Reverse DNS question... is it really necessary or not?

Chip Mefford cpm at well.com
Tue Jul 20 17:06:40 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Barry; All

Barry Margolin wrote:
| In article <cdjbvr$19e4$1 at sf1.isc.org>, Chip Mefford <cpm at well.com>
| wrote:
|>
|>Good day all;
|>
|>
|>Jonathan de Boyne Pollard wrote:
|>| KD> some misguided mail servers/admins use reverse lookups as a
|>| KD> kind of litmus test for spam (as if spammers couldn't come
|>| KD> up with their own reverse records, duh).
|>|
|>| CM> Right, but spambots don't.
|>|
|>| Rubbish.  Hijacked third-party machines also often have address->name
|>| mappings, and for pretty much the same reason: The people whose
|>| machines have been hijacked also have to deal with the numbskulls who
|>| employ these daft "security" mechanisms on their various TCP services.
|>
|>They may indeed have address->name mappings, but very seldom does
|>one have an MX record. No MX record, then it is not a legitimate
|>mail relay. This is not rubbish.
|
|
| Many organizations, especially large ISPs, use different machines for
| outgoing and incoming mail (for instance, incoming mail might be
| directed to a machine that performs virus checking).  So there's no good
| reason to expect the mail to come from an address that the MX records
| point to.

Sigh,
Okay, I give.
However, over the last few months, on irc and other places, I've worked
with folks who all of a sudden were bouncing email where none had
bounced before. I checked their DNS records, found no SPEWS, ORBS or
other listings, asked them to add an MX for the machine that was getting
rejected, and presto change-o, magically the mail started going through
to aol, compuserve, apple.com and others, where it wasn't before.

Therefore, I inferred, and others have confirmed, that some large
networks were doing these checks, and others are following their lead.
Again, fact of life.

| Agreed.  This whole situation with spam and email-borne malware has
| resulted in many administrators having to compromise and choose "least
| of evils".  But you're treading a fine line, and you have to be careful
| not to throw out the baby with the bathwater.
Very careful indeed.
I do *not* take this draconian measure. If I did, I would not
be servicing my employer or clients, as many of our correspondents
are in the US government. They (the USG) still have some open relays,
and queries addressed to the listed POCs seem to drop into a black hole.

I have vendors who put out information to some of my folks via home
based broadband using the same software and the same practices utilised
by many "mass marketing" enterprises. This has caused me no end of grief.

I'll take a moment to clarify that I do *NOT* support this SPF movement
at all. Will I register? When it becomes an issue (*if* it becomes an
issue) yes. I am more in favor of using TLS with CA certs for
identifying mail hosts as trusted. However, until such a time as
there is a recognised non-partisan, non-Verisign, non-political,
free-as-in-beer CA, I can't support that either. Will I do it anyway?
Yes, if I have to.
|
|>The original question had to do with whether or not reverse
|>dns was really necessary. The answer is a resounding yes.
|
| To use yet another aphorism, mail administrators are caught between a
| rock and a hard place.  Users are screaming for relief from spam, and
| they expect administrators to do something to stem the flow.  Content
| filtering (e.g. Bayesian analysis) is one prong in their solution, but
| it's not a complete solution, and additional heuristics are needed.

They are indeed.

Thanks kindly for your words on this matter.

- --chipper

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA/VEOa44x14FCa6ARAurEAKCMLTzZv/FIWmfSAur2GCUy/ZcWIgCgqwhI
JpdX3LlP1xqZjdABtA4KpEo=
=hMWX
-----END PGP SIGNATURE-----
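The two checks the thread argues about, a forward-confirmed reverse DNS (FCrDNS) lookup on the connecting IP and the "does the sending host have an MX" heuristic Chip describes, written out as an added example. This is editor-supplied code, not from the bind-users post or any of its authors; it runs against a constructed in-memory record table (the `FAKE_DNS` dictionary, hosts and addresses invented for illustration) standing in for a real resolver, so it works offline. Note that the MX test encodes exactly the assumption Barry objects to: an outbound-only relay with valid FCrDNS but no MX in its name's zone lands in the "suspect" bucket, which is the false-positive case the thread warns about.

```python
"""FCrDNS and MX-presence checks for an SMTP client IP (illustrative, offline).

Assumption: FAKE_DNS is a constructed stand-in for live DNS; the names and
addresses in it are invented for this example and are not real hosts.
"""
import ipaddress

# Constructed sample records: (rtype, owner name) -> list of rdata strings.
FAKE_DNS = {
    # A proper relay: PTR points forward to a name that resolves back,
    # and the name's parent zone publishes an MX.
    ("PTR", "4.3.2.1.in-addr.arpa."): ["mail.example.net."],
    ("A", "mail.example.net."): ["1.2.3.4"],
    ("MX", "example.net."): ["10 mail.example.net."],
    # Home broadband host: FCrDNS is fine (the ISP generated it), but no MX
    # anywhere up the name. This is the "mail suddenly bounces" case.
    ("PTR", "8.7.6.5.in-addr.arpa."): ["dsl-5-6-7-8.isp.example."],
    ("A", "dsl-5-6-7-8.isp.example."): ["5.6.7.8"],
    # Forged PTR: the name it claims does not resolve back to the IP.
    ("PTR", "12.11.10.9.in-addr.arpa."): ["bogus.example.org."],
    ("A", "bogus.example.org."): ["192.0.2.99"],
}


def lookup(rtype, name, table=FAKE_DNS):
    """Resolver stand-in: return rdata for (rtype, name), [] on NXDOMAIN/NODATA."""
    return table.get((rtype, name), [])


def reverse_name(ip):
    """'1.2.3.4' -> '4.3.2.1.in-addr.arpa.' (also handles IPv6 via ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip, table=FAKE_DNS):
    """Forward-confirmed reverse DNS: PTR names whose A records contain ip.

    A PTR alone proves nothing (anyone controlling the in-addr.arpa zone can
    publish one); confirmation requires the forward lookup to point back.
    """
    confirmed = []
    for name in lookup("PTR", reverse_name(ip), table):
        if ip in lookup("A", name, table):
            confirmed.append(name)
    return confirmed


def has_mx(name, table=FAKE_DNS):
    """True if the host name or any ancestor zone publishes an MX record.

    Walks up one label at a time: mail.example.net. -> example.net. -> net.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        if lookup("MX", zone, table):
            return True
    return False


def classify(ip, table=FAKE_DNS):
    """Apply the checks in the order a receiving MTA would: rDNS first, then MX."""
    names = fcrdns(ip, table)
    if not names:
        return "reject: no forward-confirmed reverse DNS"
    if not any(has_mx(n, table) for n in names):
        # Heuristic only: legitimate outbound-only relays fail this too.
        return "suspect: rDNS ok but no MX for " + names[0]
    return "accept: " + names[0]


if __name__ == "__main__":
    for client in ("1.2.3.4", "5.6.7.8", "9.10.11.12"):
        print(client, "->", classify(client))
```

Against a real resolver the `lookup` function would be replaced by actual PTR/A/MX queries, and the one substantive design choice is visible in `classify`: FCrDNS failure is a hard reject, while the missing-MX case is only flagged, because, as the thread points out, large ISPs routinely send from hosts that no MX record names.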

