On Tue, 17 May 2005, Dennis Peterson wrote:
>
> How would you handle the PTR record for an SMTP server that hosts 500
> virtual domains?
>
Yes, I realize that getting everyone to change would be a pain in the butt and if we can do the following it would certainly reduce spam. We host many domains and I can't think of a reason that it would break our virtual domain system since rDNS(IP) == HELO == SMTP's 220.

This is not to say that a spammer can't put a system like this together, but if they do it will certainly be easier to blacklist. This won't get rid of it all, but it should drop rogue virus mailers with their own smtp-sending engine.

IMO, a sending MTA should never have its smtp port closed unless it is an end-user. If they are an end user then SASL should be used to authenticate. Dynamic SMTP servers are ok provided that the constraints below are accurate.

If you ignore SASL authenticated connections, we can better authenticate mail connections with the following list of constraints:

1. fDNS(rDNS(IP)) == IP  # trivial
2. rDNS(IP) == HELO  # should be trivial
3. rDNS(IP) == IP:smtp's 220 string.
4. SMTP FROM domain has an MX  # trivial
5. SMTP FROM domain MX has a 220 string of itself, rDNS or HELO.

Caveats: (please add your caveats here)

#3 & #5: Sending server must have something on port 25 to issue a 220 string. This server does not need to have any more than a 220 response, though it should be friendly enough to wait for a quit. This can be done with a few lines of perl.

We don't implement this 100% but our system is moving that direction. We will also tie SPF to the list of constraints. Those who send email through us as their mail gateway will use SASL.

For what other reasons might this not work? What can we do to fortify this?

-Eric

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
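The five constraints from the message above, evaluated for a virtual-domain host and for a direct-to-MX mailer. This is an added example, not part of the original post or of any ClamAV code. The `Net` lookup table, all names and addresses are constructed, and constraint 5 is read as "the MX's greeting names the MX itself, the rDNS name or the HELO name".

```python
# Added example; all names, addresses and banners below are constructed.
from dataclasses import dataclass, field

def norm(name):
    """Lower-case a host name and drop the trailing dot."""
    return name.rstrip(".").lower()

def banner_host(banner):
    """Host named in an SMTP greeting, or None if it is not a 220 reply.
    Accepts both '220 host ...' and the multi-line '220-host ...' form."""
    first = banner.splitlines()[0] if banner else ""
    if not first.startswith("220") or len(first) < 5 or first[3] not in " -":
        return None
    parts = first[4:].split()
    return norm(parts[0]) if parts else None

@dataclass
class Net:
    """Stand-in for DNS and port-25 lookups (hypothetical helper)."""
    ptr: dict = field(default_factory=dict)     # ip -> PTR name
    a: dict = field(default_factory=dict)       # name -> set of IPs
    mx: dict = field(default_factory=dict)      # domain -> list of MX hosts
    banner: dict = field(default_factory=dict)  # ip or host -> 220 greeting

def check_sender(net, ip, helo, from_domain):
    """Evaluate constraints 1-5 for one connection; returns {number: bool}."""
    rdns, helo = norm(net.ptr.get(ip, "")), norm(helo)
    mxs = [norm(m) for m in net.mx.get(norm(from_domain), [])]
    return {
        1: bool(rdns) and ip in net.a.get(rdns, set()),   # fDNS(rDNS(IP)) == IP
        2: bool(rdns) and rdns == helo,                   # rDNS(IP) == HELO
        3: bool(rdns) and banner_host(net.banner.get(ip, "")) == rdns,
        4: bool(mxs),                                     # FROM domain has an MX
        5: any(banner_host(net.banner.get(m, "")) in {m, rdns, helo} for m in mxs),
    }

NET = Net(
    ptr={"192.0.2.10": "mail.hoster.example.", "198.51.100.7": "dyn-7.isp.example."},
    a={"mail.hoster.example": {"192.0.2.10"}, "dyn-7.isp.example": {"198.51.100.7"}},
    mx={"customer1.example": ["mail.hoster.example."]},
    banner={"192.0.2.10": "220 mail.hoster.example ESMTP",
            "mail.hoster.example": "220-mail.hoster.example ESMTP\r\n220 ready"},
)
# One PTR serves every hosted domain: only MAIL FROM changes per customer.
VIRTUAL_HOST = check_sender(NET, "192.0.2.10", "mail.hoster.example", "customer1.example")
# Infected end-user machine: forged HELO, nothing listening on its port 25.
BOT = check_sender(NET, "198.51.100.7", "customer1.example", "customer1.example")
```

The hosted domain passes all five checks with a single PTR record, while the second connection fails 2 and 3 even though its forged MAIL FROM domain satisfies 4 and 5.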
