On Mar 26, 2007, at 7:33 AM, Robert Story wrote:

On Fri, 23 Mar 2007 18:39:59 -0400 (EDT) Dean wrote:
DA> Real anti-spam groups at large ISPs don't use reverse DNS for spam
DA> filtering. There have been attempts to do so in the past, but those
DA> ended in (sometimes well-publicized) disasters.

This is patently and provably false. AOL clearly states that "AOL's mail servers will reject connections from any IP address that does not have reverse DNS (a PTR record)." and "AOL's mail servers will not accept connections from systems that use dynamically assigned or residential IP addresses." [1] (I don't know how they are determining 'dynamically assigned or residential IP addresses', so that may or may not be via reverse DNS.)

While having a valid PTR record in the reverse address space might be used as one criterion for email acceptance, a test for the PTR record might be that it resolves to some IP address. However, this IP address will not necessarily relate to the SMTP client. A bad actor on a compromised system can also easily assert a host-name matching that of a PTR record.

Determination of acceptable IP address space is done with the aid of third-party lists often determined directly from network providers. When the network provider does not cooperate, there might be clues uncovered by the reverse PTR records. However this information is not reliable as it is often poorly maintained or fails to include all possible host-names.

SpamHaus is a rather well-known spam-fighting organization, and they clearly state that having reverse DNS is 'highly desirable.' [2]

Forward and reverse DNS zones being properly configured helps in many ways. Often prior to block-listing, an attempt is made to contact network providers based upon BGP information. Reverse zones help confirm relationships discovered in this manner.

The seventh paragraph in section 3.1 perhaps slightly overstates "matching" reliance placed upon the reverse DNS zone information or expectations of consistent conventions. Nevertheless, this information is often gleaned for rating clues. Clearly finding a match improves the likelihood of message acceptance. The reverse DNS space might be seen as a way for network providers to constrain the use of their IP address space. However, conventions for such reverse zone control are lacking. It also seems adoption of IPv6 may further frustrate reverse zone reliance and establishing consistent conventions.

One might expect forward based authorizations in conjunction with cryptographic identification will approximate current abuse control strategies. At this point, it is not clear whether such authorization will be placed within DNS or perhaps found within something like OpenID structures.

-Doug
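The distinction Doug draws above (a PTR record existing, the PTR name resolving to some address, and that address actually being the connecting client) is what a forward-confirmed reverse DNS check separates. The following is an added example, not code from the thread or from any of the organizations cited in it. It runs offline against constructed, in-memory PTR and A tables (the 192.0.2.0/24 documentation range; none of the names are real hosts); the two lookup functions and the "looks dynamic" label heuristic are assumptions standing in for a real resolver and a real provider-supplied address list.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check on an SMTP client IP.

Stages:
  1. Does the client IP have any PTR record at all?
  2. Does at least one PTR name resolve forward (A record) back to that IP?
  3. Does a HELO name offered by the client prove anything?  (No: the client
     chooses its HELO, so matching the PTR is not confirmation.)
The DNS data is a constructed in-memory table so the example is self-contained.
"""
import ipaddress
import re

# Constructed sample zones (not real hosts).
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.net."],        # PTR and forward A agree
    "192.0.2.20": ["mail.example.net."],        # PTR name's A record points elsewhere
    "192.0.2.30": [],                            # no PTR at all
    "192.0.2.40": ["dyn-40.pool.example.net."],  # confirmed, but generic/dynamic-looking name
}
A_RECORDS = {
    "mail.example.net.": ["192.0.2.10"],
    "dyn-40.pool.example.net.": ["192.0.2.40"],
}

# Stand-ins for resolver calls (assumption: replace with a real DNS library).
def lookup_ptr(ip):
    return PTR_RECORDS.get(ip, [])

def lookup_a(name):
    return A_RECORDS.get(name, [])

# Constructed heuristic for "dynamically assigned / residential" naming. This is
# exactly the unreliable kind of clue the thread warns about: providers follow
# no consistent convention, so it can only ever be a hint, not an authority.
GENERIC_LABEL = re.compile(r"(^|[.-])(dyn|dhcp|pool|ppp|cable|dsl)([.-]|\d)", re.IGNORECASE)

def looks_dynamic(name):
    return bool(GENERIC_LABEL.search(name))

def _canon(name):
    return name.strip().lower().rstrip(".") + "."

def fcrdns(ip, helo_name=None):
    """Return the outcome of each stage for one client IP (and optional HELO)."""
    ipaddress.ip_address(ip)  # reject malformed input early
    names = lookup_ptr(ip)
    result = {
        "has_ptr": bool(names),
        "ptr_names": names,
        "forward_matches": any(ip in lookup_a(n) for n in names),
        "helo_matches_ptr": False,
    }
    if helo_name is not None:
        # A HELO equal to the PTR name is something any client can assert;
        # it is recorded for logging but never used as confirmation.
        result["helo_matches_ptr"] = _canon(helo_name) in [_canon(n) for n in names]
    return result

VERDICT_NO_PTR = "reject: no PTR record"
VERDICT_UNCONFIRMED = "suspect: PTR name does not resolve back to client"
VERDICT_DYNAMIC = "suspect: PTR name looks dynamically assigned"
VERDICT_OK = "accept: forward-confirmed reverse DNS"

def assess(ip, helo_name=None):
    """Map the stage results onto a coarse acceptance decision."""
    r = fcrdns(ip, helo_name)
    if not r["has_ptr"]:
        return VERDICT_NO_PTR
    if not r["forward_matches"]:
        return VERDICT_UNCONFIRMED
    if any(looks_dynamic(n) for n in r["ptr_names"]):
        return VERDICT_DYNAMIC
    return VERDICT_OK

if __name__ == "__main__":
    for client in PTR_RECORDS:
        print(client, "->", assess(client, helo_name="mail.example.net"))
```

Note that 192.0.2.20 presents a PTR name identical to the well-maintained host's, and a HELO to match, yet fails: the forward lookup returns a different address, which is the check the PTR record alone cannot provide.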

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop