Panix mail blocking policy

Mail blocking at Panix

For many years, Panix blocked no mail at all. We wanted (and still prefer) to allow our users to filter their mail on an "opt-in" basis.

The increase in spam and viruses, worms, and other malware has made this policy unworkable. These days, mail volume is huge. It overwhelms our servers and discourages our users. We have decided that more harm is done by accepting all mail and making email a less valuable service than is done if we very selectively reject some mail that originates outside our network.

The blocking that we have in place should not affect any mail that is properly formed and legitimate. (Sometimes a bona fide sender is using a misconfigured client, or sending from a system that provides misconfigured headers. In those cases, the sender will receive a bounce message with a diagnostic that will show what the problem was. That permits reconfiguring the client or having the admins fix the outbound headers to fix the problem.)

This doesn't begin to eliminate the spam or malicious email. Some very effective measures are still available to users on an opt-in basis. We highly recommend SpamAssassin, a very configurable spam filtering program that can be used from procmail or set up directly from the webmail interface. Users with webmail access can also elect to block spam at the server (that is, bouncing it) by using the Advanced Anti-Spam Options available from the webmail interface. Some of those are very aggressive, and likely to block some real mail; use them with discretion.

The following blocks apply to all users, whatever others they may choose to apply:

We block mail from the outside when

the sender domain (from the envelope) has neither A nor MX record
the client HELOs as panix.com, net, or org; access.net; or 166.84.1.70 - .76, inclusive
the sender address belongs to a Panix staff account
the recipient address is an account that should never receive mail from outside -- "root", "daemon", "ftp", etc.
the sender address (from the envelope) does not end with a fully- qualified domain name
the recipient address is in a domain that we don't provide mail services for
the recipient address is in a domain for which we have a list of all valid addresses, and the recipient address does not appear in that list
the Subject line is characteristic of the w32/mimail virus
we detect a Received header that indicates a forged panix.com/net/org HELO somewhere up the chain of relays

We also sometimes search message bodies for virus signatures, and reject messages on that basis -- but only when virus volume is quite high. We're not currently doing that as of November 2005, and always announce it when we apply such a block.

And, of course, we also block mail when

a user-configured restriction (e.g. the Zen blocklist) is matched