On Sun, 2007-06-24 at 08:44 -0700, Marc Perkel wrote:

> One thing that spammers can't spoof is RDNS.
Yes they can, and have done in the past. Although not trivial (many LIRs and RIRs are quite good at stopping allocations to known spam operations), it's possible that a spammer can either acquire an IP space allocation and run their own rDNS servers for it, or be delegated rDNS for another provider's space. This last case is especially problematic, although usually easier to handle than the first case. Unfortunately that drives a bus through your idea :-/

More widely, remember that domain names can be of the form:

host.subdomain.domain.tld

(where "subdomain" can in fact be comprised of multiple parts). To assume that subdomain.domain.tld is an actual subdomain of domain.tld is incorrect - it might be a whole, separate, domain out on its own with defined nameservers (as delegated from domain.tld's nameservers).

Messages arriving from hosts with rDNS of the form host.domain.tld might well be predominantly spam, but an operational host.subdomain.domain.tld might always send ham (or it could be the other way around). How do you separate the two?

As an example, consider mass virtual hosting providers - their server farms might have outbound smarthosts with rDNS of (for example) hosting.domain.tld, and you flag a high percentage of their email as spam. However they might have an engineering department which uses email addresses of the form domain.tld exiting the same smarthosts which *never* sends spam - ever - but you would, in your case, start to mark all email as ham with this methodology.

Graeme

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
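The two points in Graeme's reply (rDNS is controlled by whoever holds the address space, and collapsing a PTR name to "domain.tld" lumps unrelated operators together) can be shown with a small forward-confirmed rDNS check. This is an added example, not code from the thread or from Exim: the DNS data is a constructed in-memory map using documentation address ranges, so it runs offline, and the names, the `fcrdns` and `naive_parent` functions and the two-label grouping rule are all assumptions made for illustration.

```python
import ipaddress
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for the DNS (assumption: no real resolver is queried).
# PTR records are whatever the holder of the address space chose to publish.
PTR: Dict[str, str] = {
    "192.0.2.10": "hosting.example.net",        # hosting provider's smarthost
    "192.0.2.11": "mx.subdomain.example.net",   # separately delegated subdomain
    "198.51.100.5": "mail.example.org",         # PTR claims a name it does not own
}

# Forward records as published by the *name* owner, which may be a different party.
A: Dict[str, Set[str]] = {
    "hosting.example.net": {"192.0.2.10"},
    "mx.subdomain.example.net": {"192.0.2.11"},
    "mail.example.org": {"203.0.113.7"},        # does not point back at 198.51.100.5
}


def reverse_name(ip: str) -> str:
    """The in-addr.arpa (or ip6.arpa) owner name a PTR query for `ip` would use."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip: str, ptr: Dict[str, str] = PTR,
           a: Dict[str, Set[str]] = A) -> Tuple[Optional[str], str]:
    """Forward-confirmed rDNS: the PTR name must resolve back to the same address.

    Returns (ptr_name, status) where status is one of
    'no PTR', 'confirmed' or 'unconfirmed'. A PTR alone proves only that the
    address holder published it; the forward check ties it to the name owner.
    """
    name = ptr.get(ip)
    if name is None:
        return None, "no PTR"
    if ip in a.get(name, set()):
        return name, "confirmed"
    return name, "unconfirmed"


def naive_parent(name: str, labels: int = 2) -> str:
    """Collapse a host name to its last `labels` labels ("domain.tld").

    This is the shortcut the thread warns about: it cannot tell a delegated
    subdomain.domain.tld (a separate zone) from a host inside domain.tld.
    """
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def group_by_naive_parent(ips) -> Dict[str, Set[str]]:
    """Show which distinct PTR names would share one reputation bucket."""
    groups: Dict[str, Set[str]] = {}
    for ip in ips:
        name, status = fcrdns(ip)
        if status != "confirmed":
            continue  # only confirmed names are worth scoring at all
        groups.setdefault(naive_parent(name), set()).add(name)
    return groups


if __name__ == "__main__":
    for ip in PTR:
        print(ip, reverse_name(ip), fcrdns(ip))
    # hosting.example.net and mx.subdomain.example.net land in one bucket
    # even though the thread explains they may be run by different parties.
    print(group_by_naive_parent(PTR))
```

The useful defensive takeaway is the middle function: a PTR that is not forward-confirmed is just an assertion by the address holder, and even a confirmed one only identifies a host, not the administrative boundary that `naive_parent` pretends to find.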
