On 2011-11-08 13:27 , Mark Andrews wrote:
In message <4EB90EF2.3030100@unfix.org>, Jeroen Massar writes:
On 2011-11-08 12:05 , Mark Andrews wrote:
In message <4EB8F028.8040607@dds.nl>, Seth Mos writes: [..] Sounds like FUD. Who has trusted the contents of a PTR record in the last 2 decades?
Lots of tools (read: SSH, Spam-checks, oh and IRCd's ;) trust PTR, but only if the reverse => forward => reverse. And you don't want to know how many silly people enable the "if user comes from .in they must be from Indonesia^WIndia thus block them" Apache option as recently mentioned on this very thread.
They arn't trusting the reverse record. They are trusting the forward record to verify the reverse record. They know that the reverse record is untrustworthy as the owner of the reverse zone can put whatever they want there without spoofing anything.
Of course that is the case. The PTR itself is useless, but in combo with checking it with the forward it is a very valuable resource. (Add DNSSEC to the mix and you are even sure that nobody spoofed it on the wire for you ;)
Also, note that your precious operating system will likely store the PTR, sometimes even without doing the reverse->forward->reverse check.
As such, you set up a PTR + Forward properly for a host, try to 'hack' a box by password guessing, the log entries will only have the PTR recorded, and you just drop the PTR+Forward from DNS (as they are under your control) the admin comes in, sees all those nice hosts in their logs but as it is gone from DNS will never ever find you. This especially goes for 'who' (utmp) which makes that mistake. Fortunately SSH at least logs both IP + hostname, the more info the better.
Who trusts logs of names without actual addresses? No one sane does.
Well, only one decade back some people from this very list mentioned that to a certain OS that is used quite a lot by a lot of people: http://www.freebsd.org/cgi/query-pr.cgi?pr=22595 And today that is still the case: http://www.freebsd.org/cgi/man.cgi?query=utmp&sektion=5 Note there is just ut_host there is no address being stored, I hope you yourself btw don't use any FreeBSD based devices as otherwise that little attempt at an insult goes for you too ;)
That said though the PTR->forward->PTR check is a proper check and a really great way to figure out if the source SMTP host was actually set up with at least some admin doing it the right way. If they can't be bothered to set that up, why should you bother to accept that mail, or a better choice, just score it a bit negatively at least.
Which only works as a filter because ISP's decided to prevent home users from putting valid PTR records in the DNS for their own machines. It has nothing to do with clue or knowlege.
I don't think ISPs 'decide' to not let users set up reverse DNS, it is generally a 'feature' for which they can ask more moneyz. If ISPs would allow it (which I am for btw) then they only pass the test anyway if they can properly setup reverse->forward->reverse. Which is likely the case anyway for quite some ISPs who populate reverses with a matching forward&reverse based on the IP. Greets, Jeroen