On Sun, 2007-06-24 at 08:44 -0700, Marc Perkel wrote: > One thing that spammers can't spoof is RDNS.
Yes they can, and have done in the past.
Although not trivial (many LIRs and RIRs are quite good at stopping
allocations to known spam operations), it's possible that a spammer can
either acquire an IP space allocation and run their own rDNS servers for
it, or be delegated rDNS for another provider's space. This last case is
especially problematic, although usually easier to handle than the first
case.
Unfortunately that drives a bus through your idea :-/
More widely, remember that domain names can be of the form:
host.subdomain.domain.tld
(where "subdomain" can in fact be comprised of multiple parts). To
assume that subdomain.domain.tld is an actual subdomain of domain.tld is
incorrect - it might be a whole, separate, domain out on its' own with
defined nameservers (as delegated from domain.tld's nameservers).
Messages arriving from hosts with rDNS of the form host.domain.tld might
well be predominantly spam, but an operational host.subdomain.domain.tld
might always send ham (or it could be the other way around). How do you
separate the two?
As an example, consider mass virtual hosting providers - their server
farms might have outbound smarthosts with rDNS of (for example)
hosting.domain.tld, and you flag a high percentage of their email as
spam. However they might have an engineering department which uses email
addresses of the form domain.tld exiting the same smarthosts which
*never* sends spam - ever - but you would, in your case, start to mark
all email as ham with this methodology.
