[Mimedefang] OT: DNS sanity check

Kris Deugau kdeugau at vianet.ca
Thu Jul 5 14:25:20 EDT 2007


Les Mikesell wrote:
> So any virus-infested spam-sending home box will pass this test as long 
> as the ISP provides a DNS name and PTR record entirely unrelated to the 
> domain the box might claim to be in?

Well, yes.  This is odd or unusual how, exactly?  (It's not *good*, but 
it *can* be used as a reference point in spam scoring systems like 
SpamAssassin.  Among other places.)

I don't reject connections based on DNS mismatches on any mail system I 
admin;  as an ISP mail admin I don't want the headaches that go along 
with doing so.  I *do* reject a very few mail connections based on very 
obviously wrong HELO arguments - my IP and my hostname are the only two 
I recall offhand.

The OP's question included the following:
 > the problem I'm told by the ISP is that they're rejecting mail from my
 > machines because:
 >
 > a) machine #1 doesn't have a reverse DNS PTR record defined
 > b) machine #2 has a PTR record defined, but it doesn't match the forward
 > A record

I.e., whoever is rejecting mail has gone to specific effort to reject mail 
due to DNS mismatches that are suspicious but (should) not (be) fatal.

(IP->reverse->otherIP, rather than IP->reverse->IP)

*I* don't think that's reasonable;  if for no other reason than DNS 
*does* fail and/or time out sometimes causing the crosscheck to fail 
even if the DNS information nominally available is "correct".

IIRC one critical note in most RFCs is that the local admin is free to 
do as they please (RFC "MUST" and "MUST NOT" provisions 
notwithstanding), so long as they understand the consequences.  Far too 
many don't.  :(

> In what scenario is this information useful, if it isn't related to any 
> name claimed by the box itself?  You are likely to be testing a NAT 
> gateway address, anyway.

Well, aside from "is it consistent" (as I laid out), it's not really 
much use on its own.  I was just pointing out that you were asking about 
mismatches with the wrong pair of lookups.  name->IP->reverse lookups 
are far more likely to show a mismatch between the name and reverse than 
IP->name->IP lookups will show mismatched IPs.

-kgd
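The two lookup directions discussed in this thread, as an added example that is not part of the original post or of MIMEDefang itself. Both crosschecks run against a small constructed record table standing in for a resolver (the addresses, hostnames and the "flaky" name are assumptions, not real hosts), so the code runs offline; a real deployment would plug in an actual PTR/A lookup behind the same two callables. It distinguishes the OP's two cases (no PTR; PTR present but forward A disagrees) from a transient DNS failure, which the poster argues must not be treated as a mismatch, and it turns each outcome into a score contribution rather than a rejection.

```python
"""Forward-confirmed reverse DNS (FCrDNS) crosscheck, both lookup orders,
over a constructed offline record table. Example code added for this
thread; not the poster's code and not part of MIMEDefang."""
from __future__ import annotations
import ipaddress

# Constructed zone data (assumption: none of these are real hosts).
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.net"],      # consistent pair
    "192.0.2.20": ["host-20.isp.example"],   # PTR exists, forward does not point back (OP case b)
    # "192.0.2.30" has no PTR at all                               (OP case a)
    "192.0.2.40": ["mx.example.org"],        # round-robin forward that still contains the IP
    "192.0.2.50": ["flaky.example.com"],     # forward lookup of this name times out
}
A_RECORDS = {
    "mail.example.net": ["192.0.2.10"],
    "host-20.isp.example": ["192.0.2.21"],   # forward A disagrees with the IP we started from
    "mx.example.org": ["192.0.2.41", "192.0.2.40"],
    "flaky.example.com": None,               # None models a timeout / SERVFAIL, not NXDOMAIN
}


class DnsTempFail(Exception):
    """A lookup timed out or SERVFAILed; the answer is unknown, not negative."""


def lookup_ptr(ip: str) -> list[str]:
    """Stand-in for a PTR query; empty list means no record (NXDOMAIN)."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name: str) -> list[str]:
    """Stand-in for an A query; raises DnsTempFail for the constructed flaky name."""
    addrs = A_RECORDS.get(name, [])
    if addrs is None:
        raise DnsTempFail(name)
    return addrs


def fcrdns(ip: str, ptr=lookup_ptr, a=lookup_a) -> str:
    """IP -> PTR name(s) -> A record(s): the direction the rejecting ISP is using.

    Returns one of:
      'pass'      some PTR name's forward records include the original IP
      'no_ptr'    no PTR record exists
      'mismatch'  PTR exists but no forward record returns the IP
      'tempfail'  a lookup failed transiently; treat as unknown, never as a mismatch
    """
    ipaddress.ip_address(ip)  # reject malformed input before doing any lookups
    names = ptr(ip)
    if not names:
        return "no_ptr"
    try:
        for name in names:
            if ip in a(name):
                return "pass"
    except DnsTempFail:
        return "tempfail"
    return "mismatch"


def helo_crosscheck(helo_name: str, ip: str, ptr=lookup_ptr, a=lookup_a) -> str:
    """name -> IP -> PTR: the pair the poster notes mismatches far more often,
    because a HELO name and the ISP's PTR name are routinely unrelated."""
    ipaddress.ip_address(ip)
    try:
        if ip not in a(helo_name):
            return "helo_forward_mismatch"
    except DnsTempFail:
        return "tempfail"
    return "pass" if helo_name in ptr(ip) else "helo_reverse_mismatch"


# Score contributions (constructed values) in the spirit of using the result
# as one input to a scoring system rather than as a reject-on-its-own test.
SCORES = {
    "pass": 0.0,
    "no_ptr": 1.0,
    "mismatch": 0.5,
    "helo_forward_mismatch": 0.5,
    "helo_reverse_mismatch": 0.2,
    "tempfail": 0.0,   # unknown is not evidence of anything
}


def dns_score(ip: str, helo_name: str) -> float:
    """Combine both crosschecks into a single score contribution for one connection."""
    return SCORES[fcrdns(ip)] + SCORES[helo_crosscheck(helo_name, ip)]


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.net"),
                     ("192.0.2.20", "host-20.isp.example"),
                     ("192.0.2.30", "mail.example.net"),
                     ("192.0.2.50", "flaky.example.com")]:
        print(ip, helo, fcrdns(ip), helo_crosscheck(helo, ip), dns_score(ip, helo))
```

Note the asymmetry the poster describes: for 192.0.2.41, the IP-first check cannot even begin (no PTR), while the name-first check on mx.example.org passes the forward step and only then reports a reverse mismatch; and the tempfail outcome carries no weight at all, which is the behaviour you want when the resolver, not the sender, is at fault.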
