We have recently implemented a policy on our mail servers of not accepting mail from hosts that do not correctly resolve via reverse DNS. While we on the technical side love the idea, there have been some questions from the business side of the house.

If an ISP doesn't have reverse DNS set up correctly on their mail servers, we point them to the RFCs and generally offer to help them correct it. We have noticed that our spam has reduced drastically, and the complaints are few, but alas this is a double-edged sword, where if you even block 1 legitimate e-mail out of the 100K+ that we receive daily, someone is going to complain.

Just curious if anybody here is doing the same and the response that they have had from doing so. Replies off list are fine and I will summarize if people are interested.

Thanks,
Patrick

-- 
Patrick Muldoon, Network/Software Engineer
INOC, LLC doon@inoc.net
Press Ctrl-Alt-Del now for IQ test.
You are most correct, it is definitely a double-edged sword. Let's say you try to reverse DNS on an address whose nameserver is down or otherwise unreachable, what then? Some admins I know deliberately do run reverse DNS as they view it as a system cracker tool, or they feel it is an unwarranted load, RFCs be damned. Is this admin decision the fault of the user?

You are not the first one to try this. I have tried this myself and a financial type didn't get an important email because of it. You know the rest of the story.

A better solution is to check the IP and see if it is an MX record for the domain the mail purports to be from.

Just my opinion, and I could be wrong.

-dan

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Patrick Muldoon
Sent: Thursday, February 28, 2002 1:15 PM
To: nanog@merit.edu
Subject: Reverse DNS and SMTP
On Thu, Feb 28, 2002 at 01:35:09PM -0700, Daniel Lark wrote:
You are most correct, it is definitely a double-edged sword. Let's say you try to reverse DNS on an address whose nameserver is down or otherwise unreachable, what then? Some admins I know deliberately do run reverse DNS as they view it as a system cracker tool, or they feel it is an unwarranted load, RFCs be damned. Is this admin decision the fault of the user?
Use a non-clueless ISP. The market is fairly saturated in most places with service providers.
You are not the first one to try this. I have tried this myself and a financial type didn't get an important email because of it. You know the rest of the story.
What I do is format my smtp headers such that a very simple regex can find mail with no reverse dns and dump it in a spam folder. I find this catches a lot of the messages. I try and let people know but for example, I am unable to find anyone at American Express or NWA that can fix their dns. (others are prompt in fixing their dns problems).
A better solution is to check the IP and see if it is an MX record for the domain the mail purports to be from.
This has a number of flaws. I won't delve into them though.
Just my opinion, and I could be wrong.
- Jared
-dan
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Hi

Does anyone know of a program that can flag such things and alter mail headers on the fly like this?

Nicole

On 28-Feb-02 Unnamed Administration sources reported Jared Mauch said :
-- 
Daemon Technologies(tm) | Phone: 510.895.9667 | nicole@daemontech.com
Powered by FreeBSD - Email, DNS, SiteHosting, FTP Services, Dedicated Servers, Co-Location, and a Lot More
"Daemons" will now be known as "spiritual guides" -Politically Correct UNIX Page
http://www.spambouncer.org

I have no connection to this software other than being a satisfied user.

-Paul

At 07:29 PM 2/28/2002, Nicole Harrington wrote:
Once upon a time, Nicole Harrington <nmh@daemontech.com> said:
Does anyone know of a program that can flag such things and alter mail headers on the fly like this?
If you use sendmail as your MTA, you can configure it to do it with the check_local rulesets from http://www.digitalanswers.org/check_local/.

-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
You are most correct, it is definitely a double-edged sword. Let's say you try to reverse DNS on an address whose nameserver is down or otherwise unreachable, what then? Some admins I know deliberately do run
Temporary DNS errors (timeouts reaching a server etc) are/should be distinguishable from hard errors (NXDOMAIN responses, no such RR for the queried name), and the SMTP daemon could/should then react appropriately by using a 5xx error for hard DNS errors and 4xx errors for temporary errors, where a 4xx error should then result in the sending side queueing the mail appropriately for a later attempt.
reverse DNS as they view it as system cracker tool, or they feel it is
You mean don't run reverse DNS? Having good reverse DNS is a requirement to allow things like tcp-wrappers to work with domainnames rather than just IP addresses.
an unwarranted load, RFCs be damned. Is this admin decision the fault of the user?
You are not the first one to try this. I have tried this myself and a financial type didn't get an important email because of it. You know the rest of the story.
A better solution is to check the ip and see if it is an MX record for the domain the mail purports to be from.
An MX record always contains a name, not an IP address. Thus, you will still need to do a reverse lookup on the IP to try and match it against that name. Your approach will be further complicated by the fact that MX records do not (necessarily) list the canonical name of the MTA (i.e. the one for which a PTR record exists). Further, you are requiring that everyone sends mail from the same server that they receive mail on. Such a requirement is too restrictive.

What should be checked is that the domain of the sender's address exists and has a valid MX record (and that the name that MX record points to exists as an A record), so that there is a chance that complaints/bounces actually can be returned to the sender. AFAIK, sendmail (and likely other MTAs) already have facilities to perform these checks.

One could go further and actually try whether any of those listed MX servers actually accepts SMTP connections before accepting the mail, but that would generate a *lot* of unnecessary traffic and would most likely overload one's own server too.
Just my opinion, and I could be wrong.
Same here.

Mathias
On Fri, 01 Mar 2002 11:22:54 +0800, Mathias Koerber <mathias@koerber.org> said:
You mean don't run reverse DNS? Having good reverse DNS is a requirement to allow things like tcp-wrappers to work with domainnames rather than just IP addresses.
Using domain names with tcp-wrappers has some hidden considerations that 95% of the people don't think through...

If you are getting a connection from an IP/name you *would* let in, but the PTR entry fails on a timeout or whatever, you're rejecting a legitimate connection. Depending on your paranoia level, this may be acceptable.

If you allow in based on DNS name, you may accept a connection that you should have rejected. The usual causes of this are DNS cache poisoning and related attacks - and of course, these are most likely to happen in conjunction with an attempted illegitimate connection.

It's probably an OK thing to do *IF* you realize that the DNS can be lied to, and the connection has to pass OTHER authentication as well (for instance, if you only accept SSH connections from "your-OK.yourdomain.com", but still require a valid 'publickey' authentication or similar before actually allowing it in).

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
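The checks discussed by Mathias (distinguish temporary from hard DNS failures and answer 4xx versus 5xx; verify that the sender domain has an MX whose target has an A record) and by Valdis (a PTR alone is attacker-controlled, so allow-by-name must be forward-confirmed and a timeout must not become an allow) as an added example that is not code from any poster in this thread. The zone data, the `fake_resolve` stand-in for a real resolver, and every host name and address are constructed for offline use. It goes one step beyond Mathias's wording by also accepting a sender domain that has an A record but no MX (the implicit MX of RFC 2821).

```python
"""Added example: SMTP-time DNS checks with temporary vs. hard failures mapped to
4xx vs. 5xx, plus forward-confirmed reverse DNS (FCrDNS) for allow-by-name.
All zone data below is constructed; fake_resolve stands in for a real resolver."""


class DnsTempFail(Exception):
    """Timeout or SERVFAIL: the answer is unknown, so defer (4xx), never reject."""


class DnsHardFail(Exception):
    """NXDOMAIN or NODATA: an authoritative 'no such record'."""


# Constructed zone data.  A value of "TEMP" simulates an unreachable nameserver.
FAKE_ZONE = {
    ("4.3.2.1.in-addr.arpa.", "PTR"): ["mail.example.net."],
    ("mail.example.net.", "A"): ["1.2.3.4"],
    ("example.net.", "MX"): [(10, "mail.example.net.")],
    # PTR claims a host the IP does not own: the forward lookup will not confirm it.
    ("8.7.6.5.in-addr.arpa.", "PTR"): ["spoofed.example.org."],
    ("spoofed.example.org.", "A"): ["9.9.9.9"],
    ("12.11.10.9.in-addr.arpa.", "PTR"): "TEMP",      # reverse zone's server is down
    ("example.com.", "MX"): [(10, "mx.example.com.")],  # dangling MX: target has no A
    ("example.edu.", "MX"): "TEMP",                     # sender domain's server is down
    ("example.org.", "A"): ["9.9.9.9"],                 # no MX, A only (implicit MX)
}


def fake_resolve(name, rtype):
    """Assumed resolver interface: returns the RRset or raises one of the two errors."""
    try:
        answer = FAKE_ZONE[(name, rtype)]
    except KeyError:
        raise DnsHardFail("%s %s" % (name, rtype))
    if answer == "TEMP":
        raise DnsTempFail("%s %s" % (name, rtype))
    return answer


def reverse_name(ip):
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def fcrdns(ip, resolve):
    """PTR, then A on each PTR name; the name counts only if the A set contains ip.
    Returns ('ok', name), ('hard', None) or ('temp', None)."""
    try:
        for name in resolve(reverse_name(ip), "PTR"):
            try:
                if ip in resolve(name, "A"):
                    return "ok", name
            except DnsHardFail:
                continue          # this PTR name does not resolve; try the next one
        return "hard", None       # PTR exists but nothing forward-confirms
    except DnsTempFail:
        return "temp", None       # unknown, not 'no': caller must defer
    except DnsHardFail:
        return "hard", None


def sender_domain_check(domain, resolve):
    """Mathias's check: an MX exists and at least one MX target has an A record.
    If there is no MX at all, fall back to an A record on the domain itself."""
    try:
        targets = [t for _pref, t in sorted(resolve(domain, "MX"))]
    except DnsTempFail:
        return "temp"
    except DnsHardFail:
        targets = [domain]        # implicit MX
    for target in targets:
        try:
            if resolve(target, "A"):
                return "ok"
        except DnsHardFail:
            continue
        except DnsTempFail:
            return "temp"
    return "hard"


def smtp_decision(client_ip, mail_from, resolve):
    """Reply to give at MAIL FROM: 450 on temporary DNS trouble, 550 on hard failure."""
    status, host = fcrdns(client_ip, resolve)
    if status == "temp":
        return "450 4.7.1 reverse DNS for %s failed temporarily, try later" % client_ip
    if status == "hard":
        return "550 5.7.1 %s has no forward-confirmed reverse DNS" % client_ip
    domain = mail_from.rsplit("@", 1)[-1].rstrip(".") + "."
    status = sender_domain_check(domain, resolve)
    if status == "temp":
        return "450 4.1.8 sender domain %s lookup failed temporarily, try later" % domain
    if status == "hard":
        return "550 5.1.8 sender domain %s has no usable MX or A record" % domain
    return "250 OK %s accepted from %s (%s)" % (mail_from, client_ip, host)


def name_allowed(ip, allowed_suffix, resolve):
    """tcp-wrappers style allow-by-name done the safe way: only a forward-confirmed
    name counts, and a DNS timeout is a 'no', never a 'yes'."""
    status, name = fcrdns(ip, resolve)
    return status == "ok" and name.endswith(allowed_suffix)


if __name__ == "__main__":
    for ip, sender in [("1.2.3.4", "bob@example.net"), ("5.6.7.8", "bob@example.net"),
                       ("9.10.11.12", "bob@example.net"), ("1.2.3.4", "alice@example.com")]:
        print(ip, sender, "->", smtp_decision(ip, sender, fake_resolve))
```

The 5.6.7.8 case is the one Valdis warns about: its PTR says spoofed.example.org, so a PTR-only allow list for ".example.org." would let it in, while `name_allowed` rejects it because the forward lookup does not return 5.6.7.8. The 9.10.11.12 case is Dan's "nameserver is down" scenario; it gets a 450 so the sender queues and retries instead of losing the mail.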
participants (8)
- Chris Adams
- Daniel Lark
- Jared Mauch
- Mathias Koerber
- Nicole Harrington
- Patrick Muldoon
- Paul Timmins
- Valdis.Kletnieks@vt.edu