Reminder: Valid User Table Policy (old)

Need help? Ask here.

Moderator: Moderators

RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada
Contact:

Reminder: Valid User Table Policy (old)

Post by RollerNetSupport »

By the end of this month, our mail servers will begin checking and reporting the delivery status of all messages that pass through our mail services. Any message that is accepted by our system as valid, but is rejected by the final destination as invalid, will be subject to one of the following actions:

1) If the domain is in "Default Deny" mode, the corresponding table entry in the valid user table that permitted the message will be automatically disabled.

2) If the domain is in "Default Allow" mode, it will be automatically changed to "Defer All" and our servers will stop accepting mail for the domain.

For domains using a global table:

1) A global mode "Deny" table will have the corresponding table entry disabled.

2) A global mode "Allow" table will be changed to "Defer" and our servers will stop accepting mail for any domain using the global table.

Domains in automatic learning mode will be ignored.

If any automated action is taken on a domain by the system, you will be notified at the Alert Email Address configured for your account (or primary address if no alert address is configured). If a domain is automatically placed into defer mode, you may correct the problem and changing it back to the appropriate mode.

This policy change to require a valid user table for mail domains was first announced in September 2005 and became effective in November 2005. In May of 2006, we added an inline recipient verification feature, however, this proved ineffective since many users are simply changing the valid user table settings to bypass the checks. Therefore, we are going to start actively checking and disabling domains that violate this policy.

If you have not correctly configured a valid user table for your domain, do so now. All account levels are subject to this policy. If you have any questions, please contact us, or comment in this thread.


Mail Handling Options:
http://acc.rollernet.us/mail/handling.php

Account Preferences:
http://acc.rollernet.us/prefs.php

September 2005 announcement:
http://forums.rollernet.us/viewtopic.php?t=126

May 2006 announcement:
http://forums.rollernet.us/viewtopic.php?t=212
Last edited by RollerNetSupport on Fri Apr 24, 2009 1:54 am, edited 2 times in total.
Technical Support support@rollernet.us
Roller Network LLC
modest
Posts: 2
Joined: Mon Jul 10, 2006 7:28 pm
Contact:

Post by modest »

but is rejected by the final destination as invalid
What error codes are you looking for in regards to this rejection. I assume you are not going to use temporary errors?
tvierling
Posts: 14
Joined: Fri May 05, 2006 10:50 am
Contact:

Catchall domains

Post by tvierling »

Just to verify, domains that do indeed have a "catchall" account on the receiving end, and thus which should not (in normal circumstances) reject Roller Network mail to such a domain at all -- not counting explicit deny rules -- can still be in Default Allow mode without problems?

(I've personally left recipient verification turned on anyway, as I loathe backscatter. That said, I do understand the burden you're facing, and I appreciate the evolution of service that has come of it ... few mail providers have this degree of transparency to operations.)
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada
Contact:

Post by RollerNetSupport »

What error codes are you looking for in regards to this rejection. I assume you are not going to use temporary errors?
5xx errors only.
Technical Support support@rollernet.us
Roller Network LLC
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada
Contact:

Post by RollerNetSupport »

Just to verify, domains that do indeed have a "catchall" account on the receiving end, and thus which should not (in normal circumstances) reject Roller Network mail to such a domain at all -- not counting explicit deny rules -- can still be in Default Allow mode without problems?
That's correct. The problem we're having is Default Allow being used without catchall accounts.
Technical Support support@rollernet.us
Roller Network LLC
SAK917
Posts: 5
Joined: Sun Aug 28, 2005 8:03 pm

How to deal with spam?

Post by SAK917 »

Just received your notice that if the domain is in "default deny" mode and the recipient is rejected by our server with a 5XX error code, the recipient will be removed from the valid user table.

We are running anti-spam software on our server and it is rejecting a fair amount of the mail coming through Rollernet's servers with a 5XX error code because it is spam. The user accounts being sent to, however, are valid. In this situation, in order to prevent the valid accounts from being disabled on the Rollernet end what do you recommend?
dstutz
Posts: 20
Joined: Mon May 08, 2006 4:30 pm

Post by dstutz »

Basically you have to move all your anti-spam to the rollernet servers. I had this same problem when I started using this service (Thanks for blocking 25 Cablevision). I had a fairly large set of blocklists and reject rules on my postfix installation at home and I added all the custom RBLs that I was using and enabled a bunch of the client validity checks here on Rollernet and I haven't seen any more spam than when I was hosting everything at home. I didn't have greylisting on my server so in some ways this service is actually better than my own configuration at home. One last thing I did at home was to add the rollernet mail servers to my postfix's "mynetworks" field to further limit any chance of rejecting a mail. I haven't had any problems whatsoever in the past 2.5 months. I've noticed a couple problems and brought them to Glen's attention and everything has been fixed in less than 24 hours. He's doing a great job and I'm glad I went with this service instead of "cheaper" redirection alternatives. I originally came here because it was free but when I saw how powerful a solution was available I had to sign up for the full service.

Here is the RBL list I use (hint, use the bulk add feature):
argentina.blackholes.us [remove]
bl.spamcop.net [remove]
blackholes.easynet.nl [remove]
brazil.blackholes.us [remove]
cbl.abuseat.org [remove]
china.blackholes.us [remove]
cn-kr.blackholes.us [remove]
dnsbl.ahbl.org [remove]
dnsbl.njabl.org [remove]
hongkong.blackholes.us [remove]
japan.blackholes.us [remove]
korea.blackholes.us [remove]
list.dsbl.org [remove]
malaysia.blackholes.us [remove]
multihop.dsbl.org [remove]
nigeria.blackholes.us [remove]
opm.blitzed.org [remove]
proxies.blackholes.wirehub.net [remove]
relays.ordb.org [remove]
russia.blackholes.us [remove]
sbl-xbl.spamhaus.org [remove]
sbl.spamhaus.org [remove]
spews.blackholes.us [remove]
taiwan.blackholes.us [remove]
thailand.blackholes.us [remove]
turkey.blackholes.us [remove]
whois.rfc-ignorant.org [remove]

Dave
tvierling
Posts: 14
Joined: Fri May 05, 2006 10:50 am
Contact:

Re: How to deal with spam?

Post by tvierling »

SAK917 wrote:We are running anti-spam software on our server and it is rejecting a fair amount of the mail coming through Rollernet's servers with a 5XX error code because it is spam. The user accounts being sent to, however, are valid. In this situation, in order to prevent the valid accounts from being disabled on the Rollernet end what do you recommend?
Set your anti-spam configuration to discard rather than reject mail coming in from the Roller Network servers. Think of it this way: It's not really feasible for rollernet -- which effectively works as a secondary MX -- to validate to your local anti-spam rules within the SMTP session, so a 5xx from you means that rollernet would have to send a bounce. Instant source of backscatter, and that's the major problem here.

(I use custom milter-based filtering, so I was able to change my code to tell the MTA to discard if the anti-spam rule matched, and it came from rollernet. Your software may not be so flexible; if not, I'm not sure how to fix your situation.)
tvierling
Posts: 14
Joined: Fri May 05, 2006 10:50 am
Contact:

Post by tvierling »

dstutz wrote:Here is the RBL list I use (hint, use the bulk add feature):
bl.spamcop.net [remove]
You should not be using bl.spamcop.net as a blacklist unless you feel like rejecting 10% or more of legitimate mail. Spamcop itself states that the list should be used for scoring, not outright blocking, because its automated nature makes it (demonstrably) highly susceptible to accidental listings.
dstutz wrote:sbl-xbl.spamhaus.org [remove]
sbl.spamhaus.org [remove]
If you're using sbl-xbl, then remove plain sbl, because that's a subset of sbl-xbl. You're just doing a redundant lookup here.
SAK917
Posts: 5
Joined: Sun Aug 28, 2005 8:03 pm

Re: How to deal with spam?

Post by SAK917 »

tvierling wrote:Set your anti-spam configuration to discard rather than reject mail coming in from the Roller Network servers.
Thanks for the suggestion tvierling, I appreciate the input. I will configure our server to accept and delete the spam or park it in a spam-trap account as opposed to rejecting it. Don't know why I didn't think of that before... I guess it is easy to go with default settings (reject in this case) if it seems to be working smoothly.

Thanks again!
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada
Contact:

Post by RollerNetSupport »

Just received your notice that if the domain is in "default deny" mode and the recipient is rejected by our server with a 5XX error code, the recipient will be removed from the valid user table.
Just to clarify; we won't ever remove any existing data from the tables. It will just be switched to "Disabled" and a notification will be sent. If this happens, there won't be any restrictions about reactivating the entry.

As others have mentioned, the preferred solution is to quietly discard or file things that fail your anti-spam filter when it's sourced from one of our mail servers. I'm also working on having a content filter (spamassassin) option in our filters as well, hopefully be the end of the month. Adding Spamassassin should present a complete filtering solution. The hard part is allowing the full set of Spamassassin rules to be modified dynamically through the account manager.
Technical Support support@rollernet.us
Roller Network LLC
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada
Contact:

Post by RollerNetSupport »

A new logging type has been added to the mail logs; "SMTP Bounce Logs". Anything logged under this type are errors that cause backscatter and will be subject to our backscatter prevention policy.

Please check these logs and make sure your valid user table is properly configured. If you have any questions, contact us.
Technical Support support@rollernet.us
Roller Network LLC
maxfloden
Posts: 37
Joined: Sun Dec 19, 2004 3:04 pm
Location: Stockholm, Sweden

Ok to allow all for secondary mx

Post by maxfloden »

Is it ok to use allow all for domains where I only use rollernet for secondary mx ?

Thanks/Max
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada
Contact:

Post by RollerNetSupport »

Yes, but it will still check for rejects from invalid users.
Technical Support support@rollernet.us
Roller Network LLC
maxfloden
Posts: 37
Joined: Sun Dec 19, 2004 3:04 pm
Location: Stockholm, Sweden

Post by maxfloden »

Just to clarify - what I mean is: is it ok that the few times a primary mx goes down the secondary will accept and send to non valid users without risking any penalties such domain disabled etc?
Post Reply