleges to
| protect against.
| boudin wrote:
| Which other major provider uses this list? Uceprotect is
| attempting to racket me from time to time. While I'm blocked
| i try different providers to guess the ones using this, I
| only found Hotmail blocking me.
| r_hoods_ghost wrote:
| Unfortunately we were being blocked by all Microsoft mail
| services so outlook.com but also anyone using hosted 365,
| exchange etc. which in our case meant a lot of our
| enterprise and public sector customers. Also NHS.net mail
| and a lot of large hospital groups in Europe (APHP etc.)
| derekzhouzhen wrote:
| Ditto here. It is ironic because I actually recommended
| outlook.com over gmail.com for my non-techie friends,
| because outlook.com was more lenient, at least 2 years
| ago. Gmail is using some invisible reputation crap that
| shovel my emails to the jink folder from time to time.
| Now outlook.com just did the one-up and start using
| UCEPROTECTL2/3.
| boudin wrote:
| That's good to know. I never thought about exchange/365,
| that's a really good point.
| collegeburner wrote:
| What hosts are best for running a mail server? I have the
| same issue.
| LinuxBender wrote:
| That's a tough question to answer. This is very much a
| moving target. I suppose if I were to generalize an answer
| it would be something to the effect of
|
| - A dedicated server provider that has been around for a
| while and has a strict AUP and is known to enforce it.
|
| - A hosting provider that is not entry-level in cost.
| Spammers gravitate towards cheap throw-away ephemeral
| solutions.
|
| - A hosting provider that verifies identity of its
| customers. e.g. Dunn and Bradstreet lookup for commercial
| customers. Video conference meeting for individual
| customers and commercial customers and that have mutually
| signed contracts.
|
| Short of that if you just want to use a VPS provider then I
| would look up their AS number of a prospective provider,
| get all their CIDR blocks and start validating their IP
| addresses against the numerous RBL/RSL sites. AFAIK there
| is not a good database of this. Good RBL/RSL sites will
| remove listings after a week or two. One could even open a
| ticket with a VPS provider and state your intentions to run
| a mail server, explain your process to deal with spam and
| ask for an IP from a clean subnet.
| derekzhouzhen wrote:
| Thanks, I fixed the typo.
|
| Blocking outgoing port 25 unless going through an extra step is
| IMHO against the spirit of the internet, and would make
| operating a personal email server harder than necessary. The
| world of email is already too centralized as it is.
| LinuxBender wrote:
| _against the spirit of the internet_
|
| I completely agree. I believe the commonly used phrase is
| _and this is why we can 't have nice things_. The open and
| decentralized internet is also open to people with ill
| intent. We can solve things with technical solutions,
| monetary solutions and/or legislative solutions. All of these
| are double edged swords and have varying degrees of
| effectiveness and unintended side effects in my opinion.
|
| I don't really know what the right solution should have been
| that would have made everyone happy minus the people with ill
| intent.
| basilgohar wrote:
| This has literally just recently (re-)become an issue for me
| because after a good year or so of not being blocked, several
| emails from my server started getting filtered as spam by both
| Google and then just being outright blocked by both Google and
| Microsoft. When I got through Microsoft's steps to unblock, after
| several days and steps, they send me the message that actually my
| IP is not blocked.
|
| Google's recent message was more helpful - apparently forwarding
| emails from the accounts I setup for my kids to my wife's Gmail
| account triggered some obscure rule that ruined my server's
| reputation with Google, and I think Google & Microsoft
| collaborate because the issues cropped up within a week of each
| other.
|
| The interesting thing was I discovered the Outlook issue by
| trying to reply to an email sent from an Outlook customer. Yes,
| my reply to an Outlook customer's email to me was blocked because
| of my server's reputation.
|
| To be clear, I run no mailing lists nor solicit any business with
| my email server. I use it for personal use only and my consulting
| work which involves know contacts. The forwarding I spoke of
| before is solely to our own personal accounts.
|
| I use Mail-In-A-Box, for what it's worth, on a Linode VPS.
| gog wrote:
| How did you contact Google and Microsoft regarding
| deliverability issues?
| pteraspidomorph wrote:
| Microsoft:
|
| 1. Set up on
| https://sendersupport.olc.protection.outlook.com/snds/
|
| 2. Read everything at
| https://sendersupport.olc.protection.outlook.com/pm/
|
| 3. Make sure everything is fixed, then use the link to the
| form hidden under Troubleshooting > "Sender services, tools,
| and issue submission" (the link's label is "here") to contact
| support. Make sure all fields are provided, including a
| website. It may take a few days to get a response. You may
| have to try multiple times until someone actually helps you.
|
| Google:
|
| Pray
| robomartin wrote:
| We recently ran into this issue and were forced to change email
| providers. It isn't that our host didn't care, it's that it is
| almost impossible to play whack-a-mole with dozens of blacklists.
|
| We have been with the same provider for 15 years, no problems,
| ever. It seems that email delivery started to become unreliable
| about six months ago. After repeated attempts to fix it we had no
| choice but to move elsewhere.
| TillE wrote:
| Email is a fundamentally broken protocol which has become less
| and less important, I don't really get the point of running your
| own server except as a technical exercise.
|
| Set up your email wherever is convenient, encrypt stuff that
| matters, and move as much communication as possible elsewhere.
| 1over137 wrote:
| All the 'elsewheres' are non-federated, centrally controlled,
| and/or corporate. No thanks.
| DrBoring wrote:
| But where is elsewhere?
| dredmorbius wrote:
| Postal, as a backstop. The cost is a feature.
|
| Network-specific messaging tools are another option. I
| strongly prefer open protocols.
|
| The concept that anyone anywhere can intrude on anyone
| anywhere else at no financial or reputational cost is
| ultimately flawed. It works only so long as those with that
| access are few in number, generally of mutual interest, and
| act in a largely principled manner.
|
| As numbers increase, and levels of interest and level of
| principles fall, the system will collapse.
|
| Usenet was the first such network to fall to this dynamic.
| Email is well on its way. Telephony is into its first years
| of general intolerability (any direct-dialed universal
| access, wired or otherwise). Facebook faces this threat less
| through its lack of filters than the defection of high-
| affinity users.
|
| Postal mail has its own issues with quality, but the
| associated costs do in fact impose a minimum bar to malicious
| content.
___________________________________________________________________
(page generated 2022-02-05 23:00 UTC)