[Mimedefang] OT: DNS sanity check
Kris Deugau
kdeugau at vianet.ca
Thu Jul 5 14:25:20 EDT 2007
Les Mikesell wrote:
> So any virus-infested spam-sending home box will pass this test as long
> as the ISP provides a DNS name and PTR record entirely unrelated to the
> domain the box might claim to be in?
Well, yes. This is odd or unusual how, exactly? (It's not *good*, but
it *can* be used as a reference point in spam scoring systems like
SpamAssassin. Among other places.)
I don't reject connections based on DNS mismatches on any mail system I
admin; as an ISP mail admin I don't want the headaches that go along
with doing so. I *do* reject a very few mail connections based on very
obviously wrong HELO arguments - my IP and my hostname are the only two
I recall offhand.
The OP's question included the following:
> the problem I'm told by the ISP is that they're rejecting mail from my
> machines because:
>
> a) machine #1 doesn't have a reverse DNS PTR record defined
> b) machine #2 has a PTR record defined, but it doesn't match the forward
> A record
I.e., whoever is rejecting mail has gone to specific effort to reject mail
due to DNS mismatches that are suspicious but (should) not (be) fatal.
(IP->reverse->otherIP, rather than IP->reverse->IP)
*I* don't think that's reasonable; if for no other reason than DNS
*does* fail and/or time out sometimes causing the crosscheck to fail
even if the DNS information nominally available is "correct".
IIRC one critical note in most RFCs is that the local admin is free to
do as they please (RFC "MUST" and "MUST NOT" provisions
notwithstanding), so long as they understand the consequences. Far too
many don't. :(
> In what scenario is this information useful, if it isn't related to any
> name claimed by the box itself? You are likely to be testing a NAT
> gateway address, anyway.
Well, aside from "is it consistent" (as I laid out), it's not really
much use on its own. I was just pointing out that you were asking about
mismatches with the wrong pair of lookups. name->IP->reverse lookups
are far more likely to show a mismatch between the name and reverse than
IP->name->IP lookups will show mismatched IPs.
-kgd
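The two crosschecks discussed in the thread (IP->reverse->IP, which the OP's ISP rejects on, and name->IP->reverse, which Kris notes is far more likely to mismatch), written out as an added example that is not code from the post, MIMEDefang, or the list. The resolver is a constructed in-memory table (192.0.2.0/24 documentation addresses and reserved .example names) so it runs offline; a real deployment would swap in socket or dnspython lookups. A simulated timeout is reported as "unknown" rather than as a mismatch, which is the failure mode the post warns about, and the only outright reject follows the post's own policy: a HELO argument that is the receiving server's own IP or hostname (the constants MY_IP and MY_HOSTNAME are assumed values).

```python
"""Forward-confirmed reverse DNS (FCrDNS) consistency checks.

Added example; the resolver below is a stand-in for real DNS so the
module runs without network access.
"""

MY_IP = "192.0.2.1"            # assumed address of the receiving MTA
MY_HOSTNAME = "mx.example.net"  # assumed hostname of the receiving MTA


class DnsTimeout(Exception):
    """Simulates a lookup that failed or timed out."""


class StubResolver:
    """Tiny fake resolver: PTR keyed by IP, A keyed by name, plus a set of queries that time out."""

    def __init__(self, ptr, a, timeouts=()):
        self.ptr = ptr            # ip -> list of names
        self.a = a                # name -> list of ips
        self.timeouts = set(timeouts)

    def lookup_ptr(self, ip):
        if ("PTR", ip) in self.timeouts:
            raise DnsTimeout(ip)
        return list(self.ptr.get(ip, []))

    def lookup_a(self, name):
        if ("A", name) in self.timeouts:
            raise DnsTimeout(name)
        return list(self.a.get(name, []))


def check_ip_ptr_ip(resolver, ip):
    """IP -> PTR -> A crosscheck (the pair the OP's ISP rejects on).

    'consistent': some PTR name resolves back to ip
    'no-ptr'    : no PTR record at all           (case a in the thread)
    'mismatch'  : PTR exists, none of its A records is ip (case b)
    'unknown'   : a lookup timed out; DNS failure, not evidence of forgery
    """
    try:
        names = resolver.lookup_ptr(ip)
        if not names:
            return "no-ptr"
        for name in names:
            if ip in resolver.lookup_a(name):
                return "consistent"
        return "mismatch"
    except DnsTimeout:
        return "unknown"


def check_name_ip_name(resolver, name):
    """name -> A -> PTR crosscheck (e.g. the HELO name against its address's reverse).

    A host on ISP space or behind NAT legitimately carries a PTR unrelated
    to the name it announces, so this pair mismatches far more often.
    """
    try:
        ips = resolver.lookup_a(name)
        if not ips:
            return "no-a"
        for ip in ips:
            if name in resolver.lookup_ptr(ip):
                return "consistent"
        return "mismatch"
    except DnsTimeout:
        return "unknown"


def decide(resolver, ip, helo):
    """Policy from the post: reject only an obviously bogus HELO (our own IP or
    hostname); everything else is accepted and the DNS results are returned
    so a scorer such as SpamAssassin can weigh them."""
    bare_helo = helo.strip("[]").lower()
    if bare_helo in (MY_IP, MY_HOSTNAME.lower()):
        return ("reject", "HELO claims to be this server")
    return ("accept", {
        "ip_ptr_ip": check_ip_ptr_ip(resolver, ip),
        "helo_a_ptr": check_name_ip_name(resolver, bare_helo),
    })


# Constructed sample DNS data, not taken from any real zone.
SAMPLE = StubResolver(
    ptr={
        "192.0.2.10": ["mail.example.net"],      # consistent
        "192.0.2.30": ["host30.isp.example"],    # PTR points at a name for another IP
        "192.0.2.40": ["cust40.isp.example"],    # ISP-assigned name, unrelated to HELO
        "192.0.2.50": ["mail.timeout.example"],  # forward lookup will time out
    },
    a={
        "mail.example.net": ["192.0.2.10"],
        "host30.isp.example": ["192.0.2.31"],
        "cust40.isp.example": ["192.0.2.40"],
        "mail.example.org": ["192.0.2.40"],      # the HELO name 192.0.2.40 announces
    },
    timeouts=[("A", "mail.timeout.example")],
)

if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.net"), ("192.0.2.20", "pc.home"),
                     ("192.0.2.30", "host30.isp.example"), ("192.0.2.40", "mail.example.org"),
                     ("192.0.2.50", "mail.timeout.example"), ("192.0.2.60", MY_HOSTNAME)]:
        print(ip, helo, decide(SAMPLE, ip, helo))
```

The 192.0.2.40 row is the case the post describes: IP->PTR->A is consistent (the ISP's name resolves back to the address) while HELO->A->PTR mismatches, because the announced name and the ISP's PTR have nothing to do with each other. Neither result is treated as fatal; only the spoofed HELO is.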