[Mimedefang] rejecting on helo,drive-by-relay,forged_sender,

Chris Myers chris at by-design.net
Wed Jan 14 08:00:23 EST 2004


----- Original Message ----- 
From: "Lucas Albers" <admin at cs.montana.edu>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Tuesday, January 13, 2004 12:43 PM
Subject: Re: [Mimedefang] rejecting on helo,drive-by-relay,forged_sender,


> Chris Myers said:
> >
> > Some ISPs don't bother to set up reverse DNS for their customers so
> > $RelayHost will never match $helo...  Sad but true.
>
> You would expect them to use mx hosts with at least reverse dns.
> If AOL accepts only with reverse DNS.
> Couldn't you argue the generally accepted standard is to reject relays
> without reverse DNS?

The ISP owns the IP addresses, so if they are too lazy to set up reverse DNS
the customer has limited recourse.  And most customers are not technical
enough to even know that they need to ask for it.  Keep in mind that the
Internet functions just fine without reverse DNS until the receiving party
(us) decides to do some form of validation ... most don't even today, and
virtually none did even a few years ago -- and those that did were called
some form of "network police" in polite conversation.

The customer, on the other hand, owns and operates the MX server.  They set
it up in a virtual absence of knowledge about DNS other than "my resolver IP
address is A.B.C.D".  Most people out there are what I call "designated
experts", not real experts.

I just went through fixing reverse DNS for a customer in the last couple of
weeks.  They weren't able to send e-mail to AOL and had NO IDEA why that
would be the case.

My real point is basically that using the results of a HELO test for
"broken" conditions as an on/off switch is going to cause more breakage.
Your users eventually WILL need to talk to someone who doesn't have working
reverse DNS for some reason.  If you want to perform these tests, consider
saving the results and make an adjustment to the SpamAssassin score rather
than saying "You don't have the optional PTR records for your IP address, we
refuse to accept mail from you."

The wonderful thing about the SpamAssassin scoring system is that none of us
had mailers that refused all e-mail from the Internet when a certain DNSBL
went offline by listing the entire Internet as a spam source.  Sites that
used the DNSBLs directly in sendmail as an on/off switch lost all their
mail for a day or two!

Chris
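The approach Chris describes above, recording the HELO/reverse-DNS result and folding it into the SpamAssassin score instead of rejecting at SMTP time, as an added example written for this page; it is not code from the original post or from the MIMEDefang distribution. It is a mimedefang-filter fragment in Perl. The documented filter globals `$RelayAddr`, `$RelayHostname` (the IP in square brackets when there is no PTR record), `$Helo` and `%Features`, and the documented calls `action_add_header`, `action_change_header` and `spam_assassin_check`, are real MIMEDefang API; the helper `helo_penalty`, the header name `X-Helo-Check`, the penalty values and the sample addresses are assumptions chosen for illustration.

```perl
# Added example (not from the original post): score HELO / reverse-DNS
# problems in SpamAssassin instead of rejecting the connection outright.
use strict;
use warnings;

# Globals that mimedefang.pl sets before calling the filter hooks.
our ($RelayAddr, $RelayHostname, $Helo, %Features);

# Assumed penalty values; tune them against your own traffic.
my $PTR_PENALTY  = 1.0;   # connecting IP has no PTR record at all
my $HELO_PENALTY = 0.5;   # HELO argument disagrees with what DNS says

# Pure function so the policy can be tested without a live MTA.
# $ptr_name is what sendmail resolved for the relay ("[1.2.3.4]" or ""
# when there is no PTR).  Returns (penalty, reason-string).
sub helo_penalty {
    my ($ip, $ptr_name, $helo) = @_;
    my $penalty = 0;
    my @reasons;

    my $has_ptr = (defined $ptr_name && $ptr_name ne '' && $ptr_name !~ /^\[/);
    unless ($has_ptr) {
        $penalty += $PTR_PENALTY;
        push @reasons, 'no-ptr';
    }

    if ($helo =~ /^\[([\d.]+)\]$/) {
        # An address literal in HELO is legal; only penalise it if it lies.
        if ($1 ne $ip) {
            $penalty += $HELO_PENALTY;
            push @reasons, 'helo-literal-mismatch';
        }
    }
    elsif ($has_ptr && lc($helo) ne lc($ptr_name)) {
        # Name given in HELO does not match the PTR name.  Without a PTR we
        # cannot compare names, so no second penalty is stacked on 'no-ptr'.
        $penalty += $HELO_PENALTY;
        push @reasons, 'helo-ptr-mismatch';
    }

    return ($penalty, @reasons ? join(',', @reasons) : 'ok');
}

# Per-message state: filter_begin records the verdict, filter_end uses it.
my $HeloPenalty = 0;
my $HeloReason  = 'ok';

sub filter_begin {
    ($HeloPenalty, $HeloReason) = helo_penalty($RelayAddr, $RelayHostname, $Helo);
    # Save the result in a header so the reason is visible after delivery.
    action_add_header('X-Helo-Check', "$HeloReason (relay=$RelayAddr helo=$Helo)");
    return;
}

sub filter_end {
    my ($entity) = @_;
    return unless $Features{"SpamAssassin"};

    my ($hits, $req, $names, $report) = spam_assassin_check();
    return unless defined $hits;

    # Adjust the score rather than flipping an on/off switch at SMTP time:
    # a site with broken reverse DNS still gets through unless it is spammy
    # for other reasons as well.
    my $adjusted = $hits + $HeloPenalty;
    my $flag = ($adjusted >= $req) ? 'Yes' : 'No';
    action_change_header('X-Spam-Score', sprintf('%.1f/%.1f (helo-adjust=%.1f: %s)',
                                                  $adjusted, $req, $HeloPenalty, $HeloReason));
    action_change_header('X-Spam-Flag', $flag);
    return;
}

# Constructed sample inputs (illustration only; not real hosts):
#   helo_penalty('192.0.2.10', '[192.0.2.10]', 'mail.example.net')
#       -> (1.0, 'no-ptr')                no PTR, HELO name unverifiable
#   helo_penalty('192.0.2.10', 'mx.example.net', 'mail.example.net')
#       -> (0.5, 'helo-ptr-mismatch')     PTR exists but HELO differs
#   helo_penalty('192.0.2.10', '[192.0.2.10]', '[192.0.2.10]')
#       -> (1.0, 'no-ptr')                truthful address literal, no PTR
#   helo_penalty('192.0.2.10', 'mx.example.net', 'MX.example.net')
#       -> (0, 'ok')                      case-insensitive match
```

The filter never returns a `REJECT` for any of these conditions; the worst case for a correspondent with missing reverse DNS is a point added to a score that still has to clear `$req` on its own merits, and the `X-Helo-Check` header tells you afterwards why a message scored the way it did.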