Reverse Dns Question...is it really necessary or not?

Barry Margolin barmar at alum.mit.edu
Tue Jul 20 16:35:51 UTC 2004


In article <cdjbvr$19e4$1 at sf1.isc.org>, Chip Mefford <cpm at well.com> 
wrote:

> Good day all;
> 
> 
> Jonathan de Boyne Pollard wrote:
> | KD> some misguided mail servers/admins use reverse lookups as a
> | KD> kind of litmus test for spam (as if spammers couldn't come
> | KD> up with their own reverse records, duh).
> |
> | CM> Right, but spambots don't.
> |
> | Rubbish.  Hijacked third-party machines also often have address->name
> | mappings, and for pretty much the same reason: The people whose
> | machines have been hijacked also have to deal with the numbskulls who
> | employ these daft "security" mechanisms on their various TCP services.
> 
> They may indeed have address->name mappings, but very seldom does
> one have an MX record. No MX record, then it is not a legitimate
> mail relay. This is not rubbish.

Many organizations, especially large ISPs, use different machines for 
outgoing and incoming mail (for instance, incoming mail might be 
directed to a machine that performs virus checking).  So there's no good 
reason to expect the mail to come from an address that the MX records 
point to.

> I am a postmaster.
> I take my responsibilities as such seriously. I have an employer and
> clients who depend on me to do so. I also have a community known as the
> internet that also depends on me as I depend on them to try to do, if
> not the *right* thing, then at least a *good* thing when it comes to
> taking responsibility for the presence on the internet that is under my
> administrative control.

Agreed.  This whole situation with spam and email-borne malware has 
resulted in many administrators having to compromise and choose "least 
of evils".  But you're treading a fine line, and you have to be careful 
not to throw out the baby with the bathwater.


> 
> The original question had to do with whether or not reverse
> dns was really necessary. The answer is a resounding yes.

This part I definitely agree with.  Checking for reverse DNS of an 
incoming mail client is likely to result in lots of false positives 
(since many ISPs do provide reverse DNS for all their IPs), but there 
should be very few false negatives.  There's virtually no practical 
reason why a legitimate outgoing mail server cannot have valid rDNS.  If 
there are any that are stuck in this situation, they'll have to be 
handled on a case-by-case basis using whitelists.

To use yet another aphorism, mail administrators are caught between a 
rock and a hard place.  Users are screaming for relief from spam, and 
they expect administrators to do something to stem the flow.  Content 
filtering (e.g. Bayesian analysis) is one prong in their solution, but 
it's not a complete solution, and additional heuristics are needed.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
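The two checks debated above, as an added illustration that is not code from the thread or from BIND: a reject-on-missing-rDNS policy with a whitelist escape hatch, next to the "client must be one of the domain's MX hosts" test the reply argues against. Lookups are injected through a stub resolver so it runs offline; all names and addresses are constructed, and "valid rDNS" is taken here to mean a PTR name that resolves back to the client IP (an assumption, the reply does not define the term).

```python
# Added example, not from the bind-users thread. Shows why "no rDNS -> reject"
# has few false negatives but cannot catch hosts with generic ISP rDNS, and
# why "client IP must be in the sender domain's MX set" rejects legitimate
# split inbound/outbound setups. All records below are constructed.
from dataclasses import dataclass, field


@dataclass
class StubResolver:
    """Stand-in for a DNS resolver so the policy code runs without network."""
    ptr: dict = field(default_factory=dict)  # ip -> list of PTR names
    a: dict = field(default_factory=dict)    # name -> list of IPs
    mx: dict = field(default_factory=dict)   # domain -> list of MX host names

    def reverse(self, ip):
        return self.ptr.get(ip, [])

    def forward(self, name):
        return self.a.get(name, [])

    def mx_hosts(self, domain):
        return self.mx.get(domain, [])


def has_valid_rdns(resolver, ip):
    """Forward-confirmed rDNS: at least one PTR name resolves back to ip."""
    return any(ip in resolver.forward(n) for n in resolver.reverse(ip))


def ip_is_mx(resolver, domain, ip):
    """The test from the quoted post: is the client one of domain's MX hosts?"""
    return any(ip in resolver.forward(h) for h in resolver.mx_hosts(domain))


def rdns_policy(resolver, ip, whitelist=frozenset()):
    """Policy the reply endorses: reject clients lacking valid rDNS unless
    they were whitelisted case by case."""
    if ip in whitelist:
        return "accept:whitelisted"
    if has_valid_rdns(resolver, ip):
        return "accept:rdns-ok"
    return "reject:no-rdns"


# Constructed zone data: example.net receives on mx.example.net but sends
# from out1.example.net, a common ISP-style split.
RESOLVER = StubResolver(
    ptr={"192.0.2.10": ["out1.example.net"],       # outbound MTA, not an MX
         "192.0.2.20": ["mx.example.net"],         # inbound MX host
         "198.51.100.7": ["dsl-7.isp.example"],    # dynamic line, generic rDNS
         "203.0.113.50": ["bogus.example"]},       # PTR that does not confirm
    a={"out1.example.net": ["192.0.2.10"], "mx.example.net": ["192.0.2.20"],
       "dsl-7.isp.example": ["198.51.100.7"], "bogus.example": ["10.0.0.1"]},
    mx={"example.net": ["mx.example.net"]},
)
```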


More information about the bind-users mailing list