Re: [exim] Automatic Whitelist Generation - Why wouldn't thi…

Top Page
Delete this message
Reply to this message
Author: Marc Perkel
Date:  
To: exim-users
Subject: Re: [exim] Automatic Whitelist Generation - Why wouldn't this work?


Arthur Hagen wrote:
> On Sun, 2007-06-24 at 18:30 -0700, Marc Perkel wrote:
>
>> Eli wrote:
>>
>>>> Maybe I'm missing something. Can I take one of my IP addresses and make
>>>> the RDNS appear to be from xxx.amd.com and make a lookup on xxx.amd.com
>>>> agree?
>>>>
>>> Yes you can. That's why reverse DNS information is pretty much completely
>>> useless when doing any type of tracing. I suggest you read up on DNS
>>> servers and how zonefiles work et al before going too far on speculations
>>> regarding DNS, especially if you're using the results to filter stuff (email
>>> in this case).
>>>
>>>
>> If you do a reverse lookup and then check to see if the name resolves to
>> the IP that you looked up you can tell it's fake.
>>
>
> That tells nothing of the sort, despite the advise that forward and
> reverse entries /should/ match. (It's really only a /must/ for
> authoritative DNS servers.) There's many reasons why there may not be
> a match, temporarily or permanently:
>
> Consider a failover solution, for example. Normally, it would be:
>
> # Using a private address space here, as it's an example.
> # In real life, it would be in a public address space.
> zone 16.16.172.in-addr.arpa:
> 1    IN PTR    foo.my.example.
> 2    IN PTR    bar.my.example.
> zone my.example:
> foo    IN A    172.16.16.1
> bar    IN A    172.16.16.2

>
> But, if foo goes down, the forward zone changes to:
> foo    IN A    172.16.16.2
> bar    IN A    172.16.16.2

>
>
> Or this example, with a multi-homed host:
>
> zone my.example:
> foo    IN A    172.17.17.1
> ...
> zone 17.17.172.in-addr.arpa:
> 1    IN PTR    foo.my.example.
> 2    IN PTR    foo.my.example.

>
> Where some of the traffic goes out from 172.17.17.1 and some from .2,
> depending on routing. If you look up 172.17.17.2, you get
> foo.my.example, but if you look up foo.my.example, you get 172.17.17.1.
> This is perfectly legal.
>
> Regards,
>


If there is a mismatch then I don't whitelist so if there's a DNS error
then they don't get whitelisted that time. Ultimately if there isn't a
match then the mail will still get delivered. But they don't get the
priviledge of bypassing the spam filter