[ On Tuesday, March 30, 1999 at 00:07:45 (+0200), Sheldon Hearn wrote: ]
> Subject: Re: [EXIM] Bug#35221: Another anti-spam idea
>
> The DNS resolvers queried by the _remote_ host for MX lookups are seldom
> the same resolvers used by the _local_ host for name resolution.
I don't see any difference. An MTA is both a client and a server.
> What the guys are saying is that it's usually unreasonable to reject
> mail in a situation where the _local_ host's resolver is cooked.
If your MTA's resolver is down then you should probably try to make sure
any MTA that depends on it is down too -- SMTP cannot function without
the DNS. Period.
> Well, what you're proposing allows me to cause all your mail to bounce
> by trashing your resolver. Since your resolver is often (by necessity)
> more publicly accessible than your MX might be, that's risky.
My DNS resolver endeavours never to accept bogus replies to the queries
it makes, and indeed the applications that use it attempt to verify that
the answers it gives are consistent within both the forward and reverse
zones. I.e. my MX's resolver is *NOT* publicly "accessible" (in the
sense that the average internet server is), and certainly much less so
than the SMTP service itself. If you only manage to trash my resolver
by preventing valid answers from getting to it then I will not bounce
messages, but simply defer them.
(Yes, I know more than enough about the bandwidth required to flood a
resolver with fake replies fast enough that the request ID is matched
before the authoritative reply arrives from the true nameserver.)
> But that's not the point. The point is that it's rude to bounce mail
> just because your DNS is trashed, so most people are careful not to do
> it. If you're happy with breaking this general rule of thumb, go ahead.
> Just be careful about the unqualified advice you give to others.
No, that's not the point at all. I only bounce e-mail from folks I
couldn't send e-mail to in the first place, and rightly so. I don't see
anything rude or un-neighbourly in that. In fact I've had people say
they like to use my MTA as a test system to see if they've got their DNS
and mailers configured properly. If folks with screwed up DNS really
need to contact me they can use literal IP addresses or find some
out-of-band communications medium (of which dozens abound).
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@???> <robohack!woods>
Planix, Inc. <woods@???>; Secrets of the Weird <woods@???>
--
*** Exim information can be found at
http://www.exim.org/ ***
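The two checks argued over in this thread, written out as an added example (Python; this is not Exim's code and not the poster's configuration). The first is the sender-domain check that decides between a permanent reject and a temporary defer: a domain that does not exist is rejected, but a resolver that returns SERVFAIL or times out only defers, so a trashed local resolver never turns into a bounce. The second is the forward/reverse consistency check mentioned above (PTR to a name, then the name's A record must contain the connecting address). `StubResolver`, the `ZONE` table and every name and IP address in it are constructed stand-ins so the example runs offline; a real deployment would back the same logic with the system resolver.

```python
"""Sender-domain and forward/reverse DNS checks for an SMTP front end.

Added example, not Exim code. `StubResolver` and the ZONE table are
constructed so the module runs without network access.
"""
from dataclasses import dataclass, field
from enum import Enum


class Rcode(Enum):
    NOERROR = "NOERROR"
    NXDOMAIN = "NXDOMAIN"
    SERVFAIL = "SERVFAIL"   # resolver broken, or valid answers not reaching it
    TIMEOUT = "TIMEOUT"


@dataclass
class Answer:
    rcode: Rcode
    records: list = field(default_factory=list)


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject 5xx"   # permanent: we could not reply to this sender anyway
    DEFER = "defer 4xx"     # temporary: our own resolver is the problem, retry later


TEMP_FAILURES = (Rcode.SERVFAIL, Rcode.TIMEOUT)


class StubResolver:
    """Stand-in for a real resolver; answers come from a constructed table."""

    def __init__(self, table):
        self.table = table

    def query(self, name, rtype):
        key = (name.lower().rstrip("."), rtype)
        return self.table.get(key, Answer(Rcode.NXDOMAIN))


def check_sender_domain(resolver, domain):
    """Accept only senders we could send a reply to.

    MX first; with no MX (NXDOMAIN or NODATA) fall back to an A record, as the
    SMTP delivery rules do. NXDOMAIN/NODATA on both -> REJECT (permanent).
    SERVFAIL or timeout on either lookup -> DEFER, never a bounce.
    """
    mx = resolver.query(domain, "MX")
    if mx.rcode in TEMP_FAILURES:
        return Verdict.DEFER
    if mx.rcode is Rcode.NOERROR and mx.records:
        return Verdict.ACCEPT
    a = resolver.query(domain, "A")
    if a.rcode in TEMP_FAILURES:
        return Verdict.DEFER
    if a.rcode is Rcode.NOERROR and a.records:
        return Verdict.ACCEPT
    return Verdict.REJECT


def reverse_name(ip):
    """Dotted-quad IPv4 address -> its in-addr.arpa PTR owner name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def fcrdns(resolver, ip):
    """Forward-confirmed reverse DNS.

    PTR -> candidate name(s); a name is confirmed only if its A records contain
    the original address. Returns (verdict, confirmed name or None). Treating a
    mismatch as REJECT is the policy choice discussed in the thread; resolver
    failures again only DEFER.
    """
    ptr = resolver.query(reverse_name(ip), "PTR")
    if ptr.rcode in TEMP_FAILURES:
        return Verdict.DEFER, None
    for name in ptr.records:
        fwd = resolver.query(name, "A")
        if fwd.rcode in TEMP_FAILURES:
            return Verdict.DEFER, None
        if ip in fwd.records:
            return Verdict.ACCEPT, name.lower()
    return Verdict.REJECT, None


# Constructed zone data (documentation addresses from RFC 5737).
ZONE = {
    ("example.org", "MX"): Answer(Rcode.NOERROR, ["mail.example.org"]),
    ("mail.example.org", "A"): Answer(Rcode.NOERROR, ["192.0.2.25"]),
    ("25.2.0.192.in-addr.arpa", "PTR"): Answer(Rcode.NOERROR, ["mail.example.org"]),
    ("nomx.example.org", "MX"): Answer(Rcode.NOERROR, []),          # NODATA
    ("nomx.example.org", "A"): Answer(Rcode.NOERROR, ["192.0.2.26"]),
    ("broken.example.org", "MX"): Answer(Rcode.SERVFAIL),
    # A PTR that names a host whose A record points elsewhere (inconsistent).
    ("1.2.0.192.in-addr.arpa", "PTR"): Answer(Rcode.NOERROR, ["mail.example.org"]),
}
RESOLVER = StubResolver(ZONE)


if __name__ == "__main__":
    for dom in ("example.org", "nomx.example.org", "bogus.invalid", "broken.example.org"):
        print(f"MAIL FROM:<x@{dom}> -> {check_sender_domain(RESOLVER, dom).value}")
    for ip in ("192.0.2.25", "192.0.2.1", "203.0.113.9"):
        print(f"connection from {ip} -> {fcrdns(RESOLVER, ip)}")
```

The point the example makes concrete is which DNS outcome maps to which SMTP response code: only a definite "no such domain" answer earns a 5xx, while anything that looks like the local resolver failing (SERVFAIL, timeout) earns a 4xx and a retry by the peer.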