On Tue, Feb 05, 2002 at 07:40:06PM -0800, Brent Jones wrote:
> For the past several months now, I've been denying hosts with no reverse
> mapping on their IPs, and believe me, this stops a lot of spam! But, I've
> also been watching how many legitimate hosts are being denied, because
> their admins, or themselves do not have correct reverse mapping set on
> their IPs.

This is something I have had long debates about with people in the past.
I personally do block on no reverse lookup, but only for my personal mail;
mail sent to my work address is subject to completely different policies
(and gets about 100 times the amount of spam that my personal mail does).

> Now, I know the world is perfect, and mistakes are made, but I would think
> that any professional mail server would have both forward and reverse
> lookups functioning on it.

Yes. I think this should be the case too. Many perfectly legitimate exim
configurations will require this to be set up, and similarly for other
MTAs. Not having forward and reverse DNS that correspond is, IMHO, a sign
of utter cluelessness.

I have come across companies who are not willing to have rDNS on their
outward facing mailservers "for security reasons". This argument just
doesn't cut it, and shows a general lack of understanding.

Personally, I'd be quite happy to deal with your mail server, if, for
example with my mail server, colon.colondot.net [212.135.138.209] was called
209.138.135.212.in-addr.colondot.net (in much the same way as BT do their
hosts for dsl and dialup). Obviously this has the disadvantage of looking
like a dialup host, but it isn't. The point though, is that if that name
exists, then the forward must exist too and point back. This gives out no
information (but I know it's a mail server anyway, otherwise it wouldn't
be connecting to me).

> I recently disabled that check, since a few significant e-mails have been
> unfairly dropped, but I would just like to ask a question to everyone
> here; how many legitimate mail servers do you guys think there are
> running out there without correct reverse lookups?

Lots. But educating them could be a priority. Saying that you're not going
to accept mail from domains with no reverse DNS is one way to try and get
them to change. It shows that they've gone to some effort to set up their
IP network correctly.

> I'm just curious, because it has stopped a lot of those up one day, down the
> next mail servers who send 5 million e-mails, and go down immediately after
> that, but like I said, a few messages that were legitimate were also
> dropped.

I have a system whereby unseen mailservers are 450'ed for 3 hours, giving
them a chance to go on blacklists or to hit bait addresses on my system.
This helps with that situation.
MBM
--
Matthew Byng-Maddick <mbm@???> http://colondot.net/
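
The forward/reverse correspondence check discussed in this thread, as an added example that is not part of the original message or of any MTA's own code. The function names, verdict strings and sample tables are assumptions made for illustration; lookup failures of any kind are treated as "no name".

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for an address via the system resolver; [] if none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name] + aliases

def system_addrs(name):
    """A/AAAA addresses for a name via the system resolver; [] if none."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []

def fcrdns(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return ("pass", name), ("no-ptr", None) or ("mismatch", name)."""
    client = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return ("no-ptr", None)
    for name in names:
        for addr in addr_lookup(name):
            try:
                if ipaddress.ip_address(addr) == client:
                    return ("pass", name)   # name resolves back to the client
            except ValueError:
                continue                    # skip unparsable resolver output
    return ("mismatch", names[0])           # PTR exists but is unconfirmed

# Constructed sample zone data so the check runs offline. The first entry is
# the naming scheme from the post; the rest use documentation addresses.
SAMPLE_PTR = {
    "212.135.138.209": ["209.138.135.212.in-addr.colondot.net."],
    "192.0.2.10": ["mail.example.net"],
}
SAMPLE_A = {
    "209.138.135.212.in-addr.colondot.net": ["212.135.138.209"],
    "mail.example.net": ["192.0.2.99"],
}

def sample_check(ip):
    """Run fcrdns() against the constructed tables instead of live DNS."""
    return fcrdns(ip, lambda a: SAMPLE_PTR.get(a, []),
                  lambda n: SAMPLE_A.get(n, []))

if __name__ == "__main__":
    for ip in ("212.135.138.209", "192.0.2.10", "192.0.2.77"):
        print(ip, sample_check(ip))
```

Calling fcrdns() with only an address uses the system resolver; the "mismatch" verdict is the case where a PTR record exists but its name does not point back at the connecting address.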