nslookup from WinNT machine

Brad Knowles brad.knowles at skynet.be
Wed May 30 14:16:53 UTC 2001


At 9:00 PM -0400 5/29/01, Kevin Darcy wrote:

>  As such, the focus is on delivering as much mail as possible, rather than
>  maximizing the subjective "quality" of the email delivered (i.e. by
>  "sanitizing" spam from it). When it comes to email, it's quantity over
>  quality, basically.

	Which is *precisely* what spammers want.  When management starts 
counting up the cost of spam, I think that they'll almost certainly 
change their minds.  That's certainly been my universal experience 
everywhere I've gone.

>  And, as spam-avoidance mechanisms go, the PTR-based one is pretty much
>  bottom-of-the-barrel, IMO. It'll become completely obsolete once spammers
>  learn how to make PTR records.

	But you still have to get them delegated to you, which is the 
truly hard part.  Of course, while anyone can own their own forward 
DNS, it is much, much harder to own your own reverse DNS, and that 
means that PTR records really are a good way to keep down the noise 
from garbage throw-away dialup lines.

	At AOL, we found that this reduced the amount of spam we got by 
more than 25%, and when you're talking about a site that does 
multiple millions of mail messages per day, and spends tens of 
millions of dollars per year to buy new mail servers to replace the 
overloaded mail servers from last year, this is a *HUGE* cost savings.

>  Frankly, I don't see the point of basing an anti-spam mechanism on the
>  sender's ability to implement increasingly arcane features of DNS which have
>  no direct relationship to whether they are a spammer or not.

	PTR records are not particularly arcane, and since they require 
delegation, you can be reasonably sure that the delegating authority 
is aware at some level of what the delegee is doing, and you can hold 
them legally responsible for the actions of their customer.

>  Now that the spammers are more sophisticated (some of them now run their
>  *own* ISPs), I wouldn't be surprised if the false-rejection rate of the PTR
>  mechanism is actually higher than the legitimate-rejection rate.

	There are still far more spammers out there using garbage 
throw-away free dialup lines than anything else, because there are 
still a lot of sites out there that are backwards enough (such as 
yours) that they accept anything without validating the PTR record.

>  BTW, we *do* implement some spam-avoidance mechanisms here. But they are
>  mainly in the form of rejecting mail outright from "free" mail services like
>  Hotmail.

	How can you be sure that you would never get a business mail 
message from hotmail?  Indeed, hotmail (and many other free e-mail 
services) actually gets quite a bad rap, because the spam never 
actually originates at hotmail, it simply claims a hotmail return 
address to try and throw people off the track.

	I've seen this untold numbers of times, and indeed it is one of 
the simplest tricks that spammers use.  Anyone remotely familiar with 
spammers and proper anti-spam techniques should be aware of this 
issue, and not fall into such a ludicrously silly trap.


	Let's take a better case -- AOL.  Let's say you want to block all 
e-mail coming from AOL.  Well, how do you do this, by domain name or 
by IP address?  It is trivially easy for someone to use AOL as a 
dial-up service provider to send e-mail to you, but to claim a 
non-AOL return address.  As shown above, it is trivially simple for 
someone to claim an AOL return address regardless of what IP address 
they're coming in from.

	So, if you really wanted to do this properly, you'd have to do it 
by IP address and not by domain name.  Problem is, AOL also operates 
one of the largest hosting/housing/co-location services in the world, 
with some of the world's busiest web sites directly on their premises. 
Many of these companies could very well be customers or suppliers of 
yours, but of course their IP addresses would be in the same ranges 
as owned by the rest of AOL.

	So, what do you do?  You're screwed if you do, and screwed if you don't.

>  Which pretty much proves my point. PTRs are useless for authentication,
>  whether you're trying to authenticate someone as a non-spammer, or as a
>  trusted admin of your sensitive systems.

	It's virtually useless as a server-to-server validation 
mechanism, but not as a client-to-server mechanism.  It does prevent 
people from coming in from a garbage throw-away free dialup system 
from abusing the network and transmitting spam directly to your 
servers (if they really wanted to get e-mail to you, they can route 
it through the servers provided by the ISP that gives them dial-up 
access).  In my experience, this catches at least 25% of all spam (if 
not more), and has a very low number of false positives.

	For the rest of the spammers, there are other mechanisms you can 
employ to try to deal with them.

>                      If given a choice between using crypto or DNS for
>  authentication, we all know that folks *should* be using crypto. But due to
>  laziness or ignorance, many if not most of them *will* continue to choose DNS
>  instead, since it's more familiar to many old-time admins, less "scary" and
>  generally easier to set up. Time to break that crutch.

	Put your money where your mouth is.  Turn off all your machines 
until such time as crypto-based authentication is the only method 
available world-wide, and then I might be willing to listen to you.


	Until then, all I can say is that people will use what they have 
available to them, and all we can do is work to make the crypto-based 
methods more available and easier to use, and maybe sometime in the 
far distant future (many millennia hence), we might be able to turn 
off other authentication mechanisms.

	However, even then, we should continue to maintain PTR records, 
for they serve purposes in addition to authentication.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
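The client-to-server PTR validation discussed in the message above, as an added example that is not part of the original post and not BIND or AOL code. It implements the check most MTAs actually run, forward-confirmed reverse DNS: look up the PTR for the connecting address, then require that the named host's A record point back at that address, so a PTR alone (which anyone holding the reverse delegation can set to any name) is not enough. The DNS data is a constructed in-memory table using RFC 5737 documentation addresses and invented hostnames; a real deployment would replace the two lookup callables with resolver queries.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check on an SMTP client address.

Added example, not from the original post. The DNS data below is a
constructed in-memory table standing in for a live resolver (assumption).
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed PTR data keyed by in-addr.arpa owner name (assumption).
PTR_RECORDS: Dict[str, List[str]] = {
    "10.2.0.192.in-addr.arpa.": ["mail.example.net."],            # PTR and A agree
    "20.2.0.192.in-addr.arpa.": ["mx.example.org."],              # A record points elsewhere
    "5.113.0.203.in-addr.arpa.": ["dialup-5.pool.example.com."],  # dialup-style but consistent
    # 198.51.100.7 deliberately has no PTR at all.
}
# Constructed forward (A) data keyed by hostname (assumption).
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.net.": ["192.0.2.10"],
    "mx.example.org.": ["192.0.2.99"],
    "dialup-5.pool.example.com.": ["203.0.113.5"],
}

Lookup = Callable[[str], List[str]]


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record: octets reversed under in-addr.arpa."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."


def table_lookup(table: Dict[str, List[str]]) -> Lookup:
    """Wrap a dict as a lookup; a real MTA would query the resolver here."""
    return lambda name: list(table.get(name.lower(), []))


def check_client(ip: str,
                 ptr_lookup: Lookup = table_lookup(PTR_RECORDS),
                 a_lookup: Lookup = table_lookup(A_RECORDS)) -> Tuple[str, str]:
    """Return ("accept", hostname) or ("reject", reason).

    The PTR alone proves little, since whoever controls the reverse zone can
    put any name in it. Requiring the named host's A record to point back at
    the connecting address ties the claim to a forward zone as well.
    """
    hosts = ptr_lookup(reverse_name(ip))
    if not hosts:
        return "reject", "no PTR record for %s" % ip
    for host in hosts:
        if ip in a_lookup(host):
            return "accept", host
    return "reject", "PTR name(s) %s do not resolve back to %s" % (", ".join(hosts), ip)


def smtp_reply(ip: str) -> str:
    """Map the verdict to an example connect-time SMTP reply."""
    verdict, detail = check_client(ip)
    if verdict == "accept":
        return "220 mail.example.com ESMTP (client %s verified as %s)" % (ip, detail)
    return "550 %s" % detail


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "203.0.113.5", "198.51.100.7"):
        print(client, "->", smtp_reply(client))
```

Note what this does and does not catch: the address with no PTR and the address whose PTR names a host that resolves elsewhere are both refused, while the dialup-style name passes because its records are consistent, which is exactly the trade-off the thread argues about. A legitimate sender whose reverse zone is simply misconfigured is refused too, so in practice this is one signal among several rather than the sole gate. IPv6 clients would need the nibble-format ip6.arpa name instead, which this IPv4-only example does not build.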

