Reverse Dns Question...is it really necessary or not?

Chip Mefford cpm at well.com
Tue Jul 20 14:48:18 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good day all;


Jonathan de Boyne Pollard wrote:
| KD> some misguided mail servers/admins use reverse lookups as a
| KD> kind of litmus test for spam (as if spammers couldn't come
| KD> up with their own reverse records, duh).
|
| CM> Right, but spambots don't.
|
| Rubbish.  Hijacked third-party machines also often have address->name
| mappings, and for pretty much the same reason: The people whose machines have
| been hijacked also have to deal with the numbskulls who employ these daft
| "security" mechanisms on their various TCP services.

They may indeed have address->name mappings, but very seldom does
one have an MX record. No MX record, then it is not a legitimate
mail relay. This is not rubbish.

| The end result of this silly game is that every TCP client in the world
| connects from an IP address which has an address->name mapping

Which is closer to ideal than things are currently, yes.

| (plus whatever
| other mappings these misguided administrators come up with) listed in the
| public DNS database, and the world is effectively back to where it started
| (with the exception that the process of allocating an IP address has all this
| extra baggage attached to it that *everyone* has to carry).

Keep it up with the thinly veiled insults, and I'm going to start taking
it personally ;-)

There is a lot more *baggage* attached to allocating an IP address than
a lot of folks (including some really large ISPs) currently realize.
This is obvious in practice.

In short, (for me, and for many others) it boils down to
postmaster at domain.tld needs to be these three things;

legitimate,
responsive,
clueful.

This is not the case today, it was the case 'once upon a time' and is
no more.
If it were, then perhaps all of us "misguided" administrators would be
able to solve our problems without having to grasp at every straw we can
find, using some, discarding others as the situation dictates.

I am a postmaster.
I take my responsibilities as such seriously. I have an employer and
clients who depend on me to do so. I also have a community known as the
internet that also depends on me as I depend on them to try to do, if
not the *right* thing, then at least a *good* thing when it comes to
taking responsibility for the presence on the internet that is under my
administrative control.

| JdeBP> ... which, of course, they do.  And as a consequence these
| JdeBP> misguided administrators come up with ever more convoluted,
| JdeBP> arbitrary, and fallacious DNS-based tests to apply, and
| JdeBP> cause more and more false positives as a consequence.
|
| CM> This is becoming more prevalent. Not less so.
|
| Where did anybody say that this foolishness was becoming less prevalent, or
| even comment upon its prevalence at all ?  To whom are you actually responding

I am responding to you in fact, and the mailing list in general.

A clean and comprehensive DNS configuration for a domain is
practical, doable, and not that hard.

Let me see, I'm receiving 1000 emails a day from an IP address.
None of these emails contain anything other than unsolicited
advertising, the IP address maps to either nothing, or to a
broadband customer of a faceless ISP in Europe (read wanadoo.fr).
The MX records for that domain have nothing whatsoever to
do with that IP address. It's completely fair to assume that
the email is spam being sent from a host either intentionally
or unintentionally. In fact, of the tens of thousands of unwanted,
un-asked-for, undesirable emails that my machines receive
a day, most of them come from name mappings that are light-years away
from any MX record. *AND* the email that comes in that *IS*
mapped to an MX record, oddly, contains the great majority
of legitimate mail that my machines process.

In what way is this convoluted, arbitrary, or fallacious? It
is none of these things. It is demonstrable, simple to implement,
consistent with the RFCs, and consistent with common practice that
is becoming more common.

The original question had to do with whether or not reverse
dns was really necessary. The answer is a resounding yes.

| ?
|
| CM> It's a fact, like it or not.
| CM> [...]
| CM> 's all I got to say.
|
| And it wasn't particularly worthwhile for you to say it.

No, what isn't particularly worthwhile to say is that those of us
who are out here having to deal with it should ignore misconfigured
DNS records, ignore postmaster and abuse addresses that have no
living creature behind them, ignore the huge overwhelming spam
traffic that is choking our networks, and worse yet,
imply to those who come to this list looking for help to ignore the
advice of those who are trying to deal with it themselves.

| The fact that one
| has to deal with foolishness doesn't prevent one from attempting to rectify
| that foolishness, by pointing out that it *is* foolishness and why.  Saying
| nothing more than "You have to deal with foolishness, even if you don't like
| it." to those who do so, contributes exactly nothing.

Arguing that what is being done -by folks who exercise a great deal more
control over how email is sent and received than most of us ever will-
shouldn't be done contributes nothing whatsoever to the *FACT* that
we who are postmasters have to deal with it and adopt appropriate
measures, if it contributes anything at all, contributes very little.
(Which by the way, is crucial to the thread.)
|
| CM> I want to run an open relay, [...]
| CM> I want to run an open innd server, [...]
|
| Your analogies, between not having published address->name mappings for the IP
| addresses of service clients and running promiscuous proxy servers of various
| kinds, are false ones.

Not at all. The analogy was between what was acceptable and what is no
longer, due to abuse of the system that was designed to be flexible, not
brittle, cooperative, not hostile, blah blah blah. If you missed this
analogy, I'm sorry I didn't put it better. It is not, however, false.

Look;
I have read much at your website, and learned a lot as a result, I refer
to it fairly often, and find it of great use. I AM NOT YOUR ENEMY, stop
treating me as such.

- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA/TB6a44x14FCa6ARAsfbAJ9x4Cwsr/g8TXIALPBqXRSNhT8/YwCeKbGt
9mJCPiZWfS5UPygsSV5LOaU=
=hO+w
-----END PGP SIGNATURE-----
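
Added example, not part of the original message: the test the message above describes (does the connecting address have a name, and is it one of the MX hosts of that name's domain), written in Python over constructed DNS data. The forward-confirmation step, the result labels and all names and addresses are assumptions that go beyond the message; `out1.example.org` is a constructed outbound-only relay that has a valid name but is not an MX host.

```python
import ipaddress
from collections import Counter

# Constructed DNS data (documentation names/ranges) standing in for live lookups.
PTR = {
    "192.0.2.25": "mail.example.org",            # inbound MX host
    "192.0.2.40": "out1.example.org",            # outbound-only relay
    "198.51.100.77": "dsl-77.pool.isp.example",  # broadband customer
    "203.0.113.50": "mail.example.org",          # PTR set by the address owner
}
A = {
    "mail.example.org": ["192.0.2.25"],
    "out1.example.org": ["192.0.2.40"],
    "dsl-77.pool.isp.example": ["198.51.100.77"],
    "mx.isp.example": ["198.51.100.1"],
}
MX = {"example.org": ["mail.example.org"], "isp.example": ["mx.isp.example"]}


def parent_domains(name):
    """Return the name and each parent domain, stopping before the TLD."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def classify(client_ip):
    """Label a connecting address by what the DNS says about it."""
    ip = str(ipaddress.ip_address(client_ip))
    ptr = PTR.get(ip)
    if ptr is None:
        return "no-ptr"                # address maps to nothing
    if ip not in A.get(ptr, []):
        return "ptr-unconfirmed"       # name does not resolve back to the address
    for domain in parent_domains(ptr):
        for mx_host in MX.get(domain, []):
            if ip in A.get(mx_host, []):
                return "mx-host"       # address belongs to an MX of its own domain
    return "ptr-only"                  # named, but unrelated to any MX record


def summarize(client_ips):
    """Count labels over a batch of connecting addresses."""
    return Counter(classify(ip) for ip in client_ips)


if __name__ == "__main__":
    for ip in ["192.0.2.25", "192.0.2.40", "198.51.100.77",
               "203.0.113.50", "203.0.113.9"]:
        print(ip, classify(ip))
```

The broadband address and the outbound-only relay both come back `ptr-only`, so a receiver that uses this result as one input to scoring can tell them apart by other signals, while one that rejects on it treats them the same.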


More information about the bind-users mailing list