Auteur: W B Hacker Datum: Aan: exim users Onderwerp: Re: [exim] blocking on failure of reverse_host_lookup
Ian P. Christian wrote: > Hi all,
>
> I though I'd seen people post on the list about blocking outright on
> reverse_host_lookup - however having implemented this yesterday, it
> seems like it quite possibly did block the occasional email. Before
> yesterday, it was just used as part of a scoring system.
>
> What are peoples thoughts on this?
>
Having a PTR RR for a public-facing server (smtp or otherwise) has been an RFC
requirement for a Very Long Time. Finding, reading, and understanding that very
public information is easy.
But in line with being 'generous with what we accept' most of us did not insist
on it.
Zombots strain even the most generous among us, so we've had to 'work to rule'.
Up until about 12 - 18 months ago, there were a few false positives - very few.
But some of them were 'important' false-positives.
For example - the odd major provider whose 'outbound pool' servers did not have
appropriate DNS credentials that associated them with that provider's identity
and inbound servers for DSN or normal traffic. NetSol's hired third-party hosts
for low-cost and 'vanity' domains were at one time among these.
For a time, those which actually presented traffic to a given server required
whitelisting.
But most that we once had to whitelist have since seen the advantage of strictly
applying the relevant RFC's, have corrected their faux pas, and no longer need
to be whitelisted, so that list (here)) is down to fewer than two-dozen entries
globally, of which less than half seem to be still in need.
Likewise, more and more major providers want to find PTR RR for inbound traffic
to their servers - something distinctly hard for a Zombot to acquire, and
'risky' for professional spammers to register, as it leaves at bit more of a
backtrace trail than most dare deal with.
Criminals defending the 'rights' of Zombot's will tell you otherwise, of course.
They have serious income streams to defend.
There are also grumblings from the odd amateur hobbyist who would like to run an
MTA on dynamic or similar IP where the records cannot be set up. The honest
among those recognize the rules and ask for exemptions or wish they were
changed. The dishonest pretend they do not exist, sometimes rather stridently.
Do your own reading.
But if zombification of smtp is to be reduced, those folks will either have to
use a their provider's smarthost, or rent at least a US$5 / month virtual host
that DOES have proper credentials. No shortage of either.
I sympathize with their plight, but not enough to once again open the door to
millions of zombots.
YMMV, so a 'point score' may be easier to admin for a while yet in some
environments.
