Hi
We are seeing problems with greylisting in mails coming from UPC mailservers. After receiving our "451 Greylisting" response, we never see a retry of the mail again. The sender does not receive an NDR. We have seen this behaviour from the servers at 84.116.36.xxx. Other servers for example the ones in the range 62.179.121.xxx are retrying correctly.
Anybody from UPC here to help sort this out or is anyone else seeing the same problem or is no one using greylisting anymore these days?
Regards,
Mike
We are seeing problems with greylisting in mails coming from UPC mailservers. After receiving our "451 Greylisting" response, we never see a retry of the mail again. The sender does not receive an NDR. We have seen this behaviour from the servers at 84.116.36.xxx. Other servers for example the ones in the range 62.179.121.xxx are retrying correctly.
Anybody from UPC here to help sort this out or is anyone else seeing the same problem or is no one using greylisting anymore these days?
We have seen the very same problem with the very same ISP...
We turned off greylisting for now.
On 01/03/2017 03:09 PM, Mike Kellenberger wrote:
We are seeing problems with greylisting in mails coming from UPC mailservers. After receiving our "451 Greylisting" response, we never see a retry of the mail again. The sender does not receive an NDR. We have seen this behaviour from the servers at 84.116.36.xxx. Other servers for example the ones in the range 62.179.121.xxx are retrying correctly.
Now that you mention that...
I have seen the same behaviour since January 1.:
reject: RCPT from vie01a-dmta-ch02-1.mx.upcmail.net[84.116.36.94]: 450 4.= 2.0
and then was never seen again (at least with that mail) and alos never sent a NDR at all.
Same Problem here, since at least 24. December.
Opened a case today @ UPC. I keep you updated.
On 03.01.17 16:27, Benoit Panizzon wrote:
Same Problem here, since at least 24. December.
Same here since beginning of december. Whitelistied UPC 9.12. 21:37
I do not greylist servers with correct spf record. With UPC i think the main problem is the missing NDR.
happy new year!!
Beat
Hi
I do not greylist servers with correct spf record. With UPC i think the main problem is the missing NDR.
We also do not greylist if the SPF record matches. We do not greylist IP's listed in the DNSWL.org or SWINOG Whitelist either.
But none of this was true for the new 'NL' ranges used by upcmail.net. The ranges in AT were already whitelisted, thus not causing that problem.
So far no progress with the ticket I opened @ UPC.
-Benoît Panizzon-
Quick update on that case.
UPC Switzerland is fully aware of the problem.
The Mail-Platform in the Netherlands is operated by UPC Austria (probably chello.at). And they still deny that there is a problem on their side and blame the ISPs that do greylisting.
UPC Switzerland is trying to escalate the problem.
Regards
-Benoît Panizzon-
On 05.01.17 10:36, Benoit Panizzon wrote:
The Mail-Platform in the Netherlands is operated by UPC Austria (probably chello.at). And they still deny that there is a problem on their side and blame the ISPs that do greylisting.
Thanks.
Yes we all know such guys, sometimes we should look to the mirror...
But who is to blame if their customers do not know that their emails are sent to /dev/nirvana without NDR's ? ;-)
Hi all
Just received this update from UPC:
Many thanks for your e-mail. We reported this greylisting issue to our mailserver administrators. They will take care of it and hopefully resolve this issue within the next week.
We added the 6 IP's of the outgoing mailservers to the DNSWL.org Whitelist.
84.116.36.91 vie01a-dmta-ch01-1.mx.upcmail.net 84.116.36.92 vie01a-dmta-ch01-2.mx.upcmail.net 84.116.36.93 vie01a-dmta-ch01-3.mx.upcmail.net 84.116.36.94 vie01a-dmta-ch02-1.mx.upcmail.net 84.116.36.95 vie01a-dmta-ch02-2.mx.upcmail.net 84.116.36.96 vie01a-dmta-ch02-3.mx.upcmail.net
Many thanks for your understanding.
Kind regards,
M.Giger
Abuse Desk
abuse@upc.ch
UPC Schweiz GmbH Postfach 8021 Zürich 0800 66 88 66 upc.ch
Regards,
Mike
Mike Kellenberger wrote:
Hi
We are seeing problems with greylisting in mails coming from UPC mailservers. After receiving our "451 Greylisting" response, we never see a retry of the mail again. The sender does not receive an NDR. We have seen this behaviour from the servers at 84.116.36.xxx. Other servers for example the ones in the range 62.179.121.xxx are retrying correctly.
Anybody from UPC here to help sort this out or is anyone else seeing the same problem or is no one using greylisting anymore these days?
Is there any point in greylisting genuine mailservers? We only greylist dodgy-looking setups.
/Per
On 04.01.2017 08:54, Per Jessen wrote:
Is there any point in greylisting genuine mailservers? We only greylist dodgy-looking setups.
/Per
I don't see how this approach would scale. We greylist everything. If some mail servers appear to have a problem with that and are legit, they are whitelisted. That approach scales for us.
Kind regards,
Viktor
Viktor Steinmann wrote:
On 04.01.2017 08:54, Per Jessen wrote:
Is there any point in greylisting genuine mailservers? We only greylist dodgy-looking setups.
/Per
I don't see how this approach would scale.
To my knowledge, it scales quite well. We maintain a list of regex server-name patterns that we consider 'dodgy' as well as a whitelist. If a reverse lookup matches one of these patterns, we greylist. There are some more checks, e.g. on the HELO, but the reverse mapping is the main one. We run this on a cluster of some 45-46 boxes. The list of patterns is fairly stable.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hi,
Am Mi den 4. Jan 2017 um 8:54 schrieb Per Jessen:
Is there any point in greylisting genuine mailservers? We only greylist dodgy-looking setups.
I had the same in mind but didn't post as I only run a small server pressent days.
I utilize grossd and use several blacklists (also not that trusted ones) to decide who to greylist and who not.
dnsbl = blacklist.woody.ch;2 dnsbl = bl.spamcop.net dnsbl = ix.dnsbl.manitu.net dnsbl = pbl.spamhaus.org dnsbl = sbl-xbl.spamhaus.org
That setup made it really good. "Normal" mailservers get their mails delivered without any interuption and even if you end on a blacklist for whatever reason, your mail can get delivered later.
Regards Klaus - -- Klaus Ethgen http://www.ethgen.ch/ pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen Klaus@Ethgen.ch Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Hi Per
Is there any point in greylisting genuine mailservers? We only greylist dodgy-looking setups.
True, no point in greylisting a propper SMTP engine that does queueing and would resend the email later in case of a 4XX error.
But how do you find out which ip's to greylist and which not to?
We use milter-greylist and this has nice features like being able to do DNS whitelist lookups and query SPF records to decide whether to greylist a specific trippled or not. And it can sync it's database across multiple servers.
-Benoît Panizzon-
Benoit Panizzon wrote:
Hi Per
Is there any point in greylisting genuine mailservers? We only greylist dodgy-looking setups.
True, no point in greylisting a propper SMTP engine that does queueing and would resend the email later in case of a 4XX error.
But how do you find out which ip's to greylist and which not to?
Hi Benoit, as I wrote yesterday, we use a fairly simple set of regex patterns to look at the reverse mapping of the server address, plus another simple set of criteria for e.g. the HELO. I'll be happy to share them with everyone.
Hi
Update on the Problem.
I got two replies, one yesterday stating, that the problem is about our side, that the UPC servers rotate between 3 IP addresses and this causes problems with greylisting.
=> Fact: Already last week I told them I see those 3 IP Addresses from within the same /24 and that our greylisting implementation considers IPv4 within /24 and IPv6 within /64 as 'same', but that the problem was, that UPC does never retry to re-send the email after the first attempt.
=> So the UPC Techs obviously stil didn't read my reply.
The reply also stated, that the UPC servers retry to send the email every 4 hour.
=> Fact: I provided our logs of the case I did not see the servers re-try. I asked them to check their logs.
=> Obviously the UCP Techs did not look at their logs.
Today I got the simple reply, that the problem was solved and that our customers should re-try.
So I'm still waiting for a statement on what got wrong and why they obviously neither ready my reply last week not looked at their logs after I provided my logs clearly showing the problem.
Did someone else get a clear statement on the issue?
-Benoît Panizzon-
-
Beat Siegenthaler -
Benoit Panizzon -
Klaus Ethgen -
Marc Balmer -
Matthias Egger -
Mike Kellenberger -
Per Jessen -
Viktor Steinmann