Crynwr spam blocking resources

Crynwr Software supports spam blocking.

SMTP DNS authorization

I'm proposing that people block SMTP clients which do not have a certain set of DNS records. I call this SMTP DNS authorization.

Testing services

Crynwr Software operates a robot which can test DNS-based spam blocks. Spam is defined thusly. The first and most famous DNSL is the MAPS RBL (Mail Abuse Protection Service's Realtime Blackhole List). Unfortunately, because they deny accesses from my server, I cannot verify the accuracy of their databases, so I no longer support any MAPS products.

The full list includes:

The robot's test is started by sending a piece of mail (any piece of mail) to one of the addresses above. You must send the email from the machine which you wish to test. If you cannot do this, then telnet to the smtp server and send mail by hand. The robot only tests for the one kind of block, so if you're using multiple blocking services you need to send multiple pieces of mail.

Alternately, you can telnet to ns1.crynwr.com from the server you want to test. It will test all of the supported DNSBLs and allow you to watch the SMTP conversation. Neat, eh?

Here's what the robot does:

  1. It examines the mail to get the IP address of the machine which sent the test mail to Crynwr.
  2. It opens a connection to that machine's port 25 from an IP address which is blocked by the respective blocking service.
  3. If it cannot connect, it attempts a traceroute. Some ISP's block some spammer sites without telling their customers.
  4. It issues a HELO command with the IP address's hostname.
  5. It issues a MAIL FROM with an empty sender. This helps ensure that you're not blocking the empty address. Blocking it means that you won't get bounces.
  6. It issues RCPT TO the address used in the envelope sender of the test initiation mail.
  7. It issues a DATA command and throws down a small piece of test mail.
  8. If one of these commands fails, the spamblock is working. Some people implement their spamblock so that the mail is accepted and dropped on the floor. That's okay, but those people will have to understand that that will surprise the test system into saying "Successful termination. As far as I can tell, the email was delivered. That might not be what you want." This method of spamblocking is probably not a good idea, because it's better to let a spammer know that their mail isn't getting through. It will discourage them, and that's a good thing. Most people don't block by discarding mail; let's keep it that way.
  9. The entire SMTP dialogue is emailed back to the envelope sender address.

So, the net effect is that if you get one reply (the SMTP dialogue), you're all set. If you get two replies, you're not blocking the addresses listed by the service you tested. If you get no reply within about ten minutes, either your envelope sender is wrong (which needs fixing anyway), or you are blocking the whole Crynwr Software subnet (NET-CRYNWR).

DNS blocking for qmail

Crynwr Software sells support for qmail, a sendmail replacement Mail Transfer Agent written by Dan Bernstein. You can use Dan Bernstein's rblsmtpd, or ask Crynwr to install it for you.

Privacy Policy

We do not share any information about these tests with anyone else. Neither the fact that you have tested, nor the results of the test are made available to anyone. Each of the services which has a test listed is cooperating with Crynwr Software to the extent of listing an IP address on Crynwr's network (192.203.178). They know what that address is, and they could be logging DNS queries made against that address. That would only tell them that you tested. It would not tell them the results of the test, however they could run their own test against your server. I have no idea whether they do this or not, however the technology exists to make it possible. This is only a concern if you care whether they know if you tested or not. They can certainly notice that you are using their blocking service.


Russell Nelson
Last modified: Thu Oct 6 10:32:01 EDT 2005