Re: How common is reverse DNS checking?
On 19-Aug-2010, at 13:08, D G Teed wrote:

> The only place I've seen which publicly talks about the reverse DNS requirement is AOL.

Craigslist requires that the reverse DNS match EXACTLY the mail server name. So, if your mailserver doubles as a dns server and your primary rDNS points to ns1.mydomain.tld and you send mail from mail.mydomain.tld, craigslist will reject it. They also never answer admin mail, so I've just told people using my mailservers to use gmail for craigslist since I don't have spare IPs lying around.

I used reject_unknown_reverse_client_hostname and I tried reject_unknown_client_hostname but that was very bad. Don't go there.

-- How good bad music and bad reasons sound when we march against an enemy. - Friedrich Nietzsche
Re: How common is reverse DNS checking?
On Aug 23, 2010, at 11:32 AM, LuKreme wrote:

> On 19-Aug-2010, at 13:08, D G Teed wrote:
>
>> The only place I've seen which publicly talks about the reverse DNS requirement is AOL.
>
> Craigslist requires that the reverse DNS match EXACTLY the mail server name. So, if your mailserver doubles as a dns server and your primary rDNS points to ns1.mydomain.tld and you send mail from mail.mydomain.tld, craigslist will reject it.

why mail from is from your host name. your host name should say mail.mydomain.tld = ipaddress, ip address should = mail.mydomain.tld we are talking about sending mail right? receiving for the domain, that's a different record.

> They also never answer admin mail, so I've just told people using my mailservers to use gmail for craigslist since I don't have spare IPs lying around.
>
> I used reject_unknown_reverse_client_hostname and I tried reject_unknown_client_hostname but that was very bad. Don't go there.

i would love to implement reject_unknown_client_hostname. the world would be a better place. i can see many reasons why having a fully qualified name is appropriate. A mail server for one should be able to say yes to ip = name and name = ip.
Re: How common is reverse DNS checking?
On Fri, Aug 20, 2010 at 03:39:48AM -0500, Stan Hoeppner wrote:

> Robert Fournerat put forth on 8/19/2010 4:46 PM:
>
>> Quoting Noel Jones njo...@megan.vbhcs.org:
>>
>>> Same here. reject_unknown_client_hostname is too strict, but reject_unknown_reverse_client_hostname rejects lots of obvious spambots without resorting to an RBL lookup. The false-positive rate is close enough to zero that I would not consider removing this restriction.
>>
>> Call me a BOFH, but I have no sympathy for mail servers that do not pass the FCRDNS test.
>
> Agreed. Given that the majority of consumer broadband providers in the US assign rDNS to even all their consumer IP addresses, there's no reason for a legit mail sending host to not have rDNS.

Same here, in Hungary, we can reject about 80% of the incoming SMTP transactions and still only some (usually one or two) complaints per month and even that case we always make the other MTA's sysadmin to use correct rDNS settings then, so it's very useful ... But sure, it is only my opinion ...
Re: How common is reverse DNS checking?
Noel, pf:

Thanks for your suggestions and comments. I also had the same questions and it's good to see that others used reject_unknown_reverse_client_hostname without too many false-positives. Now I will enable it on my production server.

Regards,

-- Klaus Engelmann CCNA CCDA - CSCO10971632 LPIC-2 - LPI000138061

On Thu, Aug 19, 2010 at 4:37 PM, Noel Jones njo...@megan.vbhcs.org wrote:

> On 8/19/2010 2:15 PM, p...@alt-ctrl-del.org wrote:
>
>>> From: D G Teed
>>> Subject: How common is reverse DNS checking?
>>>
>>> Out of all of the things we do to restrict spam, the only one with a steady trickle of false positives is the host lookup not passing reverse DNS check.
>>
>> reject_unknown_client_hostname = gives problems
>> reject_unknown_reverse_client_hostname = 0 complaints here
>
> Same here. reject_unknown_client_hostname is too strict, but reject_unknown_reverse_client_hostname rejects lots of obvious spambots without resorting to an RBL lookup. The false-positive rate is close enough to zero that I would not consider removing this restriction.
>
> -- Noel Jones
Re: How common is reverse DNS checking?
Robert Fournerat put forth on 8/19/2010 4:46 PM:

> Quoting Noel Jones njo...@megan.vbhcs.org:
>
>> Same here. reject_unknown_client_hostname is too strict, but reject_unknown_reverse_client_hostname rejects lots of obvious spambots without resorting to an RBL lookup. The false-positive rate is close enough to zero that I would not consider removing this restriction.
>
> Call me a BOFH, but I have no sympathy for mail servers that do not pass the FCRDNS test.

Agreed. Given that the majority of consumer broadband providers in the US assign rDNS to even all their consumer IP addresses, there's no reason for a legit mail sending host to not have rDNS.

However, because of the above situation, the existence of rDNS for a mail sending host is worth less as a spam check because so many devices have rDNS today. Using fully qualified regular expressions to check for such consumer space rDNS is usually much more effective and less error prone.

The Enemies List has the largest collection of such expressions matching the largest swatch of consumer (i.e. zombie) rDNS strings on the planet: http://enemieslist.com/

Unfortunately it's not free or publicly available.

-- Stan
Re: How common is reverse DNS checking?
On Fri, Aug 20, 2010 at 10:39:48AM CEST, Stan Hoeppner s...@hardwarefreak.com said:

> Robert Fournerat put forth on 8/19/2010 4:46 PM:
>
>> Quoting Noel Jones njo...@megan.vbhcs.org:
>>
>>> Same here. reject_unknown_client_hostname is too strict, but reject_unknown_reverse_client_hostname rejects lots of obvious spambots without resorting to an RBL lookup. The false-positive rate is close enough to zero that I would not consider removing this restriction.
>>
>> Call me a BOFH, but I have no sympathy for mail servers that do not pass the FCRDNS test.
>
> Agreed. Given that the majority of consumer broadband providers in the US assign rDNS to even all their consumer IP addresses, there's no reason for a legit mail sending host to not have rDNS.

Humm US is not alone on Internet...

-- Erwan
Re: How common is reverse DNS checking?
Erwan David put forth on 8/20/2010 4:23 AM:

> On Fri, Aug 20, 2010 at 10:39:48AM CEST, Stan Hoeppner s...@hardwarefreak.com said:
>
>> Robert Fournerat put forth on 8/19/2010 4:46 PM:
>>
>>> Quoting Noel Jones njo...@megan.vbhcs.org:
>>>
>>>> Same here. reject_unknown_client_hostname is too strict, but reject_unknown_reverse_client_hostname rejects lots of obvious spambots without resorting to an RBL lookup. The false-positive rate is close enough to zero that I would not consider removing this restriction.
>>>
>>> Call me a BOFH, but I have no sympathy for mail servers that do not pass the FCRDNS test.
>>
>> Agreed. Given that the majority of consumer broadband providers in the US assign rDNS to even all their consumer IP addresses, there's no reason for a legit mail sending host to not have rDNS.
>
> Humm US is not alone on Internet...

You're full of wisdom Erwan. ;) The US is the single largest source of spam. We rank #1 every year, IIRC.

The point was, since you missed it: The US sends the most zombie spam. The US has the most rDNS assigned to consumer IPs, which are the source of most of this zombie spam. Thus, checking for the existence of rDNS, which is what reject_unknown_reverse_client_hostname does, isn't really going to stop said zombie spam.

In other parts of the world where providers don't assign rDNS to consumer IPs, then yes, this check helps. More and more providers around the world are assigning rDNS to their consumer IPs. Again, my entire point was that checking for the mere existence of rDNS is far less relevant in the spam blocking game than it once was. Do you dispute that?

-- Stan
Re: How common is reverse DNS checking?
On Fri, Aug 20, 2010 at 11:42:02AM CEST, Stan Hoeppner s...@hardwarefreak.com said:

> Erwan David put forth on 8/20/2010 4:23 AM:
>
>> On Fri, Aug 20, 2010 at 10:39:48AM CEST, Stan Hoeppner s...@hardwarefreak.com said:
>>
>>> Robert Fournerat put forth on 8/19/2010 4:46 PM:
>>>
>>>> Quoting Noel Jones njo...@megan.vbhcs.org:
>>>>
>>>>> Same here. reject_unknown_client_hostname is too strict, but reject_unknown_reverse_client_hostname rejects lots of obvious spambots without resorting to an RBL lookup. The false-positive rate is close enough to zero that I would not consider removing this restriction.
>>>>
>>>> Call me a BOFH, but I have no sympathy for mail servers that do not pass the FCRDNS test.
>>>
>>> Agreed. Given that the majority of consumer broadband providers in the US assign rDNS to even all their consumer IP addresses, there's no reason for a legit mail sending host to not have rDNS.
>>
>> Humm US is not alone on Internet...
>
> You're full of wisdom Erwan. ;) The US is the single largest source of spam. We rank #1 every year, IIRC.
>
> The point was, since you missed it: The US sends the most zombie spam. The US has the most rDNS assigned to consumer IPs, which are the source of most of this zombie spam. Thus, checking for the existence of rDNS, which is what reject_unknown_reverse_client_hostname does, isn't really going to stop said zombie spam.
>
> In other parts of the world where providers don't assign rDNS to consumer IPs, then yes, this check helps. More and more providers around the world are assigning rDNS to their consumer IPs. Again, my entire point was that checking for the mere existence of rDNS is far less relevant in the spam blocking game than it once was. Do you dispute that?

No, I do not. But I had misunderstood you.

-- Erwan
Re: How common is reverse DNS checking?
Quoting Stan Hoeppner s...@hardwarefreak.com:

> Robert Fournerat put forth on 8/19/2010 4:46 PM:
>
>> Quoting Noel Jones njo...@megan.vbhcs.org:
>>
>>> Same here. reject_unknown_client_hostname is too strict, but reject_unknown_reverse_client_hostname rejects lots of obvious spambots without resorting to an RBL lookup. The false-positive rate is close enough to zero that I would not consider removing this restriction.
>>
>> Call me a BOFH, but I have no sympathy for mail servers that do not pass the FCRDNS test.
>
> Agreed. Given that the majority of consumer broadband providers in the US assign rDNS to even all their consumer IP addresses, there's no reason for a legit mail sending host to not have rDNS.
>
> However, because of the above situation, the existence of rDNS for a mail sending host is worth less as a spam check because so many devices have rDNS today. Using fully qualified regular expressions to check for such consumer space rDNS is usually much more effective and less error prone.

Since we are using greylisting all need for checking rDNS or DNSBL because of spam-bots from dynamic IPs is gone anyway. Our main problem is the half-legal spam networks spanning whole AS and operating with proper DNS, real mailservers and even SPF and DKIM. So no, rDNS checking is useless or even harmful in our case.

Baseline for the OP: Your server, your rules. Check your traffic and see what spam fighting method is most useful and least error prone in your special case instead of blindly trusting third party experience.

Regards

Andreas
Re: How common is reverse DNS checking?
On Fri, Aug 20, 2010 at 8:14 AM, lst_ho...@kwsoft.de wrote:

> Quoting Stan Hoeppner s...@hardwarefreak.com:
>
>> Robert Fournerat put forth on 8/19/2010 4:46 PM:
>>
>>> Quoting Noel Jones njo...@megan.vbhcs.org:
>>>
>>>> Same here. reject_unknown_client_hostname is too strict, but reject_unknown_reverse_client_hostname rejects lots of obvious spambots without resorting to an RBL lookup. The false-positive rate is close enough to zero that I would not consider removing this restriction.
>>>
>>> Call me a BOFH, but I have no sympathy for mail servers that do not pass the FCRDNS test.
>>
>> Agreed. Given that the majority of consumer broadband providers in the US assign rDNS to even all their consumer IP addresses, there's no reason for a legit mail sending host to not have rDNS.
>>
>> However, because of the above situation, the existence of rDNS for a mail sending host is worth less as a spam check because so many devices have rDNS today. Using fully qualified regular expressions to check for such consumer space rDNS is usually much more effective and less error prone.
>
> Since we are using greylisting all need for checking rDNS or DNSBL because of spam-bots from dynamic IPs is gone anyway. Our main problem is the half-legal spam networks spanning whole AS and operating with proper DNS, real mailservers and even SPF and DKIM. So no, rDNS checking is useless or even harmful in our case.
>
> Baseline for the OP: Your server, your rules. Check your traffic and see what spam fighting method is most useful and least error prone in your special case instead of blindly trusting third party experience.

I don't know if it is blind trust. Some of these people have answered my questions here before with smarts. But I will continue to observe my maillog stats in cacti. I made the change late yesterday and so far the only noticeable blip was a few hundred more virus emails quarantined than on any other recent day.

I have to balance this against sometimes urgent situations where someone has been not getting email and is running against some deadline. If we can avoid raising the stress levels and not have it associated with our IT group, this could be a good thing. Normally the problem is that the other site believes they have rDNS set up, but have non-matching values, often due to new mail gateway appliances or services.

I'm going to start another thread about greylisting choices.

--Donald
Re: How common is reverse DNS checking?
> From: D G Teed
> Subject: How common is reverse DNS checking?
>
> Out of all of the things we do to restrict spam, the only one with a steady trickle of false positives is the host lookup not passing reverse DNS check.

reject_unknown_client_hostname = gives problems
reject_unknown_reverse_client_hostname = 0 complaints here
Re: How common is reverse DNS checking?
On 8/19/2010 2:15 PM, p...@alt-ctrl-del.org wrote:

>> From: D G Teed
>> Subject: How common is reverse DNS checking?
>>
>> Out of all of the things we do to restrict spam, the only one with a steady trickle of false positives is the host lookup not passing reverse DNS check.
>
> reject_unknown_client_hostname = gives problems
> reject_unknown_reverse_client_hostname = 0 complaints here

Same here. reject_unknown_client_hostname is too strict, but reject_unknown_reverse_client_hostname rejects lots of obvious spambots without resorting to an RBL lookup. The false-positive rate is close enough to zero that I would not consider removing this restriction.

-- Noel Jones
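As an added illustration (not part of any poster's message and not Postfix code), the Python below models the two restrictions compared in this thread and the fully qualified rDNS pattern check suggested in another reply. The DNS tables, addresses, hostnames and the pattern are constructed for the example, and temporary DNS errors are not modelled.

```python
import re

# Constructed DNS data: documentation address ranges, invented hostnames.
PTR = {
    "192.0.2.10": ["mail.example.org"],   # PTR and A agree (FCrDNS passes)
    "192.0.2.20": ["ns1.example.org"],    # PTR exists, A points elsewhere
    "192.0.2.30": ["gw.example.net"],     # PTR exists, name has no A record
    "198.51.100.7": ["pool-198-51-100-7.dyn.example.com"],  # consumer-style
    # 203.0.113.5 has no PTR record at all
}
A = {
    "mail.example.org": ["192.0.2.10"],
    "ns1.example.org": ["192.0.2.21"],
    "pool-198-51-100-7.dyn.example.com": ["198.51.100.7"],
}

# Assumed pattern for one invented provider; not taken from any real list.
GENERIC_RDNS = re.compile(r"^pool(?:-\d{1,3}){4}\.dyn\.example\.com$", re.I)

def reverse_names(ip):
    return PTR.get(ip, [])

def has_reverse(ip):
    """reject_unknown_reverse_client_hostname: is there any IP->name mapping?"""
    return bool(reverse_names(ip))

def forward_confirmed(ip):
    """reject_unknown_client_hostname: IP->name, name->IP, and the IP matches."""
    return any(ip in A.get(name, []) for name in reverse_names(ip))

def looks_generic(ip):
    """Fully anchored match against a known consumer-space naming scheme."""
    return any(GENERIC_RDNS.match(name) for name in reverse_names(ip))

def verdict(ip):
    if not has_reverse(ip):
        return "rejected by both restrictions"
    if not forward_confirmed(ip):
        return "rejected only by reject_unknown_client_hostname"
    if looks_generic(ip):
        return "passes both, but rDNS looks like consumer space"
    return "passes both"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30",
               "198.51.100.7", "203.0.113.5"):
        print(ip, "->", verdict(ip))
```

The two middle rows are the "non-matching values" case: a PTR record exists, so only the stricter restriction rejects the client.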
Re: How common is reverse DNS checking?
Thanks for the responses and tip on reject_unknown_reverse_client_hostname. I've made the switch to that and it seems to catch many unmapped IPs. I half suspected there was something less stringent I could go for, and had not noticed that variant. We had only reject_unknown_client from older Postfix config (we're still on 2.4).

--Donald
Re: How common is reverse DNS checking?
Quoting Noel Jones njo...@megan.vbhcs.org:

> On 8/19/2010 2:15 PM, p...@alt-ctrl-del.org wrote:
>
>>> From: D G Teed
>>> Subject: How common is reverse DNS checking?
>>>
>>> Out of all of the things we do to restrict spam, the only one with a steady trickle of false positives is the host lookup not passing reverse DNS check.
>>
>> reject_unknown_client_hostname = gives problems
>> reject_unknown_reverse_client_hostname = 0 complaints here
>
> Same here. reject_unknown_client_hostname is too strict, but reject_unknown_reverse_client_hostname rejects lots of obvious spambots without resorting to an RBL lookup. The false-positive rate is close enough to zero that I would not consider removing this restriction.
>
> -- Noel Jones

Call me a BOFH, but I have no sympathy for mail servers that do not pass the FCRDNS test.

Robert

This message was sent using IMP, the Internet Messaging Program.