[exim] generic hostnames

Author: Chris Edwards
Date:  
To: exim-users
Old-Topics: Re: [exim] dnsbls
Subject: [exim] generic hostnames
(was: Re: dnsbls)

For several years we've applied a VERY high degree of distrust for mails
with automatically-generated rDNS. We understand many other sites do
similar. Experience suggests such connections stand an extremely high
chance of being spam. Granted, this is not perfect, and we happily
whitelist any legit mail servers with generic hostnames where we encounter
them. But the overwhelming majority of such attempts are spamming or
virus-infected machines.

There is also an issue of accountability. Say we encounter an abuse or
security problem involving a host (which might be a legit mailserver) with
generic rDNS, e.g.:

cust-11-22-33-44.dsl.mega-isp.net

Who should we contact to report the problem or incident?

The sender details on any spam/virus email received are almost certainly
counterfeit. So, the rDNS may well be the only thing we have to go on.
Attempting to contact someone at the ISP itself (i.e. abuse@???)
sadly isn't likely to get us very far, especially in the case of massive
global telecoms companies (zen might be different). In general, in such a
situation, we're kinda stuck. Hence, for an important resource like a
mail server, we advise configuring a specific rDNS name - such as
"something.yourdomain.org" or even better "mailout1.yourdomain.org". In
which case it's immediately clear that postmaster@??? or
abuse@??? would be suitable contacts.


Martin A. Brooks wrote:

| So, if i understand your argument correctly, if the PTR were
| "z0mgpuppieslolzw000000000000pony.antibodymx.net", that would make my
| email somehow more likely to be legitimate?


Clearly *your* email is legitimate. But, percentage-wise, a hostname like
that is probably less likely to be spamming than an obvious generic name.


| How do you know that "z0mgpuppieslolzw000000000000pony" isn't somehow
| derived from the IP address? Short answer: you don't.


Correct - we don't know. But that's not a problem. If a spammer were to
use a name like that, then yes, it would incorrectly *pass* the generic
hostname test. But hopefully we'd catch it out on something else.
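
An added illustration, not part of the original post and not Exim configuration: a sketch of a generic-hostname test that flags a PTR name when the connecting IPv4 address is embedded in it, with the whitelist override mentioned in the message. The function names, the set of encodings checked and the sample addresses are assumptions; a name derived from the IP in some other way still passes, as the reply above concedes.

```python
import ipaddress
import re

def ip_encodings(ip):
    """Regexes for common ways an IPv4 address is embedded in a PTR name."""
    octets = [int(o) for o in str(ipaddress.IPv4Address(ip)).split(".")]
    patterns = []
    for order in (octets, octets[::-1]):  # forward and reversed (in-addr style)
        # Decimal octets, optionally zero-padded, joined by '-', '.' or '_'.
        body = r"[-._]".join(rf"0{{0,2}}{o}" for o in order)
        patterns.append(rf"(?<!\d){body}(?!\d)")
        # Zero-padded decimal with no separator, e.g. 011022033044.
        packed = "".join(f"{o:03d}" for o in order)
        patterns.append(rf"(?<!\d){packed}(?!\d)")
    # Hex form, e.g. 0b16212c for 11.22.33.44.
    hexed = "".join(f"{o:02x}" for o in octets)
    patterns.append(rf"(?<![0-9a-f]){hexed}(?![0-9a-f])")
    return [re.compile(p) for p in patterns]

def classify_rdns(ip, ptr, whitelist=frozenset()):
    """Return 'whitelisted', 'generic' (IP embedded in the name) or 'specific'."""
    if ip in whitelist:
        return "whitelisted"  # known-legitimate server with a generic name
    host = ptr.lower().rstrip(".")
    if any(p.search(host) for p in ip_encodings(ip)):
        return "generic"
    return "specific"

# Constructed samples: hostnames from the message where available; the IP
# addresses paired with them are assumptions made for this example.
SAMPLES = [
    ("11.22.33.44", "cust-11-22-33-44.dsl.mega-isp.net"),
    ("198.51.100.7", "7.100.51.198.static.example.net"),
    ("11.22.33.44", "host-0b16212c.example.net"),
    ("192.0.2.25", "mailout1.yourdomain.org"),
    # Not recognisably derived from the IP, so it passes the test.
    ("192.0.2.77", "z0mgpuppieslolzw000000000000pony.antibodymx.net"),
]

if __name__ == "__main__":
    for ip, ptr in SAMPLES:
        print(f"{ip:15} {ptr:50} {classify_rdns(ip, ptr)}")
```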