On Mon, Nov 7, 2011 at 1:34 AM, <Valdis.Kletnieks@vt.edu> wrote:
> On Mon, 07 Nov 2011 01:09:19 CST, Robert Bonomi said:
>
> You're missing some 'obvious' considerations. Consider a spam complaint sent with 'full headers' included. The rDNS _at_the_time_of_the_crime_ is present in the complaint. And if the rDNS isn't provided, any sane MTA will have included the IP address and timestamp involved, which shouldn't take you all *that* much longer to track down to one of your users.
I wouldn't take for granted that "IP address plus timestamp" can be used to track down a user after the fact. This is not always the case; plenty of times it is not: the user may not be logged on anymore, and there might be no historical data available, or the lifetime of the historical data may be short enough that it expired before the complaint came in, possibly 24 hours or more later. Especially not on shared LANs, where an unruly user might actually select some random IP address and use it without permission.

The RDNS will help in some of those cases if you don't keep/have sufficient information to identify a user by IP address, or if your ability to create a mapping is unreliable... for example, you can't really be sure about accurate clock synchronization between the timestamps of the MTAs and any detail info you may have.

But even with RDNS there is still a matching problem... DNS records have TTLs. The old mapping for an IP address can live in a cache for a significant amount of time. Sometimes unruly DNS servers or unruly applications fail to correctly implement DNS, and wind up holding a record past its TTL... an "old PTR mapping" for the IP address may be reported in message headers. The result can be that a previous customer's ID in such a scheme would appear in the complaint.

Now I suppose you could include another piece of info in the reverse record:

    <custid>.registeredat<timestamp>.checksum

And then if the purported timestamp in the complaint is after the 'next DNS record registration time' + TTL, you know that the RDNS listed on the complaint is invalid.

To maintain integrity in that case... you would need to ensure the IP address could not be recycled to another user before all DNS records cached at the logoff time + DNS registration interval expired.

-- 
-JH
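Added illustration (not part of the thread, and not code from any of the posters): a toy Python model of the `<custid>.registeredat<timestamp>.checksum` scheme sketched above, together with the staleness test JH describes and the earliest-reuse rule for recycling an address. The checksum is implemented as a truncated HMAC over the customer id and timestamp so that a tampered label fails verification; that choice, the Unix-epoch timestamps, the record-TTL value and the operator's assignment log are all assumptions constructed for the example.

```python
"""Toy model: customer id + registration time + checksum in the PTR record,
and the abuse-desk check 'is the rDNS in this complaint stale?'."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed placeholder: the operator's own secret, never published in DNS.
CHECKSUM_SECRET = b"example-operator-secret"

# Label shape: <custid>.registeredat<unix-ts>.<12 hex chars of HMAC>
LABEL_RE = re.compile(
    r"^(?P<custid>[a-z0-9-]+)\.registeredat(?P<ts>\d+)\.(?P<sum>[0-9a-f]{12})$"
)


def _checksum(body: str, secret: bytes) -> str:
    # Truncated HMAC-SHA256: short enough for a DNS label, but a custid/timestamp
    # pair cannot be altered without the secret (assumption: HMAC chosen here).
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()[:12]


def make_ptr_label(custid: str, registered_at: int,
                   secret: bytes = CHECKSUM_SECRET) -> str:
    """Build the PTR label published when an IP is registered to a customer."""
    body = f"{custid}.registeredat{registered_at}"
    return f"{body}.{_checksum(body, secret)}"


def parse_ptr_label(label: str,
                    secret: bytes = CHECKSUM_SECRET) -> Optional[Tuple[str, int]]:
    """Return (custid, registered_at) if the label parses and its checksum verifies."""
    m = LABEL_RE.match(label)
    if not m:
        return None
    body = f"{m['custid']}.registeredat{m['ts']}"
    if not hmac.compare_digest(_checksum(body, secret), m["sum"]):
        return None
    return m["custid"], int(m["ts"])


@dataclass
class Assignment:
    """One entry of the operator's IP-assignment log (constructed for the example)."""
    custid: str
    registered_at: int                 # when this PTR record was published
    next_registered_at: Optional[int]  # when the IP was re-registered to someone else


def classify_complaint(label: str, complaint_ts: int,
                       log: Dict[Tuple[str, int], Assignment], ttl: int) -> str:
    """Judge whether the rDNS quoted in a complaint could have been valid at complaint_ts."""
    parsed = parse_ptr_label(label)
    if parsed is None:
        return "bad-label"              # malformed or checksum mismatch
    entry = log.get(parsed)
    if entry is None:
        return "unknown-assignment"     # verifies, but we never published it
    if complaint_ts < entry.registered_at:
        return "before-registration"    # record did not exist yet: clock skew or forgery
    if entry.next_registered_at is None or complaint_ts <= entry.next_registered_at:
        return "current"                # record was authoritative at that time
    if complaint_ts <= entry.next_registered_at + ttl:
        return "possibly-cached"        # old record could still sit legitimately in a cache
    return "stale"                      # JH's rule: past next registration + TTL, invalid


def earliest_reassignment(logoff_ts: int, registration_interval: int, ttl: int) -> int:
    """Earliest time the IP may go to another user so every cached old PTR has expired."""
    return logoff_ts + registration_interval + ttl


# Constructed sample log: cust1234 held the IP, then it was re-registered to cust5678.
TTL = 3600
LOG: Dict[Tuple[str, int], Assignment] = {
    ("cust1234", 1320640000): Assignment("cust1234", 1320640000, 1320650000),
    ("cust5678", 1320650000): Assignment("cust5678", 1320650000, None),
}

if __name__ == "__main__":
    old = make_ptr_label("cust1234", 1320640000)
    for ts in (1320645000, 1320652000, 1320660000):
        print(ts, classify_complaint(old, ts, LOG, TTL))
    print("earliest reuse:", earliest_reassignment(1320650000, 600, TTL))
```

The three sample timestamps land in the three interesting regions: while cust1234 still held the address, inside the TTL window after the re-registration (where a correctly behaving cache may still hand out the old PTR, so the complaint cannot settle which customer sent the mail), and past that window, where only a misbehaving resolver or a forged header could have produced the old record.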