I'm not so sure that turning off RDNS for dial-up/dynamic is a good idea. RDNS checks aren't just used by SMTP relay blockers. For example: until a few years ago, it was illegal in the United States for a company to "export" high encryption (that's a whole other story, though), so download sites for high encryption products in the U.S. had to use RDNS checks to confirm that the person downloading was from the U.S. or Canada. (The reason I remember this so well is that the non-profit ISP that I volunteered with (and had my dial-up access through) had problems with RDNS, and so I was unable to download encryption products (at that point in time, 128-bit Netscape Navigator - gads, that was a while ago) until we got the RDNS fixed.)
For another example (just discovered this today at http://www.mynetwatchman.com/kb/security/ports/17/137.htm - scroll down to the "False Positives" section at the end): on a Windows web server, if NetBIOS is bound to the public IP address of the server, IIS will attempt to do a direct NetBIOS query back to the client if RDNS fails. This causes (a) unnecessary network traffic and (b) false alarms on firewalls, etc. Which reminds me - I need to check on my NetBIOS bindings on my Windows boxes...

In short - RDNS ain't just for servers. Of course, that's just my 2 cents - your mileage may vary.

Kirk.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tracy
Sent: Thursday, June 12, 2003 3:46 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [xmail] Re: how can I send to AOL users

At 17:16 6/12/2003, Michael Harrington wrote:
>Honestly, can you blame AOL for doing this? I can't even count how much
>SPAM gets thrown at our system from people using their cable or DSL lines.

No, I can't blame them for wanting to stop some of the spam. But one of the best solutions I've seen proposed to date has nothing to do with running regexes on DNS names. It's very simple, and very cost effective. Have the ISPs who allocate IP pools for dynamic assignment or for dialup users remove the PTR records for those addresses, and let mail servers do RDNS checks. This serves three purposes:

1) It gives a simple, quick, and reasonably accurate measure of whether an IP address is intended to be a server (no PTR record = no server).

2) It is nearly costless to implement on both sides (removing PTR records is a one-time operation, and can be done quickly; and setting up an RDNS check for incoming connections should be a simple matter in most mail server software - or even on a firewall or portal before it gets to the mail server).

3) It helps prevent users of dynamic or dialup IP addresses from running server packages in contravention of their ISP's AUP and contract.

I know that my own ISP does this - I had to explicitly ask for RDNS to be set up on my IP block (I have a 16 address subnet allocated from my ISP). And several other ISPs in the area also do this (set up RDNS only on request, and often charge an additional monthly fee for the service).

>The number of messages you stop vs. the number of legitimate email messages
>makes the concept seem worth it to me. I'm glad I don't have AOL or
>Hotmail's systems. They could probably cut their systems in half if it
>weren't for the junk mail that they're having to process.

The same thing could be said from the other side. Do you have any idea how many spam mails I could block from my server by rejecting anything with "aol.com" or "hotmail.com" in the envelope sender? And, honestly, for my own mail server here, I could do that with near 0% "casualties" to legitimate mail. But would that be ethical as a postmaster to do? I don't think so - just as I don't really think that their solution is ethical. Sure, it's their network, and they can make the rules they want, but...

>Spam may not realistically cost end users that much money, but it definitely
>costs ISPs money in bandwidth and storage for all that junk.

Well, I'm a *small* operation - my mail server handles traffic for three domains, containing a total of about 30 users. My average throughput is around 2000 messages a day. However, out of that 2000 messages, nearly 70% is spam. But I've not found it necessary to resort to regex operations on DNS names. Actually, I should say that nearly 70% *was* spam - after having spent a couple of weeks playing with various DNSBLs and assessing their collateral damage, and playing with RDNS checks and assessing the damage there, I've reduced the spam to under 25% of the daily flow - and I'm expecting to reduce it further by tuning the DNSBLs.

Granted that 25% of the total traffic is still a whale of a lot of messages, but it's a lot better than 70%.

-
To unsubscribe from this list: send the line "unsubscribe xmail" in the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
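The connect-time RDNS check Tracy proposes above (no PTR record = no server), as an added example placed after the thread; it is not code from the thread, from XMail, or from any of the posters. It goes a step beyond the proposal in two ways a practitioner would want: it also does forward-confirmed reverse DNS (the name the PTR returns must resolve back to the connecting address, otherwise anyone who controls a PTR can claim any name), and it distinguishes "no PTR" from "the lookup failed", deferring with a 4xx in the second case so that a broken resolver (the situation Kirk describes at his ISP) delays mail rather than bouncing it. The zone data, the TEST-NET addresses, the function names and the mapping of h_errno 2 to a temporary failure are all assumptions made for the example.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone data (not real DNS) in the TEST-NET ranges, standing in
# for the resolver so the example runs offline.  A PTR of None means "removed".
SAMPLE_PTR: Dict[str, Optional[str]] = {
    "192.0.2.10": "mail.example.net",           # real server: PTR plus matching A
    "192.0.2.20": "host-20.pool.example.org",   # PTR present, but A points elsewhere
    "192.0.2.30": None,                          # dynamic pool, PTR removed by the ISP
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "host-20.pool.example.org": ["198.51.100.9"],
}


class TempDnsFailure(Exception):
    """The lookup itself failed (timeout, SERVFAIL); this is not 'no record'."""


def sample_ptr(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table; 192.0.2.40 simulates SERVFAIL."""
    if ip == "192.0.2.40":
        raise TempDnsFailure("simulated SERVFAIL for " + ip)
    return SAMPLE_PTR.get(ip)


def sample_a(host: str) -> List[str]:
    """A lookup against the constructed table."""
    return SAMPLE_A.get(host, [])


def system_ptr(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver.  h_errno 2 (TRY_AGAIN) is assumed to
    be the resolver's temporary-failure code; anything else is treated as no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror as exc:
        if exc.errno == 2:
            raise TempDnsFailure(str(exc))
        return None


def system_a(host: str) -> List[str]:
    """A lookup via the system resolver; no answer is treated as an empty list."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except (socket.gaierror, socket.herror):
        return []


def rdns_verdict(
    ip: str,
    ptr: Callable[[str], Optional[str]] = sample_ptr,
    a: Callable[[str], List[str]] = sample_a,
) -> Tuple[str, str]:
    """Decide what to do with an SMTP client at connect time.

    Returns (verdict, smtp_reply) where verdict is "accept", "reject" or
    "tempfail" and smtp_reply is the text the MTA would send the client.
    """
    try:
        host = ptr(ip)
    except TempDnsFailure as exc:
        # A resolver outage is not evidence that the client is a dynamic address:
        # defer with 4xx so a real server retries instead of getting a bounce.
        return "tempfail", "450 4.7.1 Reverse DNS lookup for %s failed temporarily (%s)" % (ip, exc)

    if host is None:
        # Tracy's rule: no PTR record = no server.
        return "reject", "550 5.7.1 No reverse DNS (PTR) for %s; dynamic addresses are not accepted" % ip

    # Forward-confirmed reverse DNS: the PTR name must resolve back to the
    # connecting address, otherwise the PTR alone proves nothing.
    if ip not in a(host):
        return "reject", "550 5.7.1 Reverse DNS for %s (%s) does not resolve back to %s" % (ip, host, ip)

    return "accept", "PTR %s confirmed for %s" % (host, ip)


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        verdict, reply = rdns_verdict(client)
        print("%-12s %-8s %s" % (client, verdict, reply))
    # Against real DNS: rdns_verdict(ip, ptr=system_ptr, a=system_a)
```

The function is meant to sit wherever the MTA (or a front-end filter, as Tracy suggests) first sees the client address, before any envelope is accepted. The only thing worth tuning is the temporary-failure branch: a site that would rather never defer legitimate mail during a resolver outage can turn it into "accept with a log line", but it should not turn it into a 550.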
