RE: [Exim] Inbound Hosts without valid rDNS

Góra strony
Delete this message
Reply to this message
Autor: Exim User's Mailing List
Data:  
Dla: eli
CC: Exim User's Mailing List
Temat: RE: [Exim] Inbound Hosts without valid rDNS
[ On Tuesday, December 30, 2003 at 00:30:32 (-0500), Eli wrote: ]
> Subject: RE: [Exim] Inbound Hosts without valid rDNS
>
> Nothing broken about that DNS setup. People seem to have quite the
> misconseption about how DNS zones should be set up - point is though that
> DNS allows for quite a few different setups, even if some people think
> they're "broken".


True enough. The DNS is a remarkably flexible and resilient system,
though unfortunately it's far from perfect. However the DNS is entirely
and totally useless if people don't "use" it in consistent and
predictable ways, and that goes double for the convention of the reverse
DNS.

> The cold truth is, that not many people have much, if any, control over
> their reverse DNS.


The realy absolute-zero truth is that you are making a totally
misleading statement there.

One does not need full nor direct control over one's reverse DNS in
order to make it correct and complete.

Never the less, broken reverse DNS remains a worse nightmare for those
suffering with it than no reverse DNS at all.

Indeed the main concepts behind the reverse DNS are founded upon the
expectation that a separate "authority" will be in control of the
reverse DNS zones used for the addresses in a given domain. It's the
same idea, though perhaps to a lesser degree, as having someone witness
your signature on a document by adding their own.

> Take for example my hosting company. We offer static IPs for websites, but
> we give no control over reverse DNS. To aid our support department in quick
> tracing, we have all reverse DNS point to the name of the webserver, however
> forward DNS of the various domain names yeilds one of the IPs on the server:
>
> domain.com -> 123.123.123.123
> 123.123.123.123 -> web1.company.com


Well that's brokenness entirely your own doing then. You should try to
learn what others on the Internet expect of you rather than defining a
scheme that's useless to everyone else and of less use to you and your
customers than it could potentially be. Sadly your customers are no
doubt too naive and too complacent to force you to fix your systems.

> As you can see, this can be considered quite broken in DNS land, since you
> get back not what you queried in the first place,


Indeed it its. The person who designed that system you use really must
have been quite naive about the DNS in general -- either that or totally
uncaring.

> but the hard truth is -
> what's the difference between the "official" name, and any one of its
> pointers it may have?


Well once you realize that there is no such thing as an "official"
hostname in the DNS, nor can there ever be such a construct, then maybe
you'll come to understand a little bit more about how the reverse DNS
can be made to be _much_ more useful than you make it out to be.

> It seems that since the advent of spammers, people try to take any and all
> measures to try and block them.


True enough, but what you say is also misleading and off-base.

However the use of reverse DNS in SMTP transactions is not really
related at all to spammers -- spam came along long after people started
making use of the reverse DNS to enhance the level of trust one can put
in hostnames used and recorded in SMTP transactions.

It's just that before spam the Internet was mostly controlled by
academics who were vastly more interested in removing any even potential
impediments to communications than they were on doing things carefully
and correctly. I.e. the Interent was not built by accountants,
businessmen, bankers, policemen, and parents. :-/

> The funny thing is that mail delivery
> should depend on only 2 things for DNS - an MX record for new style mail
> delivery, and failing an MX record, the ability to at least get the ip of
> the domain name after the @ to deliver to it directly.


Well, the funny thing about e-mail delivery is that there's more to it
than just routing a message to a destination host and making a TCP
connection to the SMTP server on that host. At least there is if you're
not "just" a spammer.

What you are missing, entirely, (and what spammers really want us all to
"miss") is what the SMTP server might wish, or even require, to know
about the sending client host.

Although the following analogy is nowhere near perfect (as is the case
with most analogies between the the pre-Internet world and the
Interent), what you've described is much like junk mail that's delivered
direct to a mailbox without a stamp or a postal mark. The recipient has
very little to go on to identify the party responsible for making the
delivery. The best you can do is photograph the delivery person, but
unless you've got better resources than the average police department
such "evidence" won't tell you anything about where you might find log
entries regarding the initial steps the message took on its way to you,
especially if you don't start looking for such information for hours or
days after the delivery takes place.

There are relatively few domains which require valid and correct reverse
DNS for all their foreign SMTP clients (though a remarkable number of
them seem to be exim users and active subscribers to this list :-).
Personally I don't require there be any reverse DNS for foreign SMTP
clients connecting to my mail servers, though I do require that if there
is any reverse DNS that it be valid, correct, and complete.

Unfortunately some of the folks requiring reverse DNS for foreign SMTP
clients don't care to check if it is valid and correct, let alone
complete. What they hope to gain, I cannot imagine. While it is true
that some spammers send their junk from clients that don't have valid or
correct reverse DNS, it is also true that a vast number of non-spammers
also communicate via clients (i.e. SMTP gateways/relays) that don't have
valid reverse DNS. Meanwhile there are enough spammers who do have have
direct control over their own reverse DNS. As a result those of you who
are requiring reverse DNS but who are not confirming that it is valid
and correct are doing yourselves and your user's a major disservice
since you are providing misleading and even blatantly incorrect
information about the source of those very messages which you and your
users are most interested in tracing back to their origins.

Worse yet those folks requiring reverse DNS but not caring if it's valid
or correct are perpetuating the idea that you can get away with creating
the broken reverse DNS that you've described. (Same goes for those who
require a syntactically correct HELO greeting but who don't care if it's
valid and semantically correct -- you're only making things much more
difficult for everyone else (except of course the spammers).)

You can certainly continue to live in the broken little reverse DNS
world you've created for yourself (and, sadly, your naive customers),
but you don't have to and you really shouldn't want to if your goal is
to be a good Internet neighbour. Shame on you for perpetuating
apathetic notions that make it easier for spammers to hide their tracks.

--
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>