[Mimedefang] filter_relay

David Hiebert david at keyway.net
Sun Oct 31 18:40:24 EST 2004


On Sun, 31 Oct 2004, Ben wrote:

> Date: Sun, 31 Oct 2004 10:17:26 -0600
> From: Ben <bkamen at benjammin.net>
> Reply-To: mimedefang at lists.roaringpenguin.com
> To: mimedefang at lists.roaringpenguin.com
> Subject: Re: [Mimedefang] filter_relay
>
> David F. Skoll wrote:
>
> > On Fri, 29 Oct 2004, David Hiebert wrote:
> >
> > However, I question the wisdom of rejecting mail from machines with no
> > reverse DNS.  I'm not convinced it will block bad mail more often than
> > good.
>
> I would add to that by acknowledging there's a lot of idiots out there on the
> net who haven't a clue how important proper DNS is. Reverse DNS checking blocks
> a LOT of spam... but it does indeed block a lot of legit mail too.
>
> Example: Texas Instruments (yes, the semiconductor powerhouse company)
>   has bad rDNS for their mail server. A tech rep trying to email me was
> getting bounced. Why? Exchange only reports something stupid like,
> "Cannot send mail, and error has occured" versus the whole reject message.
> So the users have no clue what's going on and either the admins aren't bright
> enough to know or just don't care.
>
> I think if just ONE big mail portal (MSN, Yahoo, AOL, etc..) would reject on DNS
> like that, a lot of netizens would fix their darn DNS appropriately.
>
> Where that would help up is if the ISPs purposefully set up DNS for DHCP and
> dialup addresses to NOT be correct... and instantly, all those typically zombied
> addresses would become useless....
>
> Oh well. It's a nice thought anyway.
>
> --
> Ben Kamen - O.D.T., S.P.
> ======================================================================
> Email: bkamen AT benjammin DOT net       Web: http://www.benjammin.net


Ben,
I agree with you 100%.  In fact, AOL does block mail from IPs without
reverse DNS, which is what has convinced my boss to allow me to do the
same, for the exact reason you describe.  Here is more info on AOL's
block:
http://postmaster.aol.com/info/rdns.html

As for Texas Instruments, does their mail server have BAD reverse DNS or
NO reverse DNS?  I agree that blocking BAD (mismatched) reverse DNS would
block a lot of legitimate mail, which is why we are only going to block
mail from IPs with NO reverse DNS to reduce the false positives as much
as possible.

As far as admins who have no clue about things such as Reverse DNS, I
believe that it is a mistake for me to block mail from them, however they
are in many cases the cause of such troubles.  We've had customers in the
past who've had IT personnel come and go for this reason (open proxies,
open relays, poorly configured/secured networks), and while they usually
get blocked by RBLs, we try to work with them to get things fixed as soon
as possible.  Other ISPs are not so kind, or caring of their reputation,
let alone reducing the proliferation of spam.  While it is a mistake for
me to block mail from these guys, it gets the job done.

I'll definitely take heed of your point on Exchange not sending a proper
rejection notification.  Perhaps I'll add in a whois lookup, and have it
notify the postmaster with a customized mailnote, in addition to the
rejection notice.

Also, a quick disclaimer, opinions shared in this communication are mine,
and mine alone.  They are in no way to be interpreted as the opinion of
Keyway, or its employees (except obviously for the fact that Keyway
strives to help its customers, as well as help in any way to reduce the
proliferation of spam on the internet).


David Hiebert
Keyway Internet Services
909-933-3699
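
The policy described in this message (reject relays with NO reverse DNS, accept but note relays with mismatched reverse DNS), as an added Perl example of a MIMEDefang filter_relay; it is not code from this thread or from the MIMEDefang project. It assumes MIMEDefang passes the IP in square brackets as $hostname when the PTR lookup fails; classify_rdns, $forward_lookup and the sample names and addresses are constructed for illustration.

```perl
use strict;
use warnings;
use Socket qw(inet_ntoa);

# Forward lookup: hostname -> list of dotted-quad addresses (IPv4 only).
# Held in a variable so the sample run below can swap in a constructed table.
our $forward_lookup = sub {
    my ($name) = @_;
    my @h = gethostbyname($name) or return ();
    return map { inet_ntoa($_) } @h[4 .. $#h];
};

# 'none'     = no PTR record at all
# 'mismatch' = PTR exists, but the name does not resolve back to the relay IP
# 'ok'       = forward-confirmed reverse DNS
sub classify_rdns {
    my ($hostip, $hostname) = @_;
    # Assumption: a failed reverse lookup arrives as "[ip]" in $hostname.
    return 'none' if !defined $hostname || $hostname eq ''
                  || $hostname eq $hostip || $hostname =~ /^\[.*\]$/;
    my $match = grep { $_ eq $hostip } $forward_lookup->($hostname);
    return $match ? 'ok' : 'mismatch';
}

# Reject only the 'none' case; 'mismatch' is accepted to keep false positives down.
sub filter_relay {
    my ($hostip, $hostname) = @_;
    return ('CONTINUE', 'ok') if $hostip eq '127.0.0.1';
    my $state = classify_rdns($hostip, $hostname);
    if ($state eq 'none') {
        # Spell out the cause and the fix, since some senders only see this text.
        return ('REJECT', "No reverse DNS (PTR) record for $hostip; "
                        . "ask your mail administrator to add one");
    }
    # Inside a running filter, md_syslog would be the usual place for this.
    warn "rDNS mismatch: $hostip claims to be $hostname\n" if $state eq 'mismatch';
    return ('CONTINUE', 'ok');
}

unless (caller) {    # sample run with constructed data, no network needed
    my %dns = ('mail.example.org' => ['192.0.2.10'],
               'dyn.example.net'  => ['198.51.100.7']);
    $forward_lookup = sub { @{ $dns{ $_[0] } || [] } };
    for my $case (['192.0.2.10',  'mail.example.org'],   # matching PTR
                  ['203.0.113.5', '[203.0.113.5]'],      # no PTR
                  ['192.0.2.99',  'dyn.example.net']) {  # mismatched PTR
        my ($action, $msg) = filter_relay(@$case);
        printf "%-12s %-18s => %s\n", @$case, $action;
    }
}
```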
