Solved

Client host rejected: cannot find your hostname stop a lot of spam but also some "good guys"

Posted on 2011-02-24
14
935 Views
Last Modified: 2012-05-11
How do you handle all of theese email servers for real companies which does not have a reverse lookup for their IP ?    
We check all incoming email to our server and too many "wanted" emails are bounced due to this ("Client host rejected: cannot find your hostname")

More info:
Email server with Ubuntu Linux and Postfix.
Accordning to official RFC:s all email servers sending mail should have a reverse lookup and preferably also the same forward lookup for that IP.

I know we can make a list of the IP-numbers we want to let throw, and we do whenever we find any rejected email that we would have wanted, but with many customers this is too manually to be good.

How do you handle this delicate problem?
0
Comment
Question by:Martin_Radbo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 2
  • +1
14 Comments
 
LVL 15

Expert Comment

by:DonConsolio
ID: 34972293
- use whitelists (whitelist sender IPs and sender mail addresses) to unblock your "good guys"
- use the missing RDNS to greylist the offending server
0
 

Author Comment

by:Martin_Radbo
ID: 34972331
* Whitelists is OK but lot of manual work with checking log files and it will never end...

* "use the missing RDNS to greylist the offending server ". Do you mean that a missing reverse lookup always would result in a greylisting and at second attempt we should accept it?
0
 
LVL 10

Expert Comment

by:doninja
ID: 34972693
Depending upon anti-spam system in use reduce the penalty/score of having no reverse lookup so that the system has to have this plus other dns query, uri or domain hit to really classify them as spam.

There are a number of good public whitelist servers that hold known good IP's that may not have a reverse lookup and are checked regularly.

0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34974137
>> How do you handle all of these email servers for real companies which does not have a reverse lookup for their IP <<

The way I handle them is to reject them.  If they are not RFC compliant, then they get rejected pure and simple.

The vast majority of servers are configured properly, but there are a handful that aren't.  Those that aren't, don't get to deliver their emails to my servers until they are RFC compliant.  It's not that complicated to get RFC compliant and I am more than happy to advise companies that they are not and need to be.

Alan
0
 

Author Comment

by:Martin_Radbo
ID: 34974562
I would like to reject them as I do now, but then our customer tells me that "when we used another ISP for our email traffic it used to work" and that is quite annoying. Loosing an importante customer just because we follow the RFC...
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 250 total points
ID: 34974644
When your customer tells you that they used to use another ISP and it worked - suggests that they have not configured Reverse DNS on their new fixed IP Address, which is their problem - not yours and they only need to call their ISP to get it configured.

I have little tolerance for poorly configured mail servers and as a result, we get little to no spam at all.  This keeps our customers very happy.  We get a few issues with people not receiving mail but after pointing out the problem is on the sending end, and then changes are made, the mail flows through happily.

If I had a Pound for every time I heard "well we don't have any problems sending mail to anyone else" I would be a rich man!  My approach - get your house in order and your mail will arrive on our server.  We are not doing anything magical, just making sure you are configured properly and if you are, we will accept your mail.

Our Anti-Spam software clearly advises people what the problem is and why their mail is being rejected - all they have to do is read - which sometimes is too difficult : )
0
 

Author Comment

by:Martin_Radbo
ID: 34974723
I think you missunderstood a bit. We have a customer (company A) and they have all their email accounts at our server. Company A has a lot of customers trying to email to them (i.e. to our server). Some of their customers have not configured their reverse IP and therefor OUR server rejects the incoming email.

I think company A hade another ISP for their own email accounts before with other safety regulations and therefor maybe less problem.
That does not matter now, I just want some propositions for how to best configure OUR server.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34974747
I understand your issue - but the question is - how much spam do you want your customers to receive?

You can't whitelist mail servers one by one - that would be a nightmare and I personally refuse to whitelist a server that isn't configured properly.

My $0.02 worth - keep rejecting and advise your customers customers to get their house in order then they won't have any problems.  If they don't hear it from you - they will hear it from someone else until they get their acts together.
0
 

Author Comment

by:Martin_Radbo
ID: 34974835
"My $0.02 worth - keep rejecting and advise your customers customers to get their house in order then they won't have any problems.  If they don't hear it from you - they will hear it from someone else until they get their acts together. "

True! I think the mentality here in Sweden are to accept even non-RFC things, to get the email to arrive, rather than take the hassle with rejecting.
This mean that they are able to send their emails to many other servers who acccept them (against the RFC) but not to our server.

One detail: do you give 400 or 500-messages back? Temporary or permament bounce?  With continues 400-messages the sender will never be noticed about his errors.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34974917
Well - in the past 93 days - we have received 404,267 emails and blacklisted 148,762 of them.

My approach may not be the norm with other companies / Exchange Administrators and I appreciate that at the end of the day all we want is the good mail and to reject the bad mail, but that's the problem - how to tell the good from the bad.

You may as well not spam filter if you just want the mail in and not worry about being RFC compliant.

If you liken it to passport control at a countries borders - if someone comes up to the control with a forged passport or a passport that is expired, or one that shows a different photograph to the person carrying the passport - do you let them in the country or turn they around and send them back home?

I know what I would do!
0
 

Author Comment

by:Martin_Radbo
ID: 34991484
Thank you all. We have found that the only possible solution in our case is to turn off the reverse checking of IP:n.

But, we will anyway give a certain amount of points to the email because of the lack of reverse lookup, so we do not negliate it.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34992881
Oh well - not to worry.  As long as you don't get spam and your good mail arrives - that's the important part.

Alan
0
 

Author Comment

by:Martin_Radbo
ID: 35030614
"But, we will anyway give a certain amount of points to the email because of the lack of reverse lookup, so we do not negliate it. "

I have a hard time finding the setting to add to our /spamassassin/local.cf to set the amount of score for missing reverse lookup.
0
 
LVL 15

Assisted Solution

by:DonConsolio
DonConsolio earned 250 total points
ID: 35035043
Set a score for NO_RDNS_DOTCOM_HELO

score NO_RDNS_DOTCOM_HELO 100
0

Featured Post

Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question