Re: [Exim] Delay 220 greeting to reduce spam?

Author: Exim User's Mailing List
Date:  
To: Tor Slettnes
CC: Exim User's Mailing List
Subject: Re: [Exim] Delay 220 greeting to reduce spam?
[ On Thursday, June 3, 2004 at 10:21:32 (-0700), Tor Slettnes wrote: ]
> Subject: Re: [Exim] Delay 220 greeting to reduce spam?
>
> Hmm. If you _require_ a two-way DNS match, you will miss out on a lot
> of "legitimate" mail (from such places as Amazon, Yahoo, Hotmail,
> etc..).


On the contrary _I_ don't miss out on anything! ;-)
I.e. that's a very _good_ thing for my domain! :-)


> And indeed, this is not how the Exim "verify = helo" works;


Of course not -- the check I'm complaining failed for 216.168.1.22 is
purely related to their broken reverse DNS -- nothing to do with the
HELO parameter at all.


> it
> merely verifies that _either_ of these conditions is met:
> - the HELO name resolves to the calling IP, or
> - the calling IP resolves to the HELO name.


The Exim "verify = helo" isn't doing exactly the right thing either, but
that's a somewhat different issue since I'm not running Exim on that
host :-)


> Andrew satisfies the former of these two -- 'trinity.supernews.com'
> resolves to 216.168.1.22 (plus another address).


Yes, of course, and my HELO verification succeeded because there is a
matching A record for the client source address.

But that's not the only test I require every client to pass.

What's the point of having reverse DNS if the result can appear as if
another host is spoofing your hostname? There are algorithmic
definitions for how this stuff is supposed to work so that such stupid
confusions don't happen. You can't begin to expect a computer to assume
that a matching subdomain, or some half-correct reverse DNS wasn't
spoofed, unless you start inventing all kinds of complicated rules that
nobody will ever agree on anyways.

For every hostname there must be a matching PTR and vice versa,
regardless of how many IP addresses a hostname has or how many hostnames
an IP address has. It's simple orthogonality at its purest. If
anything is missing, or even one name is wrong, it's worse than there
being no reverse DNS at all in the first place because it is misleading
at best and indistinguishable from a poisoned cache or other spoofing
tricks.

--
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>