Mailing to AOL behind a firewall?

Discussion in 'Mail Chat' started by SuperGenii, Oct 22, 2017.

  1. SuperGenii

    Greetings Mailers, Noobs, Anti's, Law Enforcement, and everyone else who now has open access to this forum,

    I've been troubleshooting an issue which has led me ultimately to the following conclusion, and perhaps someone else here with any skill can confirm. So I guess I am chatting with Nick... Maybe some other AOL pros still linger here?

    Long story short... I suspect 64.236.82.0/24 is used by DMARC to authenticate AOL mail set with a strict policy. If you are behind a firewall, which I know many third-party IP providers use, you may inadvertently be blocking this range from accessing your DNS records. You will see more Service Unavailable 421 errors as a result.

    The back story... I have been experiencing higher than normal traffic load and packet loss. After extensive investigation I found DNS lookups coming from 64.236.82.0/24 in very high volume, to domains which were no longer active. rDNS had not been updated and these queries were coming in for the incorrect domain. Traffic was snowballing across 1000 subdomains/queries.

    Queries to properly set rDNS domains are minimal however, and I suspect this is because DMARC could authenticate and cache the authenticated results, while the fails check over and over.

    At first, I mistook the fails for a DNS Amplification DDoS attempt on the client's mailing IPs. But when I blocked 64.236.82.0/24 at the router, packet issues disappeared and AOL deferrals rose immediately. Open the range again and the network would slow but 250 Success returned.

    So, the ISP has corrected rDNS and I am waiting to see the failed lookups correct to the new domains/rDNS.

    Then I thought, what about IPs from another source... They use a strict firewall and I don't see any traffic AT ALL coming from 64.236.82.0/24, AND delivery is shit. I contacted that ISP and requested they open their firewall to this traffic under the assumption it was not malicious but in fact necessary for DMARC and IP longevity. As soon as they opened the pipe, I saw the lookups pointing right back to DMARC, and the number of successfully delivered messages immediately rose from poor to decent.

    Moral of the story... If you mail with DMARC authentication, make sure, if you are hosting your own DNS, that your firewalls permit 64.236.82.0/24, and that your IP providers also permit this traffic. If you are using third-party DNS, you might want to mail with NO DMARC because this could inflate your bill a bit. Also be sure not only to have rDNS set, but that it's set properly to match your forward DNS, otherwise the failed lookups will start to clog your network for no good reason...

    If you're asking yourself, "How do we work with this guy? Sounds like he knows a thing or two..." Just visit www.DataMCP.com and let us know you're interested.

    Thanks,
    SG
    Super Genii, Inc. - DataMCP.com
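
An offline sketch of the two checks the post above describes, added here as an example and not part of the original post: confirming that each mailing IP's rDNS name resolves back to the same IP, and splitting the queries arriving from 64.236.82.0/24 by whether the queried name still resolves. The zone data, log entries, host addresses and function names are constructed assumptions; only the /24 comes from the post.

```python
import ipaddress
from collections import Counter

# Constructed zone data (documentation IP ranges, example domains).
PTR = {  # mailing IP -> rDNS name
    "192.0.2.10": "mail1.example.com",
    "192.0.2.11": "mail2.old-example.net",  # stale rDNS, domain retired
    "192.0.2.12": "mail3.example.com",
    # 192.0.2.13 has no PTR record at all
}
A = {  # hostname -> forward A records
    "mail1.example.com": ["192.0.2.10"],
    "mail3.example.com": ["192.0.2.99"],    # forward record points elsewhere
}

# Constructed authoritative-server query log: (source IP, queried name).
QUERY_LOG = [
    ("64.236.82.5", "mail1.example.com"),
    ("64.236.82.5", "mail2.old-example.net"),
    ("64.236.82.17", "mail2.old-example.net"),
    ("64.236.82.40", "mail2.old-example.net"),
    ("198.51.100.7", "mail2.old-example.net"),  # other source, not counted
    ("64.236.82.17", "mail3.example.com"),
]

RESOLVER_NET = ipaddress.ip_network("64.236.82.0/24")  # range named in the post


def fcrdns_status(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    name = PTR.get(ip)
    if name is None:
        return "no-ptr"
    addrs = A.get(name)
    if not addrs:
        return "ptr-name-unresolvable"
    return "ok" if ip in addrs else "forward-mismatch"


def audit(ips):
    """Map each mailing IP to its rDNS consistency status."""
    return {ip: fcrdns_status(ip) for ip in ips}


def queries_from_range(log, net=RESOLVER_NET):
    """Count queries from net, split by whether the queried name resolves."""
    counts = Counter()
    for src, qname in log:
        if ipaddress.ip_address(src) in net:
            counts["resolvable" if qname in A else "unresolvable"] += 1
    return counts
```

Any IP whose status is not `ok` is a candidate for an rDNS correction by the ISP, and a high `unresolvable` count from the range matches the repeated failed lookups the post reports.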
     
