Solved

"Client host rejected: cannot find your hostname" stops a lot of spam but also some "good guys"

Posted on 2011-02-24
Last Modified: 2012-05-11
How do you handle all of these email servers for real companies which do not have a reverse lookup for their IP?
We check all incoming email to our server and too many "wanted" emails are bounced due to this ("Client host rejected: cannot find your hostname").

More info:
Email server with Ubuntu Linux and Postfix.
According to official RFCs, all email servers sending mail should have a reverse lookup and preferably also the same forward lookup for that IP.

I know we can make a list of the IP numbers we want to let through, and we do whenever we find any rejected email that we would have wanted, but with many customers this is too manual to be good.

How do you handle this delicate problem?
Question by:Martin_Radbo
14 Comments
 
LVL 14

Expert Comment

by:DonConsolio
ID: 34972293
- use whitelists (whitelist sender IPs and sender mail addresses) to unblock your "good guys"
- use the missing RDNS to greylist the offending server
0
 

Author Comment

by:Martin_Radbo
ID: 34972331
* Whitelists are OK but a lot of manual work with checking log files and it will never end...

* "use the missing RDNS to greylist the offending server". Do you mean that a missing reverse lookup would always result in a greylisting and at the second attempt we should accept it?
0
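The log review that makes whitelisting tedious can be scripted. The following is an added example, not part of the original thread: it groups Postfix "cannot find your hostname" rejects by client IP and lists the clients that retried with a consistent sender domain and HELO name, which is the same signal greylisting relies on. The sample lines are constructed, the log layout assumes Postfix's default smtpd logging, and the `review_candidates` rule is an assumed heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix smtpd log format (documentation IPs, .example domains).
SAMPLE_LOG = """\
Feb 24 10:15:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<orders@supplier.example> to=<info@company-a.example> proto=ESMTP helo=<mail.supplier.example>
Feb 24 10:16:40 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.23]; from=<win@promo-one.example> to=<info@company-a.example> proto=SMTP helo=<localhost>
Feb 24 10:17:05 mx postfix/smtpd[2107]: connect from mail.partner.example[192.0.2.10]
Feb 24 10:31:12 mx postfix/smtpd[2140]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.23]; from=<deal@promo-two.example> to=<sales@company-a.example> proto=SMTP helo=<localhost>
Feb 24 10:45:09 mx postfix/smtpd[2188]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<orders@supplier.example> to=<info@company-a.example> proto=ESMTP helo=<mail.supplier.example>
"""

REJECT_RE = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[0-9A-Fa-f.:]+)\]: (?P<code>[45]\d\d) \S+ "
    r"Client host rejected: cannot find your hostname.*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>.*?helo=<(?P<helo>[^>]*)>"
)

def summarize(log_text):
    """Group 'cannot find your hostname' rejects by client IP."""
    clients = defaultdict(lambda: {"attempts": 0, "codes": set(),
                                   "sender_domains": set(), "helos": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m is None:
            continue  # not a reverse-lookup reject
        entry = clients[m["ip"]]
        entry["attempts"] += 1
        entry["codes"].add(int(m["code"]))
        # A null sender (bounce) has no domain; record it as "<>".
        entry["sender_domains"].add(m["sender"].rpartition("@")[2].lower() or "<>")
        entry["helos"].add(m["helo"].lower())
    return dict(clients)

def review_candidates(summary, min_attempts=2):
    """Assumed heuristic: a client that retried and kept one sender domain and
    one HELO name looks like a real mail server and deserves a manual look."""
    return sorted(ip for ip, e in summary.items()
                  if e["attempts"] >= min_attempts
                  and len(e["sender_domains"]) == 1 and len(e["helos"]) == 1)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in review_candidates(report):
        print(ip, report[ip])
```

The output is a short list for a human to review, not an automatic whitelist: a client that changes sender domain between attempts or announces itself as `localhost` stays off it.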
 
LVL 10

Expert Comment

by:doninja
ID: 34972693
Depending upon the anti-spam system in use, reduce the penalty/score for having no reverse lookup, so that the system has to have this plus another DNS query, URI or domain hit to really classify them as spam.

There are a number of good public whitelist servers that hold known good IPs that may not have a reverse lookup and are checked regularly.

0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34974137
>> How do you handle all of these email servers for real companies which does not have a reverse lookup for their IP <<

The way I handle them is to reject them.  If they are not RFC compliant, then they get rejected pure and simple.

The vast majority of servers are configured properly, but there are a handful that aren't.  Those that aren't, don't get to deliver their emails to my servers until they are RFC compliant.  It's not that complicated to get RFC compliant and I am more than happy to advise companies that they are not and need to be.

Alan
0
 

Author Comment

by:Martin_Radbo
ID: 34974562
I would like to reject them as I do now, but then our customer tells me that "when we used another ISP for our email traffic it used to work" and that is quite annoying. Losing an important customer just because we follow the RFC...
0
 
LVL 76

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 34974644
When your customer tells you that they used to use another ISP and it worked, that suggests that they have not configured Reverse DNS on their new fixed IP Address, which is their problem - not yours and they only need to call their ISP to get it configured.

I have little tolerance for poorly configured mail servers and as a result, we get little to no spam at all.  This keeps our customers very happy.  We get a few issues with people not receiving mail but after pointing out the problem is on the sending end, and then changes are made, the mail flows through happily.

If I had a Pound for every time I heard "well we don't have any problems sending mail to anyone else" I would be a rich man!  My approach - get your house in order and your mail will arrive on our server.  We are not doing anything magical, just making sure you are configured properly and if you are, we will accept your mail.

Our Anti-Spam software clearly advises people what the problem is and why their mail is being rejected - all they have to do is read - which sometimes is too difficult : )
0
 

Author Comment

by:Martin_Radbo
ID: 34974723
I think you misunderstood a bit. We have a customer (company A) and they have all their email accounts at our server. Company A has a lot of customers trying to email to them (i.e. to our server). Some of their customers have not configured their reverse IP and therefore OUR server rejects the incoming email.

I think company A had another ISP for their own email accounts before with other safety regulations and therefore maybe fewer problems.
That does not matter now, I just want some propositions for how to best configure OUR server.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34974747
I understand your issue - but the question is - how much spam do you want your customers to receive?

You can't whitelist mail servers one by one - that would be a nightmare and I personally refuse to whitelist a server that isn't configured properly.

My $0.02 worth - keep rejecting and advise your customers' customers to get their house in order then they won't have any problems.  If they don't hear it from you - they will hear it from someone else until they get their acts together.
0
 

Author Comment

by:Martin_Radbo
ID: 34974835
"My $0.02 worth - keep rejecting and advise your customers' customers to get their house in order then they won't have any problems.  If they don't hear it from you - they will hear it from someone else until they get their acts together."

True! I think the mentality here in Sweden is to accept even non-RFC things, to get the email to arrive, rather than take the hassle with rejecting.
This means that they are able to send their emails to many other servers who accept them (against the RFC) but not to our server.

One detail: do you give 400 or 500 messages back? Temporary or permanent bounce? With continuous 400 messages the sender will never be notified about his errors.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34974917
Well - in the past 93 days - we have received 404,267 emails and blacklisted 148,762 of them.

My approach may not be the norm with other companies / Exchange Administrators and I appreciate that at the end of the day all we want is the good mail and to reject the bad mail, but that's the problem - how to tell the good from the bad.

You may as well not spam filter if you just want the mail in and not worry about being RFC compliant.

If you liken it to passport control at a country's borders - if someone comes up to the control with a forged passport or a passport that is expired, or one that shows a different photograph to the person carrying the passport - do you let them in the country or turn them around and send them back home?

I know what I would do!
0
 

Author Comment

by:Martin_Radbo
ID: 34991484
Thank you all. We have found that the only possible solution in our case is to turn off the reverse checking of the IP.

But we will anyway give a certain amount of points to the email because of the lack of reverse lookup, so we do not neglect it.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34992881
Oh well - not to worry.  As long as you don't get spam and your good mail arrives - that's the important part.

Alan
0
 

Author Comment

by:Martin_Radbo
ID: 35030614
"But we will anyway give a certain amount of points to the email because of the lack of reverse lookup, so we do not neglect it."

I have a hard time finding the setting to add to our /spamassassin/local.cf to set the amount of score for missing reverse lookup.
0
 
LVL 14

Assisted Solution

by:DonConsolio
DonConsolio earned 250 total points
ID: 35035043
Set a score for NO_RDNS_DOTCOM_HELO

score NO_RDNS_DOTCOM_HELO 100
0
