« More bad guys IPs | Main | Feedback of the week »

Ahh... Verizon

I don't who is in charge of Verizon's mail servers, but they need help, now. A few days ago, a few users of dslreports complained that they are not receiving any email from us. Things like password reminders, notifications they asked for, etc.. It's not spam they're missing but legitimate mail. After checking the logs and seeing nothing but tons of time outs trying to connect to verizon's mail servers I did the very first step any admin would take, mainly:

$ dig verizon.net mx

;; ANSWER SECTION:
verizon.net. 13452 IN MX 0 relay.verizon.net.

okay..

telnet relay.verizon.net 25
Trying 206.46.170.12...

That was from the dslreports mail server.. hmm... could be Verizon's server is down?

$ ping relay.verizon.net
PING relay.verizon.net (206.46.170.12) 56(84) bytes of data.
64 bytes from relay.gte.net (206.46.170.12): icmp_seq=1 ttl=243 time=44.9 ms
64 bytes from relay.gte.net (206.46.170.12): icmp_seq=2 ttl=243 time=44.7 ms

--- relay.verizon.net ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1010ms

rtt min/avg/max/mdev = 44.751/44.833/44.916/0.227 ms

Well.. the server is obviously up, but is the mail server? From another host:

$ telnet relay.verizon.net 25
Trying 206.46.170.12...
Connected to relay.gte.net (206.46.170.12).
Escape character is '^]'.
220 sc002pub.verizon.net MailPass SMTP server v1.1.1 - 121803235448JY ready Mon, 14 Feb 2005 18:08:02 -0600

Well.. gee.. look at that, Verizon is obviously filtering out mail.dslreports.com and not allowing us any connections. Blacklists? Nope, clean as a whistle (btw, Derek, yours is consistently timing out from that site).

I emailed the typical addresses one would try to contact a mail admin.. nothing.. no reply, no acknowledgment, no bounce.. great.. In the meantime some of our users started asking Verizon. As customers they have a bit more leeway than I.. Here's what Verizon came back with:

said by Verizon Online Support Center:

Verizon will not accept mail from senders that are not recognized on the senders mail system as a recipient. This is a problem on dslreport's side and will need to be corrected before mail from this address will be accepted.

The domains that are being looked into for you are not part of any blacklisting issue, but rather a part of a Sender Verify process. A While [sic] ago, servers were installed to verify sender e-mail addresses. All sites would need to be sender verified. if a sender is not valid, or their domain has not been validated, the message will be returned back to them. Any site that is not set up for sender verification will be allowed to pass through our system.

Thank you.

I explained to the user how there is no way they could have tried to verify the sender (although that would have failed, this was one of our bounce addresses) since they never even attempted to accept the message.. kind of hard to do that without basics..like say.. server handshakes or maybe a connection?

They had a nice reply back:

said by un-named Verizon Online Support Agent:

I have passed the information along to our engineers. It seems that you have not understood our explanation of the Sender Verification process. I would suggest that you feel free to research this for yourself. You will see that the Sender Verification process is actually an industry standard.

Industry standard.. erm... whatever.. how is that connection doing? Right.. none.. and apparently they're working with us on it too! Funny, I didn't notice. Not a peep, none. Great job Verizon, way to serve your customers.. I've some gmail invites for all you poor Verizon users.

At this point, I'm guessing (this is really a guess) that they have some sort of limit of how many mails they will bounce based on failed sender verify and then blacklist the host.

Posted by kasia on February 14, 2005 07:22 PM |

Comments

Maybe they are blocking anything that contains 'dsl' in the reverse resolve in an attempt to block out clueless zombies on dsl lines?

You are running postfix, right? Postfix docs on address verification:

http://www.postfix.org/ADDRESS_VERIFICATION_README.html

Brian

Posted by: Brian | February 14, 2005 07:43 PM

That would be helpful if I wanted to implement this rather high in false positives way of filtering spam, but I have more respect for my users than Verizon has for theirs :)

Posted by: kasia | February 14, 2005 09:06 PM

It times out because that DNSBL doesn't exist any more and rbls.org apparently doesn't know that yet. All the NSs in it point to localhost.

Posted by: Derek | February 14, 2005 09:30 PM

Guh, yet another reason I need to switch ISPs. (Verizon also uses publicly-routed 10.x.x.x addresses on some of their IP blocks, which seems to be causing problem with a select few sites that I actually need to access all the time.)

I'm amazed that you managed to even find a support email address for Verizon though. I'm a Verizon *customer* and haven't been able to get even an automated form letter!

Posted by: fluffy | February 15, 2005 10:26 AM

Hilarious. Sounds very familiar with a problem I'm having with Sprint Canada (sprint.ca).

After actually getting past the initial tech support I actually got to someone who could understand the issue. However, they haven't been able to come back with an answer as to why I can't connect with a certain host to their mail system on port 25. They've looked at everything and even sniffed network traffic. They seem to see the traffic come into one of their routers and dissappear. Apparently they can't figure out why. Although I have to figure there is some incompentence going on there.

Posted by: Tim A | February 21, 2005 05:42 PM