Re: [exim] ot: rDNS + spam assassin

Author: Chris Siebenmann
Date:  
To: Mike Tubby
CC: exim-users, cks
Subject: Re: [exim] ot: rDNS + spam assassin

> Our experience is that rDNS cannot be used reliably for several reasons
> that include:
>
>      * multiple hosts behind load balancer
>
>      * mis-match between exact host and generic host like
> "mx01a.megacorp.com" and "mx.megacorp.com"
>
>      * internal hosts calling out through firewalls, eg. host
> MSEXCH01.internal.megacorp.com calls out through a firewall with a
> public IP that either reverses to "fw.megacorp.com" or in case of some
> organisations like the police is simply anonymous (no rDNS)

To add another opinion, I think it's useful to distinguish between two
sorts of RDNS verification that I suspect people are doing.

In the first sort, you simply verify that the IP address has valid RDNS
that verifies, which is to say that the IP has a PTR record and the name
in the PTR record lists the IP address as one of its A records (for
IPv4).

In the more elaborate sort, you insist that the name the client EHLO'd
with matches the RDNS name (which you may or may not validate too). Or
maybe you insist that the name the client EHLO'd with has the connecting
IP as one of its A records (see, we're already getting complicated
here).

Although I haven't run the numbers on our mail logs, I would expect
a certain amount of verification failures for the first sort of RDNS
verification and a *lot* of verification failures for the second sort.
People EHLO with all sorts of perfectly valid names that don't exactly
correspond to the IP address that is connecting to your server. Mike
Tubby listed some of the reasons for this above, and I'm sure there are
more.

Overall I would expect there to be only a weak correlation between
this and spam level in general for arbitrary hosts. Of course if most
of your valid email comes from large hosts that do this 'right' (such
as GMail) and most contacts from random other IPs are sending spam, you
may observe a high (apparent) correlation between 'does not have RDNS'
and 'sends me spam'. But this is heuristic correlation, *not* causation,
and you should not be surprised if this correlation breaks down some day
(perhaps explosively, as you find a source that you very much want email
from that doesn't do this in what your particular setup considers right).

    - cks
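The two sorts of rDNS verification described in the message, written out as an added example (this is not code from the original post, from Mike Tubby's setup, or from Exim). It runs against a constructed in-memory PTR/A table that mirrors the quoted failure cases: a generic load-balancer name, an exact-vs-generic mismatch, an internal host EHLOing through a firewall, and an IP with no PTR at all. Names under `megacorp.example` and all addresses are constructed; the functions `fcrdns_ok`, `ehlo_matches_rdns` and `ehlo_resolves_to_ip` are the checker's own, not Exim ACL conditions.

```python
"""Forward-confirmed rDNS and EHLO/rDNS consistency checks.

Added example, not code from the original message or from Exim.  The DNS
data below is constructed; a real checker would issue PTR and A/AAAA
queries instead of dictionary lookups.
"""

import ipaddress

# Constructed reverse zone: IP -> PTR name.  192.0.2.30 has no PTR on purpose.
PTR = {
    "192.0.2.10": "mx01a.megacorp.example",
    "192.0.2.11": "mx01b.megacorp.example",
    "192.0.2.20": "fw.megacorp.example",
}

# Constructed forward zone: name -> set of A records.
A = {
    "mx01a.megacorp.example": {"192.0.2.10"},
    "mx01b.megacorp.example": {"192.0.2.11"},
    # Generic name fronting both load-balanced hosts.
    "mx.megacorp.example": {"192.0.2.10", "192.0.2.11"},
    "fw.megacorp.example": {"192.0.2.20"},
    # Internal hostname: resolvable name, but no public address at all.
    "msexch01.internal.megacorp.example": set(),
}


def _norm_ip(ip):
    """Canonical text form so '192.000.002.010' or an IPv6 alias compares equal."""
    return str(ipaddress.ip_address(ip))


def _norm_name(name):
    """DNS names are case-insensitive; strip a trailing dot as well."""
    return name.lower().rstrip(".")


def reverse_name(ip):
    """PTR lookup; None when the address has no reverse record."""
    return PTR.get(_norm_ip(ip))


def forward_addrs(name):
    """A-record lookup; empty set when the name does not resolve."""
    return {_norm_ip(a) for a in A.get(_norm_name(name), set())}


def fcrdns_ok(ip):
    """First sort: the IP has a PTR, and that name has an A record back to the IP."""
    name = reverse_name(ip)
    return name is not None and _norm_ip(ip) in forward_addrs(name)


def ehlo_matches_rdns(ip, helo):
    """Second sort, variant 1: the EHLO name equals the PTR name.

    Only the equality is checked here; whether the PTR name itself
    forward-confirms is fcrdns_ok's job ("which you may or may not
    validate too").
    """
    name = reverse_name(ip)
    return name is not None and _norm_name(helo) == _norm_name(name)


def ehlo_resolves_to_ip(ip, helo):
    """Second sort, variant 2: the EHLO name has the connecting IP among its A records."""
    return _norm_ip(ip) in forward_addrs(helo)


def classify(ip, helo):
    """Run all three checks for one connection and return the outcomes."""
    return {
        "fcrdns": fcrdns_ok(ip),
        "ehlo_eq_rdns": ehlo_matches_rdns(ip, helo),
        "ehlo_fwd": ehlo_resolves_to_ip(ip, helo),
    }


# Constructed connections illustrating the cases from the quoted message.
SCENARIOS = [
    ("exact host, exact EHLO", "192.0.2.10", "mx01a.megacorp.example"),
    ("load balancer, generic EHLO", "192.0.2.11", "mx.megacorp.example"),
    ("internal host via firewall", "192.0.2.20", "msexch01.internal.megacorp.example"),
    ("no rDNS at all", "192.0.2.30", "mail.anon.example"),
]

if __name__ == "__main__":
    for label, ip, helo in SCENARIOS:
        print(f"{label:30s} {ip:12s} {helo:38s} {classify(ip, helo)}")
```

Running it shows the pattern the message predicts: every legitimately configured host passes the first sort, but only the first scenario passes both variants of the second sort. The load-balanced host fails the strict EHLO-equals-PTR test while still passing the looser EHLO-resolves-to-IP test, and the firewalled internal host fails both, which is why the stricter checks generate many more false positives than plain forward-confirmed rDNS.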