Keeping the channels of communication between us and the wider Internet community open has always been one of our main priorities. Just lately we received some input that caused us to rethink the way we've been doing things on this front.
Receiving Mail
Like any organisation in charge of running an email service, we have tried a mix of methods over the years to fend off spam. These have included Bayesian filtering, greylisting, various ACL checks, and external, third-party RBLs (Real-time Blackhole Lists). Although each of these methods has helped us defend against spam to an extent, we have found that the RBL service available from zen.spamhaus.org has provided a particularly high level of protection. For this reason, we have now been using Spamhaus RBL for well over a decade.
Recently, one of our members contacted us with concerns about our use of the Spamhaus RBL. And we believe that this member made a number of good points. In particular, we agree that if someone is blacklisted in error, or is in conflict with a blacklist operator, this should in no way affect their ability to contact us. As a neutral organisation committed to contributing to a stable Internet, we have a responsibility to ensure that the channels of communication between us and the rest of the community stay open.
So, shortly, we will implement the following measures:
- Whitelist our members by making sure any email address subscribed to the ncc-announce@ripe.net mailing list will always reach RIPE NCC support (this being the most efficient way to gather emails for members right now)
- For any other sender whose email to us is rejected because of RBL filtering they will receive a link to a web form that they can use to contact us
While not a complete solution, we believe these are good first steps.
In the long term, the solution to all this would involve reducing our reliance on external RBLs for spam filtering. What exact steps this would involve is still to be worked out and will take some work to implement. Simply switching off RBL filtering isn’t an option at this point, especially when you consider that it helped us block 60,000 mails in August this year alone. We welcome input regarding the experiences others in the community and our members have had in their attempts to reduce reliance on third-party sources for filtering incoming emails.
Sending Mail
We also have some news on how we are sending emails. We are generally quite conservative in adopting technologies that are not mature or widely adopted enough to minimise potentially negative effects for our recipients. This we are mainly referring here to email authentication methods.
About a year ago, for instance, we introduced a Sender Policy Framework (SPF) record that allowed remote mail servers to validate that the emails received from us were sent from servers authorised to send on our behalf. Around the same time we wrote about a change in our Mailman configuration, caused by more and more subscribers having email addresses in domains that have configured Domain-based Message Authentication, Reporting and Conformance (DMARC) policies.
To ensure deliverability of emails sent to our mailing lists subscribers, we set a DMARC option in Mailman (dmarc_moderation_action) that rewrites (munges) the From: header field to include the list address and the original sender’s name “via the list”, but only for those messages with the original domain having a DMARC policy p=reject or p=quarantine. In short, this enabled us to ensure that anyone subscribed to our mailing lists would receive emails from all other subscribers.
These changes will stay in place and now it is the time to take an additional step. Shortly we will also start signing our outgoing mails with a DomainKeys Identified Mail (DKIM) signature and we will be publishing a DMARC record with the policy p=none. Thus emails we send out will contain an extra DKIM signature header and the DMARC aggregate reports will offer us visibility on the SPF and DKIM alignment and produce failure reports.
Feedback
Please leave a comment if you have any questions or believe any of the issues or proposed changes described about affect you in any way.
Comments 16
Comments are disabled on articles published more than a year ago. If you'd like to inform us of any issues, please reach out to us via the contact form here.
john jones •
just going to leave this report on mail here: https://internet.nl/mail/ripe.net/274171/ consider also implementing DANE
Hide replies
Razvan C. Oprea •
Thank you for the link, we know about the internet.nl reports. DANE is indeed something we are looking into as well.
Alex •
RIPE NCC should follow only official SMTP standartds and RFCs. Strange private and not transparent companies like spamhaus should not be used. People, ISPs, Datacenters lot of times got delivery problems with because of non transparent, not objective blacklists. There are a lot of cases in the internet showing that such blacklists should not be used. It's a good opportunity to use only new SMTP options like TLS, DMARK, SPF specially done for that. Third-party RBLs should not be used.
Hide replies
Razvan C. Oprea •
We are already using TLS and SPF. I mentioned above we will implement DKIM, DMARC and dial down on relying on third party RBLs.
Pavel Polyakov •
I hope this is fixed asap.. host mahimahi.ripe.net[193.0.19.114] said: 550-rejected: XXX.XXX.XXX.XXX is in a black list....
Hide replies
Razvan C. Oprea •
Pavel, if you are subscribed to ncc-announce mailing list and still get this message, please contact us at https://www.ripe.net/contact-form and we'll look into it.
Nick •
Why do you think that blacklists are so effective? Look at Gmail, they never used 3rd party blacklists.. So why do provide Spamhaus opportunity to control you and your customers? I'm afraid that you didnt investigated their work properly, as they hides real crimes and real spam. And btw, Spamhaus is nonexisting organization, it's not possible to find them, check this by yourself! I'm sure RIPE doing a BIG mistake by using spamhaus..
Pavel •
Ripe must not use private RBLs. Spamhaus is bad.
Den •
Guys, please dont use this 3rd party crime service like Spamhaus, they can block whole country, it's crime organization! please make your own blacklists, other services, but dont trust Spamhaus!
Michael •
do not use Spamhaus, here are the first topics found from the Google about their work: https://www.netangels.ru/company/news/2014/fuck-spamhaus/ https://virusinfo.info/showthread.php?t=85583 https://habr.com/post/171223/ https://www.securitylab.ru/news/396828.php
Hide replies
Dan •
Quite strange you only provide russina websites… Russian being a top country in spam volume… And one more thing… as most providers, inclusing Linode, DigitalOcean, Amazon, not doing actually enough to stop spammers use their network, I vote for RBLs, no matter the name.
Mark •
Maybe you can get in touch with Peter, who is actively running the BGP powered Spam list at https://bgp-spamd.net/, where you vould also contribute with the amount of Mails you receive
Hide replies
Razvan C. Oprea •
Thanks for the pointer, Mark, I'll look into it.
Patrik Schindler •
From my experience, a well-trained bayes-db with carefully adjusted individual scores for certain rules is sufficient. I'm not using external RBLs for blocking (just some defaults, Spamassassin uses for additional checks) and also no greylisting.
Hide replies
Razvan C. Oprea •
Agreed, the key here is " well-trained bayes-db", otherwise it can do more harm than good. Regarding greylisting, it seems it is no longer as efficient as in the past and we might remove it in the near future.
Cristian •
Have you considered using a 3rd-party spam filtering software? first result on google: spamexperts.com