[Mimedefang] OT: DNS sanity check
Les Mikesell
les at futuresource.com
Thu Jul 5 14:57:52 EDT 2007
Kris Deugau wrote:
>> So any virus-infested spam-sending home box will pass this test as
>> long as the ISP provides a DNS name and PTR record entirely unrelated
>> to the domain the box might claim to be in?
>
> Well, yes. This is odd or unusual how, exactly? (It's not *good*, but
> it *can* be used as a reference point in spam scoring systems like
> SpamAssassin. Among other places.)
It's odd or unusual to think that this test is meaningful. I think most
ISP connections to individual users would automatically have the forward
and reverse addresses in DNS as some meaningless node name - and these
are the most likely spam/virus senders. The ones that will fail are the
connections to businesses where the delegations are made to servers
that don't bother to maintain a meaningless name for this association
and, for one reason or another, the meaningful name is changed or never
set up to match.
> Well, aside from "is it consistent" (as I laid out), it's not really
> much use on its own. I was just pointing out that you were asking about
> mismatches with the wrong pair of lookups. name->IP->reverse lookups
> are far more likely to show a mismatch between the name and reverse than
> IP->name->IP lookups will show mismatched IPs.
Yes, I guess that's correct for this particular situation. And easily
handled by the delegated server for the IP range if he is willing to
match it up with a meaningless name in a forward domain that he also
controls - without any regard to the actual use of the address or real
domain of the host(s) involved. A real spammer would be sure to get
this right...
--
Les Mikesell
lesmikesell at gmail.com
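The two lookup orders compared in this exchange (IP -> PTR -> A, the "forward-confirmed reverse DNS" check, versus name -> A -> PTR, the check on the name a host claims), as an added illustration that is not part of this message or of the MIMEDefang code. The zone data is a constructed, hypothetical in-memory table using 203.0.113.0/24 documentation addresses, so the script runs offline; the names, addresses and function names are assumptions for the example only.

```python
"""Forward/reverse DNS consistency checks over a constructed in-memory zone.

Two lookup orders are compared in the thread:
  * IP -> PTR -> A   (forward-confirmed reverse DNS, "FCrDNS"): does the
    name in the PTR record resolve back to the connecting IP?
  * name -> A -> PTR: does the name the client *claims* resolve to an IP
    whose PTR is that same name?
Both lookups here hit a hypothetical dictionary zone so the script runs
offline; swap the two lookup functions for real resolver calls to use it
against live DNS.
"""

# Constructed sample data: hypothetical names, addresses from the
# 203.0.113.0/24 documentation range. None of this is real DNS.
PTR_RECORDS = {
    "203.0.113.10": "c-203-0-113-10.dyn.example-isp.net",  # ISP-assigned home box
    "203.0.113.20": "mail.example.com",                      # MX whose PTR matches its name
    "203.0.113.30": "host30.colo.example-isp.net",           # business box, generic ISP PTR
    # 203.0.113.40: delegated range, PTR never set up
}
A_RECORDS = {
    "c-203-0-113-10.dyn.example-isp.net": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.20"],
    "host30.colo.example-isp.net": ["203.0.113.30"],
    "mail.smallbiz.example": ["203.0.113.30"],  # the business's own name for the same box
    "mail.stale.example": ["203.0.113.40"],
}


def _canon(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are not case/FQDN-sensitive."""
    return name.lower().rstrip(".")


def lookup_ptr(ip: str):
    """Reverse lookup stand-in (real code: socket.gethostbyaddr(ip)[0])."""
    return PTR_RECORDS.get(ip)


def lookup_a(name: str):
    """Forward lookup stand-in (real code: socket.gethostbyname_ex(name)[2])."""
    return A_RECORDS.get(_canon(name), [])


def fcrdns(ip: str):
    """IP -> PTR -> A. Returns (consistent, ptr_name)."""
    ptr = lookup_ptr(ip)
    if ptr is None:
        return False, None        # no PTR at all: cannot be confirmed
    return ip in lookup_a(ptr), ptr


def name_roundtrip(name: str):
    """name -> A -> PTR. Returns (consistent, [(ip, ptr_or_None), ...]).

    Consistent only if every address the name resolves to has a PTR equal
    to the name we started from.
    """
    ips = lookup_a(name)
    if not ips:
        return False, []          # name does not resolve
    pairs = [(ip, lookup_ptr(ip)) for ip in ips]
    ok = all(ptr is not None and _canon(ptr) == _canon(name) for _, ptr in pairs)
    return ok, pairs


def assess(ip: str, claimed_name: str) -> dict:
    """Run both checks for a connecting IP and the name it claims."""
    rev_ok, ptr = fcrdns(ip)
    fwd_ok, pairs = name_roundtrip(claimed_name)
    return {
        "ip": ip,
        "claimed": claimed_name,
        "ptr": ptr,
        "ip_ptr_a_consistent": rev_ok,
        "name_a_ptr_consistent": fwd_ok,
        "claimed_name_points_at_ip": ip in [p[0] for p in pairs],
    }


if __name__ == "__main__":
    cases = [
        ("203.0.113.10", "c-203-0-113-10.dyn.example-isp.net"),  # home box: passes both
        ("203.0.113.20", "mail.example.com"),                      # well-kept MX: passes both
        ("203.0.113.30", "mail.smallbiz.example"),                 # business: IP->PTR->A ok, name->A->PTR fails
        ("203.0.113.40", "mail.stale.example"),                    # no PTR: IP->PTR->A fails
    ]
    for ip, name in cases:
        print(assess(ip, name))
```

Running the four constructed cases shows the asymmetry the message describes: the ISP's auto-generated node name passes both lookup orders, the business host with a generic colo PTR passes IP -> PTR -> A but fails name -> A -> PTR for the name it actually claims, and the address whose PTR was never set up fails the IP-first check outright.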