nslookup from WinNT machine
Brad Knowles
brad.knowles at skynet.be
Wed May 30 14:16:53 UTC 2001
At 9:00 PM -0400 5/29/01, Kevin Darcy wrote:
> As such, the focus is on delivering as much
> mail as possible, rather than maximizing the subjective "quality" of the email
> delivered (i.e. by "sanitizing" spam from it). When it comes to email, it's
> quantity over quality, basically.
Which is *precisely* what spammers want. When management starts
counting up the cost of spam, I think that they'll almost certainly
change their minds. That's certainly been my universal experience
everywhere I've gone.
> And, as spam-avoidance mechanisms go, the PTR-based one is pretty much
> bottom-of-the-barrel, IMO. It'll become completely obsolete once spammers
> learn how to make PTR records.
But you still have to get them delegated to you, which is the
truly hard part. Of course, while anyone can own their own forward
DNS, it is much, much harder to own your own reverse DNS, and that
means that PTR records really are a good way to keep down the noise
from garbage throw-away dialup lines.
At AOL, we found that this reduced the amount of spam we got by
more than 25%, and when you're talking about a site that does
multiple millions of mail messages per day, and spends tens of
millions of dollars per year to buy new mail servers to replace the
overloaded mail servers from last year, this is a *HUGE* cost savings.
> Frankly, I don't see the point of basing an
> anti-spam mechanism on the sender's ability to implement increasingly arcane
> features of DNS which have no direct relationship to whether they are a
> spammer or not.
PTR records are not particularly arcane, and since they require
delegation, you can be reasonably sure that the delegating authority
is aware at some level of what the delegee is doing, and you can hold
them legally responsible for the actions of their customer.
> Now that the spammers are more
> sophisticated (some of them now run their *own* ISPs), I wouldn't be surprised
> if the false-rejection rate of the PTR mechanism is actually higher than the
> legitimate-rejection rate.
There are still far more spammers out there using garbage
throw-away free dialup lines than anything else, because there are
still a lot of sites out there that are backwards enough (such as
yours) that they accept anything without validating the PTR record.
> BTW, we *do* implement some spam-avoidance mechanisms here. But they are
> mainly in the form of rejecting mail outright from "free" mail services like
> Hotmail.
How can you be sure that you would never get a business mail
message from hotmail? Indeed, hotmail (and many other free e-mail
services) actually gets quite a bad rap, because the spam never
actually originates at hotmail, it simply claims a hotmail return
address to try and throw people off the track.
I've seen this untold numbers of times, and indeed it is one of
the simplest tricks that spammers use. Anyone remotely familiar with
spammers and proper anti-spam techniques should be aware of this
issue, and not fall into such a ludicrously silly trap.
Let's take a better case -- AOL. Let's say you want to block all
e-mail coming from AOL. Well, how do you do this, by domain name or
by IP address? It is trivially easy for someone to use AOL as a
dial-up service provider to send e-mail to you, but to claim a
non-AOL return address. As shown above, it is trivially simple for
someone to claim an AOL return address regardless of what IP address
they're coming in from.
So, if you really wanted to do this properly, you'd have to do it
by IP address and not by domain name. Problem is, AOL also operates
one of the largest hosting/housing/co-location services in the world,
with some of the world's busiest web sites directly on their premises.
Many of these companies could very well be customers or suppliers of
yours, but of course their IP addresses would be in the same ranges
as owned by the rest of AOL.
So, what do you do? You're screwed if you do, and screwed if you don't.
> Which pretty much proves my point. PTRs are useless for authentication,
> whether you're trying to authenticate someone as a non-spammer, or as a
> trusted admin of your sensitive systems.
It's virtually useless as a server-to-server validation
mechanism, but not as a client-to-server mechanism. It does prevent
people from coming in from a garbage throw-away free dialup system
from abusing the network and transmitting spam directly to your
servers (if they really wanted to get e-mail to you, they can route
it through the servers provided by the ISP that gives them dial-up
access). In my experience, this catches at least 25% of all spam (if
not more), and has a very low number of false positives.
For the rest of the spammers, there are other mechanisms you can
employ to try to deal with them.
> If given a choice between using crypto or DNS for
> authentication, we all know that folks *should* be using crypto. But due to
> laziness or ignorance, many if not most of them *will* continue to choose DNS
> instead, since it's more familiar to many old-time admins, less "scary" and
> generally easier to set up. Time to break that crutch.
Put your money where your mouth is. Turn off all your machines
until such time as crypto-based authentication is the only method
available world-wide, and then I might be willing to listen to you.
Until then, all I can say is that people will use what they have
available to them, and all we can do is work to make the crypto-based
methods more available and easier to use, and maybe sometime in the
far distant future (many millennia hence), we might be able to turn
off other authentication mechanisms.
However, even then, we should continue to maintain PTR records,
for they serve purposes in addition to authentication.
--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
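The client-to-server PTR check discussed in this message, written out as an added example (it is not code from this thread or from BIND). The DNS data is constructed in-memory tables standing in for a resolver, so it runs offline; every host name and address in it is invented (RFC 5737 test ranges), and the function names are hypothetical. It distinguishes three cases a mail server sees on connect: no PTR at all (the throw-away dialup case, rejected), a PTR whose forward lookup does not confirm it (logged, not rejected), and a forward-confirmed PTR. An operator-maintained allowlist covers the false-positive case raised in the thread, a legitimate peer whose ISP never delegated reverse space to them.

```python
"""PTR-based SMTP connect policy with forward confirmation (added example)."""
import ipaddress
from typing import Optional

# Constructed zone data standing in for a real resolver. Assumption: all names
# and addresses below are invented for this example.
PTR_TABLE = {
    "10.2.0.192.in-addr.arpa": "mail.example.net",          # well-run mail host
    "20.2.0.192.in-addr.arpa": "dial-20.pool.example.org",  # PTR exists, forward disagrees
    "5.113.0.203.in-addr.arpa": "orphan.example.com",       # PTR names a host with no A record
}
A_TABLE = {
    "mail.example.net": ["192.0.2.10"],
    "dial-20.pool.example.org": ["198.51.100.5"],
}
# Exceptions for legitimate peers that cannot get reverse delegation from
# their provider; maintained by the operator, not derived from DNS.
ALLOWLIST = {"198.51.100.200"}


def lookup_ptr(ip: str, ptr_table=PTR_TABLE) -> Optional[str]:
    """Return the PTR target for ip, or None if the reverse name has no record."""
    # ipaddress builds the in-addr.arpa / ip6.arpa owner name for us,
    # e.g. "10.2.0.192.in-addr.arpa" for 192.0.2.10.
    rev = ipaddress.ip_address(ip).reverse_pointer
    return ptr_table.get(rev)


def lookup_a(name: str, a_table=A_TABLE) -> list:
    """Return the forward addresses for name (empty list if none)."""
    return a_table.get(name, [])


def classify_client(ip: str, ptr_table=PTR_TABLE, a_table=A_TABLE) -> str:
    """Classify a connecting IP as 'no-ptr', 'unconfirmed' or 'confirmed'."""
    name = lookup_ptr(ip, ptr_table)
    if name is None:
        return "no-ptr"
    # Forward-confirmed reverse DNS: the PTR target must resolve back to ip.
    if ip in lookup_a(name, a_table):
        return "confirmed"
    return "unconfirmed"


def smtp_connect_policy(ip: str, allowlist=ALLOWLIST,
                        ptr_table=PTR_TABLE, a_table=A_TABLE) -> tuple:
    """Decide whether to accept an SMTP connection from ip.

    Returns (accept, reason). Only the total absence of a PTR is rejected;
    an unconfirmed PTR is accepted but flagged, keeping false positives low.
    """
    if ip in allowlist:
        return True, "accepted; allowlisted peer without reverse delegation"
    verdict = classify_client(ip, ptr_table, a_table)
    if verdict == "no-ptr":
        return False, "550 no reverse DNS (PTR) for %s" % ip
    if verdict == "unconfirmed":
        return True, "accepted; PTR not forward-confirmed, logged for review"
    return True, "accepted; forward-confirmed reverse DNS"


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "203.0.113.5",
                   "198.51.100.77", "198.51.100.200"):
        accept, reason = smtp_connect_policy(client)
        print("%-15s %-11s %s" % (client, classify_client(client), reason))
```

The policy rejects on the connecting IP, never on the claimed return address, for the reason given earlier in the message: anyone can put a hotmail or AOL address in the envelope, but the reverse delegation for the IP they connect from belongs to whoever was actually assigned that space.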