* on the Fri, Mar 09, 2007 at 07:27:04AM +0100, Marco Wessel wrote:
>> I want to confirm what I need to deny email if there is no PTR
>> record on a
>> connecting IP. I do NOT want to lookup the reverse (PTR) and then
>> look at
>> the A record also and then fail.
Marco didn't answer your question so here's a solution. I don't know if
it's the best method but it'll work:
deny condition = ${lookup dnsdb{ptr=$sender_host_address}{false}{true}}
message = There is no reverse DNS on $sender_host_address
> I'm not sure why you'd want that, as it is a relatively bad idea: it
> would allow me to fake my origin very easily. If I'm delegated the
> reverse for 1.2.3.0/24, I can just set 1.2.3.4's PTR record to be
> 'smtp.paypal.com' without paypal having anything to do with it. Doing
> the forward lookup allows verification: 'smtp.paypal.com' is not
> going to resolve back to my IP address, therefore it is invalid and
> should be disregarded.
There are three options...
1.) No reverse DNS
- This tells me that the source probably shouldn't be sending mail,
or has been configured incorrectly
2.) Reverse DNS that has an A record pointing to a different IP
- This tells me that the dns has probably been configured
"incorrectly"
3.) Reverse DNS that has an A record that maps back to the original IP
- This tells you nothing other than the dns has been set up
"correctly"
As far as I can see, filtering out on number 1 is the safest there.
You seem to think it's number 2... While I agree people could be
"spoofing" their PTR, I don't think it's happening. Certainly not
to the extent that it would be worth worrying about.
In my experience it would be uncommon for a mail admin to not set up
reverse dns. However, it would be more common for a mail admin to set up
reverse dns but not consider where the A record for it points. That's
how I got to the differing descriptions between option 1 and 2.
[snip several examples of where the A record of the PTR is different to
the IP]
> This is Bad. Much worse than not having reverse dns at all.
>
> I supppose you want to do these verifications as an anti-spam
> measure? That's not very effective: most spam originates from hosts
> that do have reverse dns, because they're simply consumer DSL and
> cable connections and such, with the odd open relay thrown in. There
> aren't many ISPs out there these days that don't set up reverse DNS
> for those, except perhaps in china and such. And those are all
> blockable with RBLs.
What is effective for one mail admin is often different to what is
effective for another.
Mike
