Fred Stluka on 6 Sep 2018 11:49:21 -0700
Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...
Rich,
> I imagine they have email-approved netblocks they coordinate with the reputation services, and ones that are blacklisted. They don't let servers use the reputable netblocks without a lot of control, because they lose all their business if those blocks get a bad reputation.
Yes, AWS has separate blocks of "elastic" IP addresses, vs regular "dynamic" IP addresses. They work to protect the reputation of the elastic addresses, and they set strict limits on the number of outgoing emails from a dynamic address. Elastic IP addresses are their solution to giving your server a stable IP address w/o actually assigning you a static IP. While a static IP is typically assigned to a specific server, an elastic IP is assigned to an AWS account, and you, as the account owner, can dynamically assign it to any of your servers as you like. So, when you spin up a new server to replace an old one, you don't have to mess with DNS entries and propagation delays. You just flip your elastic IP address over to the new server. See my 2009 tip on this topic for details:
- http://bristle.com/Tips/CloudComputing.htm#aws_set_elastic_ip_address
> Do similar reputation services exist for services other than email? The problem is that you probably do want to accept ssh from dynamic blocks/etc, which is usually the first thing that spam filters go after.
Good question! For email, there is:

- SPF -- Sender Policy Framework, where the domain owner can create a DNS record that lists which IP addresses are authorized to send email "from" the domain. So email can't be sent from unauthorized IP addresses.
- DKIM -- DomainKeys Identified Mail, where each email contains digital signatures of the headers and body that recipient mail servers can decrypt and validate via a public key stored in a DNS record set up by the domain owner. So, email can't be altered in transit.
- DMARC -- Domain-based Message Authentication, Reporting & Conformance, where the domain owner can create a DNS record to specify what recipient mail servers should do with messages that fail SPF and DKIM checks, and how to report them to the domain owner.
- RBLs -- Real-Time Blacklists, where reputations of IP addresses and domain names are accumulated, and blacklists managed in real-time, so recipient mail servers can block them.
- Spam buttons in most email clients, to allow mail users to ding the reputations of domains and IP addresses in the RBLs.
- etc.

Are there similar tools for other IP connections? Or just email?

--Fred
------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
#DontBeATrump -- Make America Honorable Again!
------------------------------------------------------------------------

On 9/6/18 12:39 PM, Rich Freeman wrote:
> On Thu, Sep 6, 2018 at 12:08 PM Ron Guilmet <ronpguilmet@gmail.com> wrote:
>
> > When it comes to an email server they are very protective. For example, I can't set up an email server, and have it running tonight. I have to fill out all kinds of forms showing how I intend to handle spam, and it has to be approved before they will lift the smtp restrictions that every EC2 instance comes with.
> > ...
> > Is there a way to get IPs that are not involved in email spam penalized?
>
> This is already a solved problem, and this is WHY they are so protective about outgoing email. Their SES service (mail forwarding) is likewise very protected. If Amazon didn't toe the line they'd end up on spam reputation lists and then half the planet would be bouncing their mail, including all the major ISPs/etc.
>
> I imagine they have email-approved netblocks they coordinate with the reputation services, and ones that are blacklisted. They don't let servers use the reputable netblocks without a lot of control, because they lose all their business if those blocks get a bad reputation.
>
> The reputation services are all third-party, and tend to be run by folks with more of rsk's mindset. If you get on the bad side of them, you're basically done. No appeals to ICANN or whatever, they have no official standing, but everybody uses them. Your only appeal is to go to every ISP and work out a side deal to whitelist traffic. Amazon probably could do that, but wouldn't want to, largely since those ISPs would just put the same conditions on them anyway.
>
> Do similar reputation services exist for services other than email? The problem is that you probably do want to accept ssh from dynamic blocks/etc, which is usually the first thing that spam filters go after.
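The SPF and DMARC checks Fred lists above, as an added example that is not part of the original thread: a minimal receiver-side evaluator. It assumes constructed DNS TXT records for a hypothetical domain example.test instead of real lookups, handles only the ip4/ip6/all SPF mechanisms, treats the DKIM result as an already-computed boolean, and uses one domain for both the envelope sender and the From: header (so alignment is not modelled).

```python
import ipaddress

# Constructed sample DNS TXT records for a hypothetical domain (no real lookups).
SAMPLE_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
    "_dmarc.example.test": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.test",
}

# SPF qualifier prefix -> result name (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, txt=SAMPLE_TXT):
    """Evaluate the ip4/ip6/all mechanisms of a domain's SPF record for the
    connecting IP. Returns pass/fail/softfail/neutral, or 'none' if no record.
    (include:, a, mx and redirect= are out of scope for this example.)"""
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":                    # 'all' always matches
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr in net:                  # False when address families differ
                return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no 'all' term


def dmarc_policy(domain, txt=SAMPLE_TXT):
    """Return the tags of the domain's DMARC record as a dict, or None."""
    record = txt.get("_dmarc." + domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)


def receiver_action(ip, domain, dkim_aligned=False, txt=SAMPLE_TXT):
    """Simplified receiver decision: DMARC passes if SPF passes or an aligned
    DKIM signature verified; otherwise the published p= policy applies."""
    if spf_check(ip, domain, txt) == "pass" or dkim_aligned:
        return "deliver"
    policy = dmarc_policy(domain, txt)
    if policy is None:
        return "deliver"                     # no DMARC policy published
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "deliver")
```

A domain with no DMARC record still gets its mail delivered on SPF failure, which is why publishing p=reject (or quarantine) matters for the reporting and enforcement Fred describes.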
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug