On Wed, Sep 12, 2007 at 10:13:00AM -0600, Jason J. W. Williams wrote:
> It seems to me reverse DNS just isn't an acceptable anti-spam measure. Too many broken reverses exist with smaller companies (try getting a 3rd party to fix it). It's not that hard for a bot to figure out a DSL's reverse entry and use that for its HELO. And there are a lot more effective pre-processing anti-spam measures, including greylisting (with its own problems) and reputation-based systems.
Your first sentence and your third are in direct conflict, as are your first and your fourth - please understand that the use of rDNS (especially generic - as distinct from known dynamic or static) is an extremely effective tool against the botnets, and can itself be an extremely useful input into "reputation-based systems". As for your second sentence, well, you're right in saying that blocking solely on the perceived absence of, or generic nature of, rDNS naming is probably prone to false positives, but nonetheless it's not really my responsibility to ensure that you choose a decent service provider with the ability to provide proper and current and specific identification for your IP. If more ISPs dealt with abuse issues on their own networks, this wouldn't be such a big deal - but it's difficult for me to accept mail from, say, a host named 'dsl-static-pool.1.2.3.4.bigisp.example.net' when I've seen hundreds of thousands of abusive messages from hosts with that same naming convention, all bots. YMM, of course, V.

As for the third, well, now you know why I use generic rDNS detection to defeat bots. As you say, "It's not that hard for a bot to figure out [any infected host]'s reverse entry and use that for its HELO". In fact, that's exactly what many of them do, when they're not forging well known services or sending unqualified/unresolvable strings in HELO/EHLO. And that, in itself, is responsible for over a fifth of our SMTP-time spam detections (and rejections, so there's no outscatter, unlike with a wide variety of "antispam" appliances, such as Barracudas).

It's a sensible and sane perimeter defense tactic, far better than what I see most doing. If you're running a mail source, make damn sure it's got non-generic rDNS /and/ that it's configured to HELO with something that doesn't make it look like a "bot", and you'll stand a much better chance of delivering mail to me and my service's users. If you're not, well, the time is running short for you to fix that brokenness.

Steve
--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
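The SMTP-time checks the reply describes (generic rDNS naming, a HELO that is unqualified or does not resolve, or a HELO that is simply the connecting host's own generic PTR name) can be sketched as a small policy function. The following is an added example, not code from the original post or from enemieslist.com; the generic-name heuristics, the scoring policy and the sample connections are all constructed assumptions, and DNS is replaced by an inline lookup table so it runs offline.

```python
"""Offline sketch of an SMTP-time client check on three inputs an MTA already
has: client IP, its PTR name (rDNS) and the HELO/EHLO string.  Heuristics and
policy below are assumptions for illustration, not a published ruleset."""
import re
from dataclasses import dataclass, field

# Assumed set of labels that commonly mark provider-generated PTR names.
GENERIC_TOKENS = {
    "dsl", "adsl", "cable", "dyn", "dynamic", "dhcp", "pool", "ppp",
    "pppoe", "dialup", "static", "cust", "broadband", "wireless",
}


def _octets(ip: str) -> list:
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return [int(p) for p in parts]


def ip_embedded_in_name(ip: str, name: str) -> bool:
    """True if the PTR name encodes the address itself: all four octets in
    order or reversed (1.2.3.4 / 4-3-2-1), or as one 8-hex-digit run."""
    octets = _octets(ip)
    runs = [int(d) for d in re.findall(r"\d+", name)]
    for cand in (octets, octets[::-1]):
        if any(runs[i:i + 4] == cand for i in range(len(runs) - 3)):
            return True
    return "{:02x}{:02x}{:02x}{:02x}".format(*octets) in name.lower()


def has_generic_token(name: str) -> bool:
    """True if any label (trailing digits stripped, so 'dsl12' -> 'dsl') is generic."""
    for label in re.split(r"[.\-_]", name.lower()):
        if re.sub(r"\d+$", "", label) in GENERIC_TOKENS:
            return True
    return False


def is_generic_rdns(ip: str, rdns: str) -> bool:
    return bool(rdns) and (ip_embedded_in_name(ip, rdns) or has_generic_token(rdns))


def helo_findings(ip: str, rdns: str, helo: str, forward_lookup: dict) -> list:
    """Problems with the HELO string; forward_lookup stands in for DNS A lookups."""
    findings = []
    h = helo.strip().lower()
    if h.startswith("[") and h.endswith("]"):          # address literal, RFC 5321 style
        if h[1:-1] != ip:
            findings.append("helo-literal-mismatch")
        return findings
    if "." not in h or not re.fullmatch(r"[a-z0-9.-]+", h):
        findings.append("helo-unqualified")             # bare word or junk string
        return findings
    if rdns and h == rdns.lower() and is_generic_rdns(ip, rdns):
        findings.append("helo-is-generic-rdns")         # the bot trick described in the thread
    addrs = forward_lookup.get(h)
    if not addrs:
        findings.append("helo-unresolvable")
    elif ip not in addrs:
        findings.append("helo-forward-mismatch")        # claims a name that is not this host
    return findings


@dataclass
class Verdict:
    action: str
    reasons: list = field(default_factory=list)


def classify(ip: str, rdns: str, helo: str, forward_lookup: dict) -> Verdict:
    reasons = []
    if not rdns:
        reasons.append("no-rdns")
    elif is_generic_rdns(ip, rdns):
        reasons.append("generic-rdns")
    reasons += helo_findings(ip, rdns, helo, forward_lookup)
    # Assumed policy: a single weak signal is only flagged (generic naming alone
    # is prone to false positives); two or more signals are rejected at SMTP
    # time, so the mail is never accepted and bounced later.
    action = "reject" if len(reasons) >= 2 else ("flag" if reasons else "accept")
    return Verdict(action, reasons)


# Constructed stand-in for forward DNS (name -> set of A records).
FORWARD = {
    "mx1.goodmail.example.org": {"198.51.100.10"},
    "dsl-static-pool.1.2.3.4.bigisp.example.net": {"1.2.3.4"},
    "mail.example.com": {"203.0.113.5"},
}

# Constructed sample connections: (client IP, PTR name, HELO string).
SAMPLES = [
    ("198.51.100.10", "mx1.goodmail.example.org", "mx1.goodmail.example.org"),
    ("1.2.3.4", "dsl-static-pool.1.2.3.4.bigisp.example.net",
     "dsl-static-pool.1.2.3.4.bigisp.example.net"),
    ("192.0.2.77", "host-77-2-0-192.cable.example.net", "mail.example.com"),
    ("192.0.2.78", "", "WORKSTATION"),
    ("203.0.113.9", "dyn-9.example.net", "[203.0.113.9]"),
]


def run_samples() -> list:
    return [(ip, classify(ip, rdns, helo, FORWARD).action) for ip, rdns, helo in SAMPLES]


if __name__ == "__main__":
    for ip, rdns, helo in SAMPLES:
        print(ip, rdns or "(no rDNS)", helo, "->", classify(ip, rdns, helo, FORWARD))
```

The scoring keeps the thread's own caveat: a generic-looking PTR name by itself only flags the connection, while a generic name combined with a HELO that repeats it, fails to resolve, or resolves elsewhere is rejected in-session, so there is no accepted-then-bounced outscatter.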