[Mimedefang] OT: DNS sanity check

Les Mikesell les at futuresource.com
Thu Jul 5 14:57:52 EDT 2007


Kris Deugau wrote:

>> So any virus-infested spam-sending home box will pass this test as 
>> long as the ISP provides a DNS name and PTR record entirely unrelated 
>> to the domain the box might claim to be in?
> 
> Well, yes.  This is odd or unusual how, exactly?  (It's not *good*, but 
> it *can* be used as a reference point in spam scoring systems like 
> SpamAssassin.  Among other places.)

It's odd or unusual to think that this test is meaningful.  I think most 
ISP connections to individual users would automatically have the forward 
and reverse addresses in DNS as some meaningless node name - and these 
are the most likely spam/virus senders.  The ones that will fail are the 
connections to businesses where the delegations are made to servers 
that don't bother to maintain a meaningless name for this association 
and for one reason or another the meaningful name is changed or never 
set up to match.

> Well, aside from "is it consistent" (as I laid out), it's not really 
> much use on its own.  I was just pointing out that you were asking about 
> mismatches with the wrong pair of lookups.  name->IP->reverse lookups 
> are far more likely to show a mismatch between the name and reverse than 
> IP->name->IP lookups will show mismatched IPs.

Yes, I guess that's correct for this particular situation.  And easily 
handled by the delegated server for the IP range if he is willing to 
match it up with a meaningless name in a forward domain that he also 
controls - without any regard to the actual use of the address or real 
domain of the host(s) involved.  A real spammer would be sure to get 
this right...

-- 
   Les Mikesell
    lesmikesell at gmail.com
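The two lookup chains this thread compares, IP->name->IP (forward-confirmed reverse DNS) and name->IP->reverse, as an added example that is not from the original post or from MIMEDefang itself. It runs in Python against a constructed in-memory DNS table that stands in for real resolver calls; every name and address in it is invented for illustration (documentation ranges and reserved TLDs), including the ISP "meaningless node name" case, the business server whose colo provider kept its own generic PTR, and a sender who lined everything up. Swapping `lookup_a`/`lookup_ptr` for `socket.gethostbyname_ex`/`socket.gethostbyaddr` would make it live.

```python
import ipaddress

# Constructed sample DNS data (an assumption for this example; not real zones).
A_RECORDS = {
    # ISP hands the DSL customer an automatic node name that matches its PTR
    # exactly, so an infested home box passes IP->name->IP without effort.
    "dsl-198-51-100-23.example-isp.net": ["198.51.100.23"],
    # A business mail server: its HELO name resolves to the address, but the
    # colo provider's PTR still carries the provider's own generic name.
    "mail.example-corp.com": ["203.0.113.10"],
    "host10.colo.example.net": ["203.0.113.10"],
    # A sender who took care to make everything agree.
    "mx.example-spammer.net": ["192.0.2.77"],
}
PTR_RECORDS = {
    "198.51.100.23": ["dsl-198-51-100-23.example-isp.net"],
    "203.0.113.10": ["host10.colo.example.net"],
    "192.0.2.77": ["mx.example-spammer.net"],
    # 192.0.2.200 deliberately has no PTR at all.
}


def _norm(name):
    """Lower-case and strip a trailing dot so comparisons are robust."""
    return name.lower().rstrip(".")


def lookup_a(name):
    """Forward lookup against the constructed table (stand-in for a real A query)."""
    return list(A_RECORDS.get(_norm(name), []))


def lookup_ptr(ip):
    """Reverse lookup against the constructed table (stand-in for a real PTR query)."""
    return list(PTR_RECORDS.get(str(ipaddress.ip_address(ip)), []))


def fcrdns(ip):
    """IP -> PTR -> A (forward-confirmed reverse DNS).

    Returns the PTR names whose forward records include ip. An empty list
    means the check fails: no PTR, or a PTR that does not point back.
    """
    ip = str(ipaddress.ip_address(ip))
    return [name for name in lookup_ptr(ip) if ip in lookup_a(name)]


def name_matches_reverse(name):
    """name -> A -> PTR.

    For each address the name resolves to, report whether one of that
    address's PTR names equals the name we started from.
    """
    name = _norm(name)
    return {
        ip: name in {_norm(p) for p in lookup_ptr(ip)}
        for ip in lookup_a(name)
    }


def evaluate_sender(ip, helo_name):
    """Run both chains for one connecting client and return a verdict dict.

    fcrdns_ok           : the client's own address passes IP->name->IP
    helo_resolves_to_ip : the name it claimed resolves to the connecting address
    helo_matches_ptr    : and that address's PTR is the claimed name
    """
    ip = str(ipaddress.ip_address(ip))
    fwd = name_matches_reverse(helo_name)
    return {
        "fcrdns_ok": bool(fcrdns(ip)),
        "helo_resolves_to_ip": ip in fwd,
        "helo_matches_ptr": fwd.get(ip, False),
    }


if __name__ == "__main__":
    for ip, helo in [
        ("198.51.100.23", "dsl-198-51-100-23.example-isp.net"),
        ("203.0.113.10", "mail.example-corp.com"),
        ("192.0.2.77", "mx.example-spammer.net"),
        ("192.0.2.200", "mail.example-corp.com"),
    ]:
        print(ip, helo, evaluate_sender(ip, helo))
```

Run as written, the home DSL box and the careful sender pass every check, the legitimate business server passes IP->name->IP but fails name->IP->reverse because its provider's PTR is generic, and the last case (a forged HELO from an address with no PTR) fails all three. That is the point made above: the IP->name->IP result alone separates "has a consistent rDNS delegation" from "does not", not good senders from bad, so treat either result as one scoring input rather than a reject condition.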


